Lawsuit: Curaleaf Let Ad-Tech Firms Spy on Floridians’ Marijuana Shopping

A new federal class action complaint filed in Miami accuses Curaleaf, one of the nation’s largest cannabis retailers, of secretly allowing ad-tech firms to monitor what medical marijuana patients searched, clicked, and bought on its website.

According to the complaint (attached at the bottom of this story), filed on November 8 in the Southern District of Florida, Curaleaf allegedly embedded a tracking code on its website that allowed outside vendors to “eavesdrop” on patients’ browsing activity and personal information in real-time as they shopped.

The anonymous plaintiff, identified as John Doe, says he used Curaleaf’s site on June 5, 2025, to browse and buy medical marijuana, the complaint states. As he viewed products, added items to his cart, and entered his name, phone number, email, home address, and billing information at checkout, Curaleaf’s code enabled four third-party vendors: Google, SD Technologies (Sweed), InRadio (AdPredictive), and StackAdapt, to intercept his actions and personal details, the suit alleges.

The complaint states that embedded scripts transmitted full URLs, showing exactly which products Doe viewed, what he added to his cart, every button click related to purchases, and identifying contact information. Taken together, the lawsuit argues, that stream of data reveals protected health information about a patient’s marijuana use and ties it directly to their identity, in violation of federal and state privacy laws.

Curaleaf, which reported roughly 1.34 billion dollars in sales for 2024, operates in Florida as a licensed “medical marijuana treatment center,” a designation that carries strict rules under HIPAA and state law meant to protect anything that could reveal a patient’s cannabis treatment. The lawsuit claims Curaleaf broke those rules “to boost marketing effectiveness and enhance medical marijuana sales.”

Doe says he was never warned about any data sharing. The complaint states that during his visit to the site, he was not shown the terms of service or a privacy policy disclosing that his medical marijuana activity would be shared externally. The suit casts the company’s conduct as far more invasive than routine web analytics, citing HIPAA regulations, Florida laws barring medical marijuana treatment centers from revealing confidential patient information, and state statutes that prohibit using someone’s personal identification and medical records without authorization.

Based on those allegations, the lawsuit accuses Curaleaf of violating the federal Electronic Communications Privacy Act of 1986 and Florida’s Security of Communications Act by “procuring” third-party vendors to intercept the contents of patients’ electronic communications with the site without the required all-party consent. Doe also alleges civil theft, arguing Curaleaf helped outside companies take personal and health data that has economic value, violations of the Florida Deceptive and Unfair Trade Practices Act, for quietly embedding tracking tools that siphoned sensitive data for commercial gain, and “intrusion upon seclusion” (an offensive invasion of private affairs) for allowing outsiders to peer into confidential medical activity “in a way that would offend a reasonable person.” 

The complaint characterizes Curaleaf’s practices as an “illegal scheme” exploiting protected health information to drive targeted marketing.

Doe seeks to represent two overlapping groups: a nationwide class of medical marijuana patients who used Curaleaf.com, and a Florida-only class of residents who visited the site. The suit estimates that “many thousands” of people may be affected and argues that a class action is the most efficient way to determine whether Curaleaf’s practices have violated federal and state law.

The case lands amid growing scrutiny over how cannabis tech companies handle customer data. High Times recently reported that Sweed, one of the vendors named in the complaint, launched a cannabis “bug bounty program,” where researchers test a company’s systems for vulnerabilities, after a breach exposed information belonging to more than 380,000 consumers across North America. 

Doe’s lawsuit does not accuse Sweed of involvement in that breach, but alleges Curaleaf paid Sweed and other vendors to analyze patients’ personal data and browsing activity without consent.

John Doe’s attorney, Michael Pineiro, declined to elaborate on the allegations. “We do not have any public comment,” Pineiro told New Times.

NORML Florida Executive Director Karen Goldstein said she was not yet familiar with the case, but pointed to an explainer by the cannabis platform Veriheal, noting that medical marijuana card status and related health information are generally treated as HIPAA-protected medical records that must be safeguarded accordingly. 

NORML Florida Legal Director Michael Minardi said it remains to be seen exactly what types of data Curaleaf shared and how courts will categorize it.

“I do not think I know enough to comment in detail. If there were a possible HIPAA violation, I would think it would have been added to the complaint,” Minardi wrote in an email to New Times. “Through discovery, they may find more information about exactly what data was shared. Because these are medical issues, everything should be HIPAA compliant. Fundamentally, cannabis has to be taken out of the equation. A patient using cannabis should have the same right to have their medical information protected as a patient using any other medication.”

A federal judge in early November ordered Doe to file a disclosure statement under seal identifying himself by name. As of Tuesday afternoon, court records indicated Curaleaf had neither been served nor filed a response.

Curaleaf did not respond to a message from New Times seeking comment.