Tag Archives: case

Designing Precision Cannabis Facilities: A Case Study

By Phil Gibson

With data forecasting expert BDSA predicting that the global cannabis market will reach $56B by 2026, there is no time to waste. Whether it’s Oklahoma, New York or even Macedonia, the frenzy is on. Investment decisions are immediate, and you have to be correct out of the box. This is where an expert like Andrew Lange and his company, Ascendant Management, come in. Andrew has designed more than 1.5 million square feet of cannabis facilities and moved them into profitable production in North America and Europe. One of his active customers is Onyx Agronomics in Washington. Bailee Syrek is the director of operations at Onyx and this is the story of the key points in designing a precision cannabis facility with state-of-the-art efficiency.

Background

Andrew Lange, a navy veteran, runs a global cannabis consulting business based in Washington. With a “prove it to me” approach, he regularly tests the best new technologies in the facilities he designs. He integrates his knowledge of what works in practice into his subsequent facilities. One of his previous projects, Onyx Agronomics in Washington, started in 2014 and moved quickly into production in a retrofitted warehouse. Many of his best ideas started with Onyx, including some new innovations in the latest expansion there this month. Onyx is a tier 3 cannabis cultivator.

Bailee Syrek’s operation at Onyx currently produces 9,000 lbs. of dry trim bud per year in 8,000 square feet of canopy. She operates the state-of-the-art, clean room style, indoor grow facility around the clock, delivering 2.7 grams/watt from every square foot of canopy in her building. She runs a highly efficient facility.

Onyx has had an ongoing relationship with Ascendant Management and chose to leverage them again with their current expansion to increase their capacity further. Onyx uses a range of advanced technologies including aeroponic cultivation equipment and control software from AEssenseGrows to hit their metrics.

Precision, Quality & Consistency

“I look for ways that my clients can differentiate themselves,” says Lange. Maybe it’s his military background, but Andrew demands precision, quality and consistency in the operations he designs. “Cannabis is just a plant really so we look for the highest performance grow methodology. I find that to be AEssenseGrows aeroponics,” says Lange. “The AEtrium Systems provides a good foundation to manipulate for grow recipes and business process. I add teamwork, communications, and operations procedures to that foundation.”

At Onyx, Bailee Syrek works closely with her channels. She invites her customers in regularly to review the Onyx cultivars and to cover their ideal requirements. These can range from bud size for their packaging to THC or terpene profiles (Yes, channels do want both higher and lower THC content for different consumers and price points). Based on that feedback, Bailee and Andrew work together to dial in the ideal grow recipe in the AEssenseGrows Guardian Grow Manager central control software. They push their target strains to optimize the results in the direction requested by their customers. For example, “How do you get the highest possible THC out of 9lb Hammer?” You’ll have to ask Andrew and Ascendant Management.

Driven by customer requests, Onyx is adding new strains to build on their innovative brand. Bailee expects to reach new levels of terpene bundles with Cheeseburger Jones, Koffee Breath, Shangri-La and OK Boomer. Utilizing Andrew’s expert knowledge, they can take typical sub-20% cannabinoid bundles and improve them using aeroponics and better controls, into standout aeroponic 30% packages.

The Onyx Vision

Bailee Syrek believes this is the most exciting time yet for Onyx. Delivering premium grade cannabis as a white label flower supplier for years, Onyx is a profitable and successful business. But even with doubling capacity every year, they are still having trouble keeping up with customer demand. Bailee wants to get to the point where she can always say yes and accept an order from their white label customers. With this objective, she again engaged Ascendant and Andrew to get beyond 15,000 lbs. of output in 2021 to make her customers happier. Beyond that basic expansion, she is also ambitious and is preparing plans for additional lines of revenue with their own proprietary flower, oil and derivative products.

“This expansion will be a new challenge,” says Syrek. “Flower production is in our wheelhouse. We have tighter operations, with the most consistent bud size, terpenes and test results in our state. These new products will require that same quality but now in new areas.”

Her Path to Leadership

Bailee started with Onyx in a compliance position that grew out of the constant demands for government licensing and reporting. In that compliance role, she had the opportunity to work a bit in every department, giving her a good understanding of all of the facility operations and workflows. All of that experience led her to eventually take over the operations leadership role. She instills care and effort to maintain the cleanest and most efficient operations possible. “With aeroponics, we don’t have to lug soil from room to room or in and out of the facility. This saves us a ton of work that we can redirect to plant health and maintenance,” says Syrek. “Medical precision and GMP quality is a given. Each room on average is 105 lights and one room manager and one cultivation technician take the room from clone/veg transfer to harvest as a two-person team.”

Bailee prides herself on results. “Medical grade precision is normal for us. We use medical grade SOPs for every aspect of our production.” Bailee has designed these guides into their control system that runs on the Guardian Grow Manager software. From sensor tracking to performance graphs to time cards, everything is integrated in her performance monitoring.

A quality focus is very apparent in every Onyx flower room. Every watt of light energy is transferred to the pristinely manicured canopy. Naked stems feed nutrients up to the fat buds at the trained canopy surface. Fan leaves are removed and all possible energy turns into bud weight and potency. The room technician has a passion for plant health, table care and plant maintenance all the way through to the harvest bonanza.

What is the biggest challenge for Bailee as she drives the operation? Even at 105-110 grams per square foot per harvest, they are sold out. “Every customer wants to buy beyond our capacity. It is a good problem to have,” Bailee says. “Customers want our quality and love the consistency. This is the most exciting thing about our expansion. We will finally be able to make additional channels happy with high quality supply.”

This is where Andrew credits Onyx’s performance. “Most well running operations deliver 1.1-1.8 grams of dry trim bud per watt of electricity used in powering a grow room,” says Andrew. The Onyx grow formula results leave this in the dust. Running Fluence SPYDR 2i grow lights and the AEtrium System aeroponics, Onyx plants are delivering just shy of 4 lbs. per light with every harvest cycle. At 630 watts max output, that delivers ~2.7 grams/Watt, the most efficient operation he has seen. The Onyx process and execution works.

