As we wrote last year, Colorado is among the vanguard of privacy-focused states—including California, Washington, and Virginia—to adopt significant state-level privacy legislation. One year out from enforcement of the Colorado Privacy Act (which begins on July 1, 2023), businesses should begin to put their compliance frameworks in place, as some of the Colorado Privacy Act’s significant requirements will need substantial investment beforehand to afford consumers the rights that they are guaranteed under the Act.
Sizeable businesses that are part of Colorado’s over $2 billion cannabis market should take special note of the Act’s requirements, as cannabis businesses with a significant retail component often manage large amounts of personal information relating to customers. While many smaller operations are likely to be exempt—the Act does not apply unless the business either processes the data of 100,000 consumers yearly or engages in the sale of personal data while also processing the data of 25,000 consumers—larger businesses should be planning now to comply with the Act. Notably, some businesses may fall within the ambit of the Act even if they do not think of themselves as primarily being in the business of selling information, as the Act’s broad definition of information selling includes receiving a discount on services in exchange for providing customer data, which is a common provision in many service agreements in the cannabis and other industries.
Notable too is the fact that many of the Act’s most significant exemptions would not apply in the cannabis context. For example, like many state data privacy statutes, the Act exempts from its own jurisdiction categories of data that are otherwise regulated by several federal statutes, most significantly HIPAA. But because most cannabis businesses would not be considered covered entities under HIPAA, neither would they benefit from that exemption even though they may handle substantial amounts of patient data. The same businesses may also not have in place the mechanisms needed to comply with the suite of rights afforded under the Act—such as the rights to inspect and correct data—that would be de rigueur in a covered entity.
The Act’s requirements go well beyond simply providing certain rights to customers and in theory apply to many aspects of a business’s operations. The Act requires companies to limit collection to what is necessary to achieve purposes that are clearly specified at the point of collection, as well as to limit secondary transfers of data and to protect sensitive data (including the kind of health data that many medical providers would necessarily have). Similar to HIPAA and to the GDPR, companies are also required to conduct periodic data protection assessments if they undertake certain types of processing activities, including targeted advertising and the processing of sensitive data (e.g., health data).
Multi-state operators in particular should remain attuned to privacy developments not only in Colorado, but in the sizeable group of states that are currently advancing significant privacy legislation. Many of these—such as New York, New Jersey, and Pennsylvania—already are or are projected to become significant markets for both medical and adult-use cannabis, and are taking privacy issues seriously at the legislative level.