The protection of one’s personal information is a touchy subject, especially when it comes to cannabis. Although legal in 35 states, it is still not legal at the federal level, and many employers still drug test for THC. For these reasons, many dispensary customers are concerned about retention and sharing of their personal information.
We frequently see Reddit threads asking for clarification on why dispensaries scan their ID and/or record their personal information:
Dispensary asked for my ID and took my info – should I be worried?
Do dispensaries record your license info?
Visited a dispensary – Is my security clearance screwed?
Are IDs being scanned at dispensaries for recreational purchase?
Often, the responses can be a bit alarmist.
As experts in dispensary ID scanning, and data retention policies, we want to clear up misconceptions, put consumers’ minds at ease, and share our knowledge about best practices for age verification for dispensaries. So what happens when your ID is scanned while purchasing cannabis or cannabis related products?
First, the answer depends on whether the cannabis you’re purchasing (or dispensary you’re visiting) is recreational use or medical use. Most states have different regulations and governing bodies for medical and recreational marijuana.
Data Privacy for Recreational Marijuana Dispensaries
As for recreational use, things get a bit tricky, and it often varies on a state by state basis with some states banning the sharing of personal information with the government entirely. All states require age verification of consumers before cannabis purchase, and three states (Nevada, Illinois, and New Jersey) require that age verification be performed digitally, using an ID scanner, to better detect fake IDs.
Currently, New Jersey is the only state we are aware of that requires that audit logs be shared with the state NJCRC. However, these audit logs contain no PII except for date of birth, so they could not be used to identify a specific customer or purchase at a New Jersey dispensary.
So while all states have very strict track-and-trace rules for chain of custody on the cannabis products that are sold, 0 states actually require any retention of PII on customers that enter the premises.
States such as Illinois, Montana, and California all have set limits for retention of PII, from Illinois (where no PII can be retained from an ID scan), to Montana (where data can be retained for up to 180 days). These states are taking active measures to ensure PII is regularly removed from the system, and that privacy of cannabis purchasers is a priority for dispensaries.
The other main reason that dispensaries gather your personal information is to ensure you stay within the legal purchase limits, which vary by state. By scanning your ID and storing your personal information in a general system for a short amount of time, it ensures that both you and the business are protected from exceeding your daily maximum. For dispensaries with multiple locations they will likely share your purchase amount with a centralized database to combat looping.However, this information is stored securely inside the cannabis retailer’s POS or customer tracking system. It is not integrated or uploaded to any government databases.
For dispensaries, if they are found to be violating daily maximum laws they can be fined, or even lose their license. So tracking daily maximums for each customer is crucial. Owners of a Colorado dispensary were sentenced to prison in 2019 for looping that allowed more than 2.5 tons of marijuana to hit the black market.
Whether or not the business is digitally scanning, they are likely still entering your information into their CRM or database for the purpose of internal marketing. The dispensary market is highly competitive, and sending marketing emails, SMS messages, or even direct-mail coupons, can help retain customers. By creating a customer profile and tracking your purchase habits, the company has a better chance of selling more to you in the future.
Data Privacy for Medical Marijuana Dispensaries
Data privacy and retention for medical marijuana vary by state.
Most states, such as Florida, have a Medical Marijuana Registry, which is used to issue a Medical Marijuana Card that includes a photo ID that is physically sent as part of the registration process. This card must be shown to gain entry to dispensaries (and in some cases swiped). However, because these HIPAA records are legally required to be kept private, thus protecting personal information related to prescribed cannabis purchase. To get a medical marijuana card, you must receive a recommendation from a certified physician upon diagnosis of a qualifying condition, and then apply with their government entity.
The following states issue medical marijuana cards and have centralized databases of all eligible patients, and do not offer recreational marijuana (and therefore no ability for legal purchase without sharing PII with the government).
- Alabama – patients must apply for approval from the Alabama Medical Cannabis Commission
- Arkansas – patients must apply for approval from the Arkansas Department of Health, and then can print their own ID card.
- District of Columbia – patients must apply for approval from the Alcoholic Beverage Regulation Administration
- Florida – patients must apply for approval from the Florida Department of Health
- Hawaii – patients must apply for approval from the State of Hawaii, Department of Health
- Maryland – patients must apply for approval from the Maryland Medical Cannabis Commission
- Minnesota – patients must apply for approval from the Minnesota Department of Health
- Mississippi – patients must apply for approval from the Mississippi State Department of Health
- Missouri – patients must apply for approval from the Missouri Department of Health & Senior Services
- New Hampshire – patients must apply for approval from the New Hampshire Department of Health & Human Services
- North Dakota – patients must apply for approval from the North Dakota Department of Health
- Ohio – patients must apply for approval from the Ohio Medical Marijuana Control Program
- Pennsylvania – patients must apply for approval from the Pennsylvania Department of Health
- South Dakota – patients must apply for approval from the South Dakota Medical Cannabis Program
- Utah – patients must apply for approval from the Utah Department of Health
- Virginia – Recreation use is LEGAL, but purchase is still limited to medical dispensaries.
- West Virginia – patients must apply for approval from the WV Office of Medical Cannabis
Louisiana is another example of a medical-only state, but one that does not use cards, or have a centralized database of any kind. After assessment by a physician, the recommendation may be made for cannabis to be part of your treatment plan. The doctor will then send the recommendation to a dispensary, thus allowing the patient to purchase medical marijuana – similar to the way a pharmacy works for prescription pills. The only records of the cannabis prescription and purchase are with the prescribing physician and the dispensary.
Because the vast majority of insurance companies do not cover prescribed cannabis, they do not hold any records for the prescription or coverage for the product. So there is less opportunity for a paper trail than other prescriptions where the insurance company will also hold a detailed record.
As many states legalize recreational cannabis, the need for stringent medical marijuana programs lessens, and fewer patients utilize the more stringent model of verification and product purchase. So if staying off of any government lists or databases is important you may want to forego a cannabis prescription and purchase via recreational channels.
Summary
The short answer to the question of whether or not recreational dispensaries are sharing your information with the government is: no. Why are we so confident?
- No state Cannabis Control Board requires that dispensaries share PII on their customers.
- Many state Cannabis Control Boards specifically require that dispensaries dump PII and/or require reasonable measures to ensure privacy of their customers.
- There is no federal Cannabis Control organization, and states do not share data between them.
- There is no mechanism or format for collection of customer information that could be readily exported and shared with any government or private entity.
- The largest POS systems are configured to save information that is relevant to customer loyalty and marketing.
So don’t worry: your cannabis purchases are not being tracked at either the state or federal level, and even if your favorite dispensary scans your ID, they are simply verifying your age and streamlining the creation of your customer profile. No PII is exported or shared with the government.
Either way, IDScan.net is here to help guide you in the selling process. To learn more about ID scanning in the cannabis industry, download your and be sure to contact one of our industry experts.