California is expected to become the largest weed industry in the United States, but unlike other legalized states, it has no laws in place to protect cannabis consumer data.
In the days before the marijuana legalization movement, the relationship between a pot dealer and their customers was a sacred one. Both were at risk of running afoul of the law, so it was important to be discreet about each other's information. Fake names were used, secret meetings were arranged, and the product itself was referred to by all sorts of codes, as if the cops wouldn't be able to figure out what you were up to when you texted your "friend" for an eighth of "burritos" at 1 AM on a Tuesday.
In states with legal weed things are a bit different today. Every gram of legal weed is tracked using sophisticated surveillance networks and many dispensaries keep meticulous records of their customers' information, including their phone number and address, even if they aren't required to by law. Privacy groups like the Electronic Frontier Foundation are concerned this customer data may be sold to third-party data brokers or handed over to federal law enforcement officers.
Some states with legal pot, such as Oregon and Alaska, have explicitly prohibited the collection and sale of cannabis customer data. But until recently the privacy implications of legal pot have mostly gone unchecked in California, which is expected to become home to the largest marijuana industry in the United States.
In February, California Assembly member Evan Low introduced Assembly Bill 2402 as the latest proposed legislation in the US specifically designed to protect the privacy of recreational cannabis users. The bill would prohibit dispensaries from selling this information to data brokers—companies which generally use customer data for targeted advertising—without the customer's consent. It would also prohibit dispensaries from denying their services to customers who choose not to provide their data to third parties.