As a dispensary owner or CMO, you know there’s a long list of regulations you have to deal with. From where you can set up shop to what you have to report to the state, it’s pretty easy to get lost in the weeds. These regulations differ across state lines and even between cities in the same state, which can easily trip up a multi-location dispensary. At the same time, you need to ensure that your dispensary’s digital presence is also compliant. It’s a lot to stay on top of, so here’s a quick guide on the different data compliance laws you need to know about.
US Data Compliance Laws
The Health Insurance Portability and Accounting Act governs the collection and use of protected health information. And if you’re a medical dispensary or serve patients, you need to abide by it.
According to the CDC, to be compliant, you must:
- Ensure the confidentiality, integrity, and availability of all electronic protected health information
- Detect and safeguard against anticipated threats to the security of the information
- Protect against anticipated impermissible uses or disclosures
- Certify compliance by their workforce
Basically, make sure the computer you use to check in patients, verify their prescription or recommendation, and catalog their purchases is secure. Install anti-virus software and run regular checks on your system to mitigate the chance of a data breach. Anything that has personal identifying info should only be accessible to personnel trained in HIPAA. Teach staff to close out of windows immediately so no one encounters data they shouldn’t have access to.
You can certainly talk about medical conditions in your blogs and newsletters and even highlight patient stories. Just don’t share personally identifiable information unless a patient has given you permission to do so (even then, an alias is a good idea).
Quick Tip: Be Careful with Segmentation
While your state’s database may give you info on a patient’s medical condition or symptoms, don’t use this as a tool for segmenting them into different groups. Instead, ask patients to identify what they’re interested in using cannabis for and segment them that way. That way, you’re not disclosing medical information through your segmentation, you’re simply allowing your customers to share their area of interest. For example, they can choose from general topics, such as anxiety, nausea, sleep, and pain relief.
CAN-SPAM Act of 2003
CAN-SPAM is all about emails, and most email providers have processes in place to protect themselves, and to some extent, to protect you. However, you still need to be mindful.
Your email platform should:
- Have an obvious opt-in box or text (preferably express consent)
- Collect your opt-outs and remove them from your mailing list
- Have an easy-to-see unsubscribe link
- Only email people who have opted to receive messages from you
- Remove contacts who ask to be removed from your list
- Be clear about how often you send messages and what will be in them—and then stick to that
- Send emails with clear subject lines (misleading ones will get you in trouble)
- Always identify yourself or your company in the from line
- Have an accurate business address in your email
- Control who has access to your email list
- Set a strong password for your email account so you don’t get in trouble for a hacker’s actions
Even if you’re headquartered outside of the US, if you’re using a US-based email marketing company or are primarily sending emails to US addresses, you need to comply with CAN-SPAM or you face large fines (up to $16,000 per instance with no max).
The Telephone Consumer Protection Act (TCPA)
SMS marketing is crucial for dispensaries, but if you don’t comply with TCPA, you’ll face hefty fines. Initially instituted as a may to reign in telemarketers, TCPA has a major impact on text marketing.
To be compliant, you need to get express written consent from subscribers, share how frequently you’ll be sending messages, and provide opt-out options.
You can’t purchase phone numbers—everyone on your list must opt in to receive your texts.
In addition, you need to ensure that you’re only capturing data from individuals of age in your state. Make sure that your text signup pops up after your age gate.
When it comes to content, skip gifs and images that use licensed materials, even if it’s your favorite movie quote. They can land you in hot water.
Data Compliance Outside the US
If you have locations in Canada or are thinking of expanding to Canada, you’ll need to abide by The Fighting Internet and Wireless Spam Act (CASL), which is similar to the CAN-SPAM act. If you’re following CAN-SPAM, you’re CASL compliant.
You’ve probably noticed that some platforms are GDPR-compliant. They may allow you to choose whether or not to use the GDPR compliant settings or they may force you to use them (especially if they do a lot of business in the EU). GDPR is all about the personal data of EU citizens. You can learn more about it here.
