State Data Privacy & Security Law as a Tool for Protecting Legal Adult Use Cannabis Consumers and Industry Employees

zion.mercado Paper, , ,

State Data Privacy & Security Law as a Tool for Protecting Legal Adult Use Cannabis Consumers and Industry Employees

By: Nicole Onderdonk

1. Introduction

The legalization of adult use cannabis[1] at the state level, its continued illegality at the federal level, and the patchwork of privacy regulations in the United States has generated interesting academic and practical questions around data privacy and security.[2]  At risk are the consumers and employees participating in the legal recreational cannabis marketplace— particularly, their personal information.[3]   For these individuals, the risks of unwanted disclosure of their personal information and the potential adverse consequences associated with their participation in the industry varies significantly depending on which state an individual is located in.[4]  Further, while these are distinct risks, the unwanted disclosure of personal information held by cannabis market participants may significantly increase the degree and likelihood of an individual experiencing adverse employment-related consequences due to recreational cannabis use.  Therefore, data privacy and security laws can and should be deployed by states as a tool to not only protect legal adult use cannabis consumers’ and employees’ personal information, but also their interests and rights more broadly related to their participation in the legal cannabis market.

Privacy law and cannabis law are both arenas where states are actively engaged in their roles in the federalist system as “laboratories of democracy.”[5]  The various state-by-state approaches to protecting consumer and employee data privacy and legalizing recreational cannabis have taken various shapes and forms, akin to other areas of the law where there is an absence or silence at the federal level.  This divergence may create problems and concerns,[6] but it also may reveal novel solutions.  Regarding the personal data of recreational cannabis consumers and industry employees, the strongest solution that emerges from an analysis of the current state-by-state legal framework is a hybrid one—taking the most successful aspects from each state’s experimentation and deploying it to protect legal adult use cannabis market participants from collateral adverse consequences.

 

2. Background

     a. Risk 1: Potential Adverse Consequences of Participation in the Legal Adult Use Cannabis Market

Despite remaining a Schedule I “controlled substance” at the federal level,[7] twenty-four states and the District of Columbia have legalized adult use cannabis.[8]  Legal adult use cannabis sales exceeded $19 billion for 2022 and are projected to double over the next five years.[9]  The legal cannabis industry employs over 400,000 full-time workers, with the market consistently growing by about 30% annually for the past five years.

However, even with adult use cannabis legal in nearly half of the country[11] and data supporting the normalization of cannabis use,[12] stigma and its collateral consequences persist even in states where recreational cannabis is legal.[13]  Many legalizing states do not have laws in place to protect participants in the legal cannabis industry—whether consumers or employees—from the potential adverse consequences of their participation.[14]  Some of the most serious of these consequences include: employment; banking and lending; public benefits; civil litigation; and immigration.

          i. Employment Consequences

An employer’s knowledge of an employee’s legal cannabis use can affect current or future employment.[15]  While some states have enacted laws or regulations to protect medical cannabis users, only a handful have enacted protections for nonmedical use.  In addition, even when protections exist, there are exceptions and limitations. For example, the Nevada law only protects future employees but does not apply to current employees.  In addition, the statute explicitly excludes firefighters, emergency medical technicians, certain jobs that require the employee to operate a motor vehicle, and any job that the employer determines “could adversely affect the safety of others”[18]—categorized broadly as “safety-sensitive” jobFurther, state anti-discrimination statutes do not protect legal recreational cannabis consumers, or industry employees, applying for or working in federal jobs.

          ii. Other Potential Adverse Consequences

In addition to employment, participation in a state’s legal recreational cannabis market may have adverse consequences for an individual in the areas of banking and lending; public benefits; civil litigation; and immigration.

First, involvement in the cannabis industry can affect consumers and employees’ ability to get loans from traditional banks at competitive rates, such as mortgages. In addition, there are reports of cannabis employees’ bank accounts being denied or closed.  Second, legal cannabis use can result in the denial of federal benefits, such as housing, given its federally illegal status, and this goes for both adult use and medical cannabis.[23]  Social security benefits may also be affected.[24]  Third, cannabis use, even in a state that is legal, can affect the outcome of civil litigation—for example, child custody proceedings.[25]   Finally, disclosure of cannabis use can have catastrophic consequences for those going through the U.S. immigration process.[26]  Even if an activity is permitted by state law, the immigration system treats it as a crime,[27] a position that U.S. Citizenship and Immigration Services (USCIS) reconfirmed in 2019.[28]  Further, the risk of this adverse consequence may be even greater in states where cannabis is legalized: the lack of a criminal charge at the state level deprives non-citizen individual participating in the legal cannabis marketplace of their would-be right to counsel in a state level criminal proceeding and, therefore, may leave individuals less informed about the potential immigration status consequences that still exist due to cannabis possession still being illegal at the federal level. [29]

     b. Risk 2: Unwanted Disclosure of Personal Information Held by Legal Adult Use Cannabis Industry Participants

