How do cannabis businesses go about beginning to protect themselves?
Several things should be done. The first thing is you want to be transparent with your customers about what you’re doing. This means that when they enter your dispensary, there should be privacy notice available to them. Particularly if you’re collecting information just upon entering. If you’re collecting driver’s license information, your clients should know why you’re doing that and where that information will go.
There are questions about the effectiveness of notice because some dispensaries may post something that nobody will read. Still, there should be an effort to ensure visitors know what will be done with the data.
Cannabis Business Privacy and Data Security
Furthermore, if you are tracking purchases, point-of-sale systems automatically track and compile purchase information to support loyalty programs; those should be opt-in. Clients should not suddenly be receiving emails from a dispensary saying, “Hey, you have x amount of points because you made this purchase in that purchase” without their consent. You want to make sure that you’re getting their agreement to participate in those kinds of things.
Also, things that you should really be doing on the back end are making sure that you have a good security policy in place and that that can be implemented. Typically you know you had a policy at one level procedures. Another level down tells people on the security side responsible for your systems exactly what needs to be done.
Operators should have access controls in place, ensure the sensitive data is encrypted, and ensure those policies are implemented and audited. Also, it is essential to train staff on the importance of data privacy and security on the privacy and security side.
Cannabis Businesses Must Focus on Privacy and Data Security
Data Privacy Compliance
I know if you’re a small to a medium-sized dispensary, these probably seem like intensive obligations, but they’re essential. But, on the other hand, they’re not very much when you consider that if your data is breached, you’re going to have a state attorney general breathing down your neck potentially, or you might be a party to lawsuits under California CCPA for private rights of action for breaches, so you want to take it seriously.