california cannabis indemnity
Don’t skim over that indemnification clause!

Coming from Seattle to Los Angeles, I’ve already seen one state flip from being a “gray medical cannabis state” to a fully regulated licensing system and I understand how painful a process this can be. So much of what I saw in Washington State is now happening in California.

In California today, folks are jockeying for operational licenses on the state and local levels under MAUCRSA and “the cream” is rising to the top, just as it did in Washington. One-to-two-person shops and mom and pop operators are feeling the financial pinch of licensing costs and compliance woes. The secondary market for buying cannabis businesses is also beginning to open up as cities and counties solidify and stick with their local cannabis entitlement programs. Transactions between cannabis licensees are becoming increasingly sophisticated, from IP licensing agreements, to distribution agreements, to white labeling agreements, to purchase and sale agreements for inventory.

And just as happened in Washington State at the onset of legalization there, we are seeing many cultivators and manufacturers overpromising on what they can deliver, more often due to overconfidence as to dishonesty. In legal terms, this means we are also seeing cultivation and manufacturing licensees, and distributors agreeing to indemnify retailers and other licensees for everything under the sun, quite often to their own detriment. Even though the cannabis industry is maturing rapidly in California, many are still using boilerplate or Google-discovered or Legal Zoom and Rocket Lawyer contracts for these very serious transactions. This use of bad template documents (most of which are modified little if at all for the realities of the cannabis industry) has got to stop, or cannabis licensees will soon find themselves embroiled in costly and counter-productive disputes/litigation.

And that brings me to the crux of this post, which is one of the most important “boilerplate” contract provisions that absolutely must be tailored for a California cannabis contract: indemnification. What, exactly, is indemnification? It’s when one party (the “indemnitor”) agrees to hold harmless and compensate the other party (the “indemnitee”) for losses suffered by the indemnitee.

Many cannabis sellers in California are far too willing to indemnify third parties for things completely out of their control, like lab results, changes in regulations that may affect the other party’s operations, and unforeseen conduct by users of the cannabis product. These blanket indemnification provisions are creating liability and exposure.

In the past month or so, many cannabis companies have come to us (both in Los Angeles and in San Francisco) with poorly drafted, irrelevant or nonsensical indemnification provisions and agreements from cannabis sellers. So, what makes for a good indemnification provision in a cannabis contract?

A preliminary question should be the breadth of the indemnification. If you are the seller and you want to protect yourself, you should tailor your indemnification to what makes sense and to what you can afford. You do not want something like the following (which is being used fairly often in California these days by inexperienced lawyers and lawyerless companies):

“The Indemnitor agrees to indemnify, defend, and hold harmless the Indemnitee, its officers, directors, employees, owners, agents, assigns, and affiliates (collectively, the “Indemnified Parties”) from and against any and all claims, liability, loss, expenses, suits, damages, judgments, demands, and costs(including reasonable attorneys’ fees and expenses) (each a “Claim”) arising out of any accident, injury, or death to persons, or loss of or damage to property, or fines and penalties which may result, in whole or in part, by reason of the use or sale of any Product, or its packaging, except to the extent that such damage is due solely and directly to the gross negligence or willful misconduct of the Indemnified Parties and that the Indemnified Parties, or any of them, were acting in bad faith.”

This sort of provision is a bad idea for any cannabis seller. It means that seller will be liable to the buyer for just about anything that could go wrong–anywhere, for anyone–from the product. No one wants to be on the hook for things they cannot control.

Here are a few important things to consider when crafting a cannabis indemnification term:

  • Both the cannabis seller and buyer need to focus on what kinds of losses will or will not be covered by indemnification. If I’m the seller, I’m going to want to exclude incidental, punitive, and indirect damages even if foreseeable. If I’m the cannabis buyer, I’m going to want to include at least incidental damages and foreseeable indirect damages.
  • It is both unusual and risky for a seller to agree to indemnify a party indefinitely, and yet this too has become common in California. If you are the seller, make sure your indemnity agreement or provision has an end date.
  • Your indemnification agreement or provision should include a protocol for making indemnification claims to the indemnifying party. The boilerplate indemnification provisions and agreements we are seeing typically never even mention any claim deadline or claim notice requirements. As the cannabis seller you should, at minimum, address these two issues in your indemnification provision or agreement.
  • If the indemnification is mutual, and captures reciprocal indemnification obligations in the same paragraph or contract section, ask yourself “why?” Putting the same parameters around indemnification for both parties often makes no sense, because each party has a different role in the business relationship. Consider separating the indemnity obligations and applying tailored language for each party, as appropriate for that party’s role in the transaction.
  • Finally, can you just cross it out? If you have deal leverage, and someone presents you with an indemnification provision (particularly an onerous one), you may be able to get rid of it altogether. Sometimes, you can convince the other party to give you everything they need to feel comfortable through appropriate representations and warranties.

There are certainly very good and reliable stock indemnification provisions in most contracts, and there’s a reason for that boilerplate in that it’s time-tested and mostly appropriate for more standard business agreements. However, be sure that whatever you’re putting into your cannabis contracts on indemnification is tailored to your specific situation. If not, you could find yourself holding the bag on way more than what is fair — let alone what you expected or can afford.

california cannabis marijuana privacy policy
No longer optional for your canna business website.