An individual may be exposed to these consequences through their own “voluntary” disclosure[30] or through unwanted disclosure of their personal information held by a third party.  There are plentiful anecdotes and evidence of adverse consequences resulting from voluntary disclosure.[31]  In contrast, there does not appear to be similarly plentiful evidence (yet) of adverse consequences resulting from third party disclosure. However, there is evidence of the latent risk.[32]

Unwanted disclosure of information held by a third party may result from affirmative action by the third party itself—such as the unauthorized sharing of personal information to the government or third parties—or the result of a data breach.  Regarding unauthorized sharing of personal information to the government or third parties, this may occur under several circumstances. States vary on their data collection requirements and practices for data collection: some prohibit certain data collection and storage,[33] while others require certain data collection and storage. In addition, even when disclosure is prohibited, there are often carveouts for disclosure to state or federal officials.[35]  Further, as the cannabis industry has matured, businesses have turned toward targeted advertising and other marketing techniques that have significant privacy implications.[36]  For example, mobile apps that track cannabis use are used by cannabis business to collect sensitive demographic data, such as “gender, sex, location or age.” [37]  In addition, other market participants are developing AI solutions that collate various inputs from cannabis businesses, including consumer transaction data, and using it to develop specific products.[38] While there may be some benefits to deploying consumer data in this way, practices such as these generally result in more personal information being collected and stored and potentially shared with third parties. In the absence of laws governing this disclosure, cannabis consumer data may be shared with innumerable third parties for marketing or other purposes without the consumer’s consent, or perhaps even knowledge.

In the case of data breaches, consumers and employees may be exposed to other negative, non-cannabis-specific impacts, such as identity theft or financial loss.  In recent years, as the industry has grown, have increasingly become targets for cyberattacks.[39]  There have been multiple large data breaches that have occurred in the cannabis industry over the last several years, in particular affecting national technology platforms used across multiple states in their retail operations.[40]  For example, in 2020, THSuites, a point-of-sale and management software solution used by dispensaries across the country, experienced a data breach that exposed 85,000 files including “customers’ full names, dates of birth, phone numbers, emails, addresses, signatures, cannabis varieties and quantities purchased, amount of money spent and transaction dates” as well as, for medical cannabis users, their medical ID numbers.[41]  In addition to consumers, cannabis industry employees have been affected by these data breaches.[42]

The risk of unwanted disclosure is not limited to personal information held by cannabis industry businesses.[43]  Through the license application process, state cannabis regulatory authorities often collect and store a significant amount of data on cannabis companies as well as employees.[44]  In addition, some of these regulatory bodies collect information from companies, including transactional data, While some states’ cannabis regulators have transparent, established data privacy and security policies and practice[46] others reserve significant discretion to make unilateral data sharing decisions.[47]

In summary, in the absence of appropriate data privacy and security protections that apply to all cannabis market participants (direct businesses, indirect business, regulators, and third-party technology providers), both consumer and employee data is at significant risk of exposure and misuse.

     c. Combining the Risks to Define the Problem: Unwanted Disclosure of Personal Information Heightens Risk of Potential Adverse Consequences

While collateral consequences and unwanted disclosure of personal information are two distinct risks to recreational cannabis consumers and industry employees, when combined—especially in states where both are inadequately mitigated by protective law or policy—the problem is in urgent need of a solution.  A state’s lack of strong data protection requirements increases the likelihood of unwanted disclosure of personal information[48] and, consequently, may heighten the risk of an individual suffering potential adverse consequences.

Of these twenty-five states (including D.C.) who have legalized recreational cannabis, only six have comprehensive privacy laws.[49] Of the nineteen states that do not have comprehensive privacy laws, only five have laws that protect recreational cannabis users and/or employees of cannabis businesses from employment discrimination by non-cannabis businesses.[50]  However, most states have some degree of data security or privacy requirements for cannabis businesses and/or protections for recreational cannabis consumers and employee[51]  While no one state’s regime is identical to another’s, the data privacy and security approaches can largely be grouped into three categories: (1) comprehensive state generally applicable privacy laws; (2) cannabis-specific privacy laws or requirements; and (3) state consumer protection enforcement.

