CCPA and CPRA Compliance: What Cannabis Businesses Need To Do Now

Enforcement of the California Consumer Privacy Act (CCPA) began on July 1, 2020. The CCPA gives consumers who reside in California significantly more control over how companies use their personal information. As a result, all companies needed to review their data, systems, and processes to ensure they were in full compliance with the new laws.

It wasn’t until Friday, August 14, 2020, that the state’s Attorney General announced the regulations to implement the CCPA were approved and effective immediately. However, complying with the CCPA became more confusing for businesses, because in some instances, the enforcement regulations went beyond what the CCPA statute requires.

The story wasn’t over yet though. In fact, compliance issues were just getting started.

In October 2020, California Governor Gavin Newsom signed two amendments to the CCPA into law. A.B. 1281 extended partial exemptions for employee data and business-to-business (B2B) data, which were previously set to expire on January 1, 2021. A.B. 713 amended the CCPA’s exemptions related to medical information and health privacy.

But that wasn’t all. Fast forward to November 2020, and things got even more confusing.

On November 3, 2020, California voters approved ballot Proposition 24, the California Privacy Rights Act of 2020 (CPRA), or what some people refer to as CCPA 2.0. CPRA won’t take effect until January 1, 2023, but it brings with it even more changes that businesses will need to comply with, including:

  • New definition of a covered business
  • Additional language about sharing data
  • Additional consumer rights
  • New rules for a category of “sensitive personal information”
  • New definition of “consent”
  • Changes to the definition of “service provider”
  • Expanded private right of action for data breaches
  • New disclosure requirements
  • Removal of the 30-day cure period
  • Extended exemptions for employee and B2B data
  • Establishment of the California Privacy Protection Agency
  • And more

Every company, including cannabis businesses, should understand the current requirements under the CCPA and what’s coming in the CPRA. Now is the time to start reviewing and revamping your policies and procedures.

For some companies, compliance with these laws is a very big task, but the risks of noncompliance – in terms of lawsuits and monetary penalties – are just too big to ignore. Following are 10 initial actions cannabis businesses can take to comply with CCPA.

1. Define a CCPA Compliance Budget

Your cannabis business’ CCPA compliance budget depends on a number of factors. Importantly, you need to consider hiring new employees to manage compliance today and on an ongoing basis. In addition, you’ll need to train employees to follow new workflows in an effort to meet the requirements of the CCPA.

While the bulk of your budget will be used in the short-term to bring your company into compliance with the new regulations, you’ll also need to invest in ongoing compliance monitoring. The CCPA is likely to evolve, and other states are already ramping up efforts to pass more stringent privacy laws.

2. Hire Key Employees

If your business doesn’t already have a compliance expert on staff, now is the time to hire one. Furthermore, you’ll need experienced security staff to implement the necessary changes to your company’s website, systems, and so on.

The key is to have one person who is held accountable for leading compliance efforts in your company, and that includes CCPA compliance. Typically, this person would be at the executive level and may have a manager and other professionals on staff (or available as consultants) to assist them. Depending on the size of your business, compliance could require an entire team of people.

3. Develop Data Mapping and Retention Processes

Data governance is an important part of your cannabis business’ CCPA compliance. You must have processes in place to identify how personal information is collected, how it’s categorized, how it’s stored, where it’s stored, how it’s protected, and how your business prevents illegal sharing, sale, or distribution of that data.

The CCPA includes a provision that says companies must be able to provide consumers who request their personal information with all data collected within the timeframe allowed by law. If your business doesn’t have a process in place to identify and map personal information to its sources, responding to these requests could be extremely time-consuming if not impossible. In fact, if your processes are inadequate, your cannabis business could end up facing lawsuits and penalties.

4. Develop a Consumer Request Response System

The CCPA gives companies a period of time to respond to consumers’ requests for the personal information collected about them. If your company doesn’t have a response system in place and can’t produce the requested information as allowed by law, then you may not be able to respond adequately within that timeframe. Again, your business could face costly lawsuits and penalties as a result.

It’s essential that your business develops a consumer request response system, and as much of that system as possible should be automated. Imagine if you get 10 or 100 requests within a month. If systems aren’t automated, your business may not be able to respond to all of those requests in time and could get into a lot of trouble – legally and financially.

5. Create a Consumer Opt-Out System

Under the CCPA, California consumers have the right to opt out of third-party trackers and advertising technologies. As such, you need to fully understand all technology used on your website, mobile applications, and so on.

You also need to create a consumer opt-out system so consumers can opt out of tracking at any time. Like your consumer request response system (see #4 above), your consumer opt-out system should be automated to the extent possible. While this will include a higher cost today for development and implementation, you’ll save even more time and money later if you automate the system now.

6. Update Privacy Policies

Your cannabis business’ privacy policies need to be updated in order to comply with the CCPA. Keep in mind, updating privacy policies refers to updating both internal and external privacy policies and notices.

In other words, this legal requirement doesn’t just apply to the privacy policy published on your website. It also refers to privacy-related policies, disclosures, and notices used throughout your business.

7. Develop Legal and Regulator Response Workflows

How will your company respond if a regulator requests information about your CCPA compliance processes? What if a consumer files a civil action against your cannabis business related to their personal information under the CCPA? Both could happen at some point in time, so you need workflows in place to streamline the response process, including automating systems to the extent possible.

Your cannabis business’ compliance leader (see #2 above) should oversee the response process, but all employees who have a role in collecting and providing the requested data need to understand what is expected of them. These workflows should include specific responsibilities and timelines.

8. Define Policies and Train Employees

Every cannabis business employee should be trained on the CCPA and understand its importance. They should fully understand their responsibilities and be trained on the workflows they’ll be expected to carry out in response to information requests from consumers, regulators, and court actions.

CCPA and privacy compliance training isn’t a one-time thing. As laws evolve and more states enact new privacy regulations, updated training will be required on an ongoing basis to ensure your cannabis business remains fully compliant at all times.

9. Review Third-Party Data and Service Providers for Compliance

If your company relies on service providers or third parties to provide, store, manage, or otherwise collect, share, sell, or distribute data with or on behalf of your business, then you need to review their CCPA compliance. In addition, contracts should be updated to address changes needed based on the CCPA regulations.

It’s imperative that your cannabis business audits service providers and third parties on an ongoing basis to ensure they continue to comply with the CCPA and all other federal and state privacy laws. This is a critical step that will reduce your company’s risk over the long term.

10. Monitor California and Other States’ Privacy Laws

Not only will the CCPA continue to evolve, but other states are modifying privacy laws to put consumers in control of how their personal information is used by companies. Again, you need the right compliance leader and team in place to continually monitor these laws, so your cannabis business can take action as required.

Key Takeaways about CCPA Compliance

Cannabis businesses need to take action now to ensure they’re fully compliant with the CCPA and CPRA in order to reduce the risks associated with noncompliance in the future. These 10 steps should help you get started. The key is to begin working on your company’s compliance strategy and implementation now if you haven’t done so already, because enforcement of the CCPA has already begun.

Enforcement of the CPRA doesn’t start until January 1, 2023, but it’s important to understand that the CPRA affects personal information collected on or after January 1, 2022. In other words, you don’t have two years to ramp up. You really only have one year to put the right systems in place to comply with the CPRA.

Businesses that rely on the Cannabiz Media License Database to generate leads and grow can rest assured that it’s already fully compliant with the CCPA. You can follow the link to learn more about how to ensure your email marketing and CRM comply with CCPA.

Schedule a demo of the Cannabiz Media License Database to see how it can help your business grow.

Originally published 3/24/20. Updated 12/4/20.
