GC’s Corner: The Cannabis Industry Has Potentially Explosive Growth – And a Unique Set of Data Privacy and Data Protection Concerns (Part I)
Jerry F. Barbanel, Esq., CPA, CIPP/US/E/A/C, CIPM, FIP
Fellow of Information Privacy (FIP), Data Privacy, Data Protection, Data Governance, National Security, Legal, Investigations, Compliance, Ethics, Risk Mitigation, eDiscovery, Expert
There have been numerous reports stating that the legal global cannabis market is expected to exceed 140 billion U.S. dollars within the next 5 years, which some believe is a gross underestimation of the potential size of this global market. Equally impressive is that the compound annual growth rate (“CAGR”) of the global cannabis market is forecast to be in the strong double digits every year for the next 5 years, with numerous sources reporting projected year-over-year growth well in excess of 20%.
It is important to note that these figures represent only the legal cannabis market and do not factor in the illegal black market, which has existed for decades and to this day still dominates the overall cannabis marketplace by an exponential figure. Prior to delving into the unique data privacy and data protection risks and concerns that the cannabis industry faces, it is important to first demystify what “cannabis” actually is. This in turn will help explain why there is such a large potential global marketplace for it – and why some of the largest multinational corporations will likely be either actively engaged in it and/or tangentially connected to it in some form or another.
Demystifying the Big Three of Cannabis - Hemp, CBD and THC
The Farm Bill of 2018, which was passed by Congress on December 12, 2018 and signed into law by the President on December 20, 2018, legalized hemp throughout the entire United States. Hemp is itself a strain of the Cannabis Sativa plant. With the passage of The Farm Bill of 2018, hemp is now treated as an agricultural product in the United States. Hemp is rich in the cannabinoid cannabidiol (“CBD”) and is legal, so long as the plant contains .03% or less of the other well-known cannabinoid tetrahydrocannabinol (“THC”).
Hemp was introduced into American society centuries ago by some of our nation’s founding fathers. A few interesting factoids are that President George Washington grew hemp and President Thomas Jefferson used hemp paper for both the Declaration of Independence and the U.S. Constitution. Hemp has thousands of uses, from industrial to consumer products, to CBD byproducts.
Marijuana is itself a strain of the Cannabis plant and contains the cannabinoids THC and CBD. Currently, marijuana (commonly referred to as cannabis) is listed on Schedule I of the Controlled Substances Act, which includes some of the other more well-known controlled substances such as heroin, LSD, mescaline (or “peyote”), methylenedioxymethamphetamine (or “ecstasy”) and methaqualone (or “Quaaludes”). The primary reason marijuana was placed on Schedule I of the Controlled Substances Act is because of the cannabinoid THC.
THC is the primary psychoactive constituent in cannabis, whereas the cannabinoid CBD, in which hemp is rich, has become increasingly popular in all 50 States in the U.S., as it has been found to have beneficial effects for such things as decreasing inflammation, reducing stress, improving sleep quality, as well as having an ameliorative effect with respect to chronic pain.
Current Legal Market for Marijuana in the U.S.
In advance of discussing the data privacy and data protection risks that exist for the legal market for marijuana, we will first provide an overview of the status quo in this nation. As the U.S. represents the largest single marketplace for marijuana use in the world, we will start with the current demographic landscape and then examine the law.
There are two broad categories for legalized marijuana in the U.S., which are (1) marijuana that is used for medical purposes, and (2) marijuana that is used for adult recreational purposes. Currently, there are 33 States and the District of Columbia that have legalized marijuana for medical purposes, whereas there are only 11 States and the District of Columbia that have legalized marijuana for recreational adult use.
As marijuana is listed on Schedule I of the Controlled Substances Act, it is illegal to transport legal marijuana across any state line in the United States. This rule applies even if two states, where marijuana is fully legalized in both states, share a common border. As an example, even though marijuana is fully legalized in both California and Nevada, it is against the law to drive or mail the legalized marijuana between those two states. The number of laws, regulations and rules that exist in the cannabis space makes it a highly regulated and compliance-intensive industry.