Unless you’ve been living under a rock for the past few months, you’ve probably read about the host of sweeping new laws in California, like its new Internet of Things law, cannabis privacy law, or net neutrality law, to name just a few. California has long been regarded a trailblazer when it comes to making people who are outside of California do things to comply with California law. So it probably comes as no surprise that website operators outside of California may need to comply with a privacy policy law in California: the California Online Privacy Protection Act.

Pursuant to this law, any business that owns or operates a website that advertises to, services, or in many cases is simply accessible by California residents will almost certainly need to conspicuously post (and—importantly—actually follow) a privacy policy containing statutorily defined disclosures. This requirement applies when a website collects “personally identifiable information” about California consumers, including first and last name, home or other address, email address, telephone number, Social Security number, or any other information that would permit a person to contact a website user (either physically or online). Moreover, a policy may be required even for businesses located in distant areas of the United States just by virtue of the fact that its website can collect this information.

If a company fails to create or adhere to a privacy policy and does so either intentionally or in a material and negligent way, that company may be in violation of the law. The law does state that website operators will not be in violation until 30 days after being notified that their website does not contain a privacy policy, but it does not specify where notification can come from (i.e., the state or any source), which means that reliance on this window may be risky. The law is enforced by the California Attorney General, with penalties of up $2,500 per violation. These penalties could be a severe for businesses that offer mobile apps, as the California Attorney General has taken the position that a new (potentially $2,500) violation occurs each time a non-compliant app is downloaded.

You may be wondering how this applies to your cannabis business. The fact is that there are numerous ways in which even seemingly passive websites collect protected information from and about users. Even if your website does not sell any products, it may include “Contact Us” or mailing list subscription portals which collect protected information. If your website sells or ships any sort of product, it may collect at least some protected information. Even if your business has not collected information about any California residents in the past but simply could do so, the mere possibility may mean it needs to comply.

Furthermore, there are other good business and legal reasons to post and adhere to a privacy policy. Customers appreciate when businesses are transparent about their privacy practices. For obvious reasons, ensuring that cannabis customers’ privacy is maintained is important. Additionally, in the event of a data breach which requires notification to state or federal authorities, the fact that a company took steps to maintain customer privacy may be important considerations in determining if any enforcement actions should be taken.

The good news is that, unlike some laws or regulations that cannabis companies face, California’s privacy policy law is relatively straightforward in that it specifies what a company needs to disclose in a privacy policy and how that policy needs to be displayed on a website. That said, ensuring that a privacy policy accurately describes a company’s current and future privacy practices can be a challenge, and inaccurate or gratuitous statements in a privacy policy could expose a company to additional liability. In other words, a policy needs to be tailored to a company’s specific practices, and so copying language from other privacy policies could cause even more trouble for a company.

Cannabis companies have enough to worry about. They shouldn’t add to the problem by failing to address privacy or data security laws. A good place to start is engaging counsel to draft a comprehensive privacy policy. After all, at least according to California, one is required.

oregon marijuana cannabis data securityLast week we discussed the data breach notification laws with which cannabis companies doing business in Oregon must comply following a cyber intrusion. Today, we discuss the safeguards these companies must adopt to protect the security, confidentiality and integrity of customers and employee (collectively, “Consumer”)’s personal information, who reside in Oregon.

Pursuant to Oregon Revised Statutes (“ORS”) § 646A.622 any business that “owns, maintains or otherwise possesses, and has control over or access to,” written and electronic data that includes personal information used for business purposes, must develop, implement, and maintain reasonable safeguards to protect the personal information.

Generally, “personal information” means a Consumer’s first name or first initial and last name in combination with, for example, a Consumer’s social security number, driver license number or financial account information, if (1) encryption, redaction or other methods have not rendered the data element or combination of data elements unusable; and (2) the data element or combination of data elements would enable a person to commit identity theft against a consumer.

The company must act in accordance with this law by:

(1) Complying with:

  • State or federal laws with greater protections for personal information than ORS § 646A.622;
  • Gramm-Leach-Billey Act as of January 1, 2016 as of June 2018, if the company is subject to this act; or
  • Requirements of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) as of June 2018, if HIPAA applies to the company;

and

(2) Implementing a security program that includes:

Administrative Safeguards, such as:

  • Frequently identifying reasonably foreseeable internal and external risks;
  • Frequently training and managing employees in security program practices and procedures; and
  • Selecting service providers that are capable of maintaining appropriate safeguards and adhering to procedures and protocols to which you and the service provider agree, but also requiring the service providers by contract to maintain the safeguards, procedures and protocols.

 Technical Safeguards, like:

  • Assessing risks and vulnerabilities in network and software design;
  • Taking reasonably timely action to address the risks and vulnerabilities; and
  • Applying security updates and a reasonable security patch management program to software that might reasonably be at risk of or vulnerable to a breach of security;

and

 Physical Safeguards, including but not limited to:

  • Monitoring, detecting, preventing, isolation and responding to intrusions timely and frequently; and
  • Disposing of personal information after you no longer use it for business purposes, pursuant to local, state and federal law.