“Bailee is a great example as a professional. She builds a motivated team that executes better than her competition,” says Andrew.

At the same time, Onyx runs a highly space-efficient nursery with just enough mother plants feeding energetic cuttings into the 4-layer stacked AEtrium-2.1 SmartFarms in their environmentally controlled clone room. They produce more than enough healthy clones to jump from veg to flower in the span of a week. Grow time, harvest turn time and no veg space result in very efficient use of power in the complete operation.

Mirroring Onyx for Medical Grade Cannabis in Europe

Andrew Lange’s current passion is a green-field project in Portugal. Self-funded, Andrew says that this facility will be one of the first that is pure enough in operations to supply non-irradiated clean-room-level-quality cannabis beyond the precise standards required by European regulators. Current importers have not been able to clear the European standards for cleanliness without irradiating their buds. Other companies like Aurora have abandoned efforts to access the market due to the precision requirements. Typical methods used for fruit imports use gamma radiation to get bacterial counts down. This was tried with cannabis to sterilize buds, but the problem with cannabis is this degrades the quality of the flower.

Andrew’s Portugal facility will be using a sterile perimeter surrounding his grow space (mothers, clones/veg, flower rooms) and harvest and processing areas (dry, trim, packaging). Andrew creates a safe environment for healthy production. A steady harvest cleaning regimen is built into his operational designs from the beginning. All operators are trained in procedures to exclude pathogens and limit all possible transmission (airborne, physical/mechanical touching, or water carried). Every area is cleaned during and between harvests. Andrew is confident he will reach a consistent level of accuracy and purity beyond European requirements because it is routine in all of his designs.

Certified Efficiency is the Message

Good Manufacturing Practices (GMP) and Good Agricultural and Collection Practices (GACP) are required for certification and access to European markets. Andrew always builds tight operations, but in this case, his Portugal facility is designed with the fit and finish to be GMP and GACP compliant from day one with advanced air filtration and air management throughout.

Automated aeroponics is a foundation technology that Andrew recommends for his facility designs. The automatic data logging, report generation, cloud access and storage make this a foundational technology. Andrew does get some resistance from cultivators who are used to the classic soil media approaches, but he explains that software-configurable grow recipes, precision controls, zero soil/no pests and hyper-fast growth make aeroponics the foundation of competitive advantage. Precisely controlled medical quality precision operations are built on top of this foundation.

The initial phase of the Portugal facility is 630 lights and this facility is Andrew’s latest personal investment. From secure perimeters to modular grow rooms and highly automated equipment, this location will be state-of-the-art in terms of grams/watt yields and renewable energy with an output of 6 metric tons per year. Solar powered electricity from a 4-megawatt farm will use Tesla megapacks for storage and be grid independent.

Technology & Innovation, Onyx & Ascendant

From his first experience with AEssenseGrows aeroponics, Andrew has been able to design complete grow recipes in the Guardian Grow Manager software with very tight precision on dosage. This makes it possible to create ideal recipes for each strain (nutrition, irrigation cycles, lighting and environmental management). This frees up the operations teams to focus on plant health and execution. The nutrients, pH, CO2, temperature and humidity, follow the Guardian directions that he sets.

Working with Bailee at Onyx, Andrew is now consulting on the post-harvesting side of operations (drying, trimming, extracts and packaging). In parallel with his efforts, Bailee is optimizing THC & terpene production on the cultivation side with UV lighting (considering far-right red frequency light recipe enhancements).

That is the Ascendant Management approach to innovation. Trial, test constantly, perfect ideas in practice. Optimize the results for consistent, high-quality results. Even while driving for the personal craft touch, use automation to increase efficiency of mundane, but important tasks. With these methods, Andrew believes that the Onyx labor cost is one third of typical soil media grow operations. Zero soil aeroponics offers many benefits. Bailee’s team is able to give each plant more attention and deliver better quality. Automation is a win-win for them.

Bailee finds that constant testing is useful for two things: one, great results, and two, surfacing the best talent with their hands-on approach.

Always Finish with People

Bailee says that her staff works incredibly hard. “We are a different grow, with better ergonomics on the job, aeroponics for precision and yields, and advanced technology at the leading edge in every part of our grow. No dirt up and down stairs. People are proud to work here. We are not your dad’s grow operation.”

“We promote from within. Everyone starts as a room tech and has the opportunity to move up. Teams are isolated by rooms so there is no contamination between rooms or humans. Put in the work, and you will get promoted with expansions, and grow with the company as we take a bigger share in the market.” Female employees make up almost half of the current staff, and Bailee encourages employees to refer their friends. “Good people invite good people,” she says.

Her training program introduces the technical aspects of their unique operation, the positive expectations and career path for every new employee. The social environment is friendly with good pay and regular raises. Each new employee fills a range of roles during their 1-month training circuit and is assigned to a cultivation space under a lead as an official cultivation tech at the end of 30 days. “One thing that we do more than at other grows is constant cleaning,” says Bailee. “This is an ever-present mantra for the staff.”

How Private-Sector-Led Information Sharing Can Transform Cybersecurity in the Cannabis Industry.

By Andy Jabbour, Ben Taylor

The cannabis industry’s advancement towards legalization continues to dominate national headlines, from the stance of incoming Attorney General Merrick Garland to deprioritize enforcement of low-level cannabis crimes, Senate Majority Leader Chuck Schumer’s continued advocacy, to the recent passing of legislation in New York, New Mexico and Virginia (the first in the South) to authorize adult-use cannabis. While these updates are likely to intrigue customers and investors alike, they are also sure to draw the attention of cyber criminals who could look at the relative youth of the industry, as well as its rapid growth, as a prime target of opportunity for nefarious acts.