However, the probability that marijuana will become legalized on the federal level has been gaining steam in recent years. Towards the end of 2018, there was a Gallup poll that reflected that 66% of Americans polled from a diverse demographic population approved the full legalization of marijuana in the United States.
The political climate in the U.S. is also pointing to a likelihood that marijuana will become legalized at the federal level at some point in time in the coming years. It is therefore not surprising that there has been increased bi-partisan support in Congress to decriminalize marijuana at the federal level. Even the former powerful Republican Speaker of the House John Boehner, who was previously opposed to legalization, had a change of opinion after speaking to veterans that use marijuana to help treat post-traumatic stress disorder and other medical issues. Former Speaker Boehner not only has now come out in favor of it, but he has joined the board of one of the largest cannabis companies in the market.
In July 2019, Congressman Jerrold Nadler (D-NY), Chairman of the House Judiciary Committee, put forth a bill to legalize marijuana on the federal level, called the MORE Act of 2019 (Marijuana Opportunity Reinvestment and Expungement Act). In addition, Senator Kamala Harris (D-CA) filed a companion version of Congressman Nadler’s Act in the Senate.
The Tide Has Even Shifted with Major Corporations
When a major corporation, such as Microsoft, rolled out a software package in 2016 that was customized for the cannabis industry, others took notice. Then, in 2018, some of the world’s largest retailers, Walmart, Amazon and Home Depot, signed up to sell products that are commonly used in the cultivation process for growing cannabis.
There are a number of large industries that are natural, complementary businesses for the cannabis market and the Big 3 of cannabis (hemp, CBD and THC). Thus, as Canada passed full legalization of recreational and medical cannabis for their nation in 2018, it was logical that in the same year there were a number of notable cannabis developments in the corporate world.
Some of the most noteworthy corporate activity included, but was not limited to: (1) Constellation Brands invested $4 billion in Canopy Growth, (2) Altria invested $1.8 billion in Cronos Corp., and (3) Molson Coors Canada teamed up with Canadian cannabis producer, The Hydropothecary Corporation. Then, in 2019 BlackRock became the largest institutional investor in Curaleaf Holdings, which operates dozens of cannabis dispensaries in a number of states located in the United States.
California Has the Largest Cannabis Market in the U.S. – It Also Has One of the Most Powerful Data Privacy and Data Protection Laws in the Nation
For decades, California has been the source where a disproportionate supply of the nation’s black market marijuana came from. Even today, as California is cracking down on its own black market for marijuana, the state has become the largest single market for legal marijuana in the United States. Of note, California was the first state in the nation to legalize medical marijuana in 1996, and in 2016 it also legalized recreational marijuana for adult use.
With almost 40 million residents, California has more than 12% of the nation’s population, and is a thriving market for legal cannabis. The year-round climate in California has made it an ideal location to grow marijuana both outdoors and indoors (in all enclosed facilities, as well as in greenhouses).
However, as the legal market for marijuana in California has begun to take off, the regulatory, legal and compliance landscape in that state is being carefully watched by the global cannabis marketplace, given the sheer importance of California to the cannabis industry as a whole. Of import, as of January 1, 2020, compliance with the California Consumer Privacy Act (“CCPA”) became effective. Therefore, all cannabis entities that are covered by the CCPA are legally mandated to be fully compliant with the law and all of the amendments to the CCPA, which were signed by California Governor Gavin Newsom on October 11, 2019.
Cannabis companies doing business in the State of California will have heightened regulatory and compliance requirements mandated by the amended CCPA, which itself was heavily influenced by the de facto global data privacy and data protection law set forth in the European Union’s General Data Protection Regulation (“GDPR”). One does not need to look any further than the legal language contained within the CCPA to understand the GDPR’s importance.
