Do Dispensaries Share My Information with the Government?

The protection of one’s personal information is a touchy subject, especially when it comes to cannabis. Although legal in X states, it is still not legal at the federal level, and many employers still drug test for THC. For these reasons, many dispensary customers are concerned about retention and sharing of their personal information. 

We frequently see Reddit threads asking for clarification on why dispensaries scan their ID and/or record their personal information:

Dispensary asked for my ID and took my info – should I be worried?

Do dispensaries record your license info?

Visited a dispensary – Is my security clearance screwed?

Are IDs being scanned at dispensaries for recreational purchase?

Often, the responses can be a bit alarmist. 

As experts in dispensary ID scanning, and data retention policies, we want to clear up misconceptions, put consumers’ minds at ease, and share our knowledge about best practices for age verification for dispensaries. So what happens when your ID is scanned while purchasing cannabis or cannabis related products? 

First, the answer depends on whether the cannabis you’re purchasing (or dispensary you’re visiting) is recreational use or medical use. Most states have different regulations and governing bodies for medical and recreational marijuana. 

Data Privacy for Recreational Marijuana Dispensaries

As for recreational use, things get a bit trickier, and it often varies on a state by state basis with some states banning the sharing of personal information with the government entirely. All states require age verification of consumers before cannabis purchase, and three states (Nevada, Illinois, and New Jersey) require that age verification be performed digitally, using an ID scanner, to better detect fake IDs.

Currently, New Jersey is the only state we are aware of that requires that audit logs be shared with the state NJCRC. However, these audit logs contain no PII except for date of birth, so they could not be used to identify a specific customer or purchase at a New Jersey dispensary. 

States such as Illinois, Montana, and California all have set limits for retention of PII, from Illinois (where no PII can be retained from an ID scan), to Montana (where data can be retained for up to 180 days). These states are taking active measures to ensure PII is regularly removed from the system, and that privacy of cannabis purchasers is a priority for dispensaries. 

The other main reason that dispensaries store your personal information is to ensure you stay within the legal purchase limits, which vary by state. By scanning your ID and storing your personal information in a general system for a short amount of time, it ensures that both you and the business are protected from exceeding your daily maximum. For dispensaries with multiple locations they will likely share your purchase amount with a centralized database to combat looping. 

For dispensaries, if they are found to be violating daily maximum laws they can be fined, or even lose their license. So tracking daily maximums for each customer is crucial. Owners of a Colorado dispensary were sentenced to prison in 2019 for looping that allowed more than 2.5 tons of marijuana to hit the black market. 

Whether or not the business is digitally scanning, they are likely still entering your information into their CRM or database for the purpose of internal marketing. The dispensary market is highly competitive, and sending marketing emails, SMS messages, or even direct-mail coupons, can help retain customers. By creating a customer profile and tracking your purchase habits, the company has a better chance of selling more to you in the future. 

Data Privacy for Medical Marijuana Dispensaries

Data privacy and retention for medical marijuana vary by state. 

Most states, such as Florida, have a Medical Marijuana Registry, which is used to issue a Medical Marijuana Card that includes a photo ID that is physically sent as part of the registration process. This card must be shown to gain entry to dispensaries (and in some cases swiped). However, because these  HIPAA records are legally required to be kept private, thus protecting personal information related to prescribed cannabis purchase. To get a medical marijuana card, you must receive a recommendation from a certified physician upon diagnosis of a qualifying condition, and then apply with their government entity.

The following states issue medical marijuana cards and have centralized databases of all eligible patients, and do not offer recreational marijuana (and therefore no ability for legal purchase without sharing PII with the government). 

Louisiana is another example of a medical-only state, but one that does not use cards, or have a centralized database of any kind. After assessment by a physician, the recommendation may be made for cannabis to be part of your treatment plan. The doctor will then send the recommendation to a dispensary, thus allowing the patient to purchase medical marijuana – similar to the way a pharmacy works for prescription pills. The only records of the cannabis prescription and purchase are with the prescribing physician and the dispensary. 

Because the vast majority of insurance companies do not cover prescribed cannabis, they do not hold any records for the prescription or coverage for the product. So there is less opportunity for a paper trail than other prescriptions where the insurance company will also hold a detailed record. 

As many states legalize recreational cannabis, the need for stringent medical marijuana programs lessens, and fewer patients utilize the more stringent model of verification and product purchase. So if staying off of any government lists or databases is important you may want to forego a cannabis prescription and purchase via recreational channels. 

Summary

The short answer to the question of whether or not recreational dispensaries are sharing your information with the government is: no. Why are we so confident?

  • No state Cannabis Control Board requires that dispensaries share PII on their customers. 
  • Many state Cannabis Control Boards specifically require that dispensaries dump PII and/or require reasonable measures to ensure privacy of their customers.
  • There is no federal Cannabis Control organization, and states do not share data between them.
  • There is no mechanism or format for collection of customer information that could be readily exported and shared with any government or private entity.
  • The largest POS systems are configured to save information that is relevant to customer loyalty and marketing.

So don’t worry: your cannabis purchases are not being tracked at either the state or federal level, and even if your favorite dispensary scans your ID, they are simply verifying your age and streamlining the creation of your customer profile. No PII is exported or shared with the government. 

Either way, IDScan.net is here to help guide you in the selling process. To learn more about ID scanning in the cannabis industry, download your ID Scanning & Compliance Guide for Dispensaries and  be sure to contact one of our industry experts.

SHARE YOUR CART