Stiiizy Sued for Tracking Cannabis Shoppers and Selling Their Data

On May 13, 2026, a federal lawsuit was filed against Stiiizy — California's largest cannabis retailer — alleging that the company concealed tracking tools on its websites to monitor customers' shopping and purchasing habits, then sold that data to third-party data brokers without consumer consent.

Let that sink in for a moment. The biggest weed retailer in the biggest cannabis market in the country allegedly watched what you browsed, what you bought, and how you shopped — then packaged that information and sold it to whoever was buying.

If you've ever shopped on a Stiiizy website, this lawsuit concerns you. And even if you haven't, it raises questions that every cannabis consumer in America should be asking right now.

What the Lawsuit Alleges

The federal complaint paints a troubling picture. According to the filing, Stiiizy embedded concealed tracking tools throughout its web properties — code that monitored user behavior including browsing patterns, product views, and purchasing decisions.

This isn't about standard website analytics. Every website uses some form of tracking to understand traffic and improve user experience. What's alleged here goes further: the lawsuit claims Stiiizy collected granular shopping behavior data and then sold it to data brokers — companies whose entire business model is aggregating personal information and reselling it.

The critical element is consent. The lawsuit alleges this was done without adequate consumer notification or permission. Visitors to Stiiizy's websites allegedly had no meaningful way to know their cannabis shopping behavior was being tracked at this level, and certainly didn't consent to having that data sold.

This Isn't Stiiizy's First Privacy Problem

Here's where the story gets worse. This lawsuit isn't Stiiizy's first dance with consumer data issues.

In 2024, the company suffered a ransomware attack that exposed the personal data of over 420,000 customers. We're not talking about email addresses and usernames. The breach reportedly included:

• Driver's licenses
• Passports
• Medical cannabis cards
• Other identifying documents

For a cannabis company to lose that kind of data is catastrophic for its customers. These are people who, in many cases, uploaded government identification to comply with age verification and medical program requirements — trusting that a major retailer would protect that information.

Now, two years later, the same company faces allegations of intentionally harvesting and selling customer data. Whether the 2024 breach and the 2026 lawsuit are connected in any operational way is unclear, but together they paint a picture of a company with a pattern of treating customer data carelessly at best, and exploitatively at worst.

Why Cannabis Privacy Is Different

"Every website tracks you" — that's probably what some people are thinking right now. And they're not wrong. Data harvesting is endemic to the modern internet. So why should cannabis consumers be especially concerned?

One word: prohibition.

Cannabis remains federally illegal in the United States. It's a Schedule I controlled substance (though rescheduling efforts are underway). That means anyone who purchases cannabis — even legally under state law — is technically admitting to a federal crime.

When your cannabis shopping data gets sold to data brokers, it enters a marketplace where it can potentially be purchased by:

• Insurance companies — who might use cannabis purchase history to adjust health, life, or disability premiums
• Employers — who might use the data for hiring or firing decisions
• Landlords — who might use it to deny housing applications
• Law enforcement — who could potentially purchase this data without a warrant
• Government agencies — including immigration authorities, where cannabis use can affect visa and citizenship applications
• Custody attorneys — who might use purchase records in family court proceedings

This isn't paranoia. These are documented ways that data broker information has been used against individuals. When the data in question is specifically about purchasing a federally illegal substance, the potential for harm multiplies dramatically.

The Consent Problem in Cannabis Retail

Cannabis dispensaries occupy a unique position in retail. They require more personal information from customers than virtually any other type of store:

• Government-issued photo ID (mandatory)
• Medical cards (for medical programs)
• Home addresses (for delivery services)
• Phone numbers (for loyalty programs)
• Email addresses (for marketing)

Consumers provide this information because they're legally required to in many cases, and because they trust that a licensed, regulated business will handle it responsibly. That trust is foundational to the legal cannabis market functioning.

When a company allegedly takes that captive audience — people who must identify themselves to purchase a legal product — and then secretly monitors and monetizes their behavior, it represents a profound betrayal of the social contract between retailer and consumer.

The Broader Industry Accountability Question

Stiiizy is California's largest cannabis retailer, but it's not the only cannabis company with a website. This lawsuit raises uncomfortable questions for the entire industry:

• How many other cannabis retailers are using aggressive tracking tools?
• What data is being collected across dispensary websites industry-wide?
• Are cannabis loyalty programs being used as data harvesting operations?
• Do cannabis apps track user behavior beyond what's disclosed?
• Where does cannabis delivery data end up?

The cannabis industry has largely operated without the level of privacy scrutiny applied to healthcare, finance, or even general e-commerce. That needs to change. Cannabis consumers are uniquely vulnerable, and the industry has a heightened obligation to protect their data — not exploit it.

What Consumers Can Do Right Now

While the lawsuit plays out, here's how cannabis consumers can protect themselves:

1. Use Privacy Tools When Browsing

• Enable "Do Not Track" in your browser settings
• Use browser extensions that block tracking scripts
• Consider using a VPN when visiting cannabis websites
• Clear cookies regularly or use private browsing mode

2. Minimize Data Sharing

• Think carefully before signing up for loyalty programs
• Use a separate email address for cannabis-related accounts
• Provide only the information that's legally required
• Opt out of marketing communications

3. Check Privacy Policies

• Actually read the privacy policy before creating accounts (yes, all of it)
• Look for language about "sharing with third parties" or "marketing partners"
• Check if there's an opt-out mechanism for data sharing
• Look for data deletion request options

4. Know Your Rights

• California residents have rights under the CCPA/CPRA to know what data is collected and request deletion
• Other states have similar laws (Virginia, Colorado, Connecticut, etc.)
• You can submit data deletion requests to any company that has your information
• Document what information you've provided to cannabis companies

The Bigger Picture: Trust and the Legal Market

The legal cannabis market exists because voters and legislators decided that regulation was preferable to prohibition. Central to that argument was the idea that licensed businesses would be accountable, transparent, and protective of their customers.

Every time a cannabis company violates consumer trust — whether through a data breach, secret tracking, or privacy exploitation — it undermines the foundational argument for legal cannabis. It gives ammunition to prohibitionists who argue that the industry can't be trusted to self-regulate.

More importantly, it harms real people. The 420,000 customers whose documents were exposed in 2024 can never un-expose that data. And the customers whose shopping behavior may have been sold to data brokers can never un-ring that bell.

What Should Happen Next

This lawsuit needs to result in meaningful consequences — not just for Stiiizy, but as a signal to the entire industry. Cannabis consumers deserve:

• Transparency — clear, honest disclosure of all data collection practices
• Consent — genuine, informed opt-in (not opt-out) for any data sharing
• Minimization — companies should collect only what's necessary
• Security — enterprise-grade protection for sensitive consumer data
• Accountability — real penalties when companies violate consumer trust

The cannabis industry is still young enough to establish strong privacy norms before bad practices become entrenched. This lawsuit might be the wake-up call that forces the conversation.

The Bottom Line

If you're a cannabis consumer who has ever shopped on Stiiizy's website, you may want to exercise your data privacy rights and request information about what data the company holds on you. If you're in California, the CPRA gives you the legal right to do so.

More broadly, this case should make every cannabis consumer think harder about digital privacy. The data you generate while shopping for a federally illegal product has unique risks attached to it — risks that go far beyond targeted advertising.

The legal cannabis industry asked for our trust. It's time to demand that trust be earned and maintained — with our data protected as fiercely as the plants are cultivated.

---

Looking for a verified shop carrying products like these? Browse Budpedia's dispensary near me directory to find licensed cannabis retailers in your state with up-to-date menus.