In its January 14, 2021 Notice of Proposed Emergency Regulations, the California Bureau of Cannabis Control (“BCC”) announced its finding of an emergency related to the cannabis industry’s limited access to banking and financial services. The proposed text of Assembly Bill AB 1525 seeks to address that emergency with what some critics call overbroad language.
The proposed regulatory text and supporting documents can also be viewed at the following links:
AB 1525 provides cannabis licensees with the ability to grant financial institutions access to the licensees’ data retained by the BCC. The BCC’s proposed list of shareable information includes the following:
“The license application(s), including renewal applications, excluding information required to be kept confidential pursuant to Penal Code section 11105 and confidential personal information of individual owners of the licensed business;”
“Information captured in the track-and-trace system established pursuant to Business and Professions Code section 26067, including, but not limited to, aggregated sales or transfer information, as applicable;”
“Documents issued to the licensee pursuant to disciplinary or enforcement proceedings.”BCC AB1525 Proposed Text, 16 Cal. Code Regs. 4 Sec. 5037.1(b)
AB 1525 seems well-intended and aimed at providing a level of assurance and certification to financial institutions which may otherwise be skeptical about providing services to the cannabis industry. Indeed, some licensees may quickly jump at the opportunity to share data with a potential financial-service provider. But below the surface, AB 1525 presents some serious issues worthy of a licensee’s consideration before granting access to sensitive data. Consider the points below and judge for yourself.
Under AB 1525, a licensee may authorize a financial institution to receive otherwise confidential data belonging to the licensee. A licensee may also withdraw that authorization. But there is no language in AB 1525 governing how the financial institution might use that data once it is acquired. Therefore the licensee should expect to have no control over subsequent data sharing by the financial institution. Remember, data is worth money and a marketplace exists for data of every type.
By granting access to track and trace information, a licensee that grants authorization to a financial institution may inadvertently grant access to sensitive third-party information.
For example, a cannabis retailer that grants access to track and trace information will necessarily also be granting access to data showing the entire distribution chain. What if your distributor does not want its data revealed to a financial institution? What if your customer’s name is within that data set? What if your customer is a medical patient? Each of these sample situations should be seriously considered when granting unfettered access to sensitive track and trace data.
In connection with the examples provided in #2, above, licensees should consider whether granting access to data under AB 1525 may place the licensee in violation of laws related to data disclosure. The California Consumer Privacy Act, the Gramm-Leach-Bliley Act of 1999, the Fair Credit Reporting Act, and the Right to Financial Privacy Act all provide for liability to consumers in connection with unauthorized data transfers. Similarly, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, adopted standards that provide for the privacy of individually identifiable health information. The release of track and trace records related to medical patients may subject a licensee to liability under HIPAA.
Additionally, licensees should review their vendor contracts for confidentiality clauses which may prohibit disclosure of information allowed by AB 1525. For example, an existing agreement between cultivator and distributor may provide for confidentiality of the parties’ identities and sales data. Allowing the release of track and trace records or disciplinary proceedings may violate such clauses and expose the authorizing party to liability.
Before granting a financial institution access to your data, consult with the attorneys at KVK to determine whether disclosure of your data may subject you to liability.
By GianDominic Vitiello, January 15, 2021.