So what does all of this mean? Simply put, business owners with 100 or fewer employees (which includes almost all Oregon cannabis businesses), will comply with these statutory requirements if their information security and disposal program contains administrative, technical and physical safeguards and disposal measures that are appropriate to: (1) the size and complexity of their business; (2) the nature and scope of their activities; and (3) the sensitivity of the personal information collected from or about a Consumer.

Cannabis business should take these safeguard standards seriously. Each violation if subject to a penalty of up to $1,000. Note that each day of a continuing violation is a separate violation, but the maximum penalty for any occurrence is $500,000. Civil penalties under ORS § 183.745 may also apply.

Complying with ORS § 646A.222 is not only required by law, it is also a very good idea for all cannabis business. Indeed, developing a vetted, comprehensive plan of action is the best way to effectively respond to an attack and to reduce the amount of damage to your company. Be safe out there!

noncompete marijuana cannabis
Noncompetes aren’t always enforceable.

Marijuana has been legal in Oregon for about three years now. Employees with specialized skills are starting to jump ship and head to competitors. What do you do, as an employer, if a candidate for employment shows you a non-competition agreement they signed with their former employer? Typically, the former employer will go after the employee to enforce the non-competition agreement, but the former employer may seek an injunction against your business to prohibit you from hiring the candidate.  Is there a way around this? Perhaps.

First, you should consider whether the non-competition agreement is enforceable. As we’ve previously discussed, non-competition agreements in Oregon are highly disfavored. Non-competition agreements in Oregon are only enforceable if the employee was making at least the median income of a family of four at the time of termination and the employee was given the non-competition agreement at least two weeks prior to the commencement of employment, or if the non-competition agreement was entered into as a part of a bona-fide advancement with the employer. If these factors are not met, the agreements are not enforceable.

However, this does not automatically invalidate the agreement. The Oregon Court of Appeals ruled in Bernard v. S.B., Inc. that the employee must take affirmative steps to invalidate or void the obligation of the non-competition agreement. Meaning, they need to send a written notice to the former employer that they intend to void the agreement. Have an attorney review the agreement to determine if its enforceable in the first place, if it’s not, it may be easy for the potential employee to void the agreement and make it safe for you to hire the individual.

Second, some employees may have entered into non-competition agreements in other states. Those agreements may be entirely enforceable under choice of law provisions in the agreements. What then? It’s time for negotiation skills. Some companies may not want to deal with the hassle of attempting to enforce a non-competition agreement and may agree to sign a waiver releasing the former employee from their obligations under the agreement. Others may truly want to enforce the non-competition agreement and refuse to release the employee from the agreement. At that point, you may want an attorney on your side to review the non-competition agreement and see if there is a way to avoid violating it. Perhaps the agreement only prohibits the employee from working with edibles, but you plan on utilizing the employee’s skills to clone plants, for example. Further, an attorney may be able to work with the former employer to convince them to waive the non-competition agreement.

Non-competition agreements can be a good tool to protect your investment in your employees and to protect trade secrets. Alternatively, they can be a pain when you are attempting to hire. Whatever side you’re on, it’s always best to have an attorney on your side to review the agreement and ensure your company is protected to the fullest extent.

california cannabis data privacy
California is taking steps to safeguard canna consumers.

Yesterday, California Governor Jerry Brown signed a new piece of privacy legislation—AB-2402—which places restrictions on how licensed cannabis companies in California share information about their customers.

AB-2402 is significant in that it prevents licensed cannabis businesses from sharing expansive categories of customers’ personal information with third parties—except in limited circumstances in connection with payments, or where a customer has consented to sharing his or her data with a third party. Notably, AB-2402 prohibits licensed cannabis businesses from discriminating against or refusing service to consumers who do not consent to disclosure of their personal information to third parties.

So what kinds of personal information is AB-2402 designed to protect? The bill incorporates the definition of “personal information” from existing California law, which definition includes a person’s first name or initial and last name in combination with a (1) Social Security number, (2) driver’s license number, (3) financial account number in combination with a security or access code, (4) medical information, or (5) health information. “Personal information” can also include a username or email address in combination with a password, or with a security question and answer that would permit access to an online account.

AB-2402 is also significant in that it expands the legal definition of “medical information” in the cannabis context to include medical marijuana identification cards, which also cannot be disclosed except as noted above (and also to certain government officials if necessary to perform certain official duties). In fact, AB-2402 goes so far as to deem licensed cannabis businesses that receive medical marijuana identification cards to be providers of health care—but only for purposes of the Confidentiality of Medical Information Act—which could subject businesses to penalties for improper use or disclosure of information.

The law is welcomed by many privacy advocates, including the Electronic Frontier Foundation, which cited surveys by Politifact which had found that a number of cannabis dispensaries kept broad categories of customer information. It is understandable why privacy advocates support stronger consumer rights in the cannabis industry. Cannabis is, after all, still illegal at the federal level, and so it is not difficult to imagine why customers would want their information to be kept under lock and key.

