Over the last few months, cannabis and CBD companies have been subject to some pretty massively publicized cases. We’ve seen partnership disputes, consumer class actions, shareholder suits, agency enforcement actions, intellectual property cases, and more. One thing virtually nobody is talking about—or prepared for—are the inevitable wave of CCPA suits.
Before I explain what CCPA is and why this will be significant, I should caution that readers shouldn’t stop reading just because they aren’t in California. CCPA is shorthand for the California Consumer Privacy Act. The law is pretty much exactly what it sounds like: a consumer privacy law.
What makes CCPA different from many other consumer privacy laws is: (1) it can apply anywhere in the world so long as a business “does business in California” (this term is not well defined) and meets a few other criteria, (2) is almost as broad as the EU’s extremely broad GDPR privacy regulation; (3) requires all companies subject to it to commit to certain privacy practices; and (4) most importantly, is going to lead to some pretty big deal lawsuits.
CCPA provides that in the event of a data breach—which can range from malicious hacking to something as simple as an unencrypted laptop being lost—a consumer whose data was affected can sue the company who was breached and exposed their data. If the company did not have “reasonable security procedures” in place, the consumer can recover either their actual damages, or statutory damages of between $100–$750 per incident. This may not sound like a lot, but consider these two fact patterns:
- A cannabis dispensary in California gets protected information for 3,000 customers and stores them in an unsecure manner. A criminal hacks the company’s computers and accesses this information. The dispensary will have to give notice to the consumers, who can turn around and sue it in a class action lawsuit. Even without having to prove damages, the plaintiffs can obtain up to $2,250,000 in statutory damages. This could be the death knell for a company.
- Same set of facts, except one customer on the list lives in a state where it is legal to terminate employees for cannabis use, and loses his or her job as a result of the breach exposing his or her information. That consumer may be able to prove damages, and they will likely exceed $750.
These are just a few examples of situations that can happen under CCPA, and they are pretty severe. While CCPA does not define what “reasonable security procedures are” some sources have suggested that failure to adhere to the all 20 controls in the Center for Internet Security’s Critical Security Controls.
Even if the standard weren’t so rigorous, there are many cannabis companies out there who are not even thinking about data security at all. CCPA is not going to be fun for them. And I’m not even going to address the concept for attorney general actions in this post (needless to say, those won’t be fun either).
I think one of the biggest issues about CCPA is that people just don’t understand it or don’t think that the law even applies to them. Something I hear all the time is “CCPA doesn’t apply because our company doesn’t sell goods online” or “CCPA doesn’t apply because we’re a small company”. Both of these statements are just wrong and CCPA could apply to even small businesses who have a small online presence.
The moral of the story is that companies will be at a major disadvantage when—not if—CCPA suits start coming. Stay tuned to the Canna Law Blog on CCPA cannabis developments.