top of page
  • Writer's pictureGreenCP

AB 2402: Marijuana Consumer’s Personal Information

Updated: Feb 11, 2020

When California legalized cannabis and implemented the Medicinal and Adult-Use Regulation and Safety Act (MAUCRSA), regulations as to how cannabis business licensees had to handle consumers’ personal information were unclear. Furthermore, since cannabis’ legalization there have been a number of legal cannabis businesses and ancillary service providers popping up that were not addressed in the state’s regulatory legislation. 

Amongst these are cannabis businesses that offer cannabis specific software and associated services that had little direction within the previous regulations. These emerging businesses present unforeseen complications with regard to privacy rights and the protection of consumers’ personal information. 

California passed Assembly Bill 2402 (AB 2402) in late September 2018 to address issues relating to the protection of consumers’ personal information. AB 2402 provides guidance with respect to who and to what extent cannabis businesses, and associated software providers, are responsible for medical marijuana (MMJ) consumers’ personal information. 

Under the new bill, medical marijuana (MMJ) ID cards and the information retained in MMJ recommendations are treated as “medical information” under the Confidentiality of Medical Information Act (CIMA), which subsumes the Health Information Portability and Accountability Act (HIPAA), and prohibits licensees from disclosing such information to third-parties unless they are a contracted software service provider. 

Businesses that maintain, manage, receive, or have received identification cards or physician recommendations, as well as their contracted software/hardware providers, are classified as providers of health care under AB 2402. Accordingly, any business that falls under the label of Health Care Provider must implement heightened measures, such as using HIPAA compliant servers to store information, to protect consumer information. 

These revised regulations have given clarity, especially to business licensees and their contracted software providers, as to how these types of sensitive information should be handled now and in the future. Of course, regulatory clarification also comes with heightened compliance requirements. This means that cannabis businesses dealing with MMJ ID cards should not only ensure that they implement proper safeguards, but also that their software providers have taken the necessary steps to protect consumers’ personal information.

GreenCP California Cannabis Legislation Article Links:

AB 873: CDFA Agents Power of Peace Officer

AB 1793: Overturning Prior Cannabis Convictions

AB 2020: Cannabis Event Licensing

AB 2215: Cannabis for Pets

AB 2721: Cannabis Testing Laboratories

AB 2799: Cal OSHA Cannabis Business Requirements

AB 2899: Cannabis Marketing & Advertisement

AB 2914: CBD & THC Infused Beverages

SB 1294: California’s Cannabis Equity Act

SB 1409: Commercial Hemp Cultivators

SB 1459: California Provisional Cannabis License

111 views0 comments


Green Consulting Partners
Phone: (949) 291-0587
Address: 23 Corporate Plaza Drive #150
Newport Beach, CA 92660
bottom of page