At the same time, compliance with this new privacy law may appear difficult to cannabis companies. That said, the law is not a totally new concept—California already requires companies (and not just cannabis companies) to provide notification to affected individuals in the event that similar information is acquired by a third party without authorization. AB-2404 simply modifies and expands existing obligations to encompass almost any kind of third-party information sharing.

Complying with AB-2402 will likely require companies to take stock of and retool their data security and sharing practices, and to retrain employees. This is not an impossible task, but it’s one that companies should place at the top of their agenda. After all, California is the state with (arguably) the most intense focus on protecting citizens’ personal information.

AB-2402 was only just signed, and its text does not identify when it takes effect.  We’ll keep you posted on any updates.

marijuana california cannabis L.A.
Be careful! It’s easy to slip up under Proposition M.

I’ve written in the past about the precarious business of buying and selling existing dispensaries in Los Angeles, but that was under the now repealed Proposition D. In March of 2017, Angelenos voted in favor of Proposition M, which is a licensing and regulatory piece of legislation implemented and overseen by the City’s Department of Cannabis Regulation (“DCR”) and the Cannabis Regulation Commission. Under Prop. M, the City is licensing cannabis businesses in three phases, the first of which was exclusively for “Existing Medical Marijuana Dispensaries” (EMMDs). EMMDs are basically grandfathered Prop. D/Pre-ICO operators that met certain compliance criteria set forth by the City under Prop. M. As of the writing of this post, there are only 163 EMMDs in the entire City. This low number of dispensaries in potentially the largest cannabis market in the world makes the secondary market for these storefronts incredibly hot. So much so that our Los Angeles cannabis lawyers are receiving term sheets for the purchase of EMMDs on an almost bi-weekly basis. And based on that experience, it’s time to update readers on what to look for when contemplating the purchase of an EMMD, which is no small task under the City’s new laws.

Running due diligence on dispensaries in Los Angeles is massively important. The reason being (in addition to normal M & A due diligence) is that the City still has many, many illegal operators (though the City Attorney is doing his best to shut down those operations as fast as possible). Therefore, it’s not a stretch that an “LA dispensary” would try to take a buyer for a ride on a sale when, in reality, that dispensary is 100% illegal, making the purchaser a sitting duck.

In turn, here are the major bases to cover when buying an EMMD in the City of LA under Prop. M:

