The state-legal cannabis industry has been slowly crawling into existence over the past decade. Despite federal illegality, most states have legalized medical cannabis and about a dozen states have legalized adult-use cannabis. For compliant cannabis businesses, becoming operational is no easy endeavor and may lead to myopic compliance that fails to consider essential business practices, such as compliance with data security laws.
For background, in almost all states that have medical or recreational cannabis programs, becoming licensed and operational is a grueling process that can easily cost hundreds of thousands of dollars. Prospective cannabis businesses will need to negotiate and secure leases, undergo facility build outs and improvements, endure local land-use and permitting processes, navigate state licensing processes, pay state and local application and annual license fees, compile dozens of business plans and standard operating procedures, and comply with regulations from usually at least a few different state agencies and local governments. Licensing is also often competitive, exponentially raising the cost on applicants.
All of the foregoing combined can impose tunnel vision on licensing applicants when it comes to regulatory compliance. Meaning, given what it takes to just get licensed, licensees often overlook other, important laws and regulations that apply to any other business, especially if they are not directly incorporated directly into cannabis laws and regulations.
This kind of thinking can be incredibly dangerous for new cannabis companies. For example, companies who do not consider the impact of federal employment laws risk serious and costly employee litigation. The same goes for virtually any other kind of federal or state law that applies to every single business in the U.S. One such area where cannabis companies are likely to face a host of issues in the next few years is data security. The U.S. does not have an omnibus data protection law, and because most states and local jurisdictions do not impose independent data protection requirements on cannabis licensees, cannabis companies oftentimes do not even consider data security. The likely result of this will be (1) data breaches, (2) consumer litigation, and (3) government enforcement actions.
Published: March 17, 2020
Founder & Interim Editor of L.A. Cannabis News