When you browse a cannabis dispensary’s website, you probably assume some level of basic privacy. You’re not searching for something you’d share publicly. Cannabis use, medical conditions, and purchasing patterns are sensitive — the kind of data that could affect employment decisions, insurance, or relationships if it ended up in the wrong hands.

Stiiizy, the largest cannabis retailer in California, apparently didn’t share that assumption.

A federal lawsuit filed in May 2026 alleges that Stiiizy concealed tracking tools across its websites to monitor customers’ shopping and purchasing habits — and then secretly sold that behavioral data to data brokers.

What the Lawsuit Alleges

According to the complaint, Stiiizy embedded third-party tracking pixels and scripts into its website and digital properties that captured detailed behavioral data from visitors. This included:

  • Which products customers browsed
  • How long they spent on specific pages
  • Their purchasing patterns and preferences
  • Device and browser information that could be used to build persistent profiles

None of this disclosure appeared in Stiiizy’s privacy policy in any meaningful way. Customers who shopped on the site had no reason to believe their behavior was being captured and resold.

The data was then passed to data brokers — companies that aggregate behavioral signals from multiple sources into consumer profiles and sell access to advertisers, analytics firms, and other commercial buyers.

The lawsuit covers consumers who purchased Stiiizy products between 2018 and 2024. Given that Stiiizy operates dispensaries across Alameda, Modesto, San Francisco, and other California markets, the class could include millions of customers.

Why Cannabis Data Is Different

Every e-commerce company tracks user behavior to some extent. But cannabis data carries risks that grocery or clothing purchase data doesn’t.

Employment: In many states and industries, cannabis use is still grounds for termination or disqualification. Federal contractors, some healthcare workers, and employees in safety-sensitive positions can face serious professional consequences if their cannabis use becomes known.

Insurance: Life, disability, and health insurance underwriting can be influenced by lifestyle factors. Cannabis purchase data in the hands of a data broker creates a pathway for that information to reach underwriters through data licensing arrangements that consumers can’t trace or prevent.

Law enforcement: Despite California’s legalization, cannabis remains federally illegal. Data broker profiles that include cannabis purchase history could theoretically be acquired by federal investigators through commercial data purchases — a pathway that doesn’t require a warrant.

Personal exposure: For people in conservative families, religious communities, or other situations where cannabis use would create social or personal consequences, the exposure of purchase history can cause real harm.

The sensitivity of the data is precisely why the concealment alleged in the lawsuit is so significant. This wasn’t a case of a company being careless with data it didn’t realize was sensitive. Cannabis is a legal but sensitive consumer product, and any reasonable privacy analysis would flag purchase data as requiring heightened protection.

The Separate Data Breach

The tracking lawsuit is distinct from a separate incident that affected Stiiizy in late 2024, when a third-party vendor breach exposed customer identification information and transaction history from multiple California dispensaries in Stiiizy’s network.

That breach involved the kind of sensitive identity data that California dispensaries are legally required to collect — government-issued ID, age verification records, and purchase history — being exposed through a compromised point-of-sale system.

Two incidents involving two different types of data exposure. The pattern suggests a company that was not treating customer privacy as a meaningful operational priority.

The Broader Problem: Dispensary Data Practices

Stiiizy’s alleged behavior is not unique. The cannabis industry operates in a complicated data privacy environment. State-mandated track-and-trace systems require dispensaries to log every sale with identifying information. Those systems generate detailed records of who buys what, when, and how much.

The regulatory intent is compliance and inventory control. But the data those systems generate is rich, sensitive, and increasingly attractive to commercial data brokers who want to build profiles of cannabis consumers.

California has stronger privacy laws than most states — the California Consumer Privacy Act gives residents rights over their personal data, including the right to opt out of its sale. If Stiiizy’s tracking and data sales violated CCPA requirements, the company faces exposure beyond the federal lawsuit.

What Consumers Should Know

If you’ve purchased from Stiiizy online or visited their website between 2018 and 2024, you may be part of the class in this lawsuit. Class action attorneys are actively investigating; information on joining the class is available through litigation support sites that are tracking the case.

More broadly, the Stiiizy case is a reminder that the cannabis industry has not been held to the same privacy standards that most consumers would expect. When you shop at a dispensary — particularly online — you’re generating data that is not automatically protected just because the transaction is legal.

Practical steps:

  • Use dispensary websites without logging in when possible — browsing as a guest limits the data that can be tied to your identity
  • Opt out of data sales through any dispensary’s privacy portal — CCPA requires this option for California residents
  • Check your state’s cannabis track-and-trace laws to understand what data dispensaries are legally required to retain about you
  • Use a VPN when browsing cannabis-related websites to limit IP-based tracking

The legal right to purchase cannabis shouldn’t come with an invisible surveillance tax. But until the industry is held to account — through lawsuits like this one and regulatory enforcement — that’s effectively what’s happening.