In states with regulated cannabis markets, marijuana shoppers might enjoy less privacy than many would hope for if the feds ever decided to crack down on dispensaries. With U.S. Attorney General Jeff Sessions’ rescission of the Cole Memo, state industries face the concern that federal prosecutors will start enforcing cannabis regulations. The consumption, possession, cultivation, sale and distribution of cannabis is still illegal at the federal level. Just how much personal information is shared varies from state to state and even city to city.
States collect personal information in different ways
At your average California dispensary, residents must present their ID to prove they’re over the age of 21. Medical marijuana patients must also present their doctor’s recommendation.
Dispensaries will often photocopy these documents for their records or have visitors directly enter their information into a digital system — all while a security camera looks on.
This type of detailed record keeping is often required by law; the extent of which is determined by the state agencies that create the recordkeeping rules. Often, this data is intended to measure the success of a program and ensure compliance with its regulations. Most often, regulatory agencies require data be taken at the point of sale, the results of which are reported in numbers and statistics — not individual purchasing information.
Colorado law mandates that recreational dispensaries keep recorded footage for 40 days and allow state officials to inspect it as they please. In the event of a raid, these records could be confiscated and used as evidence.
Arkansas is another medically legal state that’s strict with its reporting requirements. Dispensaries are banned from using promotion and marketing materials and are required to treat patient information as confidential medical records. In Oregon and Alaska, however, dispensaries simply take a look at a customers’ ID to confirm they’re of legal age. Customers are free to wander inside the shop without offering any personal information, though they still have the option to sign up for the store’s email list and receive promotional discounts.
Do medical patients enjoy any federal protections?
HIPAA protects patients’ medical information when they receive a medical marijuana recommendation, but dispensaries and delivery services aren’t obligated to treat patient and customer information with the same discretion.
Tamar Todd of the Drug Policy Alliance said the threat of a Federal crackdown on individuals is minimal. Additionally, the Rohrabacher-Farr amendment — called Rohrabacher-Blumenauer following the retirement of Senator Farr who originally co-authored the bill — prohibits the DOJ from prosecuting those who comply with state medical marijuana laws. These protections stick around so long as Congress chooses to renew the amendment every fiscal year. Thanks to bipartisan support, the amendment was reauthorized on Feb. 8.
No such federal-level policy exists to protect recreational users. It’s up to state regulatory measures to protect the average consumer’s privacy from both federal crackdowns and incursion by other interested parties. Some individual states have taken steps to protect customers’ personal information.
How are states protecting recreational users?
In April 2017, Oregon passed a law prohibiting dispensaries from keeping or sharing customer information. Oregon lawmakers passed the measure citing fears that the Trump administration would crack down on cannabis consumers. Similar laws exist in Alaska, Colorado and Washington. Twenty five states with medical cannabis regulatory frameworks still lack such protections, some of which are also recreational states.
Marijuana policy experts are skeptical that the federal authorities would spend the time and resources to target individual cannabis customers.
“It’s very, very unlikely that there’s going to be targeting of individual customers. Many, many other targets would come first,” Todd told Politifact.