Canada: Dude, Where's My Data? The OPC's Privacy Guidance To Cannabis Retailers And Purchasers

Last Updated: January 18 2019
Article by Lisa R. Lifshitz

With much fanfare, recreational cannabis became legal in Canada on October 17, 2018. On December 17, 2018, the Office of the Privacy Commissioner of Canada (OPC) published preliminary guidance for cannabis retailers and customers regarding the protection of personal information collected during such transactions, including online transactions.

Adapted from previous guidance published by the Office of the Information and Privacy Commissioner for British Columbia, the OPC guidance is intended to remind cannabis retailers and purchasers that are subject to the Personal Information Protection and Electronic Documents Act (PIPEDA) of their obligations, given the sensitive nature of cannabis transactions, which largely remain illegal outside of Canada.

Subject organizations include private sector businesses in Canada that collect, use or disclose personal information during commercial activity, unless it takes place entirely within a province with "substantially similar" private sector privacy law, which currently includes only Alberta, British Columbia and Quebec. The Guidance correctly notes that if the cannabis retailer is operated by a provincial government or if health information is collected, then provincial public sector and health privacy legislation may apply to this activity rather than PIPEDA.

While the guidance contains much useful advice, much of its application is currently limited in Ontario as recreational cannabis can currently only be purchased online exclusively from the Ontario Cannabis Store (OCS), rather than at physical stores.

Accordingly, the OCS's privacy policy notes that customer information is subject to Ontario's Freedom of Information and Protection of Privacy Act rather than PIPEDA. However, the Guidance will eventually become more pertinent when the Government of Ontario authorizes private retail cannabis outlets, which is expected to occur on April 1, 2019, with the OCS acting as the wholesaler to such establishments.

The guidance stressed a number of critical themes under PIPEDA, as follows.

Only collect what is needed 

In some respects, it's business as usual for private sector cannabis retailers, who are cautioned that they should only be collecting personal information for the purposes identified by the organization and that any such purpose has to be in line with what a "reasonable person" would consider to be appropriate in the circumstances. Moreover, cannabis retailers will also have to obtain "meaningful consent" from individuals before collecting their personal information, which includes telling customers what personal information is being collected, to which parties it will be disclosed, the purposes for its collection, and risks of harm. For example, if a retailer plans to use video surveillance to protect its store (although the OPC considers the use of video surveillance as a last resort) it must warn individuals of such activity using visible signage before the customer enters the store and is recorded.

Not surprisingly, the OPC stressed that retailers should collect the least amount of personal information possible from customers, given the likelihood of potential data breaches and the possible cross-border disclosure of personal information to foreign governments, and should avoid recording personal information where possible. The OPC also suggested collecting email addresses, but not names, for mailing lists and memberships.

When purchasing cannabis, the OPC also advises individuals not to provide the retailer with more personal information than necessary and specifically recommends that if users are concerned about using credit cards (and the option is available), then cash should be used to buy cannabis. Regrettably this approach is not available to users of the OCS website, which currently accepts VISA, Mastercard and American Express, VISA Debit, Debit MasterCard and pre-paid credit cards – but not cash.

The OCS requires customers to provide their names, addresses, email, telephone numbers and payment card information when products are ordered from the website. Customers are also asked to verify that they are at least 19 years old to confirm their purchase.  

On a more positive note, while prospective customers that wish to peruse the OCS website are asked to enter their date of birth to confirm that they are 19 years of age or older to legally access the website's content, the OCS' Privacy Policy advises that the visitor's date of birth is not used for other purposes, or kept or stored by OCS after the visitor closes their browser session.

Ensure adequate security measures

Any personal information collected by a retailer, such as name, credit card number, email address or any other personal information must be stored securely in accordance with PIPEDA's requirements. 

