Privacy protection is of particular interest this spring as private-sector shops start popping up across Ontario. Since the federal government legalized the recreational use of marijuana in October, legal marijuana has only been accessible up until this point online through the Ontario Cannabis Store.
“If [retailers] do not protect that sensitive personal information, they will not get customer trust. If you don’t get customer trust, you don’t get customers,” says privacy lawyer Chantal Bernier, a partner with Dentons Canada LLP, who previously worked with the office of the federal privacy commissioner and served as acting privacy commissioner.
She points out that private-sector businesses are required under the Personal Information Protection and Electronic Documents Act to ensure there are safeguards in place to protect any information.
The commercial reality, says Bernier, is that if the privacy protections are not in place, purchasers will simply turn to the black market and buy untested product that could pose health risks, contrary to one of the motivations behind legalization.
“We all know that the use of cannabis is sensitive personal information. Why? If that information is disclosed without authorization, it can be impactful,” she says. “So, all of the retailers and the producers are truly gearing up for the most secure system to protect that information.”
Bernier points to guidance from the federal privacy commissioner suggesting that customers can also take steps to protect their own personal and financial information by making purchases with cash and staying off mailing lists.
Those who want to make the purchase in the privacy of their own home by buying marijuana online will leave a digital trail, adds Bernier.
In its December 2018 statement on the collection of personal information in cannabis transactions, the Office of the Privacy Commissioner of Canada advises that cash transactions can help to minimize risks for consumers, who should also make a point of knowing what kind of information the retailer is collecting.
It highlights widespread concern by Canadians and potential problems at the border as they cross into the United States.
“Cannabis is illegal in most jurisdictions outside of Canada. The personal information of cannabis users is therefore very sensitive. For example, some countries may deny entry to individuals if they know they have purchased cannabis, even lawfully,” reads the statement.
It further suggests retailers make “appropriate security arrangements to prevent unauthorized access, disclosure, use, copying, or modification. This means ensuring physical, technological, and organizational security measures are in place to store personal information.” But paying cash for marijuana transactions isn’t yet possible in Ontario given that cannabis has only been available through the Ontario Cannabis Store online so far, says Lisa Lifshitz, a privacy partner at Torkin Manes LLP in Toronto.
As legal private-sector pot shops start doing business in Ontario, Lifshitz says, there are other potential privacy risks for purchasers, even for consumers who pay in cash.
Retailers often collect information about their clients and some may copy proof of age identification. Any of that information inputted into the store’s system then becomes vulnerable to the controls of a third-party processor that hosts data, she explains.
Any servers used to store that information that don’t reside in Canada can be subject to the laws of that other jurisdiction, such as the United States’ anti-terrorism Patriot Act or its Clarifying Lawful Overseas Use of Data Act, which allows U.S. officials and foreign governments more access to personal data stored in the cloud.
“There’s a good chance that that processor is actually an affiliate or foreign processor that may actually have other obligations under other laws to disclose that data,” she says. “Then they would have to disclose it, subject to due process, obviously. That’s why the commissioner is advising that individuals may want to purchase cannabis from retailers who keep the personal information in Canada.
“Again, you have to dig a little deeper than that. It’s not just about keeping it in Canada; it’s who is the entity that is actually hosting it and where are they geographically located and where are their servers located.”