Over the last few months, cannabis and CBD companies have been subject to some pretty massively publicized cases. We’ve seen partnership disputes, consumer class actions, shareholder suits, agency enforcement actions, intellectual property cases, and more. One thing virtually nobody is talking about—or prepared for—are the inevitable wave of CCPA suits.
Before I explain what CCPA is and why this will be significant, I should caution that readers shouldn’t stop reading just because they aren’t in California. CCPA is shorthand for the California Consumer Privacy Act. The law is pretty much exactly what it sounds like: a consumer privacy law.
What makes CCPA different from many other consumer privacy laws is: (1) it can apply anywhere in the world so long as a business “does business in California” (this term is not well defined) and meets a few other criteria, (2) is almost as broad as the EU’s extremely broad GDPR privacy regulation; (3) requires all companies subject to it to commit to certain privacy practices; and (4) most importantly, is going to lead to some pretty big deal lawsuits.
CCPA provides that in the event of a data breach—which can range from malicious hacking to something as simple as