In the age of information, data is king. With that in mind, cannabis companies are rushing to build defensible market positions through cannabis loyalty programs. Cannabis loyalty programs are becoming more popular as dispensaries strive to improve everything from average ticket size to customer retention. In creating and maintaining a compliant cannabis loyalty program, companies should consider these three issues:
1. Compliance Beyond the TCPA.
Is the company’s program compliant with not only the Telephone Consumer Protection Act (TCPA), but also with the Health Insurance Portability and Accountability Act (HIPAA)?
Several companies have faced TCPA non-compliance issues, and the industry has quickly taken note and adapted to ensure that adequate consent documentation is collected before marketing texts and calls go out. However, besides the TCPA, companies should ensure that their loyalty programs comply with HIPAA and with applicable data privacy laws and regulations. HIPAA applies directly only to covered entities and their business associates, so a company should first determine whether it falls into one of those categories; state medical marijuana laws often impose their own patient-confidentiality requirements regardless. Companies licensed for medical marijuana operations must be aware of the requirements for safeguarding Protected Health Information (PHI) and must have up-to-date Business Associate Agreements (BAAs) in place with vendors and third parties (including loyalty-program platforms) with which PHI is shared. HIPAA's Security Rule also requires covered entities to maintain reasonable and appropriate administrative, physical and technical safeguards for protecting electronic PHI.
Retailers accepting, handling, transmitting or storing credit or debit cardholder data also should ensure that they adhere to the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS is not a law but a set of security requirements imposed by the card brands through acquiring banks and payment processors; it applies to every organization that accepts, handles, processes, transmits or stores cardholder data, and it requires that this be done within a secure environment.
Maintaining a secure environment under PCI DSS includes, but is not limited to:
• building and maintaining a secure network and systems,
• protecting stored cardholder data and encrypting it in transit over open, public networks,
• maintaining a vulnerability management program,
• implementing strong access control measures,
• regularly monitoring and testing networks, and
• maintaining an information security policy.
2. With Big Data Comes Big Responsibility.
In collecting consumers' demographic and purchase data, companies must be able to answer:
• Who is the data collected from?
• Who collects the data?
• What data is collected?
• When is the data collected?
• Where is the data stored, and who has access to it?
• Why is the data collected?
• How is the data used, with whom is it shared, and how long is it retained?
3. Who’s Running the Show?
Is the company's loyalty program regularly reviewed and updated? Is there a designated person responsible for ensuring that the program stays current and compliant with the rules and regulations in force? Who would be an ideal candidate?
If a company handles large data sets containing electronic PHI, it would be wise to designate a Privacy Officer as the primary stakeholder responsible for regularly assessing the risks associated with its loyalty program. Setting up a loyalty program is not a one-and-done exercise. Companies need to review their loyalty programs periodically against current rules and regulations and update them as needed. They also need to document employee training on data collection, whether that collection happens online, by text message or at the point of sale.
Cannabis loyalty programs will continue to grow as more and more states legalize. Along a parallel path, however, the compliance obligations attached to them will continue to grow as well.
Understanding your customer is half the battle. Staying compliant on all fronts is the other half.