Data Privacy at the State Level
Many individual states have followed in the footsteps of the EU by enacting legislation similar to—and sometimes based on—the GDPR. California, Nevada, Illinois, New York, Oregon, Texas, Maine, Washington, and more have all developed—or are in the process of developing—updated data collection and privacy laws. To date, 25 US states have, or will soon have, some kind of law governing the collection and use of personal data. Here’s a sampling of some of these laws. Make sure to check for such laws in every state you operate in.
The California Consumer Privacy Act went into effect on January 1, 2020. This piece of legislation seeks to give Californians greater control over how their personal information is collected and used. Under the CCPA, Californians have the right to restrict an organization’s use of their personal data and to request the deletion of any personal data previously given to an organization. It’s worth noting that the CCPA has no cap on penalties for non-compliance, making it extremely important that all businesses in California operate within the law.
The CCPA applies to businesses that make more than $25 million annually or that “buys, receives, or sells the personal information of 50,000 or more consumers, households, or devices.”
Considered by some to be a ‘copycat’ of the CCPA, the New York SHIELD Act seeks to provide New Yorkers with more protections for their data. This law goes into effect on March 23rd and requires that businesses take adequate measures to protect private data and notify users of a breach.
Nevada’s Senate Bill 220 places restrictions on what organizations can do with collected data—namely, you can’t sell it without an individual’s consent. If you want to be able to sell your email list at some point, you’ll need to make that clear in order to be compliant.
Privacy is a big concern for consumers and politicians have taken note. Look for more upcoming bills at the state level.
Cannabis Data Compliance Best Practices
Stay on top of compliance—implement processes that ensure your site and online activities abide by or exceed current regulations.
Make Clear Processes
Have a process in place to help ensure compliance at every stage: data collection, data storage, and data use. Ensure that everyone that needs to have access to it can find it quickly and get the answers they need so their activities are in-line with company policy.
Get Express Consent
When collecting emails or phone numbers, make sure that the opt-in process is clear. For example, if you’re collecting phone numbers, you can ask customers to send a text to your shortcode with a particular phrase to opt in. This counts as “express consent”. The first text they receive should let them know how many messages to expect from you and how to unsubscribe.
Make it Clear Who You Are
Your emails should have your dispensary’s name and address at the bottom. If you’re sending a text, you should also identify your dispensary.
Save $10 on two Cresco cartridges when you stop by Herbology today. Reserve yours now!
Make it Easy to Unsubscribe
All of your emails should have a link at the bottom for your customers to unsubscribe. If you’re using a mail platform like MailChimp or Active Campaign, they add this in for you.
Service providers can be a useful resource for identifying how your marketing can be compliant, but it’s up to you to ensure that your messages meet any legal guidelines. For example, even if you’ve set your MailChimp to share your address and unsubscribe info, you need to verify this yourself. Ultimately, you’ll be held responsible if it’s missing, not the service provider.
Set Up a Google Alert
Stay on top of any changes to regulations by setting up a Google alert. For example, if you’re following the status of the Illinois Data Transparency And Privacy Act, set an alert so you’re notified of any changes to the law that may affect your dispensaries.
What Does the Future Hold?
I’m no Zoltar, but if I had to place a bet, I think we’ll be seeing more states implementing data privacy laws. Plus, the federal government may also get in on the action. While they’re unlikely to enact something on par with the EU’s GDPR, they may use it as a model for protecting privacy rights.
Multi-state operators would be wise to implement the strictest of data privacy policies to ensure compliance across the board. This will hopefully save you time in the future since you’ll know that your robust policy will likely cover additional regulations that pop up. Some tech providers like SMS, webinar, and email platforms already allow you to implement GDPR regulations, which isn’t a bad idea if you want to be ahead of the curve.
Want help creating compliant dispensary advertising campaigns? Let’s talk! Give us a call at 650-822-7506.