For example, the GDPR strongly influenced one of the pillars of the CCPA’s section 1798.100 (a), which states “A consumer shall have the right to request that a business that collects a consumer’s personal information disclose to that consumer the categories and specific pieces of personal information the business has collected.” As compliance with the CCPA is mandatory, there are data protection aspects of the CCPA that cannabis companies should pay careful attention to. In particular, a data breach could potentially result in a violation of the California law, and also expose a company to a private right of action and/or governmental enforcement.
Similar to the EU GDPR and the cybersecurity regulation promulgated by the New York Department of Financial Services (23 NYCRR 500), California’s Act imposes a duty for businesses to “… implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.”
California Consumers’ Private Right of Action
The CCPA allows California’s consumers to institute a civil action if the business violated its duty to implement and maintain reasonable security procedures and practices - and a data breach ensues. The private right of action against a business is permissible, specifically if the consumer’s non-encrypted or non-redacted personal information is “… subject to an unauthorized access and exfiltration, theft, or disclosure.”
A California consumer may bring a civil action for any of the following:
· To recover damages in an amount, whichever is greater, for (a) an amount not less than $100 and not greater than $750 per consumer incident, or (b) the actual damages;
· Injunctive or declaratory relief; and
· Any other relief that the court deems proper.
The Potential Exposure of a Class Action Based on Statutory Damages
As there are tens of millions of consumers in the State of California, the potential monetary exposure for a class action based solely on statutory damages can be extremely large. Since statutory damages can range from $100 to $750 per consumer per incident, if the class size consists of 2.5 million consumers in California, and the award is for the $100 minimum, that would still translate into an award against the business of $250 million.
Of note, the number of data breaches has been rising over the years. In addition, the number of incidents that have affected millions, tens of millions and even in excess of a hundred million individuals has been expanding. As an example, if one were to look back at Yahoo’s large-scale data breach, in that single incident there were approximately 3 billion user accounts that had been compromised by a state-sponsored attack. As such, the potential risks and liabilities for cannabis companies doing business in California are substantial.
To continue reading, please go to Part II of this article, which has also been posted on LinkedIn.
About the Authors:
Jerry Barbanel is a highly experienced legal technologist, General Counsel, Chief Compliance Officer and Data Privacy Officer, and founded one of the nation’s top legal technology consulting firms. He is a seasoned attorney and former prosecutor with the Manhattan DA’s Office with over 30 years of legal, risk mitigation, data privacy and data protection, operational, law enforcement, forensic accounting, investigative, eDiscovery and consulting expertise. In addition, Jerry has extensive experience in conducting highly sensitive and complex investigations, both domestically and internationally. He has attained a number of data protection and privacy certifications including Certified Information Privacy Professional / Europe (CIPP/E), E.U. General Data Protection Regulation Foundation (GDPR F) and E.U. General Data Protection Regulation Practitioner (GDPR P). In addition, he is a seasoned forensic accountant, certified public accountant, certified fraud examiner, certified anti-money laundering specialist and certified insolvency restructuring advisor.
Rich Corvinus is a highly skilled and knowledgeable digital forensics expert. His knowledge and expertise come from his 28 years in law enforcement in both supervisory and investigative positions. The latter part of his law enforcement career was spent as a member of the Westchester County District Attorney’s High Technology Crimes Bureau, where he led hundreds of investigations and participated in high-profile investigations with both State and Federal Agencies. Rich is a recognized expert in the field of digital forensics, having been certified as such in both the New York Superior courts and the Southern District of New York, where he has been called upon to testify. After retiring from Law Enforcement in 2016, he embarked on a career providing digital forensic services and consultation in the private sector and has led a forensics practice for a nationwide E-Discovery vendor for the past several years. Rich holds numerous certifications from both national and international organizations in the field of digital forensics including. In his free time, Rich volunteers for the International Association of Computer Investigative Specialists (IACIS) to teach and guide applicants for certification through the 5-month long process.