  1. Is the dispensary even on the City’s EMMD list? The DCR has done a fantastic job of continually updating its EMMD list on its website. Checking that list is the very first step for any reliable due diligence. If the dispensary is not listed, ask the sellers why that’s the case. At this point, with the window for EMMD licensing closed, failure to appear is going to be a huge and fatal red flag that’s fatal unless the selling dispensary can provide viable proof that they are in valid pursuit of EMMD status from the DCR or appealing a DCR denial of EMMD status,
  1. Licenses are not transferable. Many people don’t realize that commercial cannabis licenses are not transferable under California State law. The same goes for commercial cannabis licenses in the City of L.A.—they cannot be bought and sold as individual assets; only the entity that holds them can change owners (meaning, you’re looking at purchasing the company that holds the license). Therefore, any EMMD that’s trying to sell you one of its licenses (or one of its future licenses) is not recognizing that it can only sell its membership interests or stock, and not the licenses themselves, under state and L.A. laws and regulations.
  1. What entity type is the EMMD? Assuming your target EMMD is on the City’s EMMD list and the EMMD understands that it can only engage in an entity purchase and sale, the next question is whether the EMMD is organized as a non-profit or a for profit company. If the EMMD was in compliance with Prop. D, it’s most likely some form of a non-profit corporation (most often a non-profit mutual benefit corporation (“NPMBC”), stemming from 2008 State Attorney General guidelines regarding compliance with the Compassionate Use Act of 1996 under which the sale of medical cannabis for profit is not permitted). This obviously creates an issue where a non-profit has no equity that can be legally bought and sold, and individual NPMBC directors taking buyer purchase money undoubtedly violates the California corporations code in a multitude of ways. In turn, part of the EMMD purchase will entail some form of “conversion” to a for profit entity to ensure that future membership interests or stock can be sold off. Luckily, NPMBCs and non-profits in general in California can “convert” to for profit corporations and, from there, into whatever other for profit entity the controlling interests so decide. To “convert” though, unless the NPMBC’s bylaws specify otherwise, a vote of the entire “membership” (i.e., potentially all of the medical cannabis patient members) of the non-profit may be required in order to convert. And do not forget that a lot of dispensaries in L.A. may have made significant mistakes when putting together their bylaws so that a “conversion” vote may not even be possible without exposing the purchaser to significant successor liability from the NPMBC’s “members”. Also, don’t forget that the old corporate and tax sins of the NPMBC may haunt the new entity, so secure the appropriate representations, warranties, and indemnities accordingly.
  2. EMMD conversion is permitted outright in LA with a catch. Once you have the general conversion plan sorted in your term sheet, you have to deal with conversion under local law. In L.A., “. . . a change from non-profit status to for-profit status by an EMMD is exempt from [having to seek DCR approval] if no other ownership change is made in accordance with Proposition D’s ownership rulesand notice is provided to DCR within five business days. This exemption is not available after a License is issued.” This means that while EMMDs maintain a temporary license from the DCR to operate, EMMDs can convert from non-profits to for-profits without having to secure DCR approval so long as: 1) The original directors remain the “owners” and 2) The DCR gets 5 business days’ notice of the corporate change over. In turn, even if the entity can be converted, purchasers cannot immediately take over the EMMD unless the EMMD and the new owners are ready to complete all of the steps at point 6 below.
  1. EMMD status stopped in Phase 1. A lot of our clients have been pitched by several EMMDs on the alleged fact that EMMDs will get special treatment for the receipt of additional retail licenses in L.A.. This is not correct. All retailers in L.A. can receive and run up to three retail licenses total (including Type 9 delivery only retail). In phase 1 licensing, which was for EMMDs only and which has come and gone forever, if an EMMD only applied for a single retail license in that “Priority Processing” phase, they must wait until phase 3 for additional retail license application (which is the general public licensing phase). Regarding phase 3, the City has never said when it will open and it’s anyone’s guess as to when that window will commence, but it’s unlikely to happen in 2018 given the slower pace of licensing in LA. In any event, if EMMDs want more retail licenses (for which they did not apply when phase 1 was open), they’ll have to get in line like everyone else in phase 3.
  2. Phase 3 may be a dead end. Per point 5 above, if part of your purchase agreement is that the EMMD status will help you secure additional retail licenses in phase 3, you really need to be careful with that performance obligation. In phase 3, the City is already obligated under Prop. M to issue retail licenses to social equity applicants on a 2-to-1 basis relative to other general public (non-social equity) applicants. Since over 160 EMMDs already exist in L.A., this means that before even a single retail license issues to a general public (non-social equity) applicant, the City must first issue over 300 retail licenses to social equity applicants. Couple that with the fact that Los Angeles has undue concentration caps for retail licenses and the writing is on the wall that retail licensure may not be possible for non-social equity general public applicants in phase 3, and that includes for non-social equity EMMDs seeking additional retail licenses.
  1. This ain’t your daddy’s M & A. Mergers and acquisitions in regulated industries are a different animal because the transaction has to fit with regulatory vetting and approval before anything really becomes effective between the parties. Cannabis M & A is no different and, in fact, is probably worse since it’s an emerging industry and because commercial cannabis activity remains federally illegal. Once a California cannabis business has its annual license, if it wants to sell its membership interests or stock to bring in a disclosable “owner” (i.e., among other things, anyone or any entity that owns 20% or more in equity), it will first need to seek approval from the state agency that issued it its licenses. That’s not uncommon in states with robust cannabis regulations. What people may not know, though, is that the DCR also wants to know about changes in ownership and has full authority to reject the change request based on its scrutiny of the incoming owners. Specifically, in LA:

“A License is not transferable unless the change to the Licensee’s organizational structure or ownership is submitted to and approved by DCR. The Licensee shall complete a change of ownership application, pay all applicable fees and obtain the written approval of the change of ownership by DCR, pursuant to the Rules and Regulations . . .”

There are also specific increased requirements for changes of ownership for a social equity business set forth in the City’s Cannabis Procedures at section 104.20.

In any M & A term sheet and/or definitive purchase agreement for an EMMD in L.A., the parties have to take into account the requirement of first going through the DCR to have the transaction approved and they also need to address what happens in the event the new owners are, or the change of ownership request is, rejected by the DCR. The timeline for state and local government approval on these things is also both important and unpredictable, but should nonetheless be agreed to by the parties at the outset of the transaction to ensure success.

  1. Relocation is no picnic. In addition to their grandfathering, the EMMDs are not subject to undue concentration limits, and so long as they meet certain requirements they don’t have to comply with the Prop. M zoning and buffer requirements until 2022. However, if the EMMD relocates (which the DCR currently allows) or if it moves any of its other licenses from its original premises, it will lose the zoning and buffer exemptions. A good amount of the M & A we’re seeing includes a component that an EMMD with other licenses will either re-locate itself or some or all of its other licenses as part of the transaction. And a lot of that M & A completely fails to address the fact that upon such relocation the zoning and buffer grandfathering is lost. Be sure to address this grandfathering and/or the loss thereof if it’s part of your dispensary M & A goals in LA.

It’s not a stretch to say that selling and buying EMMDs in LA is not for the faint of heart. There are many important details that must be considered in any due diligence period and that must also be reflected in any viable purchase and sale agreement. So, do your homework and proceed with extreme caution.

california cannabis labeling prop 65
Don’t sleep on Prop 65!