To understand risk mitigation best practices across a wide spectrum of private sector industries, this article will first describe the current security environment in order to understand the threats, then briefly highlight specific case studies to assess the risks, and finally identify actions that individual organizations, as well as the cannabis industry as a whole, can take to enhance security and preparedness and to develop resiliency against future attacks.

Understanding the Threats

For an industry that has operated in a largely cash-based system for much of its existence, the idea of security is not foreign. Typically, these concerns focused on physical security implementation. The topic has received plenty of coverage, including a recent article in this journal articulating Important Security Considerations When Designing Cannabis Facilities. While an audit of physical security measures is a valuable part of any all-hazards threat assessment, securing a growing online network – from email to online finances to connected devices within cannabis facilities – can pose more unfamiliar challenges. When consulted for this article, Patten Wood, a former VP of marketing for a prominent west-coast cannabis retail brand, noted: “While the topic of cybersecurity is critically important to customers, businesses, and the industry at large, it isn’t top of mind for many of the cannabis companies that I’ve experienced.” Understanding what risks are present is the first step to mitigating them, so we must first discuss several common cyber threats for the cannabis industry.

  • Phishing: Phishing happens when cybercriminals impersonate a trusted individual or entity, typically through email. The goal in this instance is to get the target to share confidential information or download software that can allow unauthorized access into an organization’s network. Phishing is one of the most common types of cyberattacks as it is relatively easy to conduct and surprisingly effective.
  • Ransomware Attacks: Ransomware attacks are used to gain access to a computer network and then lock and encrypt either the entire system or certain sets of high-value files, which can compromise important business information, and impact client and vendor privacy. A ransom is then demanded for restoring access, but paying the ransom comes with its own risk as it doesn’t guarantee the files will be restored. 
  • Cyber Extortion: Similar to ransomware attacks in design, cyber extortion typically involves a threat to leak personal information, and the attackers will generally demand payment in cryptocurrency in order to maintain their anonymity.
  • Remote Access Threats: As 2020 has forced organizations to rethink how they conduct business and shift to more remote operations than they had in the past, it can open up several new threats. According to a survey by IT social network SpiceWorks.com, six out of every ten organizations allow their employees to connect their company-issued devices to public Wi-Fi networks. Utilizing unsecured Wi-Fi networks opens the user up to man-in-the-middle attacks, allowing hackers to intercept company data. Unsecured Wi-Fi also brings the threat of malware distribution. An additional consideration with remote workers is the uptick in cyberattacks against remote access software, referred to as remote desktop protocol (RDP) attacks. According to Atlas VPN, RDP attacks skyrocketed 241% in 2020 and we’ve seen numerous RDP attacks against critical infrastructure throughout the pandemic and across all industries.

  • Internet of Things (IoT) Leaks: With IoT devices running everything from security systems to automated growing operations, the convenience has been a huge boost for the industry. Unfortunately, many IoT devices don’t have sophisticated built-in security. Another common problem is the tendency of users to keep default passwords upon installation, which can make devices easy for cyber criminals to access. Once they are inside the system, malware can easily be installed, and the actors can move laterally throughout the network.
  • Personal and Medical Record Security: Many cyberattacks expose some level of personal data, whether that be customer, employee or vendor information. An extra consideration for retail operations that either treat medical patients, or medical and adult-use customers, is the additional information they must store about their clients. Medical facilities will maintain protected health information (PHI), which is much more valuable on the dark web than personally identifiable information (PII). But even adult-use facilities may keep government-issued ID or other additional information above that of a typical retailer, which makes the potential value of their information much more intriguing for a cybercriminal.

Assessing the Risks

Depending on where your organization lies in the seed to sale chain, you will have different levels of risk for various types of attacks. We briefly discussed ransomware attacks earlier. Ransoms can range widely depending on the size of the organization that is attacked, but the ransom alone isn’t the only risk consideration. Businesses must also factor in the cost of downtime (an average of 18 days in 2020) caused by the ransomware when evaluating the impact to business operations, as well as reputation. While small – medium businesses are absolutely at risk, especially given their relative lack of cybersecurity resources and sophistication, a recent trend involves “Big Game Hunting” where cybercriminals are targeting larger organizations with the potential for bigger paydays. Criminals understand that big business can rarely afford major delays, and may be more able and willing to pay, and pay big, for a return to normal operations.

Below are several examples of attacks which have either directly impacted the cannabis industry, or have valuable lessons the industry can learn from.

GrowDiaries: In October 2020 researcher Bob Diachenko discovered that 3.4 million records including passwords, posts, emails and IP addresses were exposed after two instances of the open-source application Kibana were left exposed online. As a platform for cannabis growers around the world (who are not all growing legally), this type of exposure puts the community at great risk, and can lower user confidence in the product, as well as putting them at personal risk of harm or legal ramifications. The applications being left open is a prime example of either a lack of good cybersecurity policies, or not following through on those policies.

Aurora Cannabis: On December 25th, 2020 Canadian company Aurora Cannabis suffered a data breach when SharePoint and OneDrive were illegally accessed. Included in the data that was compromised was credit card information, government identification, home addresses and banking details. The access point coming through Microsoft cloud software is a prime example of some of the challenges facing businesses who have an increasingly remote workforce yet still need that workforce to access critical (and usually highly sensitive) information.

THSuite: A database owned by seed to sale Point-Of-Sale (POS) software provider THSuite was discovered by researchers in December 2019. The database contained PHI/PII for 30,000 people, with over 85,000 files being exposed. The information that was left accessible included scanned government IDs, personal contact information and medical ID numbers. Clearly this gets into HIPAA territory, which can result in fines of up to $50,000 for every exposed record.

DoorDash: As cannabis delivery apps become more prevalent, it’s good to reference how similar businesses in other industries have been targeted. In May of 2019 nearly 5 million user records were accessed by an unauthorized third party, exposing PII and partial payment card information.

