Kentucky Cannabis Law Blog

Navigating Kentucky's Cannabis Laws: Insights, Updates, and Legal Guidance

Website Design: Navigating Privacy and Cybersecurity Risks for Cannabis Businesses

By Andrew Clearwater, Dalton Cline, and Hannah King
September 8, 2025
  • General
  • Kentucky Cannabis Law

For hemp businesses operating in Kentucky and beyond, as well as medical cannabis licensees in Kentucky gearing up for sales in 2025/2026, an all-important component of their business will be a high-quality website. But while a website is a powerful tool for reaching potential customers, it is also a perennial source of risk, both from plaintiffs' firms utilizing broad interpretations of the law to bring potential class action lawsuits, and from regulators enforcing state data protection and privacy law.

The Rise of “Wiretap” Lawsuits

In recent years, website operators across industries have been blindsided by a surge of lawsuits claiming that everyday online practices—like using chatbots, tracking user analytics, embedding videos, deploying session replay tools, or even installing common cookies and pixels—violate state and federal wiretap laws. These suits are attractive to plaintiffs due to private rights of action and statutory damages.

In all cases, the key affirmative defense available to businesses is consent; the business argues that the plaintiff had actual or constructive notice of the collection via a cookie banner, privacy notice, or both, and either impliedly or actually consented to the collection by continuing to use the website after receiving this notice.

However, website design heavily factors into whether the individual was adequately informed of the existence of the notice, and the analysis can turn on highly fact-dependent inquiries.

State Privacy Notice Requirements

While medical cannabis businesses in Kentucky are restricted to operating within state borders, hemp businesses have already started to navigate sales of hemp-derived beverages, edibles, and other products in multiple states, including direct-to-consumer online sales. A business must navigate a patchwork of state laws and regulations in order to engage in commerce in multiple states. These companies need to focus not only on constantly evolving hemp-specific regulations that vary by state, but they must also comply with differing state laws that apply to all commercial businesses when it comes to privacy, cybersecurity, and a myriad of other topics.

Four states have laws containing requirements for privacy notices generally applicable to any commercial website operators: California’s Online Privacy Protection Act (Cal. Bus. & Prof. Code §22575) and “Shine the Light” Law (Cal. Civ. Code § 1798.83), the Delaware Online Privacy and Protection Act (Del. Code Ann. 6.2, §1201C et seq.), Nevada’s untitled commercial website operator law (Nev. Rev. Stat. 603A.300 et seq.), and the Utah Notice of Intent to Sell Nonpublic Personal Information Act (Utah Code Ann. § 13-37-101-203).

These laws generally apply to any commercial website operators regardless of size, and require specific information regarding the information practices of the website operator, including data collection, use, and disclosure.

Comprehensive Consumer Privacy Laws: A Moving Target

Since the passage of the California Consumer Privacy Act in 2018, eighteen other states have passed consumer privacy laws and regulations governing the processing of personal data.[1] One of the key obligations of these laws is to provide a compliant privacy notice.

Jurisdictional thresholds for these laws are in flux; although when initially introduced they required the organization to process the personal data of an appreciable percentage of the state’s population or have annual revenues above $25,000,000, subsequent amendments have both lowered the thresholds of applicability and introduced alternative bases for applicability. For example, the Connecticut Data Privacy Act was amended to apply to any “consumer health data controller,” meaning that any entity determining the “purpose and means” of processing “personal data… [used] to identify a consumer’s physical or mental health condition or diagnosis” must comply with applicable provisions.

Penalties for violations can range from $2,500 to $25,000 “per violation,” where violations are tabulated by “per-person affected.”

Data Breach Notification: No Room for Error

Commercial website operators must also take care to implement, maintain, and use physical, technical, and organizational measures designed to protect the privacy, confidentiality, integrity, and availability of the personal data they process. While medical cannabis businesses in Kentucky are not authorized to accept orders or payments through their websites (and can only maintain websites for certain limited informational purposes),[2] hemp businesses are likely collecting personal data through payment processing, ordering portals, consumer loyalty programs, and/or other mechanisms.

All fifty states have enacted data breach notification laws that require notice to individuals, and in some cases state regulators, credit reporting agencies, and the media, after discovery of the unauthorized access to or unauthorized acquisition of certain kinds of personal data.