          i. Comprehensive state generally applicable privacy laws

In the absence of a comprehensive federal privacy law,[52] states have enacted their own privacy measures, with California leading the way with the California Consumer Privacy Act (CC).[53]  In California, all businesses that meet or exceed certain size parameters (i.e., number of employees, amount of data handled, profits) are subject to the CCPA.[54]  Like any other California business, cannabis businesses that meet or exceed these parameters must comply with the CCPA.[55]  This includes businesses letting consumers know what personal information it is collecting and why, and if it is being shared (the right to know) and allowing consumers to opt-out of the sale or sharing of their personal information (the right to opt-opt).[56]  CCPA also requires that businesses perform cybersecurity audits and risk assessments to fulfill its obligation to protect consumer’s personal information.[57]  Although it does not specify specific cybersecurity measures that must be implemented,[58] CCPA addresses the privacy protection goals of both data minimization and security.

          ii. Cannabis-specific privacy laws

As much of the U.S. privacy law is sector specific, another option for states is to implement cannabis-specific privacy measures.  Illinois is an example of this.[59]  Potentially a result of “concerns about privacy that were raised during [legislative] negotiations” ahead of its passage,[60] Illinois built data consumer privacy protections into its legalization bill:

To protect personal privacy, the Department of Financial and Professional Regulation shall not require a purchaser to provide a dispensing organization with personal information other than government-issued identification to determine the purchaser’s age, and a dispensing organization shall not obtain and record personal information about a purchaser without the purchaser’s consent. A dispensing organization shall use an electronic reader or electronic scanning device to scan a purchaser’s government-issued identification, if applicable, to determine the purchaser’s age and the validity of the identification. Any identifying or personal information of a purchaser obtained or received in accordance with this Section shall not be retained, used, shared or disclosed for any purpose except as authorized by this Act.[61]

In addition, it placed restrictions on the state’s cannabis regulators to prevent unauthorized disclosure of personal information by these market participants.[62]  This approach to data privacy and security for adult use cannabis consumers ensures that, in the absence of state or federal comprehensive privacy regulation, the sensitive information of consumers will be protected.

          iii. State consumer protection enforcement

In a May 2023 report tracking year over year changes in litigation trends for the cannabis industry, “[t]he most notable difference . . . was the prevalence of actions brought by state and local governments against industry participants for failure to comply with state laws and regulations” comprising 11% of all lawsuits, up from 4% the previous yea[63]  Federal enforcement of consumer protection laws is on the rise at the federal level, with the Food and Drug Administration (FDA),[64] Federal Communications Commission (FCC),[65] and the Federal Trade Commission (FTC)[66] either issuing guidance or bring enforcement actions against cannabis companies.  As state cannabis markets mature, it is reasonable to assume that state enforcement may step up as well.  In a particularly interesting case, Nebraska (where neither recreational nor medical cannabis are legal), the Attorney General brought a consumer protection action against a cannabis company for false claims related to a particular product.[67]

State unfair and deceptive acts practices (UDAP) laws are a good fit for regulating the privacy practices of state cannabis businesses because they are already in place and have a longstanding history of use for privacy enforcement in the absence of specific privacy laws.[68] A state could enforce its UDAP laws against cannabis businesses like any other business.

 

3. Analysis of Existing Legal Framework and Other Potential Solutions

Cannabis data protection solutions should be guided by the Fair Information Practice Principles (FIPPS), as first articulated by the predecessor to the U.S. Department of Health and Human Services in 1973 and since broadly adopted internationally and globally as a framework for data protection.[69]  These principles include transparency, data minimization, purpose specification, use limitation, data quality, and security.[70]  Based on the data risks identified in the context of the adult use cannabis industry,[71] data minimization and security are top of mind.

The security principle requires organizations to protect personal information it collects in all its forms, “through appropriate security safeguards against risks such as loss, unauthorized access or use, destruction, modification, or unintended or inappropriate disclosure.[72]  The data minimization principle requires organizations to “only collect [personal information] that is directly relevant and necessary to accomplish the specified purpose(s) and only retain [it] for as long as is necessary to fulfill the specified purpose(s”[73]

Other principles implicated are transparency (requiring that organizations “be transparent and notify individuals regarding collection, use, dissemination, and maintenance of [personal information]”), purpose specification (requiring that organizations “specifically articulate the authority that permits the collection of [personal information]” as well as the intended purpose and use), and use limitation (requiring that organizations “use [personal information] solely for the purpose(s) specified”[74]

Applying these principles to the current state cannabis regulatory landscape, one obvious gap is data minimization policies for cannabis industry employee data.  Cannabis industry employee data is arguably at a higher risk than consumer data due to the lack of protections and, for public health and safety reasons, more data is required to be collected (e.g., background checks).  One option for ensuring this protection would be placing data minimization and purpose limitation requirements on state licensing process. For example, in Illinois, a provision of the state’s legalization bill established a level of confidentiality for information gathered through the license application process:

Information provided by the cannabis business establishment licensees or applicants to the Department of Agriculture, the Department of Public Health, the Department of Financial and Professional Regulation, the Department of Commerce and Economic Opportunity, or other agency shall be limited to information necessary for the purposes of administering this Act.

