An important component of ensuring your cannabis business or cannabis-related business is compliant with the California Consumer Protection Act (CCPA), which will be enforced starting on July 1, 2020, is updating and publishing compliant privacy notices.
All businesses should review their privacy policies on an annual basis. However, to comply with the privacy notice requirements of the CCPA, businesses must review their privacy notices within a 12-month period to ensure the following things are fully disclosed to consumers in a conspicuous and easily accessible way before or after any information is collected:
- Why personal information is being collected or sold
- Specific pieces of personal information collected
- Categories of personal information being collected
- Categories of the sources where data was collected
- Categories of third parties that personal information is shared with
- Categories of personal information that is disclosed for a business purpose
- List of categories of personal information disclosed for business purposes in the preceding 12 months and whether or not the information was actually disclosed
- Categories of personal information being sold
- Categories of third parties that personal information is sold to by category (or categories) of personal information (see #1 above) for every third party that information is sold to
- List of categories of personal information sold in the preceding 12 months and whether or not the information was actually sold
- Description of the rights consumers have regarding their personal information
In addition, businesses must update their privacy notices whenever there is a change to how consumers’ personal information is collected and why the information is collected.
Sale vs. Disclosure in a CCPA Compliant Privacy Notice
One of the most frequently asked questions that businesses have related to creating and publishing their privacy notice to be CCPA-compliant is what differentiates a sale of personal information from a disclosure for business purposes (per # 6 and #7 in the list above).
Broadly speaking, the CCPA defines the act of selling data for a business that is covered by the law as communicating or transferring consumers’ personal information to a third party “for monetary or other valuable consideration.”
On the other hand, disclosing information for a business purpose could include a number of different activities based on how the law is written. It could include disclosing personal information for certain auditing, to detect or prevent security incidents, or so a third party can provide a service to the business such as customer service, payment processing, fulfilling orders, advertising, marketing, and finance.
A business purpose also includes disclosing personal information for internal research, to develop or demonstrate technology, to verify or maintain quality or safety, or to improve or upgrade a service or device that is either manufactured or controlled by or for the business.
Keep in mind, there are many business purposes defined within the CCPA, so it’s important to review the law and make sure you understand how it impacts your business. Among the things businesses should do to comply with the CCPA is hiring key employees to help you get compliant and stay that way.
Key Takeaways about Writing a CCPA Compliant Privacy Notice
As part of your cannabis or cannabis-related business’ CCPA compliance efforts, you need to make sure you have the right privacy notice available to consumers when and where they should see it. If you haven’t reviewed yours yet, you should do so as soon as possible so your business is compliant before enforcement of the CCPA begins in July.
While California was the first state to approve strict privacy laws related to consumers’ personal information, other states are reviewing their privacy laws and are likely to follow California in enacting legislation that gives consumers more control over how their personal information is used by businesses.
RELATED: Is Your CRM and Email Marketing Compliant with CCPA? Learn more here.
Susan Gunelius, Lead Analyst for Cannabiz Media and author of Marijuana Licensing Reference Guide: 2017 Edition, is also President & CEO of KeySplash Creative, Inc., a marketing communications company offering, copywriting, content marketing, email marketing, social media marketing, and strategic branding services. She spent the first half of her 25-year career directing marketing programs for AT&T and HSBC. Today, her clients include household brands like Citigroup, Cox Communications, Intuit, and more as well as small businesses around the world. Susan has written 11 marketing-related books, including the highly popular Content Marketing for Dummies, 30-Minute Social Media Marketing, Kick-ass Copywriting in 10 Easy Steps, The Ultimate Guide to Email Marketing, and she is a popular marketing and branding keynote speaker. She is also a Certified Career Coach and Founder and Editor in Chief of Women on Business, an award-winning blog for business women. Susan holds a B.S. in marketing and an M.B.A in management and strategy.