The guidance emphatically states that cannabis retailers must protect the personal information of customers in their custody and control by making appropriate security arrangements to prevent unauthorized access, disclosure, use, copying or modification. Retailers are expected to employ physical, technological and organizational security measures to store personal information. Per its privacy policy, the OCS states that it "employs organizational, contractual, technical and physical security measures" to protect personal information under its custody and control. The Guidance also stresses that personal information should only be used for the purpose for which it was originally collected and should only be kept as long as necessary to fulfill the purpose, after which it should be securely destroyed. For example, paper documents should be cross-shredded.

The OPC recommends that technological security measures for computer systems holding personal information include: the use of unique electronic user IDs for each staff member or purchaser; strong passwords; encryption; firewalls; and deleting personal information when it is no longer needed. Organizational methods include restricting employee access to personal information to what is required to perform their job duties, implementing mandatory staff training and staff security screening. Retailers are also expected to conduct regular risk assessments and compliance monitoring to ensure that they are meeting PIPEDA requirements, updating program controls if and as necessary.

Store personal information on Canadian servers to minimize cross-border privacy concerns 

The OPC astutely acknowledges that the use of certain cloud services or proprietary software to store personal information regarding cannabis purchases may lead to the transfer of such data outside of Canada, thereby increasing the risk of potential access to such data by foreign law enforcement or governments. Thus, the OPC flagged the very real concern that potential access to this data by such foreign governments will be problematic for cannabis users, given the continued illegality of cannabis worldwide.

The guidance notes that it is more "privacy protective" to store personal information regarding cannabis acquisition on servers located in Canada and then more forcefully recommends that customers ask cannabis retailers whether their personal information is stored on servers outside of Canada. The OPC even goes so far as to suggest that purchasers may want to opt to "purchase cannabis from those retailers who keep your personal information in Canada." Interestingly, the OCS speaks to this concern in its privacy policy, stating that it "stores customer personal information under its custody or control in Canada."

While some Canadian cannabis retailers may wish to heed such advice by choosing local Canadian cloud vendors, in my view they will also be required to engage in further due diligence to confirm that such so-called Canadian cloud providers actually host and retain all their data on servers located in Canada rather than using third-party service providers, subcontractors and sub-processors or Canadian affiliates of large foreign vendors whose actual networks (or portions thereof) are located in other jurisdictions, which still puts Canadian personal information at risk of third party government or other exposure.  

Any such cloud-computing agreements between such Canadian cannabis retailers and cloud vendors should also contain the necessary contractual provisions to specify and lock-down the location of customer personal information held by such cloud vendor and its subcontractors and sub-processors and the servers used to host and store such data.

Designate privacy officers

All cannabis retailers are required to designate privacy officers who are responsible for ensuring compliance with PIPEDA and such organizations must provide that person's position, name or title and contact information when requested by a customer or otherwise. It is also expected that such persons will be responsible for responding to any customer concerns regarding the collection, use, storage, disclosure or disposal of personal information.

Create meaningful privacy policies

Under PIPEDA organizations are required to develop policies and practices to meet their responsibilities and demonstrate compliance. These include internal policies as well as external privacy notices. The Guidance reminds cannabis retailers that they are expected to emphasize the protection of personal information as company priorities and ensure that all of their staff are trained in, understand, and follow company privacy policies in everyday transactions. 

Publicly facing privacy policies must also provide individuals with enough information about the retailer's practices to ensure that consent is meaningful. For example, cannabis retailers with websites must inform users about any personal information that they collect, including tracking cookies and website analytics, why such information is collected and of course, how it is being used by the retailer. The OCS' privacy policy for example does transparently speak to the use by the OCS of website cookies, server log data, web analytics services, among other things.

In typical OPC fashion, certain aspects of the guidance are vague. For example, it's great to say that cannabis retailers should employ strong passwords and encryption as mandatory technological security measures, but a cannabis retailer may reasonably ask what the OPC considers these to be or what minimum standards should be employed. Overall, the guidance is a good first step in reminding cannabis retailers of their obligations and cannabis consumers of their rights under PIPEDA.

This article originally appeared as Lisa's IT Girl column in Canadian Lawyer Online

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