In addition to state data breach notification law, federal data breach notification laws may apply. Although health information is commonly thought of as covered by the Health Insurance Portability and Accountability Act (HIPAA), certain non-HIPAA covered website operators may fall within the scope of the Federal Trade Commission (“FTC”) Health Breach Notification Rule.

What Should Hemp and Cannabis Businesses Do Next?

Every detail of your website matters when it comes to legal compliance.

The wording of your privacy notice, the placement and design of your cookie banner, and even the contrast between your text and background can make a difference in court. Proactive steps now can help you avoid costly litigation and regulatory headaches down the road.

Are you confident your website is compliant with the latest privacy laws? Have you reviewed your consent mechanisms and privacy notices recently? What steps are you taking to protect customer data and respond to potential breaches? These are critical questions for any cannabis business looking to thrive in a complex legal landscape.

If you’re unsure where to start, Dentons can draw on real-world experience to help you identify risks and implement best practices tailored to your business. While this post focuses on privacy and cybersecurity, there are also cannabis-specific regulations that impose various restrictions on marketing and advertising (including through websites). Dentons covered key requirements and restrictions for Kentucky medical cannabis businesses in a prior post, available here, and will continue to provide content on these topics.


1 California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act (Cal. Civ. Code §§ 1798.100–199.100), the California Privacy Protection Agency Regulations (Cal. Code Regs. tit. 11, §§ 7000–7600), collectively the “CCPA,” the Colorado Privacy Act (Colo. Rev. Stat. §§ 6-1-1301–1313) and the Colorado Privacy Act Rules (4 CRR 904-3), the Connecticut Data Privacy Act (Conn. Gen. Stat. § 42-515–527), the Delaware Personal Data Privacy Act (Del. Code tit. 6 12D-101–111), the Indiana Consumer Data Protection Act (Ind. Code § 24-15), the Iowa Consumer Data Protection Act (Iowa Code § 715D.1–715D.9), the Kentucky Consumer Data Protection Act (Ky. Rev. Stat. § 367.3611–367.3629), the Maryland Online Data Privacy Act (Md. Commercial Law Code § 14-4701–4714), the Minnesota Consumer Data Privacy Act (Minn. Stat. §§ 325M.01–325M11), the Montana Consumer Data Privacy Act (Mont. Code § 30-14-2801–2817), the Nebraska Data Privacy Act (Neb. Rev. Stat. § 87-1101–1130), the New Hampshire Data Privacy Act (N.H. Rev. Stat. tit. LII, Ch. 507-H:1–12), the New Jersey Data Privacy Act (N.J. Stat. § 56:8-166), the Oregon Consumer Privacy Act (Or. Rev. Stat. § 646A.570–589), the Rhode Island Data Transparency and Privacy Protection Act (6 R.I. Gen. Laws § 6-48.1-1–10), the Tennessee Information Protection Act (Tenn. Code § 47-18-3301–3315), the Texas Data Privacy and Security Act (Tex. Bus. & Com. Code § 541.001–107), the Utah Consumer Privacy Act (Utah Code §§ 13-61-101–404), and the Virginia Consumer Data Protection Act (Va. Code §§ 59.1-575–584).

2 915 KAR 1:090, Section 2(1); 915 KAR 1:070, Section 4(1); 915 KAR 1:090, Section 1(1); 915 KAR 1:080, Section 2.

Andrew Clearwater

About Andrew Clearwater

Andrew Clearwater, a member of Dentons’ Privacy and Cybersecurity Team, is a recognized leader in privacy and artificial intelligence governance. With extensive experience helping businesses implement technology responsibly, Andrew combines deep technical capabilities with practical solutions. As a founding leader at OneTrust, he oversaw privacy and AI governance, contributed to the development of industry-leading data protection best practices, and is an inventor on more than 20 of the company’s patents.


Dalton Cline

About Dalton Cline

Dalton Cline is a member of the Dentons global Data Privacy and Cybersecurity Group. As a Certified Information Privacy Professional (CIPP/US, CIPM, CIPT), he routinely advises businesses in a variety of industries and sectors regarding compliance with domestic and international data privacy and cybersecurity laws and regulations. Organizations value Dalton’s detailed and clear explanations of complex regulations and requirements.


Hannah King

About Hannah King

Hannah E. King, a partner on the Dentons Cannabis team, is one of Maine’s leading authorities on the highly regulated and complicated cannabis industry. Hannah advises hundreds of cannabis businesses from small family-run businesses to large publicly traded, multi-state operators in Maine, Massachusetts, New Hampshire and Vermont.