Taking Action 

On an organizational level, employee training, password hygiene and malware protection are some of the basic and most important steps that should be taken by all organizations. But, if “knowledge is power,” the best defense for any organization against cyber threats is a well-informed organization, from leadership down to the front-line employees. Excellent tools to assist in this are Information Sharing & Analysis Centers/Organizations (ISACs/ISAOs). ISACs were established under a presidential directive in 1998 to enable critical infrastructure owners and operators to share cyber threat information and best practices. The National Council of ISACs currently has over 20 member ISACs including Real Estate, Water, Automotive and Energy. ISAOs were created by a 2015 executive order to encourage cyber threat information sharing within private industry sectors that fall outside of those listed as “critical infrastructure”. Christy Coffey, vice president of operations at the Maritime and Port Security ISAO (MPS-ISAO), says information sharing enabled by the executive order is critical. “We need to accelerate private sector information sharing, and I believe that the ISAO is the vehicle.”

According to Michael Echols, CEO of the International Association of Certified ISAOs (IACI) at the Kennedy Space Center, security experts have long understood that threat information sharing can allow for better situational awareness and help organizations better identify common threats and ways to address them. “On the other side, hackers in a very documented way are already teaming up and sharing information on new approaches and opportunities to bring more value (to their efforts).” The ongoing crisis surrounding the Microsoft Exchange Server Vulnerability demonstrates that different cybercriminal groups will work simultaneously to abuse system flaws. As of March 5th it was reported that at least 30,000 organizations in the U.S. – and hundreds of thousands worldwide – have backdoors installed, which makes them vulnerable to future attacks, including ransomware.

Below are several links to recent products that have been shared by various ISACs/ISAOs, which are provided as an example of the type of information that is commonly shared via these organizations.

If organizations are interested in learning more about enhancing their cybersecurity resiliency through private-sector led information sharing, please reach out to the newly formed Cannabis ISAO at ben@cannabisisao.org 

FAQs: How Cannabis Businesses Can Avoid TCPA Liability

By Artin Betpera

As the cannabis industry continues to experience growth in markets across the country, cannabis businesses are becoming an ever-increasing target of plaintiff’s lawyers in Telephone Consumer Protection Act (TCPA) lawsuits. Text messaging provides a potent channel of customer engagement, but at the same time is subject to strict regulations under the TCPA, with violators subject to steep statutory penalties of $500-$1,500 per message. While one-off cases won’t typically break the bank, that’s far from the case when many thousands of texts are bundled together in a class action. And this potential for big paydays means plaintiff’s lawyers have a financial incentive to file cases as class actions whenever they can.

Some well-known names in cannabis have been the target of TCPA class action. Cannabis delivery service Eaze has battled some fairly well-publicized TCPA class actions in the past couple of years. There has also been an assortment of dispensaries across several western states that have been the targets of similar lawsuits. Notably, these lawsuits share a common thread: they are based on marketing or promotional text messages sent to consumers.

In this landscape, firing off texts without the proper compliance safeguards is a game of roulette. At some point in time, one or more messages will invariably land in the wrong hands, sparking an expensive, high-stakes class action. In this competitive space, there are far more productive things any cannabis business can be doing than spending the time and resources on this type of lawsuit.

So how can your business avoid being caught in a TCPA trap? The following Q&A will walk you through some of the questions you should be asking if you are currently texting, or planning to text your customer base for marketing purposes. One quick note before starting: the TCPA has different rules for different types of messages (such as informational versus marketing messages). This Q&A will cover the distinction between these types of messages, but focuses on the rules around marketing messages since these are rules cannabis businesses get tripped up in most frequently when sued for TCPA violations.

Question: How do I know if the TCPA applies to me?

Answer: Are you texting your customers? If so, are you using some kind of platform that lets you send multiple texts at once? If you answered yes to both, then the TCPA most likely applies to you.

In short, the TCPA prohibits calling or sending texts to cell phones using an Automatic Telephone Dialing System (ATDS). Without getting into the many nuances of how courts have interpreted the legal definition of that term (and risk boring you to death), you can assume that unless you’re hitting send on each and every single text that goes to your customers, that you’re using an ATDS, and your texts are subject to the TCPA.

Q: So it looks like the TCPA applies to me. What now?

A: If you don’t have a compliance plan in place, now’s the time to implement one. To start, take stock of (a) how you’re sending texts; (b) who you’re texting; (c) where you obtained their phone number; and (d) whether you have their prior express written consent. That last part is key: under the TCPA, if you’re sending any text messages to your customers for “telemarketing” purposes, you’ll need what the TCPA calls “prior express written consent”.

Q: But I’m a cannabis business, not a telemarketer. Why should I worry about the TCPA again?

A: The TCPA’s rules requiring prior express written consent apply when the text is sent for “telemarketing” purposes, defined as “the initiation of a telephone call or message for the purpose of encouraging the purchase or rental of, or investment in, property, goods, or services, which is transmitted to any person.” Put simply, if you are sending texts to market or promote something you sell, then it’s likely the message will be considered “telemarketing” under the law. In contrast, if you’re sending a text for purely informational purposes, such as sending a receipt for a transaction, or advising on the status of a delivery, then those messages are still regulated by the TCPA, but subject to a more relaxed consent standard (a topic for another article).

Q: What do I need to do to get prior express written consent from my customers?

A: It’s important to know that prior express written consent is a technical, legally defined term that requires the caller be provided a written disclosure containing certain information and disclosures, which they “sign.” There are three key components to prior express written consent:

First, the consent agreement has to be in a signed writing. The law affords some flexibility here, allowing callers to obtain consent digitally through a number of mediums including web-based and electronic forms. If structured properly, consent may even be obtained through a text message flow.

