The California Consumer Privacy Act (CCPA) took effect at the beginning of the year. CCPA is a massive privacy law similar in scope to the European Union’s infamous General Data Protection Regulation, and applies to many businesses (not just cannabis businesses) that are based in or even “do business” in California. I wrote about the thresholds for whether CCPA applies here, and the moral of the story is that the bar can be pretty low when it comes to application of the law.
For businesses that are subject to CCPA, compliance can be rough. One of the hallmarks of the law is that it provides California consumers with many new rights that they can exercise with respect to businesses that hold the consumers’ personal information. These rights include things like a right to direct a business not to sell consumer personal information, a right to know specifically what kinds of personal information a business collected, and importantly for this piece, a right to request that businesses delete personal information of the consumer.
The deletion right is what I want to focus on today. Per CCPA regulations, businesses that receive deletion requests must confirm receipt within a short period of time, and then respond to the request within 45 days from the date of receipt (in some cases, this can be doubled to 90 days). Businesses can use various methods to confirm that the person making the request is actually the person whose information is going to be deleted (I could write an entire post just on verification). At the end of the process, the business will be required to delete personal information unless there is an exception, which I will discuss below.
Deletion requests can be pretty significant for covered businesses. Such businesses may need to purge marketing or other key information that is otherwise valuable. The deletion process itself can also be time consuming and expensive (especially for small businesses that may not have a dedicated compliance team). However, when it comes to cannabis businesses, it’s possible that there may be many grounds to retain information.
CCPA makes clear that covered businesses may have the right to reject a deletion request if is necessary for the company or its service provider to:
- Complete the transaction for which the personal information was collected, fulfill the terms of a written warranty or product recall conducted in accordance with federal law, provide a good or service requested by the consumer, or reasonably anticipated within the context of a business’ ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer.
- Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity.
- Debug to identify and repair errors that impair existing intended functionality.
- Exercise free speech, ensure the right of another consumer to exercise that consumer’s right of free speech, or exercise another right provided for by law.
- Comply with the California Electronic Communications Privacy Act pursuant to Chapter 3.6 (commencing with Section 1546) of Title 12 of Part 2 of the Penal Code.
- Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the business’ deletion of the information is likely to render impossible or seriously impair the achievement of such research, if the consumer has provided informed consent.
- To enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business.
- Comply with a legal obligation.
- Otherwise use the consumer’s personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.
These incidents are incredibly broad and can apply to a broad array of information. But number 8 is pretty significant for cannabis businesses. In interpretive materials issued in coordination with the CCPA regulations, the CA Attorney General staff noted that:
This clarification is not necessary because [the section cited above] sets forth when a business shall not be required to comply with a consumer’s right to delete, which includes when they must maintain the information to comply with a legal obligation. Civil Code § 1798.145(c) also sets forth that the CCPA shall not restrict a business’s ability to comply with federal, state, and local laws, among other things. Further, Civil Code § 1798.196 states that it is intended to supplement federal and state law, if permissible, but shall not apply if such application is preempted by, or in conflict with, federal law of the United States or California Constitution.
Unpacking this interpretation, it appears likely that licensed cannabis businesses that are obligated under the state Medicinal and Adult-Use Cannabis Regulation and Safety Act (“MAUCRSA”) and corresponding regulations to maintain certain categories of consumer personal information may be exempted from deleting that information. Here are two good examples:
- Retail cannabis companies are required under Bureau of Cannabis Control (BCC) regulations to maintain video security footage for 90 days or more, and are required to use cameras capable of recording facial features in the retail sales area. This may constitute “biometric” information under CCPA (which is defined to include “imagery of the . . . face”) and therefore may be considered personal information under CCPA.
- Cannabis delivery companies are required to maintain records that would allow the BCC to figure out every person to whom they delivered cannabis. It appears that this obligation is for 7 years. This information would undoubtedly contain personal information.
To the extent that cannabis businesses are required by law to maintain personal information, they may be able to use that as a shield to complying with data deletion requests. This is a vast oversimplification. As one would expect, it is not always clear whether (1) something constitutes personal information, and (2) there is an actual legal obligation to maintain that information. Businesses that receive deletion or other CCPA requests must consult with privacy professionals or attorneys to determine the scope of requests. Failure to properly respond can lead to significant penalties.