13 Oct California Cannabis: Does Your Business Have a Website? If So, You Probably Need a Privacy Policy.
No longer optional for your canna business website.
Unless you’ve been living under a rock for the past few months, you’ve probably read about the host of sweeping new laws in California, like its new Internet of Things law, cannabis privacy law, or net neutrality law, to name just a few. California has long been regarded as a trailblazer when it comes to making people who are outside of California do things to comply with California law. So it probably comes as no surprise that website operators outside of California may need to comply with a privacy policy law in California: the California Online Privacy Protection Act.
Pursuant to this law, any business that owns or operates a website that advertises to, services, or in many cases is simply accessible by California residents will almost certainly need to conspicuously post (and—importantly—actually follow) a privacy policy containing statutorily defined disclosures. This requirement applies when a website collects “personally identifiable information” about California consumers, including first and last name, home or other address, email address, telephone number, Social Security number, or any other information that would permit a person to contact a website user (either physically or online). Moreover, a policy may be required even for businesses located in distant areas of the United States just by virtue of the fact that their websites can collect this information.
If a company fails to create or adhere to a privacy policy and does so either intentionally or in a material and negligent way, that company may be in violation of the law. The law does state that website operators will not be in violation until 30 days after being notified that their website does not contain a privacy policy, but it does not specify where notification can come from (i.e., the state or any source), which means that reliance on this window may be risky. The law is enforced by the California Attorney General, with penalties of up to $2,500 per violation. These penalties could be severe for businesses that offer mobile apps, as the California Attorney General has taken the position that a new (potentially $2,500) violation occurs each time a non-compliant app is downloaded.
You may be wondering how this applies to your cannabis business. The fact is that there are numerous ways in which even seemingly passive websites collect protected information from and about users. Even if your website does not sell any products, it may include “Contact Us” or mailing list subscription portals which collect protected information. If your website sells or ships any sort of product, it may collect at least some protected information. Even if your business has not collected information about any California residents in the past but simply could do so, the mere possibility may mean it needs to comply.
Furthermore, there are other good business and legal reasons to post and adhere to a privacy policy. Customers appreciate when businesses are transparent about their privacy practices. For obvious reasons, ensuring that cannabis customers’ privacy is maintained is important. Additionally, in the event of a data breach which requires notification to state or federal authorities, the fact that a company took steps to maintain customer privacy may be an important consideration in determining if any enforcement actions should be taken.
The good news is that, unlike some laws or regulations that cannabis companies face, California’s privacy policy law is relatively straightforward in that it specifies what a company needs to disclose in a privacy policy and how that policy needs to be displayed on a website. That said, ensuring that a privacy policy accurately describes a company’s current and future privacy practices can be a challenge, and inaccurate or gratuitous statements in a privacy policy could expose a company to additional liability. In other words, a policy needs to be tailored to a company’s specific practices, and so copying language from other privacy policies could cause even more trouble for a company.
Cannabis companies have enough to worry about. They shouldn’t add to the problem by failing to address privacy or data security laws. A good place to start is engaging counsel to draft a comprehensive privacy policy. After all, at least according to California, one is required.