Your Privacy at the Dispensary

Oklahoma dispensaries are required to confirm you’re a valid medical-marijuana patient. The state’s registry exists for exactly that: it lets a shop verify that your OMMA license is real and current. That is the legitimate, lawful part — and on its own, it isn’t the problem.

What many patients don’t realize is that the dispensary’s point-of-sale software — the checkout and customer-profile system the shop runs — is a separate, private system. It can store a profile tied to your name, date of birth, photo, and state ID number. What that software is allowed to do with that profile is set by the software vendor, not by the State of Oklahoma.

One widely used cannabis point-of-sale vendor, IndicaOnline, documents a feature in its own help materials that lets a dispensary add a customer to a “Black List.” There are two versions: a block that stays at that one store, and a network-wide block that — in the company’s own words — blocks the person “throughout the entire IndicaOnline system.”

Per the vendor’s blog, once a patient is added to the network list, other cannabis businesses “will be notified as soon as they scan [the] customer’s state ID.” In other words, your government ID is the key that pulls the flag up at any shop on the network — including ones you’ve never set foot in.

Here is what the entry does and does not require, according to the documentation:

• Required: the patient’s identity and state ID, a “block type,” and a free-text “reason.”
• Not captured: any date, evidence, incident report, witness, receipt, or police/court record.
• No notice: the listed patient is never told they’ve been added.
• No appeal: only a dispensary (or the vendor) can remove an entry — the person it’s about cannot.

The result is a private, cross-business record that can attach an unverified accusation to a lawful, state-licensed patient and carry it from shop to shop. And because the network isn’t limited to Oklahoma, a flag added in one state can surface at an Oklahoma counter — and an Oklahoma flag can follow a patient beyond the state line.

In the United States, a serious accusation is supposed to be tested — not simply declared. You are presumed innocent. You have the right to know what you’re accused of, to see the evidence, and to answer it before you are punished. Those protections — the due-process guarantees of the Fifth and Fourteenth Amendments, and the presumption of innocence the U.S. Supreme Court called “axiomatic and elementary” in Coffin v. United States (1895) — are the foundation of how a free society decides who is guilty and who is not.

Those guarantees bind the government — courts, police, agencies. They do not reach a private company’s checkout software. And that gap is exactly the problem. This network takes one of the most consequential things a society can do — brand a person a thief, a fraud, or a danger — and does it with none of the safeguards we demand of any courtroom. No judge. No hearing. No requirement of evidence. No notice to the accused. No appeal. A single employee’s words become a standing verdict, enforced across hundreds of businesses, that the accused never agreed to, never saw, and cannot overturn.

We respect the law and the process that proves guilt or innocence for a reason: the alternative — accusation treated as conviction — is precisely how innocent people get punished for things they never did. A private blacklist that skips that process doesn’t merely risk unfairness. It is built to deliver it.

A false flag doesn’t sit quietly in a database. Oklahoma defamation law treats every repetition of a false statement as a new publication — a fresh wrong, with fresh harm. Picture how that actually plays out: a budtender, rattled by a red “blocked” banner, repeats the accusation to a coworker — or, far worse, posts it on their personal Facebook. Now an unproven claim that someone is a racist, a thief, or a threat is circulating publicly, tied to a real person’s name, in their own community.

The social and reputational damage can be severe and permanent — lost relationships, lost work, a name dragged through the mud — all over an accusation the person was never told about and never had a chance to disprove. They can’t correct a record they were never shown, created by a store they may never have visited.

And here is the part dispensaries should hear clearly: relying on, repeating, or resharing one of these unverified accusations can expose a shop and its staff to their own defamation and false-light liability — for an entry they didn’t create and couldn’t verify. The software hands a frontline employee a loaded, unproven statement and quietly invites them to act on it. That’s a danger to the patient and to the business. No one in that chain — not the patient, not the budtender, not the shop — was ever given what a fair process requires: proof, and a chance to be heard.

Based on publicly available vendor documentation, IndicaOnline appears to be the only major cannabis point-of-sale system that openly documents a cross-company network block — one that reaches unrelated businesses. For comparison, another large vendor, Dutchie, documents a “ban a customer” tool that applies only within a single business’s own locations (and can even be turned off) — a meaningfully different and far narrower thing. For other major systems, we found no public documentation of any cross-company shared block.

That said, absence of public documentation is not proof a feature doesn’t exist. We have asked the major vendors directly, and this page will reflect what they tell us.

We won’t overstate the law — and we don’t need to. Below are the authorities that actually apply, each cited and linked. None of this is legal advice; it’s a map of where the questions live.

If a budtender mentions a “flag,” “block,” or red banner on your profile, here is a calm, documented path:

1. Get the details. Politely ask which store created it, whether it’s a network block, and the exact wording of the “reason.” That wording is the heart of any claim.
2. Send a written removal & records request to the listing store and to IndicaOnline, asking them to delete it and to provide what they hold about you.
3. File an OMMA complaint about the store’s handling of your private patient information. It’s free and it gets attention.
4. If the “reason” is false, a demand letter citing Oklahoma defamation and false-light law puts real weight behind a removal request — consider talking to an Oklahoma attorney.
5. Escalate with complaints to the FTC, the CFPB, and the Oklahoma Attorney General’s consumer division.

Timing matters: in Oklahoma, the deadline to sue for libel is generally one year, and for false light two years. Acting promptly — even just sending letters — preserves your options.

🖨️ Print our one-page “Know Your Rights” card →

This page is the overview. These companion reports go deeper on each piece: