The United States now has 21 comprehensive state consumer privacy laws either in effect or enacted and pending activation — a number that has nearly tripled since 2023. Spring 2026 alone added Alabama and Oklahoma to the list, with four more state laws activating in July.
Cannabis dispensaries sit in the worst possible position in this landscape. They collect highly sensitive consumer data — purchase history tied to a state-regulated controlled substance, ID documents, sometimes biometric data, often health information for medical programs — while operating under federal legal ambiguity that complicates their ability to invoke standard legal defenses.
This article maps the 2026 state privacy law landscape, explains why cannabis operators face disproportionate exposure, and provides a practical compliance checklist.
The 2026 State Privacy Law Map
Active Since January 1, 2026
Indiana — Indiana Consumer Data Protection Act (ICDPA). Applies to controllers processing personal data of 100,000+ consumers, or 25,000+ consumers where data sales constitute more than 50% of revenue. Indiana has no private right of action; the AG enforces.
Kentucky — Kentucky Consumer Data Protection Act (KCDPA). Similar thresholds to Indiana. Notable for Kentucky’s substantial medical cannabis program, which launched in 2025. Medical cannabis patient data likely qualifies as “sensitive data” requiring opt-in consent.
Rhode Island — Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA). Effective January 1, 2026. Applies to controllers processing data of 35,000+ consumers. Consumer health data receives heightened protection.
Enacted Spring 2026, Pending Activation
Alabama — Alabama Personal Data Protection Act (ALPDPA). Signed by Governor Kay Ivey on April 17, 2026. Takes effect May 1, 2027. Cannabis operators in Alabama have roughly one year to prepare.
Oklahoma — Oklahoma Consumer Data Privacy Act (OCDPA). Enacted spring 2026. Applies to controllers or processors conducting business in Oklahoma or producing products/services targeted to Oklahoma residents that process data of at least 100,000 consumers, or 25,000 consumers where data sales drive more than 50% of gross revenue.
Activating July 1, 2026
Connecticut — The Connecticut Data Privacy Act (CTDPA) has amendments activating July 1, 2026, expanding requirements around universal opt-out mechanisms and consumer health data.
Arkansas — Arkansas Personal Information Protection Act provisions activating July 1.
Utah — Utah Consumer Privacy Act (UCPA) amendments effective July 1.
California Updates — August 1, 2026
California continues to tighten its privacy framework on two fronts:
- Expanded data broker registration requirements: New mandatory disclosures and streamlined deletion request processing take effect August 1.
- Consumer health data protections: California’s expanded health data privacy provisions add new restrictions on the collection and sharing of data that reveals a consumer’s health conditions or cannabis purchase history.
Why Cannabis Operators Are Disproportionately Exposed
You Collect Sensitive Data by Design
State cannabis licensing programs require operators to verify customer age and identity. Medical cannabis programs require proof of medical authorization. The data collected as a matter of routine compliance — government ID scans, birthdate, address, sometimes medical documentation — is precisely the category that comprehensive privacy laws treat as “sensitive data” requiring heightened protections.
Sensitive data under most state privacy laws requires explicit opt-in consent before processing, strict purpose limitations, and sometimes data minimization obligations. Cannabis operators who have been collecting this data as operational standard for years need to examine whether their collection practices meet the opt-in consent standard.
Purchase History Is Effectively Health Data
Most comprehensive state privacy laws define “consumer health data” broadly enough to capture cannabis purchase history for medical patients — and arguably for adult-use consumers purchasing for health or wellness reasons. California explicitly updated its health data definitions to cover cannabis-adjacent data.
In several states — Washington, Nevada, Connecticut — there are consumer health data privacy acts that sit on top of comprehensive privacy laws and impose even stricter requirements, including prohibitions on geofencing near health-related locations and restrictions on sharing health data with third parties.
Loyalty Programs Are a Liability
Cannabis loyalty programs — which nearly every multi-location operator runs — collect behavioral data at scale: purchase frequency, product preferences, session spending patterns, and sometimes location data through app-based programs. This data, tied to a verified identity from your ID scan at the door, creates a rich consumer profile that most state privacy laws give consumers the right to access, correct, and delete.
CannaSecure has previously covered the loyalty program privacy exposure in detail. In the 2026 state privacy law landscape, that exposure has expanded materially.
ID Scanners and Biometric Exposure
Dispensary ID scanners that capture and store driver’s license data — and particularly any scanner that extracts or stores biometric data — face compounded exposure. Illinois BIPA remains the most dangerous biometric privacy statute in the country, with per-violation statutory damages that have produced nine-figure settlements. Dispensaries in or marketing to Illinois residents need to treat every ID scan as a potential BIPA trigger.
Oklahoma, Indiana, and several of the newer state laws include biometric data in their sensitive data categories requiring opt-in consent.
The Rights You Need to Honor
All 21 comprehensive state privacy laws share a common core of consumer rights. Your compliance program must be able to honor these rights for residents of every covered state:
Right to Know / Access — Consumers can request confirmation that you process their data and a copy of the personal data you hold on them. Your data map must be accurate enough to respond within the required timeframe (typically 45–60 days).
Right to Correct — Consumers can request correction of inaccurate personal data. If your POS system or loyalty platform contains consumer data errors, you must be able to correct them on request.
Right to Delete — Consumers can request deletion of their personal data. This is the most operationally complex right for cannabis operators because purchase records may also be required for regulatory record-keeping under your state cannabis license. You need a legal analysis of where deletion rights conflict with regulatory retention obligations.
Right to Opt Out of Data Sales — If you share customer data with third parties in exchange for value — including some advertising technology arrangements — you are likely engaged in “data sales” under most state privacy laws. You must provide a clear opt-out mechanism.
Right to Non-Discrimination — You cannot deny service or provide inferior service because a consumer exercised a privacy right.
Sensitive Data Opt-In Consent — Before collecting or processing sensitive data (which includes your cannabis purchase history and any health-related data), you generally need affirmative opt-in consent under the newer state laws.
State-by-State Key Dates for Cannabis Operators
| State | Law | Effective Date | Key Risk for Cannabis |
|---|---|---|---|
| California | CPRA + Health Data | Ongoing + Aug 1 updates | Health data, data broker rules, loyalty programs |
| Colorado | CPA | July 1, 2023 | Social equity and health data |
| Connecticut | CTDPA | July 1, 2023 + July 2026 updates | Health data geofencing |
| Virginia | VCDPA | January 1, 2023 | Biometric, sensitive data |
| Texas | TDPSA | July 1, 2024 | No private right of action; AG enforcement |
| Florida | FDBR | July 1, 2024 | 100,000 consumer threshold |
| Montana | MCDPA | October 1, 2024 | Small state, but medical cannabis program |
| Oregon | OCPA | July 1, 2024 | Health data, opt-out |
| Indiana | ICDPA | January 1, 2026 | Medical cannabis data |
| Kentucky | KCDPA | January 1, 2026 | Medical cannabis program data |
| Rhode Island | RIDTPPA | January 1, 2026 | Health data heightened |
| Alabama | ALPDPA | May 1, 2027 (enacted April 2026) | Prepare now |
| Oklahoma | OCDPA | Enacted spring 2026 | Adult-use adjacent market |
Practical Compliance Steps for Cannabis Operators in 2026
1. Map Your Data
You cannot comply with rights you cannot operationalize. Build or update a data map covering:
- What personal data you collect (ID scans, purchase history, loyalty data, health documentation)
- Where it is stored (POS system, loyalty platform, METRC, email lists, ad platforms)
- Who you share it with (vendors, marketing partners, advertising technology)
- How long you retain it and whether you can delete it selectively
2. Audit Your Sharing Arrangements
Every third-party relationship that involves consumer data needs review. Loyalty program technology vendors, advertising platforms, SMS marketing providers, and analytics tools are all potentially involved in data “sales” under state privacy law definitions. Review your vendor contracts and data processing agreements against the opt-out requirements.
3. Build Your Consumer Rights Response Process
You need a documented process for responding to access, correction, deletion, and opt-out requests within the statutory timeframe (typically 45 days with a 45-day extension). This process should be tested before you face a real request.
4. Update Your Privacy Policy
Your privacy policy must accurately reflect the categories of data you collect, your sharing practices, and the rights consumers have. Many cannabis operators have outdated privacy policies that do not address state-specific rights, sensitive data disclosures, or opt-out mechanisms. Review and update for every state where you have customers.
5. Add a Universal Opt-Out Mechanism
Several states now require businesses to honor Global Privacy Control (GPC) signals as an opt-out of data sales. If your website does not recognize GPC, you are non-compliant in those states. Many privacy tools integrate GPC recognition; verify your current setup.
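One way to recognize the GPC signal on the server, shown as an added example that is not part of the original article or any vendor's code. It applies the opt-out uniformly rather than per state, in line with building to the most stringent standard; the tag names and the `sharesForValue` flag are constructed assumptions.

```javascript
// Added example. Tag names and the sharesForValue flag are constructed; in
// practice they come from the data map and vendor-contract review.
const TAGS = [
  { name: 'age-gate', sharesForValue: false },
  { name: 'first-party-analytics', sharesForValue: false },
  { name: 'loyalty-sms-vendor', sharesForValue: true },
  { name: 'ad-retargeting-pixel', sharesForValue: true },
];

// The GPC request header is Sec-GPC and its only defined value is "1".
// Header names are case-insensitive; anything other than "1" is no signal.
function hasGpcSignal(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() !== 'sec-gpc') continue;
    const first = Array.isArray(value) ? value[0] : value;
    return String(first).trim() === '1';
  }
  return false;
}

// Decide which third-party tags may be rendered for this request.
// storedOptOut is the opt-out already recorded for a logged-in customer.
function planTags(headers, storedOptOut, tags = TAGS) {
  const gpc = hasGpcSignal(headers);
  // A missing signal never clears an opt-out that is already on file.
  const optedOut = gpc || storedOptOut === true;
  const blocked = tags.filter((t) => optedOut && t.sharesForValue);
  return {
    optedOut,
    source: gpc ? 'gpc' : optedOut ? 'stored' : 'none',
    // Persist a GPC-derived opt-out so it also applies to loyalty and SMS
    // sharing that happens away from the browser.
    persistOptOut: gpc && storedOptOut !== true,
    allowed: tags.filter((t) => !blocked.includes(t)).map((t) => t.name),
    blocked: blocked.map((t) => t.name),
  };
}

// Constructed requests: one browser sending GPC, one not.
const withGpc = planTags({ 'Sec-GPC': '1', 'user-agent': 'example' }, false);
const without = planTags({ 'user-agent': 'example' }, false);
console.log(withGpc.blocked, without.blocked);
```

Browsers that send the header also expose the same signal to page scripts as `navigator.globalPrivacyControl`, so client-side tag managers can apply the same rule before injecting a blocked tag.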
6. Address Sensitive Data Opt-In Consent
For customers in states with opt-in sensitive data requirements, you need a clear consent mechanism before processing sensitive data. This is operationally complex when your ID scan and purchase capture happen simultaneously at the point of sale. Work with your POS vendor and legal counsel to build a workable consent flow.
7. Review Medical Patient Data Separately
If you operate a medical cannabis program, patient data likely qualifies as sensitive health data under every applicable state law — and potentially under HIPAA if your program involves healthcare providers. Medical patient data requires stricter controls, shorter retention windows, and heightened breach notification obligations.
Multi-State Operators: The Patchwork Problem
If you operate in multiple states, you are subject to multiple state privacy regimes simultaneously. The practical approach most large operators take is to build to the most stringent standard — typically California or Washington state consumer health data requirements — and apply that standard uniformly.
This is not legally required, but it is operationally simpler than maintaining 21 separate compliance tracks. Given that California’s framework is the most comprehensive and the most actively enforced, using it as your baseline provides the greatest protection against enforcement action in any state.
CannaSecure will publish state-specific breakdowns of privacy law compliance for cannabis operators over the coming months, beginning with the highest-risk states for the industry.



