The California Consumer Privacy Act (CCPA) gives consumers who reside in California significantly more control over how companies use their personal information. As a result, all companies need to review their data, systems, and processes to ensure they’re in full compliance with the new laws.
For some companies, this could be a very big task, but the risks of noncompliance in terms of lawsuits and monetary penalties are just too big to ignore.
Every company, including cannabis businesses, should review and revamp their policies and procedures. Following are 10 actions cannabis businesses need to take in order to be compliant with CCPA now and in the future.
1. Define a CCPA Compliance Budget
Your cannabis business’ CCPA compliance budget depends on a number of factors. Importantly, you need to consider hiring new employees to manage compliance today and on an ongoing basis. In addition, you’ll need to train employees to follow new workflows in an effort to meet the requirements of the CCPA.
While the bulk of your budget will be used in the short-term to bring your company into compliance with the new regulations, you’ll also need to invest in ongoing compliance monitoring. The CCPA is likely to evolve, and other states are already ramping up efforts to pass more stringent privacy laws.
2. Hire Key Employees
If your business doesn’t already have a compliance expert on staff, now is the time to hire one. Furthermore, you’ll need experienced security staff to implement the necessary changes to your company’s website, systems, and so on.
The key is to have one person who is held accountable for leading compliance efforts in your company, and that includes CCPA compliance. Typically, this person would be at the executive level and may have a manager and other professionals on staff (or available as consultants) to assist them. Depending on the size of your business, compliance could require an entire team of people.
3. Develop Data Mapping and Retention Processes
Data governance is an important part of your cannabis business’ CCPA compliance. You must have processes in place to identify how personal information is collected, how it’s categorized, how it’s stored, where it’s stored, how it’s protected, and how your business prevents illegal sharing, sale, or distribution of that data.
The CCPA includes a provision that says companies must be able to provide consumers who request their personal information with the prior 12 months of data. If your business doesn’t have a process in place to identify and map personal information to its sources, responding to these requests could be extremely time-consuming, if not impossible. In fact, if your processes are inadequate, your cannabis business could end up facing lawsuits and penalties.
4. Develop a Consumer Request Response System
The CCPA gives companies 45 days to respond to consumers’ requests for the personal information collected about them. If your company doesn’t have a response system in place and can’t produce the requested information (which must include 12 months of information), then you may not be able to respond adequately within that timeframe. Again, your business could face costly lawsuits and penalties as a result.
It’s essential that your business develops a consumer request response system, and as much of that system should be automated as possible. Imagine if you get 10 or 100 requests within a month. If systems aren’t automated, your business may not be able to respond to all of those requests in time and could get into a lot of trouble – legally and financially.
5. Create a Consumer Opt-Out System
Under the CCPA, California consumers have the right to opt out of third-party trackers and advertising technologies. As such, you need to fully understand all technology used on your website, mobile applications, and so on.
You also need to create a consumer opt-out system so consumers can opt out of tracking at any time. Like your consumer request response system (see #4 above), your consumer opt-out system should be automated to the extent possible. While this will include a higher cost today for development and implementation, you’ll save even more time and money later if you automate the system now.
6. Update Privacy Policies
Your cannabis business’ privacy policies need to be updated in order to comply with the CCPA. Keep in mind, updating privacy policies refers to updating both internal and external privacy policies and notices.
7. Develop Legal and Regulator Response Workflows
How will your company respond if a regulator requests information about your CCPA compliance processes? What if a consumer files a civil action against your cannabis business related to their personal information under the CCPA? Both could happen at some point in time, so you need workflows in place to streamline the response process, including automating systems to the extent possible.
Your cannabis business’ compliance leader (see #2 above) should oversee the response process, but all employees who have a role in collecting and providing the requested data need to understand what is expected of them. These workflows should include specific responsibilities and timelines.
8. Define Policies and Train Employees
Every cannabis business employee should be trained on the CCPA and understand its importance. They should fully understand their responsibilities and be trained on the workflows they’ll be expected to carry out in response to information requests from consumers, regulators, and court actions.
CCPA and privacy compliance training isn’t a one-time thing. As laws evolve and more states enact new privacy regulations, updated training will be required on an ongoing basis to ensure your cannabis business remains fully compliant at all times.
9. Review Third-Party Data and Service Providers for Compliance
If your company relies on service providers or third parties to provide, store, manage, or otherwise collect, share, sell, or distribute data with or on behalf of your business, then you need to review their CCPA compliance. In addition, contracts should be updated to address changes needed based on the CCPA regulations.
It’s imperative that your cannabis business audits service providers and third parties on an ongoing basis to ensure they continue to comply with the CCPA and all other federal and state privacy laws. This is a critical step that will reduce your company’s risk over the long-term.
10. Monitor California and Other States’ Privacy Laws
Not only will the CCPA continue to evolve, but other states are modifying privacy laws to put consumers in control of how their personal information is used by companies. Again, you need the right compliance leader and team in place to continually monitor these laws, so your cannabis business can take action as required.
Key Takeaways about CCPA Compliance
Cannabis businesses need to take action now to ensure they’re fully compliant with the CCPA and to reduce risks associated with noncompliance in the future. These 10 steps should help you get started. The key is to begin working on your company’s compliance strategy and implementation as soon as possible because enforcement of the CCPA begins on July 1, 2020.
Businesses that rely on the Cannabiz Media License Database to generate leads and grow can rest assured it’s already fully compliant with the CCPA. You can follow the link to learn more about how to ensure your email marketing and CRM comply with CCPA.
Susan Gunelius, Lead Analyst for Cannabiz Media and author of Marijuana Licensing Reference Guide: 2017 Edition, is also President & CEO of KeySplash Creative, Inc., a marketing communications company offering copywriting, content marketing, email marketing, social media marketing, and strategic branding services. She spent the first half of her 25-year career directing marketing programs for AT&T and HSBC. Today, her clients include household brands like Citigroup, Cox Communications, Intuit, and more as well as small businesses around the world. Susan has written 11 marketing-related books, including the highly popular Content Marketing for Dummies, 30-Minute Social Media Marketing, Kick-ass Copywriting in 10 Easy Steps, and The Ultimate Guide to Email Marketing, and she is a popular marketing and branding keynote speaker. She is also a Certified Career Coach and Founder and Editor in Chief of Women on Business, an award-winning blog for business women. Susan holds a B.S. in marketing and an M.B.A. in management and strategy.