While the Illinois provision has carveouts for the Freedom of Information Act (FOIA) and other law enforcement related activities,[76] a provision like this could be implemented by states with additional guardrails, such as a retention time limit for personal information and more specific guidance regarding what “information necessary” for administration means.

Another gap is cybersecurity requirements for cannabis businesses. As a starting point, states could require businesses to provide their cybersecurity plans as part of their license application process.  Further, they could add both data privacy and security requirements to their legalization bills. For example, the Illinois license application includes questions about consumer point-of-sale software and what data it collects.[77] Additional questions could be added regarding the security credentials of the software (especially if the software is being purchased from or hosted by a third party – a primary target of recent cyberattacks against the cannabis industry[78]).

Aside from the potential data privacy and security solutions, another way to combat the adverse consequences of the unauthorized sharing of adult use cannabis consumer data is by directly addressing the risk posed by the disclosure.  Several of the states where adult use cannabis is legal have employment protections for recreational cannabis use.[79] California has one of the strongest examples of this: A.B. 1288 and Executive Order 700 which prohibit employers from even inquiring about an employee’s off-duty recreational cannabis use By addressing the risk of adverse employment consequences for recreational cannabis users, the lack of data privacy and security requirements for cannabis businesses may become less consequential.

 

 4. Conclusion

In conclusion, in the absence of federal legalization and a federal comprehensive privacy bill, state law solutions will need to carry the responsibility of protecting consumer and employee privacy in the legal adult use cannabis market.  Despite the seeming chaos in both the area of privacy law and cannabis law, states have delivered some innovative solutions in their role as “laboratories of democracy.”  The primary gaps in the current solutions are employee data minimization and cybersecurity requirements in the legal recreational cannabis industry.  As argued above, data privacy and security tools such as data minimization measures and cyber-security requirements can help address these problems.  In parallel, given the serious potential adverse consequences that legal adult use cannabis consumers and industry employees face in the event of an unwanted disclosure of their information, it is likely prudent to couple any privacy law actions with employment protections as well.

 

 

Sources

[1] States use a variety of terms to refer to legal nonmedical cannabis: “adult use marijuana,” “adult use cannabis,” “recreational marijuana,” “recreational cannabis”.  For the purposes of this paper, “adult use cannabis” and “recreational cannabis” will be used throughout interchangeably to refer to non-medical cannabis.

[2] See, e.g., Chris Hart & Jeremy Meisinger, Cannabis Data Privacy Issues to Watch in 2021, Bloomberg L. (Feb. 9, 2021, 4:00 AM), https://news.bloomberglaw.com/privacy-and-data-security/cannabis-data-privacy-issues-to-watch-in-2021; Brett Schuman et al., How Cannabis Companies Can Keep Up With Privacy Compliance, LAW360 (Mar. 16, 2023, 5:17 PM), https://www.law360.com/articles/1585934/how-cannabis-cos-can-keep-up-with-privacy-compliance. While the scope of this paper is limited to adult use cannabis only, it is worth noting that the data privacy and security concerns in the medical cannabis space generate equally interesting questions.  See, e.g., Benjamin West, The Grass Is Greener Somewhere: Protecting Privacy Rights of Medical Cannabis Patients in the Workplace, 95 Chi.-Kent L. Rev. 751, 755, 770–73 (2020) (arguing that states which legalize medical cannabis “should concurrently” pass legislation that protects the privacy rights of  “employees who are state-certified medical cannabis patients”); Kimberly A. Houser and Janine Hiller, Medical Marijuana Registries: A Painful Choice, 57 Am. Bus. L.J. 827, 843–48 (discussing the privacy issues implicated by state medical cannabis registries, including whether federal laws such as the Health Information Portability and Accountability Act (HIPAA)).

[3] See infra Section II.B.

[4] See infra Section II.A., C.

[5] See New State Ice Co. v. Lebmann, 285 U.S. 262, 311 (Brandeis, J., dissenting) (“It is one of the happy incidents of the federal system that a single courageous state may, if its citizens choose, serve as a laboratory; and try novel social and economic experiments without risk to the rest of the country.”).

[6] See, e.g., Alex Pearce, Time for A National Privacy Law? Fragmented Patchwork of State Laws Creates Compliance Issues, Del. Law., Spring 2020, at 6, 7 (“This increasingly fragmented patchwork of federal and state privacy laws imposes substantial burdens on businesses, especially small and mid-size organizations with limited resources available to understand and implement measures to comply with a diverse array of requirements. Its value to consumers is also questionable: their personal information is subject to a confusing and inconsistent set of rules that vary depending on where they reside, where a business is located, and the sector in which the business operates.”).

