CCPA and CPRA Compliance: What Cannabis Companies Must Do Now
Enforcement of the California Consumer Privacy Act (CCPA) began on July 1, 2020. The CCPA gives California residents far more control over how businesses use their personal information. As a result, all companies have had to review their data, systems, and processes to ensure they are fully compliant with the new laws.
It wasn’t until Friday, August 14, 2020, that the Attorney General announced that the rules implementing the CCPA had been approved and were effective immediately. However, compliance with the CCPA became more confusing for businesses, as the enforcement provisions in some cases went beyond the requirements of the CCPA itself.
The story wasn’t over yet, however. In fact, compliance issues were just beginning.
In October 2020, California Governor Gavin Newsom signed two amendments to the law. AB 1281 extended some exceptions for employee data and B2B (business-to-business) data that were previously set to expire on January 1, 2021. AB 713 amended the CCPA’s exemptions for medical information and privacy in healthcare.
But that was not all. Fast forward to November 2020 and things got even more confusing.
On November 3, 2020, California voters passed Proposition 24, the California Privacy Rights Act of 2020 (CPRA), or what some call CCPA 2.0. The CPRA won’t go into effect until January 1, 2023, but it brings with it even more changes that businesses must adhere to, including:
- New definition of a covered transaction
- Additional language for sharing data
- Additional consumer rights
- New rules for a category “confidential personal data”
- New definition of “consent”
- Changes to the definition of “service provider”
- Extended private right of action in the event of data protection violations
- New disclosure requirements
- Removal of the 30-day cure period
- Extended exceptions for employee and B2B data
- California Privacy Protection Agency founded
- And more
Every business, including cannabis companies, should understand the current requirements of the CCPA and the provisions of the CPRA. Now is the time to review and revise your policies and procedures.
For some companies, complying with these laws is a huge task, but the risk of non-compliance – in terms of lawsuits and fines – is just too great to be ignored. Below are 10 initial steps cannabis companies can take to comply with the CCPA.
1. Define a CCPA compliance budget
Your cannabis business’s CCPA compliance budget will depend on a number of factors. The important thing is that you consider hiring new employees to manage compliance today and on an ongoing basis. In addition, you will need to train employees to follow new workflows in order to meet the requirements of the CCPA.
While most of your budget will be used in the short term to bring your business into line with the new regulations, you will also need to invest in ongoing compliance monitoring. The CCPA is likely to evolve, and other states are already stepping up efforts to pass stronger data protection laws.
2. Hire key employees
If your company doesn’t already have a compliance expert on staff, now is the time to hire one. In addition, you will need experienced security personnel to make the necessary changes to your company’s website, systems, etc.
The key is to have someone responsible for leading compliance efforts in your company, including CCPA compliance. Typically, this person is at an executive level and may have a manager and other professionals (or consultants) to assist them. Depending on the size of your business, regulatory compliance can require a whole team of people.
3. Develop data mapping and retention processes
Data governance is an important part of CCPA compliance for your cannabis business. You need to have processes in place to determine how personal information is collected, how it is categorized, how it is stored, where it is stored, how it is protected, and how your business will prevent that information from being illegally shared, sold, or distributed.
The CCPA contains a provision that states that businesses must be able to provide consumers who request their personal information with any information collected within the timeframe permitted by law. If your organization does not have a process for identifying and associating personal information with its sources, responding to these requests can be extremely time-consuming or even impossible. Indeed, if your processes are inadequate, your cannabis business could face lawsuits and penalties.
4. Develop a consumer request response system
The CCPA gives companies a period of time to respond to consumer requests for the personal information they collect about them. If your company does not have a response system in place, you may not be able to provide the requested information within the timeframe permitted by law. Again, your company could face costly lawsuits and penalties.
It is important that your company develops a system for responding to customer inquiries. Much of this system should be as automated as possible. Imagine receiving 10 or 100 inquiries within a month. If systems are not automated, your company may not be able to respond to all of these requests in a timely manner and could run into great legal and financial difficulties.
5. Create a consumer opt-out system
Under the CCPA, California consumers have the right to disable third-party trackers and advertising technologies. Therefore, you need to fully understand all of the technologies used on your website, mobile applications, etc.
You also need to set up a consumer opt-out system so that consumers can turn off tracking at any time. Like your system for answering customer inquiries (see No. 4 above), your opt-out system should be automated as much as possible. While this increases development and implementation costs today, you will save even more time and money later by automating the system now.
7. Develop workflows for legal and regulatory action
How will your company react if a regulator requests information about your CCPA compliance processes? What if a consumer files a civil lawsuit against your cannabis business related to their personal information under the CCPA? Either can occur at some point. Workflows are therefore required to streamline the response process and automate systems as much as possible.
Your cannabis company’s compliance manager (see No. 2 above) should oversee the response process, but all employees who have a role in collecting and providing the requested data need to understand what is expected of them. These workflows should contain specific responsibilities and schedules.
8. Define guidelines and train employees
Everyone in the cannabis business should be trained in and understand the importance of the CCPA. They should fully understand their responsibilities and be trained in the workflows they should perform in response to requests for information from consumers, regulators, and legal proceedings.
CCPA and privacy compliance training is not a one-time thing. As laws evolve and more states pass new data protection regulations, continuously updated training is required to ensure that your cannabis business remains fully compliant at all times.
9. Check third-party data and service providers for compliance
If your company relies on service providers or third parties to provide, store, manage, or otherwise collect, share, sell or distribute data with or on behalf of your company, you must verify their CCPA compliance. In addition, the contracts should be updated to reflect changes required by the CCPA regulations.
It is imperative that your cannabis business keep reviewing service providers and third parties on an ongoing basis to ensure they are continuing to comply with the CCPA and all other federal and state data protection laws. This is a critical step that will reduce your company’s risk in the long run.
10. Monitor the privacy laws of California and other states
Not only will the CCPA evolve, but other states are changing data protection laws to give consumers control over how their personal information is used by businesses. Again, you need the right compliance leader and team to continuously monitor these laws so your cannabis business can take action if necessary.
Key Findings on CCPA Compliance
Cannabis companies need to take steps now to ensure they are fully compliant with the CCPA and CPRA in order to reduce the risks associated with non-compliance in the future. These 10 steps should help you get started. The key is to start working on your company’s compliance strategy and implementation now, if you haven’t already, since enforcement of the CCPA has already started.
Enforcement of the CPRA will not begin until January 1, 2023, but it is important to understand that the CPRA will affect personal information collected on or after January 1, 2022. In other words, you don’t have two years to ramp up. You really only have a year to put in place the right systems for CPRA compliance.
Companies that rely on the Cannabiz Media License Database to generate and grow leads can rest assured that it is already fully compliant with the CCPA. You can follow the link to learn more about how to make sure your email marketing and CRM are CCPA compliant.
Originally published on 3/24/20. Updated on December 4th, 2020.