Empowering Consumers, California Privacy Laws Could Spell Trouble for Cannabis Companies

Publication year: 2021

Griffen Thorne*

Abstract: The California Consumer Privacy Act creates private rights of action for Californians that will impact companies regardless of their jurisdiction. The cannabis industry is particularly susceptible to privacy claims; it requires the collection and storage of personal information, but regulations impose little in the way of data protection requirements. This article discusses security controls; potential damages; types of data at risk; other pressures, beyond legal requirements, the industry faces; and mitigation strategies.

The California Consumer Privacy Act (CCPA) is by far the nation's most comprehensive data protection statute. CCPA creates new private rights of action for certain California consumers whose personal information was accessed during a data breach, in the event that the breached company holding their personal information failed to undertake reasonable security measures. CCPA's new private rights of action will have far-reaching effects on companies across the globe.

One industry that will be uniquely susceptible to CCPA litigation is the state's nascent regulated cannabis industry. Under California law, licensed cannabis businesses are required to collect and store a large amount of consumer personal information. However, cannabis regulations generally impose little to no data protection requirements on regulated entities, creating a perfect storm for potential data breaches.

This article examines relevant provisions of CCPA, personal information collection requirements applicable to licensed California cannabis companies, and other unique business and industry pressures applicable to the cannabis industry that will surely lead to future data breaches and CCPA litigation.


CCPA Fundamentals

CCPA was signed into law in 2016, and since then has been the subject of numerous legislative amendments.1 The law went into effect on January 1, 2020.2 CCPA is, to date, the nation's most comprehensive general consumer data protection law and is comparable in scope to the European Union's General Data Protection Regulation (GDPR).

At its core, CCPA affords consumers a host of new rights with respect to their data. For example, CCPA provides consumers with the right to request that a company holding their personal information delete that personal information.3 Many of these rights previously did not exist under California law and generally do not apply to businesses that are not regulated under the CCPA.

In addition to affording consumers new legal rights and protections, CCPA also puts the onus on regulated businesses to safeguard personal information. For example, CCPA requires that companies notify consumers about their data collection policies and about consumers' rights relative to the companies.4

In practical terms, this means that CCPA-regulated companies must update their privacy policies and other documents provided to consumers at the point of data collection in order to notify consumers about their new rights and how to exercise them, and for any other information required by law to be disclosed to consumers.5

Notably for this article, CCPA augmented existing California data breach notification laws. Under prior California law, companies holding certain important classes of personal information—including Social Security numbers, drivers' license numbers, biometric information, and other information that could essentially be used for identity theft—were and are required to notify consumers in the event of a data breach.6 A data breach is considered any event where data is accessed or acquired in an unlawful manner, and can range from malicious hacking to the simple loss of an unencrypted device holding the data.7

CCPA adds to the existing breach-notification requirement by providing consumers with a private right of action in the event that the company that was breached did not employ "reasonable" data security measures.8 Unfortunately, this term is not defined by the law or by CCPA's implementing regulations, leaving many companies guessing as to what exactly qualifies as a reasonable security measure.


A number of commentators, however, argue that the "reasonable" security measure requirement is actually extremely stringent and incorporates all 20 controls set forth in the Center for Internet Security's (CIS) Critical Security Controls (the Controls), citing a 2016 California Attorney General Report.9 The Controls are separated into basic, foundational, and organizational security controls, range from basic to sophisticated, and include controls such as:

1. Inventorying and controlling hardware and software assets.
2. Continuous vulnerability management.
3. Controlled use of administrative privileges.
4. Secured configuration of hardware and software on mobile devices, laptops, workstations, and servers.
5. Email and web browser protection.
6. Malware defenses.
7. Secure configuration for network devices (e.g., firewalls, routers, and switches).
8. Incident response and management.
9. Penetration testing.10

Additionally, the Report indicates that the Controls are simply the "minimum level of information security that all organizations that collect or maintain personal information should meet. The failure to implement all the Controls that apply to an organization's environment constitutes a lack of reasonable security."11

Therefore, to the extent that the term "reasonable security procedures" is determined to mean implementation of the Controls, there are a number of key takeaways for any CCPA-regulated business:

1. Businesses will need to thoroughly examine the Controls to determine which Controls actually apply to their operations. For example, businesses that provide employees with laptops or other mobile devices will need to undertake more rigorous security compliance than those that do not.
2. Compliance will take a significant amount of time, effort, and, most importantly, money. While some Controls may arguably be carried out by in-house personnel (especially for smaller enterprises), some tasks will inevitably require outside assistance. Without a technical staff, penetration testing or securing network configurations may be impossible to carry out internally.
3. The Controls are a baseline, at least so long as the Report controls. Businesses that meet all 20 Controls may still be deemed to provide unreasonable security measures if their operations demand a higher level of security.


If a CCPA-regulated business is the victim of a data breach and did not have "reasonable security procedures" in place, a consumer can recover either actual damages, or statutory damages of between $100 and $750 per incident.1...
