
Compliance + ops playbook

Cannabis data discipline — what to lock down before someone makes you

Cannabis retail isn’t under HIPAA but it sits on top of customer PII no other retailer collects at the same depth: ID scans, dates of birth, medical-card photos, full transaction history, surveillance footage that includes faces. A single laptop theft or vendor-portal credential leak exposes thousands of customers. WA HB 1155 + OR ORS 646A.602 + CA CCPA all apply. Here’s the discipline we run at Green Life + Seattle Cannabis Co — what to lock down before a regulator (or worse, a complaint-driven plaintiff’s lawyer) makes you.

By CannAgent · 6 min read

What cannabis operators actually hold (the inventory)

Most operators underestimate the data footprint. The age-verification scan alone is heavier than what a grocery store touches. A typical loyalty member at a WA dispensary has the following live data on file:

  • **Full legal name + DOB** (from the ID scan).
  • **Driver’s license / state-ID number** (depending on POS retention policy).
  • **ID-card photo** (the actual scan image).
  • **Phone + email** (loyalty enrollment).
  • **Full transaction history** — every product purchased, when, at what price.
  • **Surveillance footage** — face on camera at every visit; per WAC 314-55-082, retained 45 days minimum.
  • **Medical-cardholder cohort:** the medical card itself + endorsement number + (in OR) the patient’s registration data.
  • **Industry-discount cohort:** photo of the prospect’s pay stub or employee badge per WAC 314-55-095.

The five locks every operator should turn

  1. **Encrypt at rest.** Every customer-PII column in the database, every uploaded ID image. Postgres TDE / per-row encryption / S3 SSE-KMS for assets. Ask your POS vendor specifically; many cloud POSes encrypt the disk but NOT the columns, so any compromised app process reads every PII field in cleartext. CannAgent uses Neon (encrypted at rest by default) + per-row crypto on the ID-image table.
  2. **Audit the access log.** Every read of customer PII writes a row: who (staff member), when, what (customer_id, field-set), why (linked-transaction-id or reason-code). Review the log quarterly. The discipline catches insider threat AND gives you an answer when a complaint lands.
  3. **Rotate vendor-portal credentials.** Cultivera / LeafLink / Growflow / DistroKid all have your wholesale data + customer-side info. When a buyer leaves, rotate the password the same day. Don’t share login between staff. CannAgent’s vendor portal uses HMAC-signed time-bound tokens (no shared password); whichever vendor portal you use, ask if it does the same.
  4. **Limit ID-image retention.** Most operators don’t need the photographed ID after 30 days. Set a rolling delete; keep only the verification-success bool + the timestamp. WSLCB doesn’t require image retention beyond the visit — only proof that verification happened. Less data on file = smaller breach blast radius.
  5. **Background-check + offboard staff cleanly.** WA hire = WSLCB-eligible-employee check. On termination, revoke POS access + any vendor-portal access + collect the device + change the alarm code, all the same day. Most insider-data-theft post-mortems trace to a fired employee who still had access for 48 hours.
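Lock 3 mentions HMAC-signed, time-bound tokens in place of a shared portal password. The block below is an added illustration of that pattern, not CannAgent's or any vendor portal's code: the token carries the vendor id and an expiry, the server verifies it with a constant-time HMAC compare, and a leaked token dies on its own at expiry. The signing key, the vendor id and the 15-minute TTL are constructed for the example; in production the key comes from a secrets manager and is what you rotate when a buyer leaves.

```python
"""Time-bound, HMAC-signed access tokens for a vendor portal.

Added example (not CannAgent's implementation). No shared password is
stored anywhere: the server keeps one signing key, issues short-lived
tokens, and verifies them statelessly. All names and values are constructed.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed secret for the demo; load from a secrets manager / KMS in production.
SERVER_KEY = b"example-portal-signing-key-rotate-me"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(vendor_id: str, ttl_seconds: int, key: bytes = SERVER_KEY,
                now: Optional[float] = None) -> str:
    """Return '<payload>.<signature>' valid for ttl_seconds from now."""
    exp = int(now if now is not None else time.time()) + ttl_seconds
    payload = json.dumps({"vendor": vendor_id, "exp": exp},
                         separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"


def verify_token(token: str, key: bytes = SERVER_KEY,
                 now: Optional[float] = None) -> Optional[str]:
    """Return the vendor id if signature and expiry check out, else None."""
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload = _unb64(payload_b64)
        sig = _unb64(sig_b64)
    except (ValueError, TypeError):
        return None                      # malformed token
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Constant-time compare: a caller must not learn how many bytes matched.
    if not hmac.compare_digest(sig, expected):
        return None                      # wrong key or tampered payload
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    current = now if now is not None else time.time()
    if current >= claims.get("exp", 0):
        return None                      # expired: the token dies by itself
    return claims.get("vendor")


if __name__ == "__main__":
    tok = issue_token("buyer-42@example-distributor", ttl_seconds=900)
    print("fresh token   ->", verify_token(tok))
    print("after expiry  ->", verify_token(tok, now=time.time() + 901))
    # Swap in someone else's payload but keep the original signature.
    forged = issue_token("someone-else", 900).split(".")[0] + "." + tok.split(".")[1]
    print("forged payload->", verify_token(forged))
```

Rotating `SERVER_KEY` invalidates every outstanding token at once, which is the same-day revocation the text asks for without chasing down a shared password.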

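Locks 2 and 4 are two rules on the same customer table: no PII read without an audit row, and the ID scan is nulled after the retention window while the verification bool and timestamp stay. The block below is an added example, not CannAgent's or any POS vendor's code. It uses an in-memory SQLite database with a constructed schema and constructed rows so it runs offline; the column names, the staff and transaction ids, and the 30-day window are assumptions taken from the text.

```python
"""Audit-logged PII reads plus a rolling ID-image delete.

Added example (not CannAgent's or a POS vendor's code). Two rules:
  1. every read of a PII column inserts a who/when/what/why row first;
  2. a sweep nulls id_image once it is older than RETENTION_DAYS but keeps
     id_verified and id_verified_at as proof that verification happened.
Schema, rows and ids are constructed for the demo.
"""
import json
import sqlite3
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 30
PII_FIELDS = {"full_name", "dob", "phone", "email", "id_image"}   # allowlist
DEMO_NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)             # constructed clock


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customers (
            customer_id INTEGER PRIMARY KEY,
            full_name TEXT, dob TEXT, phone TEXT, email TEXT,
            id_image BLOB,            -- raw scan; nulled by the sweep
            id_verified INTEGER,      -- kept: proof that verification happened
            id_verified_at TEXT       -- kept: ISO-8601 UTC timestamp
        );
        CREATE TABLE pii_access_log (
            log_id INTEGER PRIMARY KEY,
            staff_id TEXT NOT NULL,   -- who
            at TEXT NOT NULL,         -- when
            customer_id INTEGER NOT NULL,
            fields TEXT NOT NULL,     -- what (JSON list of columns)
            reason TEXT NOT NULL      -- why (transaction id or reason code)
        );
    """)
    return conn


def read_customer_pii(conn, staff_id, customer_id, fields, reason, now=None):
    """Write the audit row, then read. No reason code, no read."""
    if not reason:
        raise PermissionError("PII read requires a transaction id or reason code")
    unknown = set(fields) - PII_FIELDS
    if unknown:
        raise ValueError(f"not a PII column: {sorted(unknown)}")
    at = (now or datetime.now(timezone.utc)).isoformat()
    conn.execute(
        "INSERT INTO pii_access_log(staff_id, at, customer_id, fields, reason) "
        "VALUES (?,?,?,?,?)",
        (staff_id, at, customer_id, json.dumps(sorted(fields)), reason))
    # Column names come from the allowlist above, never from the caller unchecked.
    cols = ", ".join(sorted(fields))
    row = conn.execute(f"SELECT {cols} FROM customers WHERE customer_id=?",
                       (customer_id,)).fetchone()
    conn.commit()
    return dict(zip(sorted(fields), row)) if row else None


def purge_stale_id_images(conn, now=None, retention_days=RETENTION_DAYS) -> int:
    """Null the scan past the window; bool + timestamp survive. Returns rows changed."""
    cutoff = ((now or datetime.now(timezone.utc))
              - timedelta(days=retention_days)).isoformat()
    cur = conn.execute(
        "UPDATE customers SET id_image = NULL "
        "WHERE id_image IS NOT NULL AND id_verified_at < ?", (cutoff,))
    conn.commit()
    return cur.rowcount


def seed_demo(conn, now=DEMO_NOW):
    """Constructed rows: scans that are 2, 31 and 400 days old."""
    for cid, age_days in [(1, 2), (2, 31), (3, 400)]:
        conn.execute(
            "INSERT INTO customers VALUES (?,?,?,?,?,?,?,?)",
            (cid, f"Customer {cid}", "1990-01-01", "555-0100",
             f"c{cid}@example.com", b"\x89PNG-placeholder", 1,
             (now - timedelta(days=age_days)).isoformat()))
    conn.commit()


def audit_rows(conn):
    return conn.execute(
        "SELECT staff_id, customer_id, fields, reason FROM pii_access_log").fetchall()


if __name__ == "__main__":
    db = open_db()
    seed_demo(db)
    print(read_customer_pii(db, "budtender-07", 2, ["full_name", "dob"], "txn-8812", DEMO_NOW))
    print("images purged:", purge_stale_id_images(db, DEMO_NOW))
    print(audit_rows(db))
```

Run the sweep from a scheduled job and keep its row count in the same audit table; the count is the evidence that the retention policy actually executed, which is the answer to "why do you still have my ID photo".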
What WA / OR / CA privacy law actually requires

  • **WA HB 1155 (My Health My Data Act, 2024).** ‘Consumer health data’ includes the medical-cardholder cohort + any inference about consumption patterns from purchase history. Requires consent before collection, a written privacy policy, and the ability to delete + export. The cannabis-specific carve-out is narrow; assume it applies to medical cardholders, and it is safer to apply it broadly.
  • **OR ORS 646A.602 (Oregon Consumer Privacy Act, 2024).** Right to know + right to delete + right to correct + right to opt out of sale. Disclosure required if you sell PII (most cannabis ops don’t, but loyalty-data sharing with brand partners can cross the line).
  • **CA CCPA + CPRA.** Same rights but with stiffer enforcement + a private right of action for breach. CA cannabis dispensaries are the highest-risk surface in the country for plaintiff lawsuits.
  • **WAC 314-55-082 surveillance retention.** 45 days minimum. Footage IS data; treat the DVR like the database — physical lock + access log + retention floor.
  • **Federal: no HIPAA.** Cannabis retail isn’t a covered entity (no PHI). But many operators incorrectly self-apply HIPAA discipline AND skip the state laws that actually apply. Run a state-specific program.

What gets you sued

  • **Vendor-side breach where you didn’t do reasonable diligence.** ‘We didn’t know the POS stored unencrypted’ isn’t a defense. Ask the vendor in writing; keep the answer.
  • **Insider data theft post-termination.** Plaintiffs argue you should have revoked access faster. Same-day revoke + access-log review is the floor.
  • **Loyalty-data shared with brand partners without consent.** ‘We share aggregated insights’ isn’t aggregated if the cohort is <100 people. CCPA + WA HB 1155 both require explicit consent for any data sharing across business boundaries.
  • **ID images retained past need.** ‘Why do you still have my driver’s license photo from 2 years ago’ — there’s no good answer that doesn’t cost you.
  • **Surveillance footage shared with non-licensee third parties.** WSLCB-CCRS investigators yes; private detectives, journalists, opposing counsel without subpoena no. Have a written subpoena policy at the front desk.
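The "aggregated insights" point above has a mechanical check behind it: count distinct customers per cohort and drop any cohort under the floor before anything leaves the business. The block below is an added example, not CannAgent's code, using the 100-person floor the text gives; the brand, product and customer ids are constructed. It counts people rather than receipts, because a product bought twice by 60 customers looks like 120 rows but is still a 60-person cohort.

```python
"""Small-cohort suppression before sharing loyalty insights with a brand partner.

Added example (not CannAgent's code). Assumes, as the text does, that a
cohort under MIN_COHORT customers is not 'aggregated'. The output carries no
customer identifier, and suppressed cohorts are returned so the suppression
itself can be logged. Input rows are constructed.
"""
from collections import defaultdict

MIN_COHORT = 100


def aggregate_for_partner(purchases, brand, min_cohort=MIN_COHORT):
    """purchases: iterable of (customer_id, brand, product).
    Returns ({product: distinct_customer_count}, [suppressed products])."""
    buyers = defaultdict(set)
    for customer_id, row_brand, product in purchases:
        if row_brand == brand:
            buyers[product].add(customer_id)    # distinct people, not receipts
    shareable, suppressed = {}, []
    for product, ids in sorted(buyers.items()):
        if len(ids) >= min_cohort:
            shareable[product] = len(ids)
        else:
            suppressed.append(product)          # too small to leave the building
    return shareable, suppressed


def constructed_purchases():
    """Constructed sample: 150 people bought gummies once; 60 people bought
    tincture twice (120 receipts); an unrelated brand has 300 preroll buyers."""
    rows = [(f"c{i}", "BrandX", "gummies") for i in range(150)]
    rows += [(f"c{i}", "BrandX", "tincture") for i in range(60)] * 2
    rows += [(f"c{i}", "OtherBrand", "preroll") for i in range(300)]
    return rows


if __name__ == "__main__":
    shareable, suppressed = aggregate_for_partner(constructed_purchases(), "BrandX")
    print("share:", shareable)          # gummies only
    print("suppressed:", suppressed)    # tincture: 120 receipts but 60 people
```

A receipt count would have let the tincture cohort through at 120; the distinct-customer count is what keeps the export honest, and the returned `suppressed` list is what you keep as the record that the check ran.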

Takeaways

Ready to talk through your migration?

30-minute demo. We end by quoting the cutover from your current setup — fixed scope, no hourly games.