Medical buyers are used to having their personal information collected. Recreational buyers should expect privacy, and in fact there is protection written into the law however it only binds the Department of Taxation (direct quote, emphasis mine):
5. To ensure that individual privacy is protected:
(a) The Department shall not require a consumer to provide a retail marijuana store with identifying information other than government-issued identification to determine the consumer’s age; and
(b) A retail marijuana store must not be required to acquire and record personal information about consumers other than information typically acquired in a financial transaction conducted at a retail liquor store.
Have you ever had a retail liquor store scan your ID or enter personal information into their database? Of course not. If you want to purchase from any of the following be prepared:
- Sierra Wellness: Records information from ID in their database, possible ID scan however contact was not forthcoming with details
- Kanna: Wanted to scan my ID using unidentified device
- Greenleaf: Wanted to scan ID and enter personal information into their database
- Silver State Relief: Enters info from DL and scans
- Reef: “We don’t take a photo scan of your ID, but it is our policy to scan it with a barcode scanner. This pulls your name, address, DOB, and DL # & expiration date into our database.”
- Blum: “We collect name, date of birth and ID number. We just need to prove that you were over the age of 21.”
- Mynt: Unknown: after long FB messenger conversation (the only way I could get any responses) little details are clear. Last message was “all they need to do in the store is verify that you have a valid ID and are over the age of 21. No information is saved.” That could be taken to mean only a visual inspection, but there is a lot of detail hidden in the phrase “valid ID”.
- Blackbird logistics (the company that handles wholesale and retail delivery): They require you upload an image of your ID to their system, first person I contacted claimed it was required by law which is a lie. When I called her on it, she backed off and said it was policy. Eventually gave me to a ‘supervisor’ who claimed it was to assure orders are legitimate, which is a joke….
You can see that some are greedier than others, so far the least invasive seems to be Blum.
Why should you care? Name and DOB are PII (Personally Identifiable Information) prized by data thieves. What can someone do with your name and DOB and the fact that you buy cannabis?
- Medical industry commonly uses name and DOB, with that someone can have full access to your medical history.
- Some banks are still using name + DOB and address to identify customers (common at credit unions).
- Some online services will allow you to reset your password with name and DOB.
- Many court systems will give you arrest/criminal reports using just a name and DOB…
- Name and DOB are powerful bits of information for social engineering attacks.
- Blackmail by threatening to tell your employer that you purchase cannabis.
- Threatening to turn you into the feds as a dealer, ever seen what happens when they raid the wrong house?
That’s just a short list, the more PII a bad actor has the more damage they can do. Imagine what they can do with everything on your DL? Say for example you have a motorcycle endorsement. How could that be useful? Imagine a call to one of your relatives claiming to be a from a hospital, you’ve been in a motorcycle accident and they need a CC number to start treatment until they can verify your insurance. These kind of social engineering scams work very well, the more PII they have the more effective the attack is.
If you think your information is safe, think about all the high profile breaches recently (Anthem/BlueCross, Home Depot, Target). I had one dispensary tell me that the data is safe because they are HIPPA compliant, er.. Anthem is HIPPA compliant and spends millions of dollars a year on security. If I were a dispensary owner there is no way I’d want to collect this toxic information unless absolutely necessary.
The intent of the law is clear, recreational marijuana sales should be no more invasive than purchasing a beer. A visual inspection of ID is all that’s necessary to establish that someone is 21+. Hand over your ID at your own risk. Data breaches are a common occurrence, why willingly increase the chance that your data is stolen?