California Changes to Consumer Privacy Data Will Affect All Cannabis Businesses Dealing With California Residents

The rules have changed in California concerning how and when you can use customer data, and the impact will be felt in many industries across the country, including the cannabis and hemp industries.  On January 1, 2020, the California Consumer Privacy Act of 2018 (“CCPA”) became law and affects businesses operating in California and businesses in other states that obtain personal information from a California resident.  For example, a California business gathering email addresses or IDs from customers must comply with this act. In addition, a Colorado business which operates online or scans the ID of a person from California may be subject to the CCPA. 

The law requires far more accountability for companies who collect and maintain consumer’s personal information in the United States.  Routine activities like tracking website traffic can fall under the CCPA and now require enhanced oversight and reporting. It has never been more important to secure consumer data and stay organized in order to comply with the new disclosure and retention requirements, as statutory damages are $2,500 for each unintentional violation and $7,500 for each intentional violation.

Capturing, interpreting, and utilizing consumer activity can produce data driven decisions to enhance future business and greatly increase your company’s attractiveness to potential investors or acquirers. Now is the time to revisit your website terms and conditions and discuss data privacy and security. Attorney Dan Kramer heads up McAllister Garfield’s work on data security and privacy. For more about Dan, see If you have any questions about this issue, contact Dan Kramer at