We’ve been writing a lot lately about recent major changes in federal hemp laws that will likely affect every hemp company in the United States. While we’re on the topic of dramatic legal changes, it’s probably a good idea to talk about a California privacy law that’s about to take effect and require many cannabis and hemp companies across the nation to dramatically change their business practices—the California Consumer Privacy Act (or “CCPA”).
CCPA takes effect January 1, 2020. If you haven’t heard of it yet, you will soon. It is comparable in scope and breadth to the EU’s General Data Protection Regulation (or “GDPR”) which is a real nightmare for businesses to comply with. CCPA is by far the most significant and expansive U.S. privacy law to date. Just keeping up with the law has been difficult—there have been a dozen attempts to amend the law, many of which have been successful (some privacy organizations have even created amendment trackers), and the California Attorney General recently issued proposed regulations that add another layer of complexity to the already complex law.
One of the first (and more complicated) aspects of CCPA is figuring out to whom it even applies. CCPA applies to (a) for-profit businesses who (b) do business in California and (c) collect consumers’ personal information themselves or through others or determine the purposes and means of processing consumers’ personal information and (d) meet one of the following three criteria:
- A business generates more than $25 million in annual gross revenues (this number will be adjusted over time).
- A business “Alone or in combination, annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.”
- A business derives at least 50 percent of its annual revenues from selling consumers’ personal information.
This is a mouthful. Here are some of the particularly important notes:
- There is no requirement that the business is located in California. A cannabis or hemp company in any other state or country could be forced to comply so long as it hits the above criteria.
- “Doing business” is not defined and could be construed very broadly to include seemingly minor relations to the state of California.
- CCPA can apply to certain parents or subsidiaries of companies to whom CCPA applies. In other words, if an out-of-state cannabis or hemp company owns a company to whom CCPA applies, then CCPA may apply to both companies even though the parent is based elsewhere and otherwise wouldn’t need to comply.
- For many companies, points 1 and 3 may not apply. However, point 2 should give any company pause. In recent guidance, the California Attorney General interpreted this provision by stating that “[A]ny firm that collects personal information from more than 137 consumers or devices a day will meet the 50,000 threshold. To provide an upper bound on the number of firms potentially affected by the CCPA regulations, we consider two alternative assumptions. We assume that either 50% or 75% of all California businesses that earn less than $25 million in revenue will be covered under the CCPA.” In other words, if a business obtains personal information (which is defined in an extremely broad way) from just 137 consumers or “devices” per day, then CCPA could apply. And of course, this is not limited to online collection.
If CCPA applies to a cannabis or hemp business, compliance will be no small undertaking. Below are some of the key aspects of CCPA that businesses should be aware of:
- CCPA creates numerous rights for consumers with respect to businesses that hold their personal information, including the right to find out what information about the consumer a business possesses, the right to deletion of certain information, the right to opt out of the sale of information, and so on. Businesses must be able to comply with customer requests, and doing so can be complex. Is the average cannabis or hemp business able to drop everything and identify to a consumer within a short window exactly what information the business has about the customer?
- To really be able to comply with CCPA, businesses should be able to identify how they collect information from any source, and what they do with it. This can be a tremendously complicated task, especially for larger businesses or businesses that have an online presence.
- Companies need to have privacy policies that explain to customers what information they have, how they obtained it, and what they do with it. While California already required businesses with websites to have privacy policies, CCPA-type privacy policies will be much broader and will not just apply to information collected through websites. Moreover, pursuant to the proposed regulations recently released by the California Attorney General, those policies must be accessible to consumers with disabilities, which can be a huge compliance challenge for covered businesses.
- If businesses sell (or in some cases even provide) customer information to third parties, that will need to be explained to customers up front, and customers will have the ability to opt out of such information sharing. In fact, per the Attorney General regulations, websites should even include a special opt-out button.
- Businesses who provide consumer information to third-party “service providers” to process the information on behalf of the business must enter into contracts with the service providers that obligate them to adhere to certain standards under CCPA.
- Businesses must train their employees and agents concerning certain privacy practices.
- CCPA creates a private right of action for consumers and allows them to seek statutory or actual damages in the event of certain breaches where companies failed to adopt reasonable security measures. This means that there will likely be an onslaught of class-action suits against all kinds of companies in the future, including cannabis companies. Even companies who do believe they have reasonable security measures in place will have to essentially prove that through expensive litigation. The one saving grace is that there may be a cure period for some businesses, but in all likelihood, lawsuits will be coming.
This is just a short list of some of the more important requirements of CCPA. As any reader can see, compliance will not be easy. Cannabis and hemp companies that don’t start thinking about CCPA now may be at risk later.