Data Privacy and State Liquor Laws – there is a potential problem brewing!
Should we be entrusting state entities to keep consumer buying information safe?
While laws to strengthen consumer privacy are well intended, in many cases they contrast with regulatory oversight and governments’ requirement to keep transaction data. Why are we even tracking such information? Brick-and-mortar stores do not gather it, which raises serious questions about quantity limits that apply only to online sales.
In the US, there is not a single state that requires brick-and-mortar retailers to collect personal data on the individuals they sell liquor (beer, wine, or spirits) to, and rightly so. Even when retailers check an ID to verify age, there's no requirement to keep records of these checks. The only time data is collected on retail store purchasers is during compliance checks held by state officials. Spoiler: 10% of the time, they sell to minors.
This is in stark contrast with online sales of liquor, particularly in states that impose quantity limits. Here, the level of personal data required by the state crosses into concerning territory.
Existing state limits
Considerations:
If the limit is high enough (KY, NY, PA), then it is like not having a limit. Removing it will spare the states exposure to civil rights challenges around privacy and will save states millions of dollars on enforcement that is not necessary.
States with an annual limit take account of buying habits, i.e., consumers do not buy equal amounts each month. Miss a month and your limit is lost: a use-it-or-lose-it policy.
Some states have limits on the producer as well (not noted above).
For states to enforce quantity limits, direct sellers/shippers must record extensive details about the buyer, including name, address, date of birth, purchase price, volume sold, tracking information, sales tax, excise tax, and the date of purchase, shipment, or delivery, and then submit this data to the state at a regular interval, be that monthly or yearly. While it's understandable for the seller to keep some of this data to support audit requirements, transferring it to state authorities where security isn't guaranteed raises significant concerns. This was proven recently, when an analyst of ours made a public record request to the Massachusetts ABCC, which shared the full name, full address, name of licensee, gallons, and amount for the nearly 500,000 direct wine sales made into the state in 2022. Let’s look at what correct data privacy looks like below.
Data Privacy in 2024
Some of the key principles of data collection, as outlined by the General Data Protection Regulation (GDPR), which inspired statutes enacted by five US states in 2023, include:
Erasure — individuals have the right to request that their personal information be deleted.
Consent — individuals have the right to decide whether their personal information may be sold or whether it may be used for purposes of receiving targeted advertising.
Data minimization — personal information, especially that which is sensitive, should be kept, if at all, only long enough to serve its purposes.
Transparency, informed consent, and legitimate uses — personal information should be used with informed consent from the data subjects, in a way that is understandable to them, and only for legitimate uses allowed under law.
And more – see https://gdpr-info.eu/art-5-gdpr/
Collecting customer data and remitting it to a state entity without the purchaser's knowledge, with the state then storing that data in a potentially insecure place and releasing the exact data to any member of the public for any purpose, breaks many of the modern data privacy rules.
Data minimization says that data should be kept, if at all, only long enough to serve its purpose. If the purpose is enforcing quantity limits on a monthly or yearly basis, then shortly after that period closes, the DTC sales data should be deleted, especially if it contains names and personal addresses. The fact that one of our analysts could get all the direct sales data for Massachusetts, without the customers knowing, six months after the year of data collection closed is concerning.
The Seller Dilemma
This data privacy issue creates a dilemma for sellers responding to requests to remove customer data under various state regulations, such as in California. Due to state mandates, sellers must retain detailed records for a minimum of two to three years, if not longer. This requirement seems unjustifiable, especially as it's not mandated for brick-and-mortar stores.
The industry and state attorneys general need to investigate two critical "why" questions:
Why are quantity limits still in place? They originally existed to appease wholesalers during the development of new sales channels, but now they lack legal or reasonable justification.
Why do states collect extensive personal data related to individual purchasing habits, and why must the data be stored for such an extended period when limits can reset as frequently as monthly?
States that forgo these limits and data collection smartly recognize their impracticality and inability to be justified. Just imagine going to Costco and providing at checkout the same information a person provides online: what you are buying, how frequently you buy, and how much you have purchased (with the store possibly telling you that you have purchased enough this month), with all of that personal data then sent to the state.
The ideal solution is one without quantity limits, in which states require only the reporting of volume and value of orders shipped from the licensee, so that sales and excise tax can be calculated and paid. If they worry you are not paying the taxes, they can audit the sellers, just like any other government department.
These issues highlight the need for a serious reevaluation of how consumer data is collected and used in the DTC wine market. Ensuring privacy while maintaining regulatory compliance is not just a logistical challenge but a fundamental right that needs safeguarding.