clipart rubix cube on green background with shadow

Consumer Privacy, California Cannabis and CCPA Deletion Requests

Griffen Thorne

clipart rubix cube on green background with shadow

The California Consumer Privacy Act (CCPA) took effect at the beginning of the year. CCPA is a massive privacy law similar in scope to the European Union’s infamous General Data Protection Regulation, and applies to many businesses (not just cannabis businesses) that are based in or even “do business” in California. I wrote about the thresholds for whether CCPA applies here, and the moral of the story is that the bar can be pretty low when it comes to application of the law.

For businesses that are subject to CCPA, compliance can be rough. One of the hallmarks of the law is that it provides California consumers with many new rights that they can exercise with respect to businesses that hold the consumers’ personal information. These rights include things like a right to direct a business not to sell consumer personal information, a right to know specifically what kinds of personal information a business collected, and importantly for this piece, a right to request that businesses delete personal information of the consumer.

The deletion right is what I want to focus on today. Per CCPA regulations, businesses that receive deletion requests must confirm receipt within a short period of time, and then respond to the request within 45 days from the date of receipt (in some cases, this can be doubled to 90 days). Businesses can use various methods to confirm that the person making the request is actually the person whose information is going to be deleted (I could write an entire post just on verification). At the end of the process, the business will be required to delete personal information unless there is an exception, which I will discuss below.

Deletion requests can be pretty significant for covered businesses. Such businesses may need to purge marketing or other key information that is otherwise valuable. The deletion process itself can also be time consuming and expensive (especially for small businesses that may not have a dedicated compliance team). However, when it comes to cannabis businesses, it’s possible that there may be many grounds to retain information.

CCPA makes clear that covered businesses may have the right to reject a deletion request if is necessary for the company or its service provider to:

  1. Complete the transaction for which the personal information was collected, fulfill the terms of a written warranty or product recall conducted in accordance with federal law, provide a good or service requested by the consumer, or reasonably anticipated within the context of a business’ ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer.
  2. Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity.
  3. Debug to identify and repair errors that impair existing intended functionality.
  4. Exercise free speech, ensure the right of another consumer to exercise that consumer’s right of free speech, or exercise another right provided for by law.
  5. Comply with the California Electronic Communications Privacy Act pursuant to Chapter 3.6 (commencing with Section 1546) of Title 12 of Part 2 of the Penal Code.
  6. Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the business’ deletion of the information is likely to render impossible or seriously impair the achievement of such research, if the consumer has provided informed consent.
  7. To enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business.
  8. Comply with a legal obligation.
  9. Otherwise use the consumer’s personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.

These incidents are incredibly broad and can apply to a broad array of information. But number 8 is pretty significant for cannabis businesses. In interpretive materials issued in coordination with the CCPA regulations, the CA Attorney General staff noted that:

This clarification is not necessary because [the section cited above] sets forth when a business shall not be required to comply with a consumer’s right to delete, which includes when they must maintain the information to comply with a legal obligation. Civil Code § 1798.145(c) also sets forth that the CCPA shall not restrict a business’s ability to comply with federal, state, and local laws, among other things. Further, Civil Code § 1798.196 states that it is intended to supplement federal and state law, if permissible, but shall not apply if such application is preempted by, or in conflict with, federal law of the United States or California Constitution.

Unpacking this interpretation, it appears likely that licensed cannabis businesses that are obligated under the state Medicinal and Adult-Use Cannabis Regulation and Safety Act (“MAUCRSA”) and corresponding regulations to maintain certain categories of consumer personal information may be exempted from deleting that information. Here are two good examples:

  1. Retail cannabis companies are required under Bureau of Cannabis Control (BCC) regulations to maintain video security footage for 90 days or more, and are required to use cameras capable of recording facial features in the retail sales area. This may constitute “biometric” information under CCPA (which is defined to include “imagery of the . . . face”) and therefore may be considered personal information under CCPA.
  2. Cannabis delivery companies are required to maintain records that would allow the BCC to figure out every person to whom they delivered cannabis. It appears that this obligation is for 7 years. This information would undoubtedly contain personal information.

To the extent that cannabis businesses are required by law to maintain personal information, they may be able to use that as a shield to complying with data deletion requests. This is a vast oversimplification. As one would expect, it is not always clear whether (1) something constitutes personal information, and (2) there is an actual legal obligation to maintain that information. Businesses that receive deletion or other CCPA requests must consult with privacy professionals or attorneys to determine the scope of requests. Failure to properly respond can lead to significant penalties.

Share

Griffen Thorne

Griffen is an attorney in Harris Sliwoski’s Los Angeles office, where he focuses his practice on corporate, transactional, intellectual property, data security, regulatory, and litigation matters across a wide variety of domestic and international industries.

Harris Sliwoski Attorney Read more posts
Read More

California, Data / Cyber

Related Posts

cannabis investment

Foreign Investment in U.S. Cannabis: Five Key Considerations
missouri cannabis social equity

Missouri Revokes Nine Social Equity Licenses
Magnifying glass focusing on a document titled "cannabis contract" with an authority's cannabis leaf symbol in the background.

Cannabis Contracts 101: Authority and Why it Matters
The supreme court building of Florida illuminated in green light against a twilight sky.

Florida Court OK’s Canna Initiative
cannabis industry

Saving Oregon’s Cannabis Industry
Washington

Cannabis Just Got A Little Greener in Washington
cannabis industry

California’s Cannabis Industry Conundrum and the Road Ahead
injunction

California Cannabis Litigation: Threats of License Loss and Injunctions
Promotional material for a webinar on buying or selling a cannabis business hosted by harris sliwoski law firm with speakers griffen thorne, vince sliwoski, and andy shelley scheduled for april 17, 2024.

FREE Webinar: How to Buy or Sell a Cannabis Business | April 17th
Arizona

Arizona Cannabis: From Social Equity Approval to Corporate Cannabis
LOI

How LOIs Can Go Horribly Wrong
A digital button with a replay icon and the text "reply the webinar" depicted in a soft, minimalist style.

Cannabis Loans and Investments | The Webinar Replay 
hb 4121 mortatorium

Oregon Cannabis License Moratorium: Almost There
washington cannabis

Washington May Raise the Minimum Age for High THC Cannabis Purchases
cannabis cultivator

California Allows Cannabis Cultivators to Reduce License Sizes