Almost on a weekly basis, clients ask our California cannabis attorneys to review and provide advice and guidance on their packaging and labeling for their cannabis and cannabis products pursuant to California’s Medicinal and Adult-Use Cannabis Regulation and Safety Act (MAUCRSA). This means that our California cannabis attorneys have committed to memory the applicable packaging and labeling rules set forth under MAUCRSA and by the California Department of Food and Agriculture (CDFA) and the California Department of Public Health (CDPH). Between the two, CDFA deferred to CDPH on packaging and labeling for flower, and CDPH really only regulated packaging and labeling for cannabis infused products under the emergency rules. The packaging and labeling rules are not rocket science, but they’re immensely important for MAUCRSA compliance and consumer safety. However, none of the CDPH regulations or even MAUCRSA mention the applicability of Proposition 65 to California cannabis and cannabis products.

In addition to reviewing countless packaging and labeling content under MAUCRSA, our California marijuana business lawyers have also done a good amount of clean up of non-compliant packaging and labeling related to poor or uninformed legal advice regarding how Prop. 65 applies in the context of California cannabis. Failure to comply with Prop. 65 usually means disaster for the unwary business owner, ranging from costly and aggressive lawsuits to being shut down by the state.

The Safe Drinking Water and Toxic Enforcement Act of 1986 (a/k/a Prop. 65), requires the Office of Environmental Health Hazard Assessment (OEHHA) to publish a list of chemicals known to cause cancer, birth defects or other types of reproductive harm. The list now includes more than 1,000 chemicals. Effective June 19, 2009, marijuana smoke was added to the Prop. 65 list of chemicals known to cause cancer. OEHHA’s Carcinogen Identification Committee “determined that marijuana smoke was clearly shown, through scientifically valid testing according to generally accepted principles, to cause cancer.” Technically then, all cannabis flower is subject to Prop. 65 warnings since all flower contains/produces “marijuana smoke.” In addition, oils, wax, vapes, etc. usually contain at least one chemical on OEHHA’s list. Given this fact, there is hardly a cannabis business in California that won’t find itself subject to Prop. 65 warning requirements at some point. And none of the state agencies in charge of MAUCRSA are going to assist licensees in figuring out what they need to do to protect themselves under Prop. 65.

The first question cannabis businesses need to ask themselves in a Prop. 65 analysis is whether they’re subject to Prop. 65 at all. Who’s exempt? It’s a short list:

  1. Businesses with fewer than 10 employees and government agencies.
  2. Businesses are also exempt from the warning requirement “if the exposures they cause are so low as to create no significant risk of cancer or are significantly below levels observed to cause birth defects or other reproductive harm.” How low you ask? The exposure levels are different for each chemical type–for cancer causing chemicals, for example, no warning is required if the chemical exposure is calculated to result in “not more than one excess case of cancer in 100,000 individuals exposed over a 70-year lifetime.” You can find the Prop. 65 allowable exposure levels here.

Availing yourself of this second exemption is going to be very difficult, complex, and expensive to prove. It likely isn’t worth it if you even think you’re close to exceeding the allowable exposure levels.

Once you determine that Prop. 65 applies to you, you then need to identify the type of warning you need based on your product(s) and the relevant chemicals. And to really throw in a twist, you should know that new Prop. 65 regulations take effect on August 30, 2018. In turn, only the new safe harbor warnings should be used for products manufactured on and after August 30, 2018 (though you can still use the old September 2008 safe harbor warnings for product made before that date).

One of the most important changes with the new regulations is that you now need to actually identify at least one triggering chemical depending on the type of harm caused by that chemical. Specifically, OEHHA mandates that:

If, for example, there are five possible chemical exposures from a given product, and all five chemicals are listed only as carcinogens, then the business would only be required to name one of those five chemicals in the warning. . . If there are exposures to both carcinogens and reproductive toxicants, a business would be required to name one of the chemicals that is a carcinogen and one of the chemicals that is a reproductive toxicant, but the business could choose to identify more chemicals in the warning.

In turn, your new Prop. 65 warning will look like one of the following (plus the required symbol at the beginning and to the left of the warning):

  • For carcinogens: “WARNING: This product can expose you to chemicals including [name of one or more chemicals], which is [are] known to the State of California to cause cancer. For more information go to www.P65Warnings.ca.gov.”
  • For  reproductive toxicants: “WARNING; This product can expose you to chemicals including [name of one or more chemicals], which is [are] known to the State of California to cause birth defects or other reproductive harm. For more information go to www.P65Warnings.ca.gov.”
  • For exposures to both listed carcinogens and reproductive toxicants: “WARNING; This product can expose you to chemicals including [name of one or more chemicals], which is [are] known to the State of California to cause cancer, and [name of one or more chemicals], which is [are] known to the State of California to cause birth defects or other reproductive harm. For more information go to www.P65Warnings.ca.gov.”
  • For exposures to a chemical that is listed as both a carcinogen and a reproductive toxicant: “WARNING: This product can expose you to chemicals including [name of one or more chemicals], which is [are] known to the State of California to cause cancer and birth defects or other reproductive harm. For more information go to www.P65Warnings.ca.gov.”

In certain circumstances, short-form warnings for consumer products are allowed so long as minimum font requirements are met. Specifically, in addition to other content requirements, the short-form warning must be “in a type size no smaller than the largest type size used for other consumer information on the product and in no case in a type size smaller than 6-point type.”

