Yesterday, California Governor Jerry Brown signed a new piece of privacy legislation—AB-2402—which places restrictions on how licensed cannabis companies in California share information about their customers.
AB-2402 is significant in that it prevents licensed cannabis businesses from sharing expansive categories of customers’ personal information with third parties—except in limited circumstances in connection with payments, or where a customer has consented to sharing his or her data with a third party. Notably, AB-2402 prohibits licensed cannabis businesses from discriminating against or refusing service to consumers who do not consent to disclosure of their personal information to third parties.
So what kinds of personal information is AB-2402 designed to protect? The bill incorporates the definition of “personal information” from existing California law, which includes a person’s first name or initial and last name in combination with a (1) Social Security number, (2) driver’s license number, (3) financial account number in combination with a security or access code, (4) medical information, or (5) health information. “Personal information” can also include a username or email address in combination with a password, or with a security question and answer that would permit access to an online account.
AB-2402 is also significant in that it expands the legal definition of “medical information” in the cannabis context to include medical marijuana identification cards, which also cannot be disclosed except as noted above (and also to certain government officials if necessary to perform certain official duties). In fact, AB-2402 goes so far as to deem licensed cannabis businesses that receive medical marijuana identification cards to be providers of health care—but only for purposes of the Confidentiality of Medical Information Act—which could subject businesses to penalties for improper use or disclosure of information.
The law is welcomed by many privacy advocates, including the Electronic Frontier Foundation, which cited surveys by Politifact finding that a number of cannabis dispensaries kept broad categories of customer information. It is understandable why privacy advocates support stronger consumer rights in the cannabis industry. Cannabis is, after all, still illegal at the federal level, and so it is not difficult to imagine why customers would want their information to be kept under lock and key.
At the same time, compliance with this new privacy law may appear difficult to cannabis companies. That said, the law is not a totally new concept—California already requires companies (and not just cannabis companies) to provide notification to affected individuals in the event that similar information is acquired by a third party without authorization. AB-2402 simply modifies and expands existing obligations to encompass almost any kind of third-party information sharing.
Complying with AB-2402 will likely require companies to take stock of and retool their data security and sharing practices, and to retrain employees. This is not an impossible task, but it’s one that companies should place at the top of their agenda. After all, California is the state with (arguably) the most intense focus on protecting citizens’ personal information.
AB-2402 was only just signed, and its text does not identify when it takes effect. We’ll keep you posted on any updates.