[7] See 21 U.S.C. § 802(16).

[8] Where Marijuana is Legal in the United States, MJBizDaily, https://mjbizdaily.com/map-of-us-marijuana-legalization-by-state/ (last updated Nov. 13, 2023).

[9] Projected US Cannabis Market Size, MJBizDaily, https://mjbizdaily.com/us-cannabis-sales-estimates/ (last updated Apr. 2023).

[10] Brue Barcott et al., Leafly Job Report 2022 2 (2022), https://leafly-cms-production.imgix.net/wp-content/uploads/2022/02/18122113/Leafly-JobsReport-2022-12.pdf; see also Legal Cannabis Industry is the Most Prolific Job Creator in America, businesswire (Feb. 23, 2022, 11:00 AM), https://www.businesswire.com/news/home/20220223005383/en/Legal-Cannabis-Industry-is-the-Most-Prolific-Job-Creator-in-America—Supporting-More-Than-428000-Jobs (stating that, “despite the ongoing economic and employment challenges presented by the Covid-19 pandemic,” the cannabis industry was the “most prolific job creator” in the U.S. in 2021, “with no other industry coming close”).

[11] See Where Marijuana is Legal in the United States, supra note 8.

[12] See Ted Van Green, Americans Overwhelmingly Say Marijuana Should Be Legal for Medical or Recreational Use, Pew Rsch. Ctr. (Nov. 22, 2022), https://www.pewresearch.org/short-reads/2022/11/22/americans-overwhelmingly-say-marijuana-should-be-legal-for-medical-or-recreational-use/ (stating that 59% of Americans favor legalization of both medical and recreational cannabis); see also Joan Oleck, The ‘Typical’ Cannabis Consumer? A New Report Dispels Stereotypes, Forbes (May 27, 2023, 9:57 AM), https://www.forbes.com/sites/joanoleck/2023/05/27/the-typical-cannabis-consumer-a-new-report-dispels-stereotypes (stating that 42% of U.S. adults used cannabis in 2023, 53% described their use as both medical and recreational, the majority of users were white women 35 or older).

[13] See infra Section II.A.i–ii.

[14] Id.

[15] Sophie Quinton, Workers Who Legally Use Cannabis Can Still Lose Their Jobs, Stateline (Feb. 28, 2022 12:00 AM), https://stateline.org/2022/02/28/workers-who-legally-use-cannabis-can-still-lose-their-jobs/.

[16] See, e.g., Ariz. Rev. Stat. § 36-2813 (LexisNexis 2014); Ariz. Const. amend. 98, § 3(f); Del. Code Ann. tit. 16, § 4905; D.C. Code § 32–951.02 (2022); 410 Ill. Comp. Stat. 130/40 (2019); Minn. Stat. § 152.32 (2023).

[17] California, Connecticut, Montana, Nevada, New York, and Rhode Island have enacted laws that protect nonmedical cannabis consumers from employment discrimination.  See Cal. Gov’t Code § 12954; Conn. Gen. Stat. § 21a-422p; Mont. Code Ann. § 39-2-313; Nev. Rev. Stat. § 613.132; N.J. Stat. Ann. § 24:6I-52a; N.Y. Lab. Law § 201-d; 21 R.I. Gen. Laws § 21-28.11-29.

[18] See Nev. Rev. Stat. § 613.132.

[19] See What Is a ‘Safety-Sensitive’ Job Under State Marijuana Laws?, SHRM (Oct. 5, 2021), https://www.shrm.org/in/topics-tools/employment-law-compliance/safety-sensitive-job-state-marijuana-laws. Even in states where the employee protection laws for legal recreational cannabis users do not carve out “safety-sensitive jobs” (such as New Jersey), individual municipalities may be able to further limit these provisions by their own decree. Compare N.J. Stat. Ann. § 24:6I-52a with Carla Baranauckas, NJ Pot Law Doesn’t Shield Cops’ Jobs, Jersey City Says, LAW360 (Oct. 17, 2023, 5:39 PM), https://www.law360.com/cannabis/articles/1733484/nj-pot-law-doesn-t-shield-cops-jobs-jersey-city-says.