Second, the consent agreement has to say certain things. It must authorize the caller to deliver advertisements or marketing messages using an ATDS, it must specify the phone number to which messages are being authorized, and it must say that the consumer doesn’t have to provide their consent as a condition to receiving goods or services.

Third, the disclosures must be “clear and conspicuous”. There’s no real rocket science here, but this is a very important part of the rule. It’s challenging to enforce an agreement that’s hard for a consumer to find or see, meaning the consent disclosures can’t be hidden away, in imperceptible font, or baked into another legal document (such as terms and conditions).

Q: I have a great customer contact database, but I don’t think I check all the boxes for prior express written consent. Can I still text them with specials and promotions?

A: No. At least not with your usual automated or mass-texting platform. But with some legwork, you can leverage your existing database and obtain consent. It’s not ideal, but it’s better than taking the risk of texting in this situation.

Let’s start with the fact that people like to get deals and specials on cannabis products, so there will likely be interest across your customer base for signing up. And with the flexibility afforded by the E-SIGN Act, businesses can try multiple avenues in obtaining prior express written consent from existing customers. This could include a call-to-action campaign, where consumers can initiate a text message consent flow by texting a keyword to a short code. The TCPA does not regulate e-mails, so businesses can consider an e-mail campaign that encourages their customers to follow a link that takes them to a web-based consent form. For businesses with storefronts, customers can be encouraged to sign up for texts on-site by filling out and submitting a form on a tablet device. Bottom line, there’s room for some creativity in designing campaigns to enrich your existing customer database with the necessary consent to send marketing texts.

Q: What happens when a consumer opts out of receiving texts?

A: You should stop all texts to their phone number unless and until they opt back in to receiving texts. Under the TCPA, a consumer has the right to revoke their consent, and any text message sent after an opt-out will violate the TCPA. This means it’s important to have clear opt-out instructions in every message you send (i.e. text stop to stop), and to ensure you have the proper systems in place to automatically suppress any further texts to the consumer’s phone number following an opt-out.

Q: If I don’t follow these rules, what are the odds of getting sued for a violation?

A: Pretty high in my opinion. As mentioned, the TCPA is a very lucrative statute for plaintiffs’ lawyers. There are several thousand TCPA cases filed in federal courts each year, and lately cannabis businesses are becoming an increasing share of the defendants named in those suits. Additionally, the TCPA has a four-year statute of limitations, meaning exposure for non-compliant practices has a really long tail. It’s far easier to develop and execute a compliance plan up front than to take on the risk that comes without one.

Q: Is there anything else I can be doing to protect my business?

A: Absolutely. Your TCPA compliance policy should be one layer of a holistic approach to legal compliance. Businesses have other tools at their disposal, such as arbitration provisions and class action waivers, that they can build into their consent-gathering process to further protect themselves in the event of a legal dispute.

Q: Any other tips to help keep my business out of the TCPA fracas?

A: Yes. Lots. More than I could fit into just this one article. But my goal here was to get you to think in the right direction when it comes to the TCPA, if you aren’t already. While I tried to make the basics of this as straightforward as possible, there are plenty of grey areas and nuance when it comes to compliance (especially when you inject the real world into the situation). This is where having a lawyer experienced in this arena can come in really handy to vet your disclosures, review your compliance processes, and help you implement other risk mitigation strategies.

TCPA claims have become the cost of doing business when contacting consumers on their cell phones. But by being proactive, businesses have ample opportunity to mitigate their risk, and protect themselves in the event the legality of their text message campaigns is challenged.

Biros' Blog

Judge Dismisses Claims in Vaping Illness Lawsuit

By Aaron G. Biros

In September of 2019, Charles Wilcoxen fell seriously ill after vaping cannabis oil from a cartridge. Just days after he began experiencing symptoms he was hospitalized and later diagnosed with lipoid pneumonia, the mysterious lung illness now known as EVALI associated with the 2019 vape crisis.

Wilcoxen spent three days in the hospital and ever since he was diagnosed, he has been unable to exercise, return to work full time or even play with his daughter. Attorneys for Herrmann Law Group representing Wilcoxen filed a product liability lawsuit, Wilcoxen v. Canna Brand Solutions, LLC, et al., in Washington State Court, naming six cannabis companies as defendants: Canna Brand Solutions, Conscious Cannabis, Rainbow’s Aloft, Leafwerx, MFused and Janes Garden.

This image came from the complaint filed, alleging that Mr. Wilcoxen believes this was a CCELL product.

This case was allegedly the first lawsuit in the wake of the 2019 vape crisis. The Vanderbilt University Law School Blog has a very comprehensive post on this case that has the original complaint and a lot of information on the lawsuit.

Canna Brand Solutions, the primary defendant named in the complaint, is a packaging supplier and distributor for CCELL vaping products (heating elements, pens and batteries) in the state of Washington. The complaint alleges that Wilcoxen believes he used a CCELL vape. CCELL is a Chinese company, which makes it notoriously difficult to pursue legal action against them, hence why Canna Brand Solutions was listed as a defendant instead.

On August 31, 2020, Judge Michael Schwartz dismissed all claims against Canna Brand Solutions. “All claims asserted by Plaintiff against Canna Brand in the above-mentioned matter shall be voluntarily dismissed without prejudice and without costs or fees to any of the parties to this litigation,” Judge Schwartz says in the dismissal. Judge Schwartz dismissed the case without prejudice, meaning it could be brought to the court again should the plaintiff’s attorneys decide to do so.

With the allegations against Canna Brand Solutions focusing on CCELL products, it seems that the case was dismissed largely due to a lack of evidence connecting exactly which product resulted in the illness, as well as the lack of culpability for a distributor of products they did not manufacture.

These are the vape cartridges that Mr. Wilcoxen purchased

Daniel Allen, founder and president of Canna Brand Solutions, claims that the product mentioned in the complaint did not come from his company. “We stand by our high quality and customizable CCELL vaporization products,” says Allen. “We feel vindicated in this case by the judge’s decision, which shows the claims against our company and products were completely unfounded from the beginning.”

