Chicago-based cannabis heavyweight Verano Holdings is staring down a new privacy lawsuit in Illinois that accuses the company of printing medical patients’ names and birthdates right on their in-store receipts. The complaint says those little slips of paper can effectively flag customers as registered medical cannabis users and expose sensitive personal details, setting up a fresh legal headache for multi-state dispensary operators.
What the suit alleges
According to Crain's Chicago Business, the lawsuit, filed in Illinois state court, claims Verano receipts list purchasers’ full names and dates of birth. The filing argues that, in the medical cannabis context, those data points on a receipt can tip off a person’s status as a medical-use customer and link them to other protected information.
Law360 also covered the case and reports that the plaintiff is alleging violations of federal and state privacy laws, while asking the court to let them represent similarly situated customers as a putative class. Law360 notes that the suit focuses on receipts printed at Verano’s retail locations and that the plaintiffs are seeking damages under the statutes cited in the complaint.
Illinois law keeps the registry confidential
Illinois already treats its medical cannabis registry as tightly guarded information. Under the Compassionate Use of Medical Cannabis Program Act, the Department of Public Health must keep a confidential list of cardholders. The law strictly limits how registry information can be disclosed and makes certain unauthorized breaches a criminal offense. Those protections are central to the plaintiff’s claim that dispensary receipts should not reveal patient-identifying details. (410 ILCS 130)
Do HIPAA rules apply?
Whether HIPAA actually covers this kind of dispensary conduct is a trickier question. Federal guidance says HIPAA applies to "covered entities" such as health plans, certain health-care providers that transmit specific electronic transactions, and clearinghouses, along with their business associates, not to every business that handles health-related details. A court would likely have to decide whether a dispensary in this context counts as a covered entity or a business associate before HIPAA comes into play.
That distinction matters. Verano has already warned in its SEC filings that any data breach or privacy incident could expose the company to liability under HIPAA and other privacy laws, on top of reputational damage. (HHS; Verano 10-K)
Legal stakes and possible outcomes
If the judge lets the class allegations move forward, this lawsuit could turn into a broader test of how consumer privacy and medical confidentiality rules apply inside cannabis retail shops. Potential remedies include statutory damages under Illinois law, orders telling the company to change its practices, and added attention from regulators if state or federal agencies decide to take a closer look.
A key issue will be whether these receipts are treated as "protected health information" and whether the dispensary had any lawful reason to print names and dates of birth in this setting, as described in coverage of the complaint.
What’s next
The case is currently pending in the Illinois state court and was first noted in reporting by Crain's Chicago Business. If the plaintiff wins class certification, the lawsuit could expand to include other Illinois medical cannabis patients who received similar receipts. Observers will be watching court filings and any moves from the Illinois Department of Public Health or federal OCR for developments that could ripple out to both patients and cannabis retailers.
.jpg){kind=link}