[20] Cong. Rsch. Serv., The Federal Status of Marijuana and the Expanding Policy Gap with States 1 [Insert Date], https://crsreports.congress.gov/product/pdf/IF/IF12270 (“Marijuana use may subject an individual to a number of consequences under federal law . . .  [which] can include, but are not limited to, the inability to purchase and possess a firearm, [] being ineligible for federal housing, certain visas, and federal employment and military service.”).  While marijuana use remains prohibited for federal employees, the government has recently relaxed its policy about pre-employment cannabis use.  Ernesto Londoño, Needing Younger Workers, Federal Officials Relax Rules on Past Drug Use, N.Y. Times (Apr. 30, 2023), https://www.nytimes.com/2023/04/30/us/marijuana-drugs-federal-jobs.html.  In addition, federal legislation has been introduced to provide more employment protections for federal workers in this area.  See Cannabis Users’ Restoration of Eligibility (CURE) Act, H.R. 5527, 118th Cong. (2023) (preventing prior cannabis use from being grounds for denial of security clearance).  Further, in contrast to other federal agencies, Veteran Affairs will not deny an individual their veteran’s benefits due to marijuana use.  VA and Marijuana – What Veterans Need to Know, U.S. Dep’t of Veterans Affairs, https://www.publichealth.va.gov/marijuana.asp (last updated Aug. 1, 2023).

[21] Jeremy Berke, Cannabis Execs and Employees Are Struggling to Get Mortgages and Having Their Bank Accounts Canceled — Even Though the Industry is Legal in Many States, Bus. Insider (Jun. 6, 2022, 8:00 AM), https://www.businessinsider.com/cannabis-executives-and-employees-cant-get-mortgages-accounts-2022-6.  It is worth noting that marijuana businesses themselves also experience difficulties getting loans, owing to the barriers posed by federal banking regulations.  See Bea Sonnendecker, Opinion: Financing Challenges Continue to Plague Mainstream Cannabis Industry, MJBizDaily (May 26, 2022), https://mjbizdaily.com/opinion-financing-challenges-continue-to-plague-mainstream-cannabis-industry/.  A proposed federal law would reduce some of these financial barriers for the legal cannabis industry.  Dario Sabaghi, What Would The SAFER Banking Act Mean For The Marijuana Industry?, Forbes (Sept. 29, 2023, 6:00 AM), https://www.forbes.com/sites/dariosabaghi/2023/09/29/what-would-the-safer-banking-act-mean-for-the-marijuana-industry/?sh=4bad3eff338c; see also An Attorney’s Guide to the Cannabis Industry, Bloomberg L. (June 6, 2022), https://pro.bloomberglaw.com/brief/a-growing-industry-navigates-conflicting-state-and-federal-cannabis-laws/.

[22] Berke, supra note 21.

[23] Federal Housing Authority to Continue to Take Punitive Actions Against Marijuana Consumers, NORML (Nov. 11, 2021), https://norml.org/news/2021/11/11/federal-housing-authority-to-continue-to-take-punitive-actions-against-marijuana-consumers/; Andrea Steel & Lila Greiner, No Roof for Your Reefer! Medical Cannabis Tenants Need Patient Protections in Federally Assisted Housing, ABA, (May 11, 2022), https://www.americanbar.org/groups/tort_trial_insurance_practice/publications/tortsource/2022/spring/no-roof-your-reefer-medical-cannabis-tenants/.

[24] Johanna Catherine Maclean et al., Marijuana Legalization and Disability Claiming, 30 Health Econ. 453–69 (2020).

[25] Barry Sobel, When It Comes To Custody Issues, Smoking Pot Is Not Necessarily A Smoking Gun, JDSUPRA (Aug. 17, 2021), https://www.jdsupra.com/legalnews/when-it-comes-to-custody-issues-smoking-7284783/.

[26] Jill Applegate, Opinion, Their Pot Convictions Were Erased, But They Still Face Deportation, N.Y. Times (June 11, 2023), https://www.nytimes.com/2023/06/11/opinion/immigrants-deportation-marijuana.html. States where adult use cannabis is legal have issued guidance to this effect.  See, e.g., Not a U.S. Citizen? Don’t Use Marijuana, Immigrant L. Ctr. of Minn., https://www.ilcm.org/latest-news/not-a-u-s-citizen-dont-use-marijuana/.

[27] Kathy Brady et al., Immigrants and Marijuana 3 (2021), https://www.ilrc.org/sites/default/files/resources/immigrants_marijuana_may_2021_final.pdf.

[28] U.S. Citizenship & Immigr. Srvs., Policy Alert on Controlled Substance-Related Activity and Good Moral Character Determinations (Apr. 19, 2019), https://www.uscis.gov/sites/default/files/document/policy-manual-updates/20190419-ControlledSubstanceViolations.pdf.

[29] Michelle A. Kain, The Impact of Marijuana Decriminalization on Legal Permanent Residents: Why Legalizing Marijuana at the Federal Level Should be a High Priority, 62 B.C. L. Rev. 2057, 2084 (2021).