He also added that the quality and safety of the products they distribute is their highest priority. “The product in question involved in this case did not come from Canna Brand Solutions,” says Allen.

Wilcoxen’s illness and subsequent long-term lung injury are extremely unfortunate. Thousands of people have been hospitalized and 68 deaths have been confirmed by the CDC. The CDC is still calling the illness EVALI (e-cigarette, or vaping, product use-associated lung injury). According to the CDC, there is no real known cause of EVALI, but they have found that vitamin E acetate is “strongly linked” to the outbreak. Knowing that, it is entirely possible that Mr. Wilcoxen’s illness was a result of one of the cannabis products he consumed, just most likely not anything that came from Canna Brand Solutions. A closer look at the contents with an independent lab test of the THC oil he consumed could shed some more light on what exactly caused the illness.

I would venture to guess that one of the products he consumed did have vitamin E acetate. Because the case was dismissed without prejudice, it could be brought to the court again if, say, Mr. Wilcoxen’s attorneys were to obtain more evidence, such as an independent lab report showing vitamin E acetate in the contents of one of the products he consumed. If Mr. Wilcoxen’s attorneys can figure out which product actually contained vitamin E acetate, perhaps the lawsuit could get a second shot and Mr. Wilcoxen could have a greater chance at getting some long-overdue and much-deserved restitution.

CBD You in Court: Consumer Class Actions Involving Hemp-Derived CBD Products

By David J. Apfel, Nilda M. Isidro, Brendan Radke, Emily Notini, Zoe Bellars

Consumer demand for products containing cannabidiol (CBD) is on the rise across the country, with industry experts estimating that the market for CBD products will reach $20 billion by 2024. This boom in consumer demand has outpaced the regulatory framework surrounding these products. While the 2018 Farm Bill decriminalized hemp, it left much up to individual states and preserved the FDA’s jurisdiction over dietary supplements, foods and cosmetics. The FDA has not yet issued any specific rulemaking for CBD products.

The structure of cannabidiol (CBD), one of 400 active compounds found in cannabis.

Against this background, it is not surprising that consumer class actions regarding hemp-derived CBD products are flourishing. Over the past year alone, the plaintiffs’ bar has filed approximately twenty putative class action lawsuits against manufacturers of hemp-derived CBD products. The cases are primarily in federal court in California and Florida, with additional cases in Illinois and Massachusetts. Plaintiffs challenge the marketing and advertising of a variety of CBD products, including oils, gummies, capsules, creams, pet products and more.

The cases so far follow a familiar pattern seen in prior consumer class actions, especially in the food and beverage industry. Read on to learn what plaintiffs have claimed in the CBD lawsuits, how companies are defending their products, and how best to position your hemp-derived CBD products in light of lessons learned from past litigation.

What These Lawsuits Are Claiming, and How Companies Are Defending Their Products

In most of the recent CBD lawsuits, plaintiffs claim either that: 1) product labels over- or understate the amount of CBD in the products; and/or 2) the sale of CBD products is inherently misleading to consumers because the products are purportedly illegal under federal law. Regardless of which theory underlies the claims, plaintiffs typically frame their claims as consumer fraud, false advertising, breach of warranty, unjust enrichment, and/or deceptive trade practices.

Just some of the many CBD products on the market today.

In most cases, defendants have filed motions to dismiss seeking to have the cases thrown out. In these motions, defendants argue that plaintiffs’ claims are “preempted” by the Federal Food Drug and Cosmetic Act (FDCA), and that only the federal government can enforce the FDCA. Some defendants have additionally argued that if the court is not prepared to dismiss the claims as preempted, the doctrine of “primary jurisdiction” applies. This means that the issues raised regarding CBD are for the FDA to decide, and the cases should be stayed until the FDA finalizes and issues rules on products containing hemp-derived CBD. Many defendants have also advanced dismissal arguments for lack of standing, claiming that the individuals bringing the lawsuits are trying to sue for conduct that never harmed them personally (e.g., because they never purchased a particular product), or will not harm them in the future (e.g., because plaintiffs have stated they will not buy the product again). The standing arguments often apply to particular claims or products within the lawsuit, rather than to the lawsuit as a whole.

Current Status of the Cases

Of the approximately twenty consumer class actions filed over the last year, about half remain pending:

  • Five have been stayed pursuant to motions filed by defendants;
  • Two have motions to dismiss pending;
  • One has a pending motion to vacate a default judgment against defendants;
  • One was filed earlier this month, and defendant’s deadline to respond has not yet elapsed.

To date, none of the cases (currently pending or otherwise) has proceeded to discovery, and no class has yet been certified. That means that no court has yet determined that these cases are appropriate to bring as class action lawsuits, rather than as separate claims on behalf of each individual member of the putative class. This is significant, because plaintiffs’ ability to achieve class certification will likely influence whether these CBD lawsuits will continue to be filed. Consumer fraud cases like these typically do not claim any physical injury, and the monetary damages per individual plaintiff are relatively low. As such, the cases often are not worth pursuing if they cannot proceed as class actions.

Of the cases that are no longer pending, all but two were voluntarily dismissed by plaintiffs. While the motivation behind these dismissals is not always announced, approximately half of the voluntary dismissals came after defendants filed a motion to dismiss, but before the court had ruled on it. One Florida case was mediated and settled after the court denied defendant’s motion to dismiss.[1] A California court spontaneously dismissed one matter (without the defendant having filed any motion) due to a procedural defect in the complaint, which plaintiffs failed to correct by the court-imposed deadline.[2]

Early Outcomes on Motions to Dismiss 

Of the thirteen motions to dismiss filed to date, only five have been decided. So far:

  • No court has dismissed a case based on federal preemption grounds. Courts have either deferred ruling on preemption, or denied it without prejudice to re-raising it at a later time.
  • Four courts have stayed cases based on primary jurisdiction.[3]
  • Only one court has denied the primary jurisdiction argument.[4]
  • Standing arguments have been successful in three cases,[5] and deferred or denied without prejudice to later re-raising in the other two cases.[6] However, the standing arguments applied only to certain products/claims, and were not dispositive of all claims in any case.

