Tag Archives: civil

FAQs: How Cannabis Businesses Can Avoid TCPA Liability

By Artin Betpera
No Comments

As the cannabis industry continues to experience growth in markets across the country, cannabis businesses are becoming an ever-increasing target of plaintiff’s lawyers in Telephone Consumer Protection Act (TCPA) lawsuits. Text messaging provides a potent channel of customer engagement, but at the same time is subject to strict regulations under the TCPA, with violators subject to steep statutory penalties of $500-$1,500 per message. While one-off cases won’t typically break the bank, that’s far from the case when many thousands of texts are bundled together in a class action. And this potential for big paydays means plaintiff’s lawyers have a financial incentive to file cases as class actions whenever they can.

Some well-known names in cannabis have been the target of TCPA class action. Cannabis delivery service Eaze has battled some fairly well-publicized TCPA class actions in the past couple of years. There has also been an assortment of dispensaries across several western states that have been the targets of similar lawsuits. Notably, these lawsuits share a common thread: they are based on marketing or promotional text messages sent to consumers.

In this landscape, firing off texts without the proper compliance safeguards is a game of roulette. At some point in time, one or more messages will invariably land in the wrong hands, sparking an expensive, high-stakes class action. In this competitive space, there are far more productive things any cannabis business can be doing than spending the time and resources on this type of lawsuit.

So how can your business avoid being caught in a TCPA trap? The following Q&A will walk you through some of the questions you should be asking if you are currently texting, or planning to text your customer base for marketing purposes. One quick note before starting: the TCPA has different rules for different types of messages (such as informational versus marketing messages). This Q&A will cover the distinction between these types of messages, but focuses on the rules around marketing messages since these are rules cannabis businesses get tripped up in most frequently when sued for TCPA violations.

Question: How do I know if the TCPA applies to me?

Answer: Are you texting your customers? If so, are you using some kind of platform that lets you send multiple texts at once? If you answered yes to both, then the TCPA most likely applies to you.

In short, the TCPA prohibits calling or sending texts to cell phones using an Automatic Telephone Dialing System (ATDS). Without getting into the many nuances of how courts have interpreted the legal definition of that term (and risk boring you to death), you can assume that unless you’re hitting send on each and every single text that goes to your customers, that you’re using an ATDS, and your texts are subject to the TCPA.

Q: So it looks like the TCPA applies to me. What now?

A: If you don’t have a compliance plan in place, now’s the time to implement one. To start, take stock of (a) how you’re sending texts; (b) who you’re texting; (c) where you obtained their phone number; and (d) whether you have their prior express written consent. That last part is key: under the TCPA, if you’re sending any text messages to your customers for “telemarketing” purposes, you’ll need what the TCPA calls “prior express written consent”.

Q: But I’m a cannabis business, not a telemarketer. Why should I worry about the TCPA again?

A: The TCPA’s rules requiring prior express written consent apply when the text is sent for “telemarketing” purposes, defined as “the initiation of a telephone call or message for the purpose of encouraging the purchase or rental of, or investment in, property, goods, or services, which is transmitted to any person.” Put simply, if you are sending texts to market or promote something you sell, then it’s likely the message will be considered “telemarketing” under the law. In contrast, if you’re sending a text for purely information purposes, such as sending a receipt for a transaction, or advising on the status of a delivery, then those message are still regulated by the TCPA, but subject to a more relaxed consent standard (a topic for another article).

Q: What do I need to do to get prior express written consent from my customers?

A: It’s important to know that prior express written consent is a technical, legally defined term that requires the caller be provided a written disclosure containing certain information and disclosures, which they “sign.” There are three key components to prior express written consent:

First, the consent agreement has to be in a signed writing. The law affords some flexibility here, allowing callers to obtain consent digitally through a number of mediums including web-based and electronic forms. If structured properly, consent may even be obtained through a text message flow.

Second, the consent agreement has to say certain things. It must authorize the caller to deliver advertisements or marketing messages using an ATDS, it must specify the phone number to which messages are being authorized, and it must say that the consumer doesn’t have to provide their consent as a condition to receiving goods or services.

Third, the disclosures must be “clear and conspicuous”. There’s no real rocket science here, but this is a very important part of the rule. It’s challenging to enforce an agreement that’s hard for a consumer to find or see, meaning the consent disclosures can’t be hidden away, in imperceptible font, or baked into another legal document (such as terms and conditions).

Q: I have a great customer contact database, but I don’t think I check all the boxes for prior express written consent. Can I still text them with specials and promotions?

A: No. At least not with your usual automated or mass-texting platform. But with some legwork, you can leverage your existing database and obtain consent. It’s not ideal, but it’s better than taking the risk of texting in this situation.

Let’s start with the fact that people like to get deals and specials on cannabis products, so there will likely be interest across your customer base for signing up. And with the flexibility afforded by the E-SIGN Act, businesses can try multiple avenues in obtaining prior express written consent from existing customers. This could include a call-to-action campaign, where consumers can initiate a text message consent flow by texting a keyword to a short code. The TCPA does not regulate e-mails, so businesses can consider an e-mail campaign that encourages their customers to follow a link that takes them to a web-based consent form. For businesses with storefronts, customers can be encouraged to sign up for texts on-site by filling out and submitting a form on a tablet device. Bottom line, there’s room for some creativity in designing campaigns to enrich your existing customer database with the necessary consent to send marketing texts.

Q: What happens when a consumer opts out of receiving texts?

A: You should stop all texts to their phone number unless and until they opt back in to receiving texts. Under the TCPA, a consumer has the right to revoke their consent, and any text message sent after an opt-out will violate the TCPA. This means it’s important to have clear opt-out instructions in every message you send (i.e. text stop to stop), and to ensure you have the proper systems in place to automatically suppress any further texts to the consumer’s phone number following an opt out.

