By Griffen Thorne, Attorney at Harris Bricken
The California Consumer Privacy Act (CCPA) took effect at the beginning of the year. CCPA is a massive privacy law similar in scope to the European Union’s infamous General Data Protection Regulation, and applies to many businesses (not just cannabis businesses) that are based in or even “do business” in California. I wrote about the thresholds for whether CCPA applies here, and the moral of the story is that the bar can be pretty low when it comes to application of the law.
For businesses that are subject to CCPA, compliance can be rough. One of the hallmarks of the law is that it provides California consumers with many new rights that they can exercise with respect to businesses that hold the consumers’ personal information. These rights include things like a right to direct a business not to sell consumer personal information, a right to know specifically what kinds of personal information a business collected, and importantly for this piece, a right to request that businesses delete personal information of the consumer.
The deletion right is what I want to focus on today. Per CCPA regulations, businesses that receive deletion requests must confirm receipt within a short period of time, and then respond to the request within 45 days from the date of receipt (in some cases, this can be doubled to 90 days). Businesses can use various methods to confirm that the person making the request is actually the person whose information is going to be deleted (I could write an entire post just on verification). At the end of the process, the business will be required to delete personal information unless there is an exception, which I will discuss below.
Deletion requests can be pretty significant for covered businesses. Such businesses may need to purge marketing or other key information that is otherwise valuable. The deletion process itself can also be time consuming and expensive (especially for small businesses that may not have a dedicated compliance team). However, when it comes to cannabis businesses, it’s possible that there may be many grounds to retain information.
CCPA makes clear that covered businesses may have the right to reject a deletion request if is necessary for the company or its service provider to:
These incidents are incredibly broad and can apply to a broad array of information. But number 8 is pretty significant for cannabis businesses. In interpretive materials issued in coordination with the CCPA regulations, the CA Attorney General staff noted that:
This clarification is not necessary because [the section cited above] sets forth when a business shall not be required to comply with a consumer’s right to delete, which includes when they must maintain the information to comply with a legal obligation. Civil Code § 1798.145(c) also sets forth that the CCPA shall not restrict a business’s ability to comply with federal, state, and local laws, among other things. Further, Civil Code § 1798.196 states that it is intended to supplement federal and state law, if permissible, but shall not apply if such application is preempted by, or in conflict with, federal law of the United States or California Constitution.
Unpacking this interpretation, it appears likely that licensed cannabis businesses that are obligated under the state Medicinal and Adult-Use Cannabis Regulation and Safety Act (“MAUCRSA”) and corresponding regulations to maintain certain categories of consumer personal information may be exempted from deleting that information. Here are two good examples:
To the extent that cannabis businesses are required by law to maintain personal information, they may be able to use that as a shield to complying with data deletion requests. This is a vast oversimplification. As one would expect, it is not always clear whether (1) something constitutes personal information, and (2) there is an actual legal obligation to maintain that information. Businesses that receive deletion or other CCPA requests must consult with privacy professionals or attorneys to determine the scope of requests. Failure to properly respond can lead to significant penalties.
Re-published with the permission of Harris Bricken and The Canna Law Blog
Your email address will not be published. Required fields are marked *
Name *
Email *
Website
Save my name, email, and website in this browser for the next time I comment.
Comment *
Notify me of follow-up comments by email.
Notify me of new posts by email.
Δ
Voters will now get to decide whether to legalize recreational marijuana in a state that has a well-established medical pot marketplace. When the Florida Supreme Court earlier this month approved a November referendum on…
The legal cannabis industry is thriving in the U.S., reaching its highest-ever number of jobs and sales, a new report shows. Vangst, a cannabis industry job platform, found that at…
Maine is the newest frontier for the illicit marijuana trade, with potentially hundreds of suspected unlicensed grow houses operating in the state, a CBS News investigation has found. It’s part…
Ten years ago this month, Iowa policymakers made it legal to use cannabis for certain medical treatment, marking the start of what would eventually become Iowa’s existing medical cannabidiol program.…