Five new state comprehensive privacy laws took effect in early 2026. A sixth follows in July. Several existing laws received significant updates. If you operate a cannabis dispensary and you’re still running on a privacy policy your attorney wrote in 2022, you are out of compliance in multiple jurisdictions right now.
The fragmented landscape of U.S. state privacy law has always been challenging for multi-state cannabis operators. Federal preemption doesn’t apply—there’s no national privacy law—which means every state where you sell cannabis has its own rules about what data you can collect, how long you can keep it, what rights your customers have, and what happens if you get it wrong.
In 2026, that landscape got significantly more complicated. Here’s the complete map.
Why Cannabis Is Disproportionately Affected
Before the state-by-state breakdown, it’s worth naming why these privacy laws hit cannabis harder than most retail categories:
Cannabis purchase data is sensitive by nature. Most state privacy laws define a category of “sensitive personal data” that receives heightened protection—typically including health information, biometric data, genetic data, and precise location. Cannabis purchase history sits in a gray zone in most frameworks: it’s not explicitly defined as health data unless it’s medical cannabis, but it can reveal significant health and lifestyle information.
Regulators are increasingly treating cannabis purchase data as sensitive. California’s CPPA has explicitly signaled that medical cannabis purchase records are sensitive under CPRA, and that recreational purchase data warrants careful handling due to its sensitive nature. Other states are following.
Cannabis dispensaries collect more data than they realize. ID verification requirements, METRC integration, loyalty programs, online ordering, age verification apps, and payment processing all generate data flows most operators haven’t fully mapped. A dispensary that “just collects email addresses for marketing” usually has eight to twelve active data flows it hasn’t accounted for.
The audit trail vs. data minimization tension. State cannabis regulations require records retention—transaction logs, customer purchase records, METRC reports. State privacy laws require data minimization—collect only what you need, retain only as long as necessary. These obligations conflict, and navigating the tension requires deliberate policy choices that most dispensaries have never made.
The 2026 Privacy Law Wave: State by State
Indiana (INCDPA) — Effective January 1, 2026
Indiana’s Consumer Data Protection Act follows the Virginia CDPA model closely, giving Indiana consumers the right to:
- Access and obtain a copy of their personal data
- Correct inaccuracies
- Delete personal data they provided
- Opt out of targeted advertising, the sale of personal data, and profiling
Cannabis-specific implications: Indiana dispensaries must honor deletion requests from customers who previously enrolled in loyalty programs or provided data for marketing, subject to retention requirements for regulatory compliance. You cannot refuse a deletion request by citing regulatory retention—you must retain what regulations require and delete everything else.
What to do: Review your loyalty platform and marketing CRM to confirm you can execute deletion requests and export personal data in response to access requests. If you use a loyalty platform that stores data only in its proprietary format with no export capability, you may not be able to comply with access requests—that’s a platform problem you need to fix.
Enforcement: Indiana Attorney General enforcement. No private right of action.
Kentucky (KCDPA) — Effective January 1, 2026
Kentucky’s Consumer Data Protection Act is one of the most business-friendly frameworks in the 2026 wave, with thresholds similar to Virginia (100,000 consumers annually, or 25,000 with revenue from data). For dispensaries in a state where cannabis retail is still emerging, many operations may fall below the threshold—but check carefully.
Consumer rights are similar to Indiana: access, correction, deletion, opt-out of targeted advertising and sale.
Cannabis-specific implications: Kentucky’s law protects a category of sensitive data that includes data about health conditions. Medical cannabis purchase records are clearly covered; recreational cannabis purchase records may be, depending on interpretation. Conservative compliance means treating all cannabis purchase data as sensitive.
Sensitive data processing requires opt-in consent rather than just an opt-out right. If you’re running targeted advertising using cannabis purchase data and customers haven’t explicitly opted in to that use, you’re not in compliance.
What to do: Audit your advertising and marketing practices. If you’re using purchase history to target advertising—including through loyalty program platforms that use your customer data for ad targeting—you need opt-in consent from Kentucky customers.
Rhode Island (RIDPA) — Effective January 1, 2026
Rhode Island’s Data Transparency and Privacy Protection Act covers entities processing personal data of 35,000+ Rhode Island residents or 10,000+ residents with revenue from data. Rhode Island has a smaller population than most states, but cannabis dispensary loyalty programs aggregate data over time—check whether your historical database crosses the threshold.
Rhode Island’s law has a notable provision: it requires data protection assessments for processing activities that present a “heightened risk.” Cannabis purchase history—especially if used for profiling or targeted advertising—likely falls into this category. A data protection assessment is a documented analysis of the risks of a processing activity and the safeguards you’ve implemented.
What to do: If you haven’t conducted a formal data protection assessment for your loyalty program and marketing practices, do so and document it. This isn’t just a good practice—under RIDPA, it’s a legal requirement for high-risk processing.
Arkansas (ACPA) — Effective July 1, 2026
Arkansas is a unique case for cannabis data privacy: it’s one of the few states where both a comprehensive privacy law (the Arkansas Consumer Privacy Act) and an active medical cannabis program exist simultaneously. The ACPA includes explicit heightened protections for data related to health conditions—and medical cannabis data falls clearly within that definition.
The ACPA also includes notable protections for minors’ data, restricting the sale and use of personal data for anyone under 18 and prohibiting targeted advertising to minors. Cannabis dispensaries are legally prohibited from selling to minors, but if your online presence or loyalty program collects data from anyone under 18, you need controls.
Effective July 1, 2026: You have until then to come into compliance. That’s enough time if you start now, and not enough time if you wait until June.
Key requirements:
- Privacy notice must be clear and conspicuous at the point of data collection
- Opt-out rights for sale and targeted advertising
- Opt-in consent for sensitive data (medical cannabis records)
- Data protection assessments for high-risk processing
- Contracts with data processors must include specific privacy provisions
What to do for Arkansas medical dispensaries: Review your patient records practices immediately. Medical cannabis data is the most clearly protected category under ACPA. Ensure you have opt-in consent for any use of patient data beyond the core dispensing function, and that your vendor contracts include the required privacy provisions.
Updates to Existing Frameworks in 2026
California (CPRA) — Enforcement Escalating
The California Privacy Protection Agency has significantly expanded its enforcement posture in 2026. Key developments cannabis operators need to know:
Biometric data enforcement focus: The CPPA has made biometric data collection without proper consent an enforcement priority. Cannabis dispensaries using ID scanners that collect biometric data—facial geometry, fingerprints, or other biometric identifiers—without proper CPRA disclosure and consumer rights mechanisms are at elevated enforcement risk.
Automated decision-making: California regulations now include provisions around automated decision-making and profiling. If your dispensary uses AI-driven product recommendations, risk scoring, or any automated process that makes decisions affecting consumers, you may need to provide notice and opt-out rights.
Data broker regulation: California’s Delete Act, which took effect in 2024, established a centralized opt-out mechanism for data brokers. If your loyalty platform or marketing vendor qualifies as a data broker under California law, they’re subject to this regime—and your contracts with them need to reflect that.
What to do: If you have California locations and haven’t conducted a full CPRA compliance review in the last 12 months, do one now. The enforcement environment has changed materially.
Connecticut (CTDPA) — Minors’ Data Tightened
Connecticut amended its Data Privacy Act, effective January 1, 2026, to significantly strengthen protections for minors’ data. Dispensaries that collect any data that might be from or about individuals under 18—even in the context of age verification processes—need to review their compliance.
Connecticut also updated its rules around consent for sensitive data, making opt-in consent requirements clearer. Cannabis purchase data is being interpreted as sensitive by Connecticut regulators.
Oregon (OCPA) — Enforcement Active
Oregon’s Consumer Privacy Act has been in its enforcement phase, and the state has signaled that cannabis businesses are in scope. Oregon’s law includes one of the stronger private-right-of-action provisions among state privacy laws, creating exposure not just to AG enforcement but to individual lawsuits.
Oregon dispensaries that haven’t fully mapped their data flows and implemented consumer rights mechanisms are operating with meaningful litigation risk.
Utah (UCPA) — Narrower But Active
Utah’s Consumer Privacy Act has narrower thresholds and exemptions than most state frameworks but is in active enforcement. Multi-state operators that have been deprioritizing Utah compliance due to the law’s relatively business-friendly structure should note that enforcement actions have begun.
The Multi-State Operator Compliance Matrix
If you operate dispensaries in multiple states, you’re managing multiple compliance frameworks simultaneously. A practical approach:
1. Build to the strictest requirement: For most data practices, build your processes around the most restrictive applicable law, then verify you meet the requirements in every other state where you operate. California’s CPRA is typically the most demanding, so California-compliant practices are a reasonable baseline.
2. Identify state-specific requirements that exceed the baseline: Some requirements are state-specific and can’t be generalized. Arkansas’s heightened medical cannabis data protections, Connecticut’s minors’ data rules, and Rhode Island’s data protection assessment requirements need specific attention.
3. Map data flows per jurisdiction: Know where your customers’ data is processed and stored, and which state’s law governs it. If you’re a Nevada-based MSO with a loyalty platform hosted on servers in California, California law may apply to your data processing regardless of where your dispensaries are located.
4. Build consent flows that work across states: Design your consent mechanisms for the strictest opt-in requirement (sensitive data) and offer opt-outs for everything else. A consent system that works in California and Arkansas will generally work everywhere else too.
The Compliance Tension That Keeps Attorneys Up at Night
The most difficult compliance challenge for cannabis dispensaries in 2026 isn’t any single state law—it’s the fundamental tension between regulatory record-keeping requirements and privacy law data minimization requirements.
Consider: Your state cannabis regulator requires you to retain transaction records for five years. A customer submits a deletion request under the state privacy law and asks you to delete their purchase history. What do you do?
Most state privacy laws include exemptions for data retained to comply with legal obligations. So the answer is generally: retain the regulatory minimum required by the cannabis regulator, delete everything beyond that. But this requires you to:
- Know exactly what your cannabis regulation requires you to retain and for how long
- Know exactly what data you’re holding beyond that minimum
- Have systems capable of deleting the excess while preserving the required records
This is non-trivial technically and most dispensary data systems weren’t designed with this distinction in mind. If you can’t distinguish between “regulatory retention minimum” data and “excess data that should be deletable,” you have a compliance gap that needs to be resolved.
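A minimal illustration of that split, added here as example code (not from this page or any dispensary platform): it assumes a constructed retention schedule with the five-year transaction-record rule from the scenario above and a constructed set of one customer’s records, and shows how a deletion request keeps only the regulator-required fields of in-window transaction records while deleting everything else.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed retention schedule (an assumption, not any regulator's actual rule):
# record kind -> (retention period, fields the regulator requires to be kept).
# Record kinds not listed here have no legal hold and are fully deletable.
RETENTION_SCHEDULE = {
    "transaction": (timedelta(days=5 * 365),
                    {"transaction_id", "date", "items", "customer_id"}),
}

@dataclass
class Record:
    kind: str       # e.g. "transaction", "loyalty_profile", "marketing_consent"
    created: date
    fields: dict

def process_deletion_request(records, today):
    """Split a customer's records into (retained, deleted_count).
    Retained records are trimmed to the regulator-required fields only."""
    retained, deleted = [], 0
    for rec in records:
        rule = RETENTION_SCHEDULE.get(rec.kind)
        if rule is None:
            deleted += 1                      # loyalty/marketing data: no legal hold
            continue
        period, required = rule
        if rec.created + period < today:
            deleted += 1                      # past the regulatory retention window
            continue
        # Inside the window: keep the required fields, drop marketing attributes
        # (email, loyalty tier, ...) that rode along on the transaction record.
        trimmed = {k: v for k, v in rec.fields.items() if k in required}
        retained.append(Record(rec.kind, rec.created, trimmed))
    return retained, deleted

def run_sample_request():
    """Constructed sample: one customer's records as of a fixed 'today'."""
    today = date(2026, 4, 15)
    records = [
        Record("transaction", date(2025, 3, 2), {
            "transaction_id": "T1001", "date": "2025-03-02", "items": ["flower 3.5g"],
            "customer_id": "C77", "email": "c77@example.com", "loyalty_tier": "gold"}),
        Record("transaction", date(2020, 1, 10), {          # older than five years
            "transaction_id": "T0042", "date": "2020-01-10", "items": ["edible"],
            "customer_id": "C77", "email": "c77@example.com"}),
        Record("loyalty_profile", date(2023, 6, 1), {"points": 1200, "birthday": "1988-05-04"}),
        Record("marketing_consent", date(2023, 6, 1), {"sms": True, "ad_targeting": True}),
    ]
    return process_deletion_request(records, today)
```

The schedule is the policy decision the text describes: every field not named in it is, by construction, excess data that a deletion request removes.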
Practical Steps for the Next 90 Days
April (Now):
- Map every data collection point in your operation: ID verification, METRC integration, POS, loyalty program, website, online ordering, marketing
- Identify which states’ laws apply to each data flow
- Pull your current privacy policy and compare it to what your systems actually collect and share
May:
- Update your privacy policy to accurately reflect current data practices
- Confirm your loyalty platform and marketing CRM can execute access, correction, and deletion requests
- Review your vendor contracts for required data processing provisions (DPAs)
- Audit tracking pixels on your website and ordering portals
June:
- Implement or update consumer rights request handling procedures
- Conduct data protection assessments for high-risk processing activities
- Establish data retention schedules that distinguish regulatory minimums from excess
- Train relevant staff on the new consumer rights obligations
July 1: Arkansas ACPA effective. You’re ready.
The Cost of Not Doing This
Fines under state privacy laws range from $2,500 per violation under some frameworks to $7,500 per intentional violation under California’s CPRA. Class action exposure under frameworks with private rights of action (Oregon, California) can dwarf regulatory fines. And the reputational cost of a data breach or regulatory enforcement action in an industry that depends on consumer trust for its legal existence is difficult to quantify but clearly significant.
More than the legal exposure: cannabis businesses already face enough scrutiny from regulators, law enforcement, and political opponents. A data privacy enforcement action—or worse, a publicized customer data breach—provides ammunition to opponents of cannabis legalization and gives regulators reasons to tighten licensing requirements across the board.
The dispensaries doing this work now are protecting their licenses, their customers, and frankly, the industry’s ability to operate.
CannaSecure provides cannabis-specific data privacy compliance assessments, privacy policy review, and multi-state compliance program development. Contact us to schedule a compliance audit before the July 2026 Arkansas effective date.