It Happened Before: The Retail Blacklist That Got Shut Down

If a private database of merchant-reported accusations sounds like something the law should have a problem with, that is because it has — before, and in a big way.

For years, a database called "Esteem," run by LexisNexis, collected reports from retailers about people accused of theft. The overwhelming majority of those entries involved alleged incidents that were never criminally charged and never resulted in a conviction — accusations, not findings. People were denied opportunities based on entries they had never seen and could not effectively dispute. The result was a class-action challenge under the federal Fair Credit Reporting Act, and in the settlement, LexisNexis agreed to suspend the Esteem database. A separate retail-flagging operation, The Retail Equation, has faced similar scrutiny and is listed by the federal Consumer Financial Protection Bureau.

Hold that next to a cannabis "block list." A business types an accusation. It is shared with other businesses. The accused is not notified, is not given the evidence, and has no real way to dispute it. The structure is the same. We are careful here: the Esteem case was about background screening, and no court has yet applied the FCRA to a cannabis point-of-sale blacklist — that legal fit is untested. But the precedent makes one thing clear. Merchant blacklists built on unproven, undisputable accusations have been found unacceptable before, and have been shut down.

There is a second echo worth naming. IndicaOnline markets itself as "HIPAA certified" and "first fully compliant." No agency issues a "HIPAA certification," and dispensaries generally are not HIPAA-covered to begin with — so the question is not whether the feature "violates HIPAA" (we do not claim it does). The question is the gap between a brand built on patient-data protection and a product feature designed to spread patient accusations between companies. That gap is the kind of thing Oklahoma's consumer-protection law (15 O.S. § 751) and the FTC's authority over deceptive practices exist to examine.

For Oklahoma patients, the lesson is not panic — it is awareness and a paper trail. Know which questions to ask, know that these lists are private (not the State), and know that the law has tools. We walk through all of it on our patient-privacy page.

Start with the overview of how the list works, then read why skipping due process matters so much. When you are ready to shop, our directory never sells rankings — the order you see is the order patients voted for.