Cannabis, CBD, and Cybersecurity
Fueled by increased legalization and the growing popularity of derivatives like cannabidiol (CBD), cannabis is aiming to become a multibillion-dollar industry by 2024.
Policymakers are paying attention and have continued to explore the economic and potential therapeutic benefits of cannabis. But the legality of CBD and other derivative products remains uncertain due to tension between federal and state laws. This lack of clarity is further compounded by the myriad of privacy laws that may apply to businesses in the industry, from state laws governing the collection and use of personal health information (PHI) and personal information (PI), to the federal Health Insurance Portability and Accountability Act (HIPAA) rules.
As the regulatory landscape continues to evolve, the current attitudes toward cannabis and CBD provide insights as to where cannabis regulation is going, and how privacy laws apply now and in the future.
What is Cannabidiol?
Cannabidiol is one of the many active ingredients in the Cannabis sativa plant. The most commonly known types of Cannabis sativa are marijuana and hemp. Hemp has a high percentage of CBD and a low concentration of tetrahydrocannabinol (THC), the mood-altering component associated with marijuana use. THC concentration is a key distinction between marijuana and hemp and serves as a line between the approved and prohibited uses of CBD and its derived products and extracts.
What is the Legal Status of Cannabidiol?
Since 1970, parts of the cannabis plant (marijuana) have been regulated under Schedule I of the Controlled Substances Act. Schedule I substances are defined as having no accepted medical use and a high potential for dependency. Despite this illegal federal status, in 1996 California became the first state to approve the recreational use of marijuana. Since then, 33 of the 50 U.S. states and Washington D.C. have legalized the medicinal use of marijuana and 11 states and D.C. have approved marijuana for recreational use.
The 2018 Farm Bill legalized the production and sale of hemp and its extracts, including CBD. Under this federal bill, the FDA maintains the power to regulate products containing CBD, and the only FDA-approved medical use of CBD to date is the drug Epidiolex, which contains a purified form of CBD for the treatment of seizures. Federal prohibition of CBD use includes:
- Not adding CBD to dietary and food products
- Not adding CBD to health products
- Not making unsubstantiated health claims about CBD products
- Not exceeding 0.3 THC levels in CBD products
- Not extracting or using CBD from marijuana (must be derived from hemp)
What Do State Laws Say About Cannabidiol?
Although 17 states have passed laws authorizing the sale of specified CBD products or cannabidiol oil, the approved THC level varies across them – for example, from no THC (Kansas) to no more than 5% THC (Georgia). Some state laws require prescriptions for CBD products, while other state laws allow the sale of food and health products containing CBD from both hemp and marijuana.
Confused yet? As of now, the complex disparities in federal and state law haven’t slowed down the cannabis industry. The good news is that the FDA acknowledges the conflicts between federal and state medical CBD laws and emphasizes the importance of conducting medical research and investigating the beneficial uses of CBD. But the agency states it will continue to monitor and take action against unsubstantiated claims and unapproved CBD products in the marketplace. It has sent several warning letters to companies marketing unapproved food products containing CBD, although it has yet to take enforcement action.
What Do Privacy and Cybersecurity Have to Do with the Cannabis and CBD Industry?
Privacy and cybersecurity regulations are an important piece of the cannabis compliance pie. Cannabis businesses process a tremendous amount of PI and PHI from consumers and patients. These businesses have not always understood that HIPAA and state privacy statutes apply, but they likely do.
In fact, all states agree that cannabis and CBD businesses must safeguard the personal data of consumers.
The scope of such protections may vary. Certain states, like California, have established special data security standards for cannabis customers. The federal HIPAA requirements may apply to CBD products marketed for medical use and to patient registries. Further, all states have data breach laws that apply in the event of unauthorized access to cannabis company consumer data.
Legal counsel with expertise in cannabis privacy law can help navigate these risks and challenges. In general, cannabis companies operating in this highly regulated industry should evaluate the administrative, physical, and technical controls in place to safeguard consumers' personal information.
Two emerging issues for cannabis business owners to keep in mind include:
- All 50 states and the District of Columbia have data breach notification laws and privacy standards that regulate company data practices. These laws may apply even when a cannabis company does not operate within a state but collects personal information from a resident of that state.
- Recreational versus medical designation matters: Dispensing or selling CBD products for medical use may invoke HIPAA federal law. A cannabis company that collects personal health information of patients prescribed medical CBD may be considered a covered entity under HIPAA and will be subject to HIPAA rules similar to those of healthcare providers and healthcare facilities. Cannabis shops that cater to medical and recreational users must separate health data from recreational information to stay in line with federal rules.
What’s Ahead for The Cannabis Industry?
Despite the federal and state discrepancies, legal trends in the cannabis industry are promising. These three developments show federal policymakers have an interest in exploring the potential of cannabis:
- Rescheduling of the Epidiolex CBD Drug
- The FDA’s public hearing on CBD products last spring
- The FDA’s issuance of warning letters instead of enforcement actions
Whether state and federal regulations around cannabis and CBD converge or diverge in the future, other legal obligations such as data security and privacy compliance should continue to be top of mind for anyone working in the cannabis industry.
An experienced team, like the Octillo CannaPrivacy practice, can help cannabis businesses develop strategies to keep sensitive information secure and business practices compliant with state, federal, and international standards. Contact our team with questions regarding the three C's of Cannabis, CBD, and Cybersecurity.