What All Cannabis Businesses Need to Know About Protecting Customer Information

There’s no denying that the cannabis industry is booming, and over the next few years, it’s expected to continue growing at a rapid rate. However, most states are starting to increase their expectations and oversight of cannabis businesses – aiming to ensure consistency in terms of the end product and the operations leading up to its development and sale. For existing cannabis businesses, it’s challenging to keep up with increasingly stringent regulations and laws. Unfortunately, even after you’ve obtained your license, record-keeping and reporting need to continue in order to ensure compliance throughout all day-to-day operations.

Protecting Customer Information According to Regulations Must Be Treated as an Ongoing Project to Maintain Your License…

It’s not enough to follow all of the rules until you’ve obtained your license. Regulatory compliance needs to be treated as an ongoing project to maintain your license. So what do you need to know about regulatory compliance to avoid potential fines resulting from an audit? Here are two of the main laws you should be aware of when it comes to protecting customer information:

California AB-2402 Cannabis: Personal Information

On September 20, 2018, AB-2402 was signed into law to ensure cannabis licensees protect the personal information of their customers. This law states that all cannabis licensees must:

  • Avoid disclosing a consumer’s personal information to third parties, except where the disclosure relates to payment, facilitates the official duties of the city/county/state, or the consumer has consented to have their information shared.
  • Avoid refusing service to consumers who have not given their consent to have their information shared.

Personal information refers to an individual’s first name or initial and last name in combination with one or more of the following:

  • Driver’s license number
  • California identification card number
  • Social security number
  • Account number/credit or debit card number with password/code
  • Medical information
  • Health insurance information

Under this law, marijuana identification cards are categorized as “medical information”, meaning they fall under the CMIA (California’s Confidentiality of Medical Information Act). Licensees who receive marijuana identification cards are considered “providers of healthcare” for the purpose of complying with the CMIA, meaning penalties for improper use and disclosure of medical information may be imposed.

Payment Card Industry Data Security Standard (PCI DSS)

PCI DSS is an information security standard that applies to all organizations that handle branded credit cards. The standard was created to help reduce the risk of credit card fraud, and its requirements are organized into six groups. The six groups are as follows:

  • Protect cardholder data
  • Implement strong access control measures
  • Regularly monitor and test networks
  • Maintain an information security policy
  • Build and maintain a secure network and systems
  • Maintain a vulnerability management program

Complying with regulations relating to data security requires an experienced technology partner that knows and understands the cannabis industry. It’s vital to have enterprise-grade security measures above and beyond cameras to monitor your location. You need intrusion detection software, encryption, web content filtering, and more to keep the private information of your customers safe.

Veo Verde is your go-to team of cannabis information technology experts. Call (831) 272-0669 to get started with us.