[30] Here, “voluntary” is meant to encompass all situations where an individual knowingly makes the disclosure, which may include situations where the disclosure is unwanted but the individual nonetheless discloses—such as complying with employer-mandated drug test or submitting pay stubs required as part of a property rental application.

[31] See, e.g., Chris Roberts, Why Legal Cannabis Can Still Get You Fired, LEAFLY (Aug. 28, 2018), https://www.leafly.com/news/politics/labor-day-blues-why-legal-cannabis-can-still-get-you-fired (detailing the results of one survey that found 30% of a group of California cannabis consumers had “been either been denied employment or terminated because they tested positive for medical cannabis”).

[32] See, e.g., infra note 39.

[33] See, e.g., 935 CMR 500.140(2)(c) (“[A] [Massachusetts] Marijuana Retailer may not acquire or record Consumer personal information other than information typically required in a retail transaction, which can include information to determine the Consumer’s age . . . [or] retain any additional personal information from Consumer without the Consumer’s voluntary written permission.”).

[34] See, e.g., 410 Ill. Comp. Stat. 705/15-30 (2022) (requiring Illinois dispensary employees to share information regarding their completion of a cannabis workplace safety program with a state-approved third party); see also Kimberly A. Houser & Janine Hiller, Medical Marijuana Registries: A Painful Choice?, 57 Am. Bus. L.J. 827, 836–38 (2020) (discussing an example of required data collection in the medical cannabis context—registries).

[35] See, e.g., 935 CMR 500.820(2)(a), (e) (carving out an exception to the prohibition on sharing “personal data” for the purposes of complying with a state or federal law, or to “other government officials and agencies acting within their lawful jurisdiction”).

[36] See, e.g., David Hodes, How to Capitalize on Consumer Data to Personalize Marijuana Marketing, MJBizDaily (June 13, 2023), https://mjbizdaily.com/how-to-capitalize-on-consumer-data-to-personalize-cannabis-marketing/.

[37] Id. While this example implicates a Canadian cannabis company, the results are instructive for the U.S. because certain technical solutions are used across borders.

[38] Id.

[39] Margaret Jackson, Cannabis Companies Considered Ripe Targets for Ransomware Attacks, MJBizDaily (Mar. 16, 2022), https://mjbizdaily.com/cannabis-companies-considered-ripe-targets-for-ransomware-attacks/.

[40] Matthew R. Kittay, Data Breach Exposes Cannabis Industry Security Vulnerabilities, Fox Rothshchild (Feb. 25, 2020), https://www.foxrothschild.com/publications/data-breach-exposes-cannabis-industry-security-vulnerabilities.

[41] Id.

[42] See, e.g., Solomon Israel, Aurora Cannabis Breach Exposes Personal Data of Former, Current Workers, MJBizDaily (Jan. 4, 2021), https://mjbizdaily.com/aurora-cannabis-breach-exposes-personal-data-of-former-current-employees/.

[43] See, e.g., Tori Bedfordf, Cannabis Regulators Putting Out ‘A Series of Fires’ Involving a Russian Oligarch and Data Breach, GBH (Mar. 22, 2023), https://www.wgbh.org/news/local/2023-03-22/cannabis-regulators-putting-out-a-series-of-fires-involving-a-russian-oligarch-and-data-breach.

[44] See, e.g., 935 CMR 500.030(1)-(2) (requiring Massachusetts cannabis businesses to submit an application for registration for all their employees which includes name, date of birth, and address).

[45] See, e.g., 935 CMR 500.105(9)(e) (requiring Massachusetts cannabis business to maintain business records which include sales).

[46] See, e.g., DCC Privacy Policy, Dep’t of Cannabis Control Cal. (June 14, 2023), https://cannabis.ca.gov/dcc-privacy-policy/ (“The [Department of Cannabis Control of California] does not distribute or sell any electronically collected personal information about users to any third party without prior written permission from the user.”).

[47] See, e.g., 935 CMR 500.820(3) (“Nothing in [the regulations governing confidentiality] shall prevent the Commission from acting in accordance with its authority.”).

[48] See Thorin Klosowski, The State of Consumer Data Privacy Laws in the US (And Why It Matters), N.Y. Times (Sept. 6, 2021), https://www.nytimes.com/wirecutter/blog/state-of-privacy-laws-in-us/.

[49] Which States Have Consumer Data Privacy Laws?, Bloomberg L. (Nov. 27, 2023), https://pro.bloomberglaw.com/brief/state-privacy-legislation-tracker/.