These rulings show a clear trend towards staying the cases pursuant to primary jurisdiction. In granting these stays, courts have noted that regulatory oversight of CBD ingestible products, including labeling, is currently the subject of FDA rulemaking, and that FDA is “under considerable pressure from Congress” to expedite the publication of regulations and guidance.[7]

Any label claims need to meet FDCA regulations and applicable FDA guidance.

Plaintiffs may be recognizing the trend towards primary jurisdiction as well, since there is now at least one case where plaintiffs agreed to a stay after defendant filed a motion to dismiss asserting, among other things, primary jurisdiction.[8] But some plaintiffs are still resisting. For example, in the first case to have been stayed, plaintiffs have since filed a motion to lift the stay. The motion—which was filed after the case was reassigned to a different judge—argues that primary jurisdiction does not apply, and that the FDA’s recent report to Congress suggests no CBD-specific rulemaking is forthcoming.[9] The motion is pending.

Lessons Learned From Food Industry Consumer Class Actions

The motions to dismiss that have been filed to date in CBD-related class actions follow a tried and true playbook that has been developed by defense counsel in other food and beverage industry class actions. For example, the primary jurisdiction arguments that have been gaining traction in the CBD consumer class actions are very similar to primary jurisdiction arguments that were successful years earlier in cases involving the term “natural” and other food labeling matters.[10]

Similarly, the standing arguments that have succeeded in the early motions to dismiss CBD consumer class actions followed similar standing arguments made years earlier in food and beverage class actions.[11]

Work with reputable labs to ensure the potency stated on the label is accurate

The preemption arguments that have largely been deferred in CBD consumer class actions to date could become a powerful argument if and when the FDA completes its CBD rulemaking. The preemption defense has been particularly effective when the preemption arguments focus on state law claims that require defendants to omit or add language to their federally approved or mandated product labeling, or where plaintiffs otherwise seek to require something different from what federal standards mandate.[12] These arguments could be particularly compelling once the FDA issues its long-anticipated rulemaking with respect to CBD products.

Until then, primary jurisdiction will likely continue to gain traction. The FDA’s comprehensive regulatory scheme over food, dietary supplement, drug, and cosmetic products, combined with the FDA’s frequently-expressed intention to issue rulemaking with respect to CBD-products, and a need for national uniformity in how such rulemaking will interface with state requirements, converge to make primary jurisdiction especially appropriate for CBD-related class actions.[13]

How to Best Position Your Products

Until the FDA issues its long-awaited rulemaking regarding CBD products, companies can take the following steps to best position their products to avoid litigation and/or succeed in the event litigation arises:

  • Work with reputable labs to ensure the amount of CBD stated on product labeling and advertising is accurate;
  • Ensure that the product is manufactured according to appropriate current Good Manufacturing Processes (cGMPs);
  • Ensure that any claims made on product labeling and/or in advertising are consistent with FDCA requirements and applicable FDA guidance to date – for example, if the product is a dietary supplement, avoid making express or implied claims that it can cure or prevent disease;
  • Maintain a file with appropriate substantiation to support any claims stated in product labeling and advertising;
  • Work with legal counsel to stay abreast of developments in federal and state laws applicable to hemp-derived CBD products, and how any changes might impact potential class action defenses; and
  • If a lawsuit arises, work with legal counsel to develop a strategy that not only resolves the current litigation as efficiently as possible, but also positions the company strategically for any future consumer claims that may arise.

