Photo via Turdhat2
A new bill moving through the California legislature would require licensed cannabis dispensaries to ask consent before selling or sharing a customer’s private information, protecting legal weed consumers from potential data misuse.
For the past five months, Golden State residents and tourists alike have enjoyed the legal freedoms and wide product selection of adult-use cannabis legalization, all while largely ignoring the piles of sensitive personal data repeatedly turned over to dispensaries and delivery services.
Because marijuana is an age-sensitive product, all California dispensaries are required to check customer IDs before sales, with a significant number of permitted pot shops scanning customer data into permanent profiles that are then kept on file.
In an investigation into dispensary data collection by the Fresno Bee last month, reporters found that every single pot shop that they approached told them that they retained information about their customers, including names, addresses, birthdays, and phone numbers, even though state law doesn’t require dispensaries to record any purchaser information after their age has been verified. Across the state, dispensary employees told the Bee that any customer who refused to turn over their personal data would be turned away from the store.
To reconcile that gap in data collection and consumer consent, California’s Assembly Bill 2402 would both “prohibit a licensee from disclosing a consumer’s personal information” and “prohibit a licensee from discriminating against a consumer or denying a consumer a product or service because he or she has not provided consent to authorize the licensee to disclose the consumer’s nonpublic personal information.”
Originally introduced in February of this year, A.B. 2402 moved slowly through state committees before passing through the California Assembly in a landslide vote last month. Now awaiting a vote in the state Senate, the consumer protection legislation has garnered the support of at least one high-profile digital rights organization.
In a letter to state legislators, the Electronic Frontier Foundation — a San-Francisco based nonprofit working to protect personal information across the digital landscape — argued that A.B. 2402 is a necessary precaution in safeguarding Golden State pot buyers from unwanted advertisements as well as the federal government, which still enforces a nationwide prohibition on cannabis.
“As the legal marijuana market in California develops, consumer privacy will be a critical area to protect,” the organization explained. “That’s doubly true as marijuana vendors turn to apps and websites to market themselves, which will give them the ability to collect data about the most minute customer choices and preferences. That information will be increasingly valuable to data brokers. Not only could such data be used for invasive marketing, it could ultimately be acquired and used by federal law enforcement.”
In Alaska, Colorado, and Oregon, dispensaries are required by state law to destroy all customer personal information within 30 days of any purchase. Oregon, the last state to enact a marijuana consumer protection law, allows customers to offer email addresses or phone numbers to pot shops for special sales or personalized shopping, but that data collection must be explicitly voluntary.
Over the past three months, the stockpiling and sale of personal data has emerged as a central political issue, thanks in most part to recent revelations about Facebook, the data firm Cambridge Analytica, and the 2016 U.S. presidential election. With millions of Facebook users’ data unwittingly sold to political influencers, not to mention countless advertisers, the scandal caused lawmakers to reconsider the public’s often secretive relationship with Big Data purveyors.
If passed by the California state Senate, A.B. 2402 would move to the desk of Governor Jerry Brown for a final decision on the cannabis consumer protection bill.