You built the loyalty program to increase retention. Your customers love the points. Your marketing team loves the purchase history data. And somewhere, a class-action attorney just filed a motion in county court that’s going to cost you $2.3 million to settle.
This is the arc playing out for several cannabis retailers right now. While most of the industry’s attention on data privacy has focused on ID scanners and biometric data, a quieter but equally dangerous liability has been building in the loyalty program space—and most dispensary operators have no idea how exposed they are.
What Your Loyalty Program Actually Collects
Ask most dispensary owners what data their loyalty program collects, and they’ll say “email and purchase history.” The real answer is usually much more invasive than that.
A typical cannabis loyalty program implemented through platforms like Springbig, Alpine IQ, or similar cannabis-specific CRM tools collects some or all of the following:
- Full legal name (required for cannabis purchase verification)
- Date of birth
- Phone number
- Email address
- Home address (often required for delivery or account verification)
- Government-issued ID number (in some implementations)
- Complete purchase history with product categories, THC/CBD percentages, and dollar amounts
- Visit frequency and timing (when you come in, how often)
- Preferred budtenders (many systems track this)
- Abandoned cart data (for online ordering integrations)
- Device identifiers and IP addresses (from online ordering and app-based programs)
- Location data (GPS coordinates, in app-based programs)
- Communication preferences and open rates (which marketing emails you open)
- Referral relationships (who referred you to the dispensary)
Now add what some platforms collect without operators realizing it: behavioral analytics tracking how long you browse specific product pages, cross-location profiles that merge data across multiple dispensary locations under an MSO (multi-state operator), and in some cases, third-party data enrichment that appends demographic and financial data purchased from data brokers.
That’s not “email and purchase history.” That’s a comprehensive consumer profile that, if it contains records of medical cannabis purchases, may constitute protected health information under some state frameworks.
The Legal Landscape That’s Closing In
California CPRA Enforcement Is Escalating
The California Privacy Rights Act has been in effect for years, but enforcement by the California Privacy Protection Agency (CPPA) escalated sharply in 2025 and is targeting retail in 2026. Key requirements that cannabis loyalty programs often violate:
- Right to opt out of sale/sharing: If your loyalty platform shares customer data with third-party marketing partners—even as part of standard platform operations—you must offer California residents an easy opt-out mechanism. Most dispensary loyalty implementations don’t have this configured correctly.
- Right to limit use of sensitive personal information: Cannabis purchase history is arguably sensitive personal information under CPRA. Customers must be able to limit how it’s used.
- Data minimization: You can only collect data “reasonably necessary” for the disclosed purpose. Running analytics on customer behavioral data for product development purposes—without disclosing that in your privacy policy—is a violation.
- Retention limits: Data must be retained only as long as necessary. Most loyalty programs default to indefinite retention.
Fines: Up to $7,500 per intentional violation. Multiply one violation across a whole class of affected consumers and the exposure becomes devastating fast.
Illinois BIPA Extends to Loyalty Program Behavior Analysis
Illinois’s Biometric Information Privacy Act (BIPA) has generated more class-action litigation than any other privacy statute. While BIPA’s original application was facial recognition and fingerprints, courts have interpreted it expansively. If your loyalty program app uses device sensors for authentication, or if your in-store loyalty kiosk uses any form of behavioral analysis derived from physical characteristics, you may have BIPA exposure.
The litigation against PharmaCann over ID scanner biometric collection set a precedent: both the dispensary operator and the technology vendor were named as defendants. That model is being applied to loyalty program providers as well.
The Tracking Pixel Problem
Several cannabis retailers discovered in 2025 that their loyalty program and e-commerce platforms had embedded third-party tracking pixels—from Meta, Google, and marketing analytics vendors—that were transmitting customer purchase data without proper disclosure. One well-documented case involved Uncle Ike’s, a Seattle-area cannabis retailer, where customers alleged that data including medical appointment details and purchase history was shared with Google and third parties through tracking pixels installed on the dispensary’s website.
This isn’t an edge case. Loyalty program platforms frequently integrate with advertising networks as a revenue model or a feature for operators. If your platform does this and you haven’t disclosed it—and given customers a way to opt out—you’re running the same risk.
New State Privacy Laws in 2026
Multiple new comprehensive privacy laws took effect in January 2026, including in Indiana, Kentucky, and Rhode Island. These laws generally follow the Virginia CDPA model but with varying thresholds and requirements. Arkansas adds requirements effective July 2026.
Dispensaries operating in these states must now:
- Provide privacy notices at or before collection
- Honor consumer requests to access, correct, and delete their data
- Conduct data protection assessments for high-risk processing activities (a loyalty program processing cannabis purchase history likely qualifies)
- Avoid processing data in ways not disclosed in the privacy notice
How Class Actions Actually Start
Understanding how loyalty program privacy class actions get filed is useful because most dispensary operators picture a customer who felt wronged by their data being misused. That’s not usually how it happens.
The actual sequence:
- A plaintiff’s attorney—typically a firm that specializes in consumer privacy class actions—identifies a category of potential violations
- They look for a named plaintiff: one person who was a customer at the dispensary, enrolled in the loyalty program, and whose data may have been handled improperly
- They analyze the dispensary’s privacy policy, app behavior, and data flows—often using technical tools that inspect what data the app or website is transmitting
- They file a class action claiming the named plaintiff and all similarly situated class members suffered the same violation
- The dispensary faces not just the cost of any settlement or judgment, but also massive legal defense costs before the case ever goes to trial
The firms doing this work are not naive about their targets. They look for:
- Large customer databases (MSOs with multiple locations are attractive)
- Weak or vague privacy policies that don’t clearly describe what’s collected and how it’s used
- Third-party data sharing that isn’t disclosed
- No opt-out mechanisms for data sale or sharing
- Long data retention without disclosed retention periods
Most cannabis dispensary loyalty programs have at least one of these. Many have all of them.
What You Need to Audit Right Now
1. Map What Your Loyalty Platform Actually Collects
Call or email your loyalty program vendor and ask for a complete list of every data element they collect, where it’s stored, who it’s shared with, and how long it’s retained. Get this in writing. If they can’t answer clearly, that’s itself a problem.
Pay particular attention to:
- Third-party integrations (advertising networks, data enrichment services)
- Analytics platforms with access to customer-level data
- Any “data monetization” features in the platform’s terms of service
2. Audit Your Privacy Policy Against What’s Actually Happening
Your privacy policy describes what you collect and how you use it. Your loyalty platform may be doing things your privacy policy doesn’t mention. That gap is your liability. Common mismatches:
- Policy says you don’t sell data; platform shares with ad networks under a “service provider” carve-out that functions like a sale
- Policy doesn’t mention behavioral analytics; platform collects browsing patterns
- Policy doesn’t mention third-party enrichment; platform appends purchased demographic data
3. Verify You Have Working Consumer Rights Mechanisms
If a California, Colorado, or Connecticut resident asks to access, correct, or delete their loyalty program data, can you actually fulfill that request? Do you know which systems hold their data? Can you delete it from all of them, including backups? Do you have a documented process?
If the answer to any of those is “I’m not sure,” you don’t have a working consumer rights mechanism—you have a compliance checkbox without the compliance.
4. Review Your Retention Policy
Most loyalty programs default to keeping customer data forever, or until the customer explicitly closes their account. Under multiple state privacy laws, you’re required to retain data only as long as necessary for the disclosed purpose. If someone hasn’t visited your dispensary in three years, is retaining their complete purchase history and location data “necessary”?
Establish explicit retention periods and configure your platform to enforce them automatically.
5. Remove or Disclose Every Tracking Pixel
Audit your website and any web-based ordering portal for third-party pixels. Tools like Privacy Bee, Ghostery, or a qualified privacy engineer can identify pixels that are transmitting data to third parties. For each one:
- Determine if it can be removed without operational impact
- If it must stay, ensure it’s disclosed in your privacy policy and covered by your cookie consent banner
- Ensure California residents have a functioning “Do Not Sell or Share My Personal Information” link that actually prevents the transmission
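To make step 5 concrete, here is a small static audit script. It is an added example, not code from this article or from any vendor or tool the article names. It parses a page's HTML, lists every third-party host loaded by script, image, iframe and stylesheet tags, catches pixels injected by inline loader snippets, compares what it finds against the vendors your privacy policy discloses, and checks that a "Do Not Sell or Share My Personal Information" link is present. The sample page, the first-party hostname, the pixel IDs, and the short tracker-host list are all constructed for the example; a real audit should use a maintained tracker list, and presence of the opt-out link says nothing about whether clicking it actually stops transmission, which still has to be tested in a browser.

```python
"""Static audit of a dispensary web page for third-party tracking resources.

Added example (not from the article or any vendor it names). Parses the HTML,
lists every external script/image/iframe/stylesheet host, flags hosts on a
small illustrative tracker list, compares them against the vendors the
privacy policy discloses, and checks that an opt-out link is present.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative tracker hosts (assumption: a real audit uses a maintained list).
KNOWN_TRACKER_HOSTS = {
    "connect.facebook.net": "Meta Pixel",
    "www.facebook.com": "Meta Pixel image beacon",
    "www.google-analytics.com": "Google Analytics",
    "www.googletagmanager.com": "Google Tag Manager",
    "googleads.g.doubleclick.net": "Google Ads",
    "stats.g.doubleclick.net": "Google Analytics (DoubleClick)",
}
OPT_OUT_LINK_TEXT = "do not sell or share my personal information"


class ResourceCollector(HTMLParser):
    """Collects external resource URLs, inline-script bodies and anchor text."""

    def __init__(self):
        super().__init__()
        self.resources = []        # (tag, url) for src/href attributes
        self.inline_scripts = []   # bodies of <script> blocks without src
        self.link_texts = []       # visible text of <a> elements
        self._buf = None           # accumulates text for the open script/anchor
        self._mode = None          # "script", "a" or None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("script", "img", "iframe") and attrs.get("src"):
            self.resources.append((tag, attrs["src"]))
        elif tag == "link" and attrs.get("href"):
            self.resources.append((tag, attrs["href"]))
        elif tag in ("script", "a"):
            self._mode, self._buf = tag, []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == self._mode:
            text = "".join(self._buf).strip()
            (self.inline_scripts if tag == "script" else self.link_texts).append(text)
            self._mode, self._buf = None, None


def audit_page(html, first_party_host, disclosed_hosts=frozenset()):
    """Return the third-party hosts on the page and what they imply for disclosure."""
    parser = ResourceCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for tag, url in parser.resources:
        host = urlparse(url).netloc.lower()
        if host and host != first_party_host:       # skip relative and first-party URLs
            findings.append({"tag": tag, "host": host, "url": url})
    # Pixels are usually injected by an inline loader snippet, not a src attribute.
    for body in parser.inline_scripts:
        for host in KNOWN_TRACKER_HOSTS:
            if host in body:
                findings.append({"tag": "script-inline", "host": host, "url": None})
    for f in findings:
        f["vendor"] = KNOWN_TRACKER_HOSTS.get(f["host"])
    hosts = {f["host"] for f in findings}
    return {
        "third_party": findings,
        "known_trackers": sorted(h for h in hosts if h in KNOWN_TRACKER_HOSTS),
        "undisclosed": sorted(hosts - set(disclosed_hosts)),
        "has_opt_out_link": any(OPT_OUT_LINK_TEXT in t.lower() for t in parser.link_texts),
    }


# Constructed sample page; hostnames and pixel IDs are placeholders, not real values.
SAMPLE_PAGE = """<html><head>
<script src="/static/menu.js"></script>
<script src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
<script>
  var s = document.createElement('script');
  s.src = 'https://connect.facebook.net/en_US/fbevents.js';
  document.head.appendChild(s);
  fbq('init', '000000000000000'); fbq('track', 'Purchase');
</script>
<link rel="stylesheet" href="https://cdn.menu-vendor.example/menu.css">
</head><body>
<img src="https://www.facebook.com/tr?id=000000000000000&amp;ev=Purchase" width="1" height="1">
<img src="/images/logo.png">
<a href="/privacy">Privacy Policy</a>
<a href="/privacy/opt-out">Do Not Sell or Share My Personal Information</a>
</body></html>"""

if __name__ == "__main__":
    report = audit_page(SAMPLE_PAGE, "shop.dispensary.example",
                        disclosed_hosts={"cdn.menu-vendor.example"})
    for f in report["third_party"]:
        print(f"{f['tag']:14} {f['host']:32} {f['vendor'] or 'unclassified'}")
    print("Known trackers:", report["known_trackers"])
    print("Not disclosed in privacy policy:", report["undisclosed"])
    print("Opt-out link present:", report["has_opt_out_link"])
```

Run it against the saved HTML of your storefront and ordering portal (fetch each page with your ordering menu loaded, since many menu embeds are iframes that pull their own pixels). Every host in the "undisclosed" list is either something to remove or something to add to the privacy policy and consent banner; the "known_trackers" list is the starting point for testing whether the opt-out link actually suppresses those requests.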
The Cannabis-Specific Risk Multiplier
One factor that makes cannabis loyalty program privacy violations more serious than retail equivalents: cannabis purchase history is sensitive data.
In multiple state privacy frameworks, data about health conditions, prescription medication use, or medical treatment is treated as a heightened-protection category. Medical cannabis purchases can reveal significant health information—conditions being treated, severity, treatment frequency. Even recreational purchase data can reveal sensitive lifestyle information.
Courts and regulators are increasingly treating cannabis purchase data as sensitive personal information that warrants stricter protection than, say, your Starbucks order history. If your loyalty program is treating cannabis purchase data like any other retail transaction data, you’re running ahead of where the law is going—and you’re running in the wrong direction.
The Vendor Responsibility Trap
One more critical point: your loyalty program vendor being “CCPA compliant” doesn’t make you compliant.
Vendor compliance certifications cover the vendor’s own operations. Your privacy obligations as the data controller—the entity that decided to collect the data and determines its use—remain yours. Even if Springbig or Alpine IQ has their own privacy certifications, you remain responsible for:
- Ensuring you have a proper legal basis to collect what you collect
- Disclosing that collection accurately in your privacy policy
- Honoring consumer rights requests affecting data those vendors hold on your behalf
- Having a Data Processing Agreement (DPA) with the vendor that allocates responsibilities correctly
If you don’t have a current DPA with your loyalty platform provider, get one before you do anything else.
Bottom Line
The same legal infrastructure that produced the PharmaCann/ID scanner biometric lawsuits, the Uncle Ike’s tracking pixel case, and a wave of BIPA litigation against cannabis retailers is now looking at loyalty programs. The exposure is real, the plaintiffs’ bar is experienced, and the statutory damages in some frameworks don’t require proving harm—just proving a violation.
The good news: this is fixable. A thorough privacy audit of your loyalty program, a clean privacy policy, proper consumer rights mechanisms, and a vendor DPA won’t eliminate all risk, but they dramatically change your legal posture from “sitting duck” to “defensible operation.”
The dispensaries that get sued over loyalty programs won’t be the ones with the most data. They’ll be the ones that never bothered to find out what their platforms were actually doing with it.
CannaSecure conducts cannabis loyalty program privacy audits and helps operators achieve compliance with CPRA, state comprehensive privacy laws, and biometric privacy statutes. Contact us to schedule an assessment.