Unfortunately, I still see cannabis products floating around that completely ignore or bungle Prop. 65 requirements, making these businesses sitting ducks for bounty-hunter plaintiffs and their attorneys. You’ve really only gone halfway in your MAUCRSA packaging and labeling analysis if you haven’t considered whether Prop. 65 applies to your business and what you need to do to duck in under the safe harbors. So, double check whether Prop. 65 applies to you and what you need to do to protect your business to ensure that you’re not on the wrong end of any Prop. 65 litigation.

marijuana cannabis loan
This industry is different, you know.

Many cannabis businesses are funded with debt. Sometimes, the debt is owed to one of the business’s owners, who pursued a debt structure for tax reasons. Other times, the debt is owed to a third party. That party could be a friend or family member, an investor keen on the industry, or even a professional hard money lender. Our marijuana business lawyers have papered a large number of loans in the industry, on behalf of both businesses and lenders. This blog post identifies some considerations for lenders making plays in the industry.

Do Your Diligence.

Before making a loan of any type to a cannabis business, do your diligence. Like so many things related to cannabis businesses, this exercise is different than with standard businesses. There are several reasons for this: 1) cannabis businesses often have short or non-existent operating histories; 2) by extension, cannabis businesses often have limited financial information at hand (tax returns, P&Ls, etc.); 3) the financial projections for cannabis businesses are more speculative than for other businesses, due to market dynamism; and 4) regarding operations, cannabis businesses may be “license pending” and thus offer little to vet.

Altogether, these factors make it supremely important to vet the actual owners of the business, as well as whatever you can get on the enterprise. This means having a look at personal financials and assets, credit reports, asking for personal references and calling around, etc. And when it comes to diligence on the business, make sure you do more than simply run a UCC search and review financials. Ask for company agreements. After all, a business may have an oppressive lease or licensing agreement which makes it less likely to succeed, or it may have similar documents with contingent or springing security interests that diminish your repayment prospects.

Prepare to Be Vetted.

The cannabis business will look into you, of course. But the real vetting is likely to happen by the licensing authority. In Washington, for example, the two groups that must report to the Liquor Control Board are “true parties of interest” and “financiers.” In California, it’s “owners and financial interest holders.” And in Oregon, it’s anyone with a “financial interest.” Each of these terms is defined in each state’s ever-evolving administrative rules, but it’s very likely that as a lender, you will need to be disclosed and vetted by the licensing authority. This may entail submission of information on your business, if you have one, and/or its owners and spouses. It also usually means fingerprints, background checks, and having your name on file as a part of the public record.

Demand Security.

Arms-length loans are almost never unsecured, so this one is a no-brainer, and if a marijuana business pushes back, it should be a dealbreaker. The best type of collateral is something tangible, like real property (land) that is unencumbered by senior interests, or where foreclosure by a senior noteholder would not wipe out all available equity. But there are other types of collateral, too, like personal property (including intellectual property); and there is always the option for a convertible note. Finally, lenders often get creative with deposit control agreements and other collection levers.

In the personal property category, the noteworthy asset when lending to plant-touching businesses is the cannabis itself. Most states have procedures for secured creditors to take control of a cannabis business under provisional licensing authority, for liquidation purposes. But, before you sign up for this, ask yourself: Could I really see myself chopping down cannabis plants one day? Or paying a receiver to do that? If not, and if the business has no other valuable assets, this loan may not be right for you.

Demand Personal Guarantees.

This ties into the diligence and security categories. A personal guaranty is just an extension on whatever security you can otherwise acquire as a part of the loan. Make sure these guarantees are uniformly integrated into the loan documents, and that each guaranty is more than a cursory sentence appended to a promissory note. The personal guaranty should cover various contingencies, e.g.: What happens if the guarantor dies? Are there any allowances for its termination, aside from repayment of the loan? Etc. Also, consider whether your borrower resides in a community property state like Washington or California, where the guaranty may not attach to marital property.

Do Market (and Legal!) Research.

Lenders to the cannabis industry are getting better rates than almost anyone else. They are taking on more risk, and feeding an insatiable capital market. We have seen loans with interest rates up to 50%(!) for relatively quick turns, but we have also seen loans that do not conform with licensing rules, or with state lending and usury laws. The exercise here is to ascertain market norms, look at your prospective borrower’s situation, and consider these factors in the greater context of lending statutes and marijuana licensing program rules. Finally, balance what you think you can get against the decreasing odds of collection that inevitably come with higher interest rates and compact repayment schedules.

Hacking back isn’t the answer, unfortunately.

As I have discussed for the last two weeks, cannabis businesses have become increasingly vulnerable to cyberattacks. It is natural for a company victimized by data breaches to want to retaliate by hacking back. However, under current U.S. law, which is codified under the Computer Fraud and Abuse Act (“CFAA”), it is strictly prohibited to intentionally access another’s computer without authorization.

