AB 2402: Marijuana Consumer’s Personal Information 

When California legalized cannabis and implemented the Medicinal and Adult-Use Regulation and Safety Act (MAUCRSA), regulations as to how cannabis business licensees had to handle consumers’ personal information were unclear. Furthermore, since cannabis’ legalization there have been a number of legal cannabis businesses and ancillary service providers popping up that were not addressed in the state’s regulatory legislation.  

Amongst these are cannabis businesses that offer cannabis specific software and associated services that had little direction within the previous regulations. These emerging businesses present unforeseen complications with regard to privacy rights and the protection of consumers’ personal information.  

California passed Assembly Bill 2402 (AB 2402) in late September 2018 to address issues relating to the protection of consumers’ personal information. AB 2402 provides guidance with respect to who and to what extent cannabis businesses, and associated software providers, are responsible for medical marijuana (MMJ) consumers’ personal information.  

Under the new bill, medical marijuana (MMJ) ID cards and the information retained in MMJ recommendations are treated as “medical information” under the Confidentiality of Medical Information Act (CIMA), which subsumes the Health Information Portability and Accountability Act (HIPAA), and prohibits licensees from disclosing such information to third-parties unless they are a contracted software service provider.  

Businesses that maintain, manage, receive, or have received identification cards or physician recommendations, as well as their contracted software/hardware providers, are classified as providers of health care under AB 2402. Accordingly, any business that falls under the label of Health Care Provider must implement heightened measures, such as using HIPAA compliant servers to store information, to protect consumer information.  

These revised regulations have given clarity, especially to business licensees and their contracted software providers, as to how these types of sensitive information should be handled now and in the future. Of course, regulatory clarification also comes with heightened compliance requirements. This means that cannabis businesses dealing with MMJ ID cards should not only ensure that they implement proper safeguards, but also that their software providers have taken the necessary steps to protect consumers’ personal information. 

California Cannabis Legislation Links:

SB 1459: California Provisional Cannabis Business License 

AB 2020: Cannabis Event Licensing  

AB 2721: Cannabis: Testing Laboratories