More than 20 years after California became the first state to legalize the sale of medical marijuana, it has blossomed into the largest legal cannabis market in the world. And as of January 1, 2020, the Golden State has added yet another 'first' to its ever-growing list of accolades: the first state in the country with a comprehensive data policy to protect consumers' personal information (PI).
The California Consumer Privacy Act (CCPA) presents a broad range of rights for consumers, but ultimately, protects them from having their data stored, shared, or sold without their consent. It applies to all companies that serve California state residents and have at least $25 million in gross revenue. In addition, companies that have the PI of at least 50,000 California residents, or those that derive at least half their annual revenue from selling consumers' personal information, also fall under the law. This means that most cannabis companies with California operations - even those that are not headquartered or incorporated in the state - will need to comply.
Luckily, a 6-month grace period has been issued for enforcement. This means that even though the law went into effect on January 1, 2020, full enforcement won't begin until July 1, 2020, which gives operators plenty of time to update their policies and get in compliance.
So let's take a look at what you need to know about CCPA and how it will affect your cannabis operations.
The 3 Key Pillars of CCPA
They say location is king, but when it comes to CCPA it's all about communication. Before CCPA went into effect, companies were in complete control of what data was collected and how it was being used. But going forward, the law gives consumers a few key rights that encourage a more transparent exchange of information. Thus, communicating the nuances of your data collection practices reigns supreme.
Pillar #1: Communication
First and foremost, operators will need to understand what type of personal data is protected by CCPA. This encompasses everything from names and addresses, to biometric information, IP addresses, browsing history, and much more. Having a firm grasp of what's protected will enable you to properly communicate to customers:
- Which pieces of PI you're collecting
- How / what you're using it for
- Which 3rd parties it's being transferred to and how they're using it, and
- Step-by-step instructions for how someone can opt-out of its collection.
The disclosures you put on your physical signage are also something that your privacy counsel can help with. Since meeting with an attorney can be pricey - albeit entirely necessary when it comes to CCPA - we recommend heading into your discussion with a general idea of the different kinds of verbiage and documentation you may want their help with.
Now, let's take a look at the second key pillar of CCPA - deletion.
Pillar #2: Deletion
This is arguably the biggest departure from previous regulations, since it grants CA consumers the right to request that their information be deleted. Because of this, companies will need to establish clear policies on how employees should respond to these requests and which channels customers can use to make them.
For example, you may require customers to contact you through a dedicated email alias, so the appropriate parties can adequately track and follow up on these communications - without the risk of them falling through the cracks. Additionally, you may not be able to lawfully oblige their request. Yup, you read that right. Just because a customer makes the request doesn't automatically mean you have to comply with it - under certain circumstances, of course. So, having a distinct process for how to handle these inquiries will help safeguard you from employees spreading misinformation or frustrating customers.
Side note: your privacy counsel can also help you craft a consistent email response for various types of customer data questions, so be prepared to bring that up with them as well.
Take purchase limits for example. Currently, global purchase limit tracking isn't something that's required (or possible) in California. Meaning, it's wholly the responsibility of the individual operator to enforce daily purchase limits and ensure looping isn't taking place. In this case, the storage of PI is necessary as it allows operators to enforce state-mandated limitations - a staple of cannabis compliance in CA. The ability to store PI at the retail level is even more important, as there are no POS providers on the market today that are able to track and enforce purchase limits without leveraging unique personal identifiers. At Treez, we're exploring new ways of anonymizing personal information that can support these types of consumer requests without putting the compliance of our operators at risk. However, technological solutions in this industry also need time to mature and respond to the new regulation. Stay tuned.
However, just because the exclusion exists doesn't mean it applies everywhere. For example, you don't have the right to decline a customer's request to have their PI removed from 3rd party platforms for things like SMS or email-based marketing campaigns, since that doesn't impact your ability to operate lawfully. That being said, things like loyalty programs necessitate that you save data to allow customers to reap the benefits of return visits. And since those programs benefit the customer in the long term, many may be willing to have their data stored and shared to take advantage of member perks. Just be sure you're communicating the 'how', 'what', 'where', 'when', and 'why' of that partner's data collection and usage properly. These opt-in agreements offer a great place to make your storage practices known and cover yourself.
After all, as a consumer-centric business, it's in your interest to have customers agree to allow you to hold on to their data. Not only does it let you make more prescriptive purchasing decisions and offer personalized product recommendations, but it also helps to provide a seamless return experience, enables loyalty programs, and much more. In short, finding legal ways to encourage your customers to let you hold on to this data will enhance your ability to create a world-class customer experience. Just remember, the legality of either obliging or declining deletion requests requires adequate consideration and will need to be managed on a partner-by-partner basis.
Pillar #3: Discrimination (or lack thereof)
The last key pillar of CCPA is that businesses are not allowed to discriminate against consumers who request to exercise their rights. So, covered companies must be willing to serve customers even though they've chosen to opt-out of data collection. However, this requirement, as we've recently learned, only needs to be upheld if the deletion doesn't jeopardize a company's ability to operate lawfully.
This is an important point to take note of for cannabis companies since there exists a lawful need to save a consumer's personal information at the retail level (re: purchase limits). Because of this, training your staff on the proper recourse around these requests should not be underestimated.
Of course, how you choose to structure and communicate your store's data collection policies is largely up to you and your privacy counsel. At the end of the day, consulting with a pro ensures the policies you're implementing and the way you're communicating them are both fair and lawful under CCPA.
How to Implement CCPA
By now, it should be evident how important privacy expertise and communication are when it comes to CCPA compliance. Realistically, they're the only way to avoid fines down the line that can cost you upwards of $2,500 per violation. But once you've had a chance to consult with the right people and draft the appropriate verbiage, it's time to put your policies to work. And that starts with - you guessed it - communicating these policies to customers.
Website Disclosures & Membership Agreements
While this method is great for all new customer sign-ups, you'll also want to consider how to present your existing customer base with this same information. Treez operators can reach out to us to have the outdated agreement confirmation removed from customer profiles, so receptionists are equipped with a quick visual cue that this documentation needs to be updated. Alternatively, if your current system doesn't provide you with an integrated solution, you may need to rethink your intake flow for returning customers in the short term. Just be sure to plan accordingly for how you'll be tracking and managing your opt-in paperwork if you decide to go that route.
Elevate Your In-Store Entrance Experience
Another great way to educate customers about their rights is to have a printed fact sheet about your store's data policies. Not only will this enable your employees to relay accurate information to anyone who asks, but it's a simple addition to every exit bag - making the dissemination of this important information even easier.
Regardless of which avenues you choose to pursue, leveraging your privacy counsel's expertise will present the safest ways to cover your six. And don't forget, you still have until the end of June to get your CCPA ducks in a row. So take your time and make sure to do it right.
Building a CCPA-compliant data policy may sound like a daunting task on paper, but it largely boils down to proper communication. So while things like signage and physical documentation are great for communicating your store's policies around CCPA, enlisting the help of a specialized professional is an absolute must.
And at the end of the day, if you're getting frequent requests from customers to opt out of data collection or to delete their PI entirely, try reminding them of all of the benefits that go along with data storage, such as loyalty programs, more personalized product recommendations, easy returns, etc. While the goal should never be to talk people out of their decision, it should be to educate them on why you aren't able to comply with certain requests and help them see the potential benefits they stand to gain by letting you hold on to their data. So just remember, providing consistent access to your privacy and data collection policies will help keep your customers happy while also making sure that you stay in compliance for the long haul.