In May we published a 21-state privacy law compliance checklist for cannabis operators. It took less than two months for the number in the headline to go stale.

In June 2026, Vermont enacted a comprehensive consumer privacy law — the 23rd or 24th state to do so, depending on whether you count Florida’s narrower Digital Bill of Rights — and Louisiana passed a comprehensive privacy framework of its own. Delaware, which has had a privacy law on the books since 2025, passed amendments that were pending the governor’s signature at the end of the month. And on July 1, as Vermont rang in its new fiscal year, the state simultaneously doubled its legal cannabis purchase limit from one ounce to two.

That last pairing is worth sitting with. The same legislature, in the same session, expanded legal cannabis activity and tightened the rules on what businesses can do with personal data. That is the direction the entire country is moving: more legal cannabis commerce, under more privacy regulation, at the same time. If your compliance program treats those as separate workstreams, this is the year they collide.

What Vermont actually passed

Vermont’s Act 145 is a comprehensive consumer privacy law in the now-familiar state mold: consumer rights to access, correct, and delete personal data; obligations on businesses that control or process it; and heightened duties around sensitive categories. Two things make it worth a cannabis operator’s specific attention.

First, its reach into health-adjacent data. Coverage of the law has highlighted that it protects personal data including names, addresses, and medical information as granular as weight and height. That is a signal about how broadly “health data” is being drawn in the newest state laws. Cannabis purchase histories — particularly medical cannabis records, but increasingly adult-use records tied to a loyalty account — sit squarely in the blast radius of that definition. We have written before about how medical cannabis patient data falls through the HIPAA gap; laws like Vermont’s are exactly the state-level instruments closing that gap, and they close it by putting obligations on you.

Second, the timeline. The law’s main provisions take effect January 1, 2028. That sounds comfortable. It is not. The pattern from every prior state — Colorado, Connecticut, Oregon, Texas — is that businesses that started mapping data flows when the law passed cruised through the effective date, and businesses that started six months before it did not. Eighteen months is roughly what a real data inventory, vendor-contract remediation, and consumer-rights intake process takes for a multi-state operator doing it for the first time.

Louisiana and Delaware: the map keeps redrawing itself

Louisiana’s new comprehensive law puts a state that many operators treated as a privacy afterthought onto the compliance map. Louisiana has a medical cannabis program; operators there now face the same dual reality as operators in Connecticut or New Jersey — state cannabis regulators on one side, a state privacy regime on the other.

Delaware’s amendments are a different kind of lesson: the states that already have laws keep changing them. A privacy program built as a one-time project against a 2024 snapshot of the law is already out of compliance somewhere. This is a maintenance discipline, not a milestone.

June also brought a broad Connecticut statute covering AI and online safety — a reminder that the states are not stopping at privacy. Age-assurance requirements, AI-transparency rules, and consumer-health-data acts are all landing on the same retail operators.

Why cannabis operators feel this more than most retailers

A garden-variety retailer holds names, emails, and purchase histories. A cannabis operator holds government-ID data from age verification, medical card details, purchase histories that map directly to a federally scheduled substance, and — in too many cases — retained ID scans that were never needed after the age check. Under the new state laws, most of that is either “sensitive data” requiring consent-grade handling or health data with its own heightened rules.

Three obligations in the newest laws deserve special attention:

  1. Universal opt-out mechanisms. The 2026 wave of laws and amendments increasingly requires honoring browser-level opt-out signals like Global Privacy Control. If your e-commerce and loyalty stack doesn’t recognize these signals, that is now a gap in multiple states, not a nice-to-have.
  2. Sensitive-data consent. Several regimes require opt-in consent before processing sensitive categories. If cannabis purchase data tied to an identifiable person is treated as health-adjacent — and the trend line says it will be — your marketing database may need a consent basis it doesn’t currently have.
  3. Consumer rights at scale. Access and deletion requests are trivially easy for consumers to file and operationally painful to fulfill if your customer data is scattered across a POS, a loyalty vendor, an e-commerce platform, a marketing tool, and a seed-to-sale system. The operators that struggle with deletion requests are the ones who never mapped where the data lives.

The checklist, updated

Everything in our May checklist still stands. Add these items to it:

  • Add Vermont and Louisiana to your applicability analysis now. Applicability thresholds vary by state (resident counts, revenue, data-sale percentage). Multi-state operators and delivery platforms should assume they will cross Vermont’s and Louisiana’s thresholds and plan accordingly.
  • Diarize January 1, 2028 — and work backward from it. A realistic Vermont readiness plan starts with a data inventory in 2026, vendor and contract remediation in early 2027, and rights-request tooling live well before the effective date.
  • Re-verify the states you already “finished.” Delaware just amended its law; others will follow. Assign someone — internal or outside counsel — to own a quarterly review of amendments in every state where you operate or ship.
  • Treat purchase history as sensitive by default. Rather than litigating each state’s definition, the cheapest defensible posture is to handle cannabis purchase data everywhere the way the strictest state requires. One standard is cheaper than 24.
  • Shrink the problem. The less you hold, the less any of these laws can demand of you. The single highest-leverage move remains the one we detailed in Verify, Don’t Store: stop retaining identity documents and data you no longer need. Every record you delete is a record no state’s rights-request, consent, or breach-notification regime can ever touch.

The bottom line

The number in our May headline was 21. It is 23 or 24 now, and it will be wrong again before the year is out. The specific states matter less than the operational truth they add up to: for a cannabis operator, comprehensive privacy law is no longer a coastal phenomenon or a big-company problem. It is the default legal environment of American retail, and cannabis retail carries more sensitive data than almost any other kind.

Vermont gave its cannabis consumers a bigger purchase limit and stronger privacy rights in the same week. Assume your customers — and your regulators — expect both.

This article is provided for informational purposes only and does not constitute legal advice.