Legislators have given some thought to this problem. Most recently, the re-introduction in October 2017 of the Active Cyber Defense Certainty (“ACDC”) Act, a bill sponsored by Congressman Tom Graves (R-Ga) and Congresswoman Krysten Sinema (D-Az), raised questions about the legality of counter attacking. Indeed, the ACDC Act proposes to amend the CFAA and enable victims of cyberattacks to adopt active defensive measures to identify the hackers, destroy information originally stolen from the victims’ networks, and attack the intruders’ servers to interrupt the ongoing attack. Although an eye-for-an-eye form of justice is appealing, unauthorized access to networks is not a good idea. Here is why.

First and foremost, the ACDC Act has not be enacted. This means that the CFAA remains the law of the land, and accessing others’ computer systems without their permission is a criminal offense. Every state law punishes hacking under the computer crime statutes. These crimes carry serious penalties ranging from a class B misdemeanor (punishable by up to six months in prison, a fine of up to $1,000, or both) to a class B felony (punishable by up to 20 years in prison, a fine of up to $15,000, or both).

Second, even if retaliation were legal, most companies would lack the expertise required to safely conduct an offensive cyber operation. It is incredibly difficult to identify individuals and entities behind cyberattacks. Most intruders cover their tracks very carefully by using encryption and by routing strikes through others’ computers. Given this, counter hacking would most certainly result in attacking computer systems and destroying data belonging to innocent third parties.

Then, there is the issue of whether victim companies have the technical proficiency required to effectively take counter measures against cyber intruders. Indeed, the internal tools needed to effectively hack back represent a major undertaking: a high level of expertise, constant vigilance, and huge financial resources. Moreover, it is highly unlikely that companies that could not prevent the intrusion of their networks would manage to take on their attackers on their own digital turf.

Lastly, retaliation by companies that fell victim of a data breach would most certainly impede law enforcement investigations and delete or temper with evidence that could be useful in a prosecution. Unlike law enforcement agencies, companies do not have the relevant technical expertise or diplomatic tools to pursue hackers. Most companies ignore how to preserve a chain of custody that would enable the introduction of untampered evidence at trial. In addition, counter hacking is an incredibly dangerous endeavor because it is very difficult, if not impossible, to see what a company would be up against. In retaliating, a company would run the risk of escalating the situation and of further injuring itself.

As I have discussed before (here and here), no one and no company is immune to cyberattacks. It is understandable that companies, including cannabis companies, are getting tired of being passive and of merely defending against these breaches. However, hacking back is not a feasible option given its illegality and the negative consequences it could have on the retaliating company. When faced with a data breach, don’t let your emotions dictate your actions; instead, stick with a comprehensive plan of action that will help you minimize your damages and let skilled, experienced law enforcement agents do the job of tracking and investigating your attackers.

cannabis marijuana term sheet

When I receive a summary of a cannabis business deal–the first emails, calls, LOIs, and term sheet in any form–with 90% accuracy I can say whether the transaction will be a difficult one or not. Note that “difficult” does not correlate with complex: Often the more complex deals, with multiple entities and asset transfers, end up being much easier, whereas a simple secured loan can be more difficult. And in the context of a transaction, “difficult” = “time consuming” = unnecessary expense. Everyone would like to avoid that.

The number one differentiating and determinative factor in assessing the difficulty of a marijuana business deal is the term sheet. If a deal is a building, think of the term sheet as both the architect’s blueprint and the physical foundation on which the deal is built. Deals that are smooth are built with a clear plan and on a solid base; these come in on time and under budget. Deals that are built based on a vague understanding of the final goal but with no firm, documented plan, will be typified by stops and starts, walls built, torn down and rebuilt, and a final product that stands but doesn’t resemble what either parties had in mind (“in mind” being a key phrase here, as often what was in the parties’ mind was never exchanged in an agreement). Oh, and the dreaded cost overruns.

Engage your attorney before you sign a term sheet. 

Having a final term sheet is necessary for a smooth transaction, but agreeing that a half-baked term sheet is “final” may prove worse than having no term sheet at all. Do not make the mistake of thinking you cannot engage your attorney until you have a term sheet signed: In fact, an hour with your attorney before you finalize the terms, could save you many hours down the line. Your experienced business attorney will know how the terms will fit in the documents, and in turn what terms you may not have addressed fully, or at all.

Do not have your attorney draft the transaction documents until after you sign a comprehensive and binding term sheet. 

Speed in transactions is defined by certainty. Term sheets that say “market standard” terms for X is likely a proxy for “we didn’t take the time to discuss X.” This can work if the parties have a common reference point or an external reference. For example, in the context of an equity financing, “standard NVCA language on Registration Rights” is OK. “Standard anti-dilution” is not OK: There are at least three flavors and they are wildly different, so the drafting attorney with that term sheet is guessing–or likely talking only to his side–on the issue. The stops, starts, and re-drafts is what eats up time.

Continuing with the building analogy: Every couple building their dream home wants the house built quickly and correctly, and on budget. But they had better get all the critical details decided and in the plans before the first brick is laid. In other words, if you don’t agree on the location and number of bathrooms, you wouldn’t tell a contractor to “start building now and we’ll decide on the bathrooms later.” The decisions won’t get easier if you put them off, and having a full plan in place from the beginning will make the process more enjoyable for all.