-
The California Consumer Privacy Act (CCPA) took effect at the beginning of the year. CCPA is a massive privacy law similar in scope to the European Union’s infamous General Data Protection Regulation, and applies to many businesses (not just cannabis businesses) that are based in or even “do business” in California. I wrote about the thresholds for whether CCPA applies here, and the moral of the story is that the bar can be pretty low when it comes to application of the law.
For businesses that are subject to CCPA, compliance can be rough. One of the hallmarks of the law is that it provides California consumers with many new rights that they can exercise with respect to businesses that hold the consumers’ personal information. These rights include things like a right to direct a business not to sell consumer personal information, a right to know specifically what kinds of personal information a business collected, and importantly for this piece, a right to request that businesses delete personal information of the consumer.
The deletion right is what I want to focus on today. Per CCPA regulations, businesses that receive deletion requests must confirm receipt within a short period of time, and then respond to the request within 45 days from the date of receipt (in some cases, this can be doubled to 90 days). Businesses can use various methods to confirm that the person making the request is actually the person whose information is going to be deleted (I could write an entire post just on verification). At the end of the process, the business will be required to delete personal information unless there is an exception, which I will discuss below.
Deletion requests can be pretty significant for covered businesses. Such businesses may need to purge marketing or other key information that is otherwise valuable. The deletion process itself can also be time consuming and expensive (especially for small businesses that may not have a dedicated compliance team). However, when it comes to cannabis businesses, it’s possible that there may be many grounds to retain information.
CCPA makes clear that covered businesses may have the right to reject a deletion request if is necessary for the company or its service provider to:
These incidents are incredibly broad and can apply to a broad array of information. But number 8 is pretty significant for cannabis businesses. In interpretive materials issued in coordination with the CCPA regulations, the CA Attorney General staff noted that:
This clarification is not necessary because [the section cited above] sets forth when a business shall not be required to comply with a consumer’s right to delete, which includes when they must maintain the information to comply with a legal obligation. Civil Code § 1798.145(c) also sets forth that the CCPA shall not restrict a business’s ability to comply with federal, state, and local laws, among other things. Further, Civil Code § 1798.196 states that it is intended to supplement federal and state law, if permissible, but shall not apply if such application is preempted by, or in conflict with, federal law of the United States or California Constitution.
Unpacking this interpretation, it appears likely that licensed cannabis businesses that are obligated under the state Medicinal and Adult-Use Cannabis Regulation and Safety Act (“MAUCRSA”) and corresponding regulations to maintain certain categories of consumer personal information may be exempted from deleting that information. Here are two good examples:
To the extent that cannabis businesses are required by law to maintain personal information, they may be able to use that as a shield to complying with data deletion requests. This is a vast oversimplification. As one would expect, it is not always clear whether (1) something constitutes personal information, and (2) there is an actual legal obligation to maintain that information. Businesses that receive deletion or other CCPA requests must consult with privacy professionals or attorneys to determine the scope of requests. Failure to properly respond can lead to significant penalties.
Consumer Privacy, California Cannabis and CCPA Deletion Requests on Harris Bricken.