References

  1. Final Mediation Report, Potter v. Potnetwork Holdings, Inc., 1:19-cv-24017-RNS (S.D. Fla. July 30, 2020).
  2. Court Order, Davis v. Redwood Wellness, LLC, 2:20-cv-03273-PA-JEM (C.D. Cal. Apr. 10, 2020).
  3. Electronic Order, Ahumada v. Global Widget LLC, 1:19-cv-12005-ADB (D. Mass. Aug. 11, 2020); Memorandum and Order, Glass v. Global Widget, LLC, 2:19-cv-01906-MCE-KJN (E.D. Cal. June 15, 2020); Order Granting in Part Defendant’s Motion to Dismiss and Staying Remaining Causes of Action, Colette et al. v. CV Sciences Inc., 2:19-cv-10227-VAP-JEM (C.D. Cal. May 22, 2020); Order on Motion to Dismiss, Snyder v. Green Roads of Florida LLC, 0:19-cv-62342-AHS (S.D. Fla. Jan. 3, 2020).
  4. Order on Motion to Dismiss, Potter v. Potnetwork Holdings, Inc., 1:19-cv-24017-RNS (S.D. Fla. Mar. 30, 2020).
  5. Order Granting in Part Defendant’s Motion to Dismiss and Staying Remaining Causes of Action, Colette et al. v. CV Sciences Inc., 2:19-cv-10227-VAP-JEM (C.D. Cal. May 22, 2020); Order on Motion to Dismiss, Potter v. Potnetwork Holdings, Inc., 1:19-cv-24017-RNS (S.D. Fla. Mar. 30, 2020); Order on Motion to Dismiss, Snyder v. Green Roads of Florida LLC, 0:19-cv-62342-AHS (S.D. Fla. Jan. 3, 2020).
  6. Electronic Order, Ahumada v. Global Widget LLC, 1:19-cv-12005-ADB (D. Mass. Aug. 11, 2020); Memorandum and Order, Glass v. Global Widget, LLC, 2:19-cv-01906-MCE-KJN (E.D. Cal. June 15, 2020).
  7. Order on Motion to Dismiss at 12, Snyder v. Green Roads of Florida LLC, 0:19-cv-62342-AHS (S.D. Fla. Jan. 3, 2020).
  8. Minute Entry, Pfister v. Charlotte’s Web Holdings, Inc., 1:20-cv-00418 (N.D. Ill. Aug. 11, 2020).
  9. Plaintiff’s Motion to Lift Stay, Snyder v. Green Roads of Florida LLC, 0:19-cv-62342-AHS (S.D. Fla. July 13, 2020).
  10. See, e.g., Astiana v. Hain Celestial Grp., Inc., 905 F. Supp. 2d 1013 (N.D. Cal. 2012), rev’d on other grounds, 783 F.3d 753 (9th Cir. 2015); Taradejna v. Gen. Mills, Inc., 909 F. Supp. 2d 1128 (D. Minn. 2012).
  11. See Miller v. Ghirardelli, 912 F. Supp. 2d 861, 869 (N.D. Cal. 2012) (holding that the named plaintiff lacked standing where the products purchased by the putative class members were not “substantially similar” enough to those purchased by the named plaintiff); Colucci v. ZonePerfect Nutrition Co., No. 12-2907-SC, 2012 WL 6737800 (N.D. Cal. Dec. 28, 2012) (finding one of two named plaintiffs lacked standing because, even though the other named plaintiff (his fiancée) purchased the nutrition bars for him, he himself did not purchase any of the bars); Veal v. Citrus World, Inc., No. 2:12-CV-801-IPJ, 2013 WL 120761 (N.D. Ala. Jan. 8, 2013); Robinson v. Hornell Brewing Co., No. 11-2183 (JBS-JS), 2012 WL 6213777 (D.N.J. Dec. 13, 2012) (holding that there was no Article III standing because the named plaintiff had testified and stated in written discovery that he would not purchase the product in the future).
  12. See, e.g., Turek v. Gen. Mills, Inc., 662 F.3d 423 (7th Cir. 2011); Lam v. Gen. Mills, Inc., 859 F. Supp. 2d 1097 (N.D. Cal. 2012); Veal v. Citrus World, Inc., No. 2:12-CV-801-IPJ, 2013 WL 120761, at *9-10 (N.D. Ala. Jan. 8, 2013).
  13. See, e.g., Astiana v. Hain Celestial Grp., Inc., 905 F. Supp. 2d 1013 (N.D. Cal. 2012), rev’d on other grounds, 783 F.3d 753 (9th Cir. 2015); Taradejna v. Gen. Mills, Inc., 909 F. Supp. 2d 1128 (D. Minn. 2012).

Practical Advice on How to Avoid a TCPA Suit

By Paul Gipson

Texting consumers is a very effective means to drive engagement and ultimately sales. Text messages have outpaced emails when looking at conversion and click-thru rates. In fact, 95% of texts are read in ninety seconds or less! While text messages can be a great way to engage with prospects and customers, the FCC’s Telephone Consumer Protection Act (TCPA) is a regulation you need to be mindful of. In fact, the average cost of a TCPA settlement is over $6m, which doesn’t include legal fees or reputational damage.

Over the past few years, there have been about 4,000 TCPA cases filed annually. Take a look at the growth:

Companies are being targeted for various reasons, but there are a few that I’ll cover below along with some advice on how to avoid TCPA suits.

See if you can spot the trend in these cases:

  • Papa Johns: $16.5m settlement due to texting pizza specials to consumers without their consent.
  • Abercrombie & Fitch: $10m settlement due to texting store promotions to consumers without their consent.
  • Rack Room Shoes: $26m settlement for texting their reward program members with various sales without their consent.

Do any of these campaigns sound like something your company is engaged in?

So, you’ve got someone who has signed up for a rewards program, wants to receive deals, or has provided their number to your company for other purposes, but you are concerned about the TCPA (hopefully). Based on my experience working with hundreds of clients at CompliancePoint, here’s where I think you should start. But first…

Quick assumption: Your company is using an automated system to send both informational and promotional texts. Examples include “blast campaigns” (upcoming sale) or “triggered campaigns” (signed up for rewards).

Quick point: If the text message says your store is having a sale but doesn’t ask the consumer to buy anything in the message, you may think it’s not considered “telemarketing”. This is wrong. Any plan to sell now or in the future through direct marketing is telemarketing and subject to the TCPA.

Here are my top 5 things to consider:

  1. Obtain consent. This is not achieved by simply having a number provided by the consumer. Instead, the consumer must affirmatively agree to receive promotional calls/texts by automated means. This is done through a clear disclosure and often accompanied by an unchecked checkbox.
  2. Honor opt-outs. This seems obvious, right? Provide instructions on how to opt out and look for other phrases like “stop/quit/cancel”. Opt-outs should occur immediately with most common texting platforms.
  3. Keep records. If you receive a complaint, you want to be able to respond confidently and records help you do that. The key records to maintain are your texting records (the phone numbers you texted, the date/time of the text, and the content of the text), your consent opt-in forms, and opt-out requests from consumers with dates. Ask yourself: what records do you need to prove you had consent, and what records prove you didn’t text a consumer after they opted out.
  4. Only text consumers between the hours of 8AM and 9PM according to their time zone. I always recommend going off address and not phone number due to cellphone mobility. If you text a California number at 8PM, but the phone owner lives in New York, you might get a few complaints.
  5. Monitor compliance with these items. Another one that seems obvious, yet most companies fail to do so, and you see above what happens. I guarantee you’ll find issues with most audits.

Bonus – here is a more comprehensive checklist on how to achieve a Safe-Harbor defense.

This article is not intended to be a scare tactic. TCPA litigation is rampant and consumers are more aware now than ever of their rights. A quick Google search of “Cannabis TCPA” helps to illustrate the fact that this industry, like most, is not immune. However, with proper compliance parameters in place, your company can enjoy the benefits of texting with consumers with peace of mind.