California Weed Dispensaries Can Legally Sell Customer Information to Data Brokers

In the days before the marijuana legalization movement, the relationship between a pot dealer and their customers was a sacred one. Both were at risk of running afoul of the law, so it was important to be discreet about each other’s information. Fake names were used, secret meetings were arranged, and the product itself was referred to by all sorts of codes, as if the cops wouldn’t be able to figure out what you were up to when you texted your “friend” for an eighth of “burritos” at 1 AM on a Tuesday.

In states with legal weed things are a bit different today. Every gram of legal weed is tracked using sophisticated surveillance networks and many dispensaries keep meticulous records of their customers’ information, including their phone number and address, even if they aren’t required to by law. Privacy groups like the Electronic Frontier Foundation are concerned this customer data may be sold to third-party data brokers or handed over to federal law enforcement officers.

Some states with legal pot, such as Oregon and Alaska, have explicitly prohibited the collection and sale of cannabis customer data. But until recently the privacy implications of legal pot have mostly gone unchecked in California, which is expected to become home to the largest marijuana industry in the United States.

In February, California Assembly member Evan Low introduced Assembly Bill 2402 as the latest proposed legislation in the US specifically designed to protect the privacy of recreational cannabis users. The bill would prohibit dispensaries from selling this information to data brokers—companies which generally use customer data for targeted advertising—without the customer’s consent. It would also prohibit dispensaries from denying their services to customers who choose not to provide their data to third parties.

“At best, this information can be used to target consumers with unwanted marketing materials,” reads a recent EFF letter in support of AB 2402. “At worst this information could be used to discriminate against lawful cannabis consumers in housing, hiring, credit, and benefits. This information would also more easily make its way into the hands of federal drug enforcement investigators.”

There is some precedence for cannabis consumer privacy laws in other states where weed is legal. In April 2017, Oregon passed a law that prohibited dispensaries from sharing or storing information about their customers’ identities or their purchase history. This law was similar to laws in Alaska and Colorado and was a reaction to US Attorney General Jeff Sessions’ promise to crackdown on legal pot.

California medicinal marijuana patients’ data already comes with some protections against these violations. For example, cops and employers can’t look up cannabis patients in the registry, thus protecting medical patients from discrimination. If passed by the California Senate, Low’s bill would extend these protections by turning medical marijuana cards into “medical information,” which comes with even more stringent privacy protections under the Health Insurance Portability and Accountability Act.

In May, the bill was overwhelmingly approved in the California Assembly 61-5, and is now awaiting a vote in the California Senate.

“California voters passed Proposition 64 because they wanted to legalize recreational marijuana, not because they wanted their consumer data exposed to their employers, family members, or others,” Low told me in an email. “Good actors should be happy to comply with this bill, but as this new industry grows, more nefarious businesses will enter the market with no hesitation about profiting off the exploitation of consumer privacy.”

Selling customer information to data brokers is a huge industry, but there’s little data available on how much information is currently being bought and sold when it comes to cannabis consumers. Both Politifact and the Fresno Bee conducted surveys of California dispensaries and found that all of the contacted dispensaries kept customer profiles, even though this isn’t required by Proposition 64, which legalized pot in the state.

“When asked why customer profiles were created, several dispensary workers incorrectly stated the information was required under Proposition 64,” the Fresno Bee reported. “Others cited it as a customer convenience.”

EFF supported California’s bid for more explicit privacy laws around cannabis consumption on the grounds that privacy concerns could be exacerbated when cannabis sales are taken online, which allows for even more fine-grained profiling of customers.

This law would nip the practice in the bud, so to speak, and stop the collection of cannabis customer data online before it starts.