With much fanfare, recreational cannabis became legal in Canada on October 17, 2018. On December 17, 2018, the Office of the Privacy Commissioner of Canada published preliminary guidance for cannabis retailers and customers regarding the protection of personal information collected during such transactions, including online transactions.
Adapted from previous guidance published by the Office of the Information and Privacy Commissioner for British Columbia, the OPC guidance is intended to remind cannabis retailers and purchasers that are subject to the Personal Information Protection and Electronic Documents Act of their obligations, given the sensitive nature of cannabis transactions which largely remain illegal outside of Canada.
Subject organizations include private sector businesses in Canada that collect, use or disclose personal information during commercial activity, unless it takes place entirely within a province with “substantially similar” private sector privacy law, which currently includes only Alberta, British Columbia and Quebec. The Guidance correctly notes that if the cannabis retailer is operated by a provincial government or if health information is collected, then provincial public sector and health privacy legislation may apply to this activity rather than PIPEDA.
While the guidance contains much useful advice, much of its application is currently limited in Ontario, as recreational cannabis can only be purchased online, exclusively from the Ontario Cannabis Store, rather than at physical stores.
The guidance stressed a number of critical themes under PIPEDA, as follows.
Only collect what is needed
In some respects, it’s business as usual for private sector cannabis retailers, who are cautioned that they should only be collecting personal information for the purposes identified by the organization and that any such purpose has to be in line with what a “reasonable person” would consider to be appropriate in the circumstances. Moreover, cannabis retailers will also have to obtain “meaningful consent” from individuals before collecting their personal information, which includes telling customers what personal information is being collected, to which parties it will be disclosed, the purposes for its collection, and risks of harm. For example, if a retailer plans to use video surveillance to protect its store (although the OPC considers the use of video surveillance as a last resort) it must warn individuals of such activity using visible signage before the customer enters the store and is recorded.
Not surprisingly, the OPC stressed that retailers should collect the least amount of personal information possible from customers, given the likelihood of potential data breaches and the possible cross-border disclosure of personal information to foreign governments, and should avoid recording personal information where possible. The OPC also suggested collecting email addresses, but not names, for mailing lists and memberships.
When purchasing cannabis, the OPC also advises individuals not to provide the retailer with more personal information than necessary and specifically recommends that if users are concerned about using credit cards (and the option is available), then cash should be used to buy cannabis. Regrettably, this approach is not available to users of the OCS website, which currently accepts VISA, Mastercard, American Express, VISA Debit, Debit MasterCard and pre-paid credit cards – but not cash.
The OCS requires customers to provide their names, addresses, email, telephone numbers and payment card information when products are ordered from the website. Customers are also asked to verify that they are at least 19 years old to confirm their purchase.
Ensure adequate security measures
Any personal information collected by a retailer, such as name, credit card number, email address or any other personal information must be stored securely in accordance with PIPEDA’s requirements.
The OPC recommends that technological security measures for computer systems holding personal information include: the use of unique electronic user IDs for each staff member or purchaser; strong passwords; encryption; firewalls and deleting personal information when it is no longer needed. Organizational methods include restricting employee access to personal information they do not need unless required to perform their job duties, implementing mandatory staff training and staff security screening. Retailers are also expected to conduct regular risk assessments and compliance monitoring to ensure that they are meeting PIPEDA requirements, updating program controls if and as necessary.
Store personal information on Canadian servers to minimize cross-border privacy concerns
The OPC astutely acknowledges that the use of certain cloud services or proprietary software to store personal information regarding cannabis purchases may lead to the transfer of such data outside of Canada, thereby increasing the risk of potential access to such data by foreign law enforcement or governments. Thus, the OPC flagged the very real concern that potential access to this data by such foreign governments will be problematic for cannabis users, given the continued illegality of cannabis worldwide.
While some Canadian cannabis retailers may wish to heed such advice by choosing local Canadian cloud vendors, in my view they will also be required to engage in further due diligence to confirm that such so-called Canadian cloud providers actually host and retain all their data on servers located in Canada rather than using third-party service providers, subcontractors and sub-processors or Canadian affiliates of large foreign vendors whose actual networks (or portions thereof) are located in other jurisdictions, which still puts Canadian personal information at risk of third-party government or other exposure.
Any such cloud-computing agreements between such Canadian cannabis retailers and cloud vendors should also contain the necessary contractual provisions to specify and lock down the location of customer personal information held by such cloud vendor and its subcontractors and sub-processors and the servers used to host and store such data.
Designate privacy officers
All cannabis retailers are required to designate privacy officers who are responsible for ensuring compliance with PIPEDA and such organizations must provide that person’s position, name or title and contact information when requested by a customer or otherwise. It is also expected that such persons will be responsible for responding to any customer concerns regarding the collection, use, storage, disclosure or disposal of personal information.
Create meaningful privacy policies
Under PIPEDA, organizations are required to develop policies and practices to meet their responsibilities and demonstrate compliance. These include internal policies as well as external privacy notices. The Guidance reminds cannabis retailers that they are expected to emphasize the protection of personal information as a company priority and ensure that all of their staff are trained in, understand, and follow company privacy policies in everyday transactions.
In typical OPC fashion, certain aspects of the guidance are vague. For example, it’s great to say that cannabis retailers should employ strong passwords and encryption as mandatory technological security measures, but a cannabis retailer may reasonably ask what the OPC considers these to be or what minimum standards should be employed. Overall, the guidance is a good first step in reminding cannabis retailers of their obligations and cannabis consumers of their rights under PIPEDA.