Q: If I don’t follow these rules, what are the odds of getting sued for a violation?

A: Pretty high in my opinion. As mentioned, the TCPA is a very lucrative statute for Plaintiff’s lawyers. There are several thousand TCPA cases filed in federal courts each year, and lately cannabis businesses are becoming an increasing share of the defendants named in those suits. Additionally, the TCPA has a four-year statute of limitations, meaning exposure for non-compliant practices has a really long tail. It’s far easier to develop and execute a compliance plan up front, than to take on the risk that comes without one.

Q: Is there anything else I can be doing to protect my business?

Absolutely. Your TCPA compliance policy should be one layer of a holistic approach to legal compliance. Businesses have other tools at their disposal, such as arbitration provisions and class action waivers, that they can build into their consent-gathering process to further protect themselves in the event of a legal dispute.

Q: Any other tips to help keep my business out of the TCPA fracas?

A: Yes. Lots. More than I could fit into just this one article. But my goal here was to get you to think in the right direction when it comes to the TCPA, if you aren’t already. While I tried to make the basics of this as straightforward as possible, there are plenty of grey areas and nuance when it comes to compliance (especially when you inject the real world into the situation). This is where having lawyer experienced in this arena can come in really handy to vet your disclosures, review your compliance processes, and help you implement other risk mitigation strategies.

TCPA claims have become the cost of doing business when contacting consumers on their cell phones. But by being proactive, businesses have ample opportunity to mitigate their risk, and protect themselves in the event the legality of their text message campaigns is challenged.

Why Does GDPR Matter for The Cannabis Industry?

By Marguerite Arnold
2 Comments

The global cannabis industry is hitting thorny regulatory challenges everywhere these days as the bar is raised for international commerce. First it was recognition that the entire production industry in Canada would basically have to retool to meet European (medical and food) standards. And that at least for now for the same reasons, American exports are basically a no go.

However, beyond this, the battle over financial reporting and other compliance of a fiscal kind has been a hot topic this year on European exchanges.

As of this summer, (and not unrelated to the other two seismic shifts) there is another giant in the room.

If you haven’t heard about it yet, welcome to the world of EU GDPR (European Union General Data Privacy Regulation).

The German version is actually Europe’s highest privacy standard, which means for the cannabis industry, this is the one that is required for operations here across the continent if you are in this business.

What is it, and what does it mean for the industry?

GDPR – The Elevator Pitch

Here is why you cannot ignore it. The regulation affects bankers as much as growers, distributors as much as producers and of course the entire ecosystem behind medical production and distribution across Europe and actually far beyond it. Starting of course, with patients but not limited to them. The law in essence, applies to “you” whoever you are in this space. That is why it becomes all that much more complicated in the current environment.

While this is complex and far reaching, however, there are a couple of ways to think about this regulation that can help you understand it and how to manage to it (if not innovate with it).

The first is, to American audiences at least, that GDPR is sort of like HIPAA, the federal American privacy civil rights statute that governs medical privacy law. Except, of course, this being Europe, it is far more robust and far reaching. It touches every aspect of electronic privacy including data storage, retention, processing and security that is applicable to modern life. And far, far, beyond just “patients.”

On the marketing side, GDPR is currently causing no end of headaches. Broadly, the legislation, which came into force this year, with real teeth (4% of global revenues if you get it wrong), applies to literally every aspect of the cannabis industry for two big reasons beyond that. Medical issues, which are the only game in town right now in Europe (and thus require all importers to also be in compliance) and financial regulatory requirements.

The requirements in Germany are more onerous than they are in the rest of Europe. Therefore, they also affect the cannabis industry in a big way, especially since there is at this point a great deal of European cultivation with the German (and now British) medical market in mind. Further Germany is becoming European HQ for quite a few of the Canadian LPs. That means German standards apply.

The UK, for those watching all Brexit events with interest, will also continue to be highly affected by this. Whether it stays in the EU or not, it must meet a certain “trusted nation” status to be able to transact with the continent in any kind of favoured nation status.

Bottom line? It is big and here and expensive if you screw it up. If considering doing any kind of business with European customers, start hitting the books now. Large mainstream media organizations in the United States and Canada right now are so afraid of the consequences of getting this wrong that they have blocked readership from Europe for the present. Large financial institutions also must not only be in compliance but compliance of companies also guides their investment mandates on the regulatory front.

For all of these reasons, the cannabis industry would do well to take note.

What Does This Mean for The Cannabis Industry?

The Canadian and rest of the global industry is still struggling with compliance and this will have some interesting repercussions going forward.patient data must be handled and stored differently

Immediately, this means that all websites that are targeted to German eyes (read Canadian LPs and international, even English-only press) should hire German side compliance experts for a quick GDPR audit. There are few European experts at this point, and even fewer foreign ones. It is worth a call around to find out who is doing this auf Deutschland and bite the bullet.

It also means that internally, patient data must be handled and stored differently. And furthermore, it is not just “patients” who have this right, but everyone who transacts with your electronic or other presence. That includes consumers, subscribers to email newsletters and other stakeholders in the industry.

As the cannabis industry also starts to embrace technology more fully, it will also have highly impactful influence on what actually passes for a compliant technology (particularly if it is customer facing) but not limited to the same.

On the marketing side, GDPR is currently causing no end of headaches. Starting with PR and customer outreach teams who are trying to figure out how much of their master mailing lists they can keep and which they cannot. On this front, Mail Chimp is undeniably the go-to right now and has also implanted easy to understand and use technology that is being adopted by European marketers and those targeting Europe.

Stay tuned for more coverage on GDPR as we cover how data protection and privacy regulations will impact cannabis businesses, their marketing and outreach, plus service design efforts (in particular to patients) and other areas of interest.