[50] Kris Janisch, Marijuana Laws by State: Employee Protections, GovDocs (Aug. 2, 2023), https://www.govdocs.com/marijuana-laws-by-state-employee-protections/; See also Celine Chan, Six State Bans on Discrimination Against Recreational Marijuana Users May Impact Employer Drug Testing Programs, Weil (Oct. 4, 2022), https://www.weil.com/articles/bans-on-discrimination-against-recreational-marijuana-users-may-impact-employer-drug-testing.

[51] See discussion infra Sections II.C.i–iii.

[52] See Anne Godlasky, Data Privacy Act Has Bipartisan Support. But …, Nat’l Press Found. (Dec. 28, 2022), https://nationalpress.org/topic/data-privacy-act-adppa-us-lacks-law-eu-standard/ (“The American Data Privacy Protection Act (ADPPA) has bipartisan support and is the closest the U.S. has come to passing a comprehensive consumer data privacy law. But it hasn’t passed.”).

[53] California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100 to 1798.199.100.

[54] See id. §§ 1798.100(a)-(f), 140(d).

[55] See id.

[56] Id.

[57] Id.

[58] Id.

[59] See 410 Ill. Comp. Stat. 705/10-20, 55-30 (2022).

[60] Ill. H.R. Tran. 2019 Reg. Sess. No. 62.

[61] 410 Ill. Comp. Stat. 705/10-20(a).

[62]  Id. at 705/55-30(a).

[63] Alex Malyshev & Sarah Ganley, Emerging Trends in Cannabis Litigation: 2023 Update, Reuters (May 9, 2023 1:00 PM), https://www.reuters.com/legal/litigation/emerging-trends-cannabis-litigation-2023-update-2023-05-09/.  Ironically, the impacted company in this case, Aurora Cannabis, is the same company that has developed a cannabis-tracking app that is collecting, storing, and using consumers’ demographic data. See Jackson, supra note 39.

[64] See Cannabis and Cannabis-Derived Compounds: Quality Considerations for Clinical Research Guidance for Industry, U.S. Food & Drug Admin. (Jan. 2023), https://www.fda.gov/regulatory-information/search-fda-guidance-documents/cannabis-and-cannabis-derived-compounds-quality-considerations-clinical-research-guidance-industry.

[65] Patricia Brum, TCPA Multi-Million Dollar Class Action Suits Continue to Batter the Cannabis Industry,  JDSUPRA (Jan. 25, 2021), https://www.jdsupra.com/legalnews/tcpa-multi-million-dollar-class-action-2324843/.

[66] FTC Sends Warning Letters to Companies Advertising Their CBD-Infused Products as Treatments for Serious Diseases, Including Cancer, Alzheimer’s, and Multiple Sclerosis, Fed. Trade Comm’n (Sept. 10, 2019), https://www.ftc.gov/news-events/news/press-releases/2019/09/ftc-sends-warning-letters-companies-advertising-their-cbd-infused-products-treatments-serious.

[67] Bella Caracta, Nebraska Files Consumer Protection Lawsuits Over Delta 8 Products, 6 News WOWT (Oct. 25, 2023, 5:27 PM), https://www.wowt.com/2023/10/25/nebraska-files-consumer-protection-lawsuits-over-delta-8-products/.

[68] See generally Michael Walsh, Emerging Threats: A Primer on Unfair and Deceptive Trade Practices in Data Breaches, 27 U.S.F. Intell. Prop. & Tech. L.J. 173 (2023); Prentiss Cox et al., Strategies on Public UDAP Enforcement, 55 Harv. J. on Legis. 37 (2018).

[69] U.S. Dep’t of Health, Educ. & Welfare, Records, Computers and the Rights of Citizens (1973).

[70] The Fair Information Practice Principles (FIPPS), U.S. Dep’t of Housing & Urban Dev., https://www.hud.gov/program_offices/officeofadministration/privacy_act/documents/privprin (last visited 12/11/23).

[71] See supra Section II.B.

[72] U.S. Dep’t of Housing & Urban Dev., supra note 71.

[73] Id.

[74] Id.

[75] 410 Ill. Comp. Stat. 705/55-30(a) (2022).

[76] Id. at 55-30(b).

[77] Forms for Dispensaries and Agents / 15-36 Application Packet, IDFPR, https://idfpr.illinois.gov/profs/adultusecan/forms-for-dispensaries-and-agents-15-36-application-packet.html (last visited Dec. 11, 2023).

[78] See supra Section II.C.

[79] Chan, supra note 48.

[80] Joy C. Rosenquist et al., California Laws Come into Effect Regarding Off-Duty Marijuana Use, Littler (Oct. 27, 2023), https://www.littler.com/publication-press/publication/california-laws-come-effect-regarding-duty-marijuana-use.