Are California Dispensaries required to store customer information?

November 12, 2024 Caleb Chen Department of Cannabis Control

California dispensary goers have privacy rights that are being trampled all over by cannabis tech companies. On January 1st, 2020, the California Consumer Privacy Act (CCPA) came into effect and gave California consumers some rights:

- The right to know about the personal information a business collects about them and how it is used and shared;
- The right to delete personal information collected from them (with some exceptions);
- The right to opt-out of the sale or sharing of their personal information; and
- The right to non-discrimination for exercising their CCPA rights.

In Janaury 1st of 2023, those rights expanded to include two more rights:

The right to correct inaccurate personal information that a business has about them; and
The right to limit the use and disclosure of sensitive personal information collected about them.

Despite these rules, going to a cannabis dispensary in California and asking to know what information is stored, how it is shared, and whether you can enter without having an ID number retained… is an interesting experience.

I’d like to know why you need my ID number

Specifically, I’ve asked many whether drivers license numbers and passport numbers are stored, and why. Given the width and breadth of answers I received, I realized that I’d have to seek clarification from the DCC before continuing conversations with dispensaries, and relevant cannabis tech companies.

Most affected cannabis tech companies that operate in multiple states, such as Treez and FlowHub, allow dispensaries to do everything they need to do without storing sensitive customer information such as ID numbers. These options are available to clients and turned on or off depending on what jurisdiction the client is in. Oregon as an example, has strong privacy protections for visitors to marijuana retailers. The CCPA is called on to highlight that those same privacy protections exist in California. While individual dispensaries may not meet the requirements to have the CCPA applied to them, the companies running POS systems around the state and country most certainly are.

There’s a green rush for cannabis consumer information, and as a cannabis consumer, it’s time to fight back.

The Department of Cannabis Control “does not have requirements related to storing customer information”

I asked about the widespread phenomenon of dispensaries, or the POS systems or marketplace systems that they use, storing customer information. Hafner commented:

“While DCC regulations require retailers to verify customers’ ages and purchases, DCC does not have requirements related to storing customer information.”

One thing I’ve often heard from dispensaries is that they need to scan my driver’s license because there is an online check to see if my ID is fake. While this is a service offered by some services – most dispensaries aren’t paying for it. DCC Media Manager David Hafner confirmed that the DCC does not require license holders to validate identification against a centralized database:

“While the Department of Cannabis Control’s (DCC) regulations state what forms of identification are acceptable, the exact method of inspection the retailer uses to confirm identity, age, and validity of the identification provided is within the retailer’s discretion so long as the method is reasonable and in good faith to ensure sale of adult-use cannabis goods only to individuals who are at least 21 years of age or sell medicinal cannabis goods only to individuals who are at least 18 years of age and possess a valid physician’s recommendation.”

All relevant regulations can be found on the DCC’s website.

I’ll leave y’all with this thought: It sure seems to me that some tech companies with cannabis dispensary clients have been playing fast and loose with their sales pitches and telling clients that they have data retention requirements that actually run counter to their (both the dispensary, and the tech company’s) California Consumer Privacy Act requirements.

Why does this matter?

One dispensary employee told me that citizenship seekers have been denied their applications because of discovered cannabis use and that in California, dispensary held customer records legally must be handed over to Immigration and Customs Enforcement. While I couldn’t find any reported instances of this having happened, there is advice from the UC Davis Immigrant Legal Services Center as well as the Immigrant Legal Resource Center which simply advise non-citizens to stay away from cannabis and cannabis dispensaries – or if they can’t because of medical reasons, to seek legal counsel.

There are of course many legit reasons for a dispensary to want to have contact information for customers on hand. Marketing purposes sure, but also to be able to reach out in case some products are recalled. Additionally, dispensaries need to store all transaction data for their own records, but the customer information is just used to make sure that the store doesn’t sell anyone more than their daily limit.

It’s entirely possible for dispensaries to maintain their reporting requirements, while not storing any personally identifiable information about customers which could harm the patient should their records fall in the wrong hands. Dispensaries can secure their customer records, but the best thing they can do is utilize differentiating but not uniquely identifiable bits of information – or allowing name changes as required by the CCPA. Specifically, there’s no reason why dispensaries need to collect drivers license numbers or passport numbers – and in fact quite a few reasons why they shouldn’t. The trend to force this collection with an ID scan is against the spirit of the CCPA, and DCC regulations for that matter.