Dude, where’s my data? The OPC’s privacy guidance to cannabis retailers and purchasers

Canadian Lawyer Online — IT Girl Column
 

With much fanfare, recreational cannabis became legal in Canada on October 17, 2018. On December 17, 2018, the Office of the Privacy Commissioner of Canada published preliminary guidance for cannabis retailers and customers regarding the protection of personal information collected during such transactions, including online transactions.

Adapted from previous guidance published by the Office of the Information and Privacy Commissioner for British Columbia, the OPC guidance is intended to remind cannabis retailers and purchasers that are subject to the Personal Information Protection and Electronic Documents Act of their obligations, given the sensitive nature of cannabis transactions which largely remain illegal outside of Canada.   

Subject organizations include private sector businesses in Canada that collect, use or disclose personal information during commercial activity, unless it takes place entirely within a province with “substantially similar” private sector privacy law, which currently includes only Alberta, British Columbia and Quebec. The Guidance correctly notes that if the cannabis retailer is operated by a provincial government or if health information is collected, then provincial public sector and health privacy legislation may apply to this activity rather than PIPEDA.

While the guidance contains much useful advice, much of its application is currently limited in Ontario as recreational cannabis can currently only be purchased online exclusively from the Ontario Cannabis Store, rather than at physical stores.   

Accordingly, the OCS’s privacy policy notes that customer information is subject to Ontario’s Freedom of Information and Protection of Privacy Act rather than PIPEDA. However, the Guidance will eventually become more pertinent when the Government of Ontario authorizes private retail cannabis outlets, which is expected to occur on April 1, 2019 with the OCS acting as the wholesaler to such establishments.

The guidance stressed a number of critical themes under PIPEDA, as follows.

Only collect what is needed 

In some respects, it’s business as usual for private sector cannabis retailers, who are cautioned that they should only be collecting personal information for the purposes identified by the organization and that any such purpose has to be in line with what a “reasonable person” would consider to be appropriate in the circumstances. Moreover, cannabis retailers will also have to obtain “meaningful consent” from individuals before collecting their personal information, which includes telling customers what personal information is being collected, to which parties it will be disclosed, the purposes for its collection, and risks of harm. For example, if a retailer plans to use video surveillance to protect its store (although the OPC considers the use of video surveillance as a last resort) it must warn individuals of such activity using visible signage before the customer enters the store and is recorded.

Not surprisingly, the OPC stressed that retailers should collect the least amount of personal information possible from customers, given the likelihood of potential data breaches and the possible disclosure of personal information across the border to foreign governments, and should avoid recording personal information where possible. The OPC also suggested collecting email addresses, but not names, for mailing lists and memberships.

When purchasing cannabis, the OPC also advises individuals not to provide the retailer with more personal information than necessary and specifically recommends that if users are concerned about using credit cards (and the option is available), then cash should be used to buy cannabis. Regrettably this approach is not available to users of the OCS website, which currently accepts VISA, Mastercard and American Express, VISA Debit, Debit MasterCard and pre-paid credit cards – but not cash.

The OCS requires customers to provide their names, addresses, email, telephone numbers and payment card information when products are ordered from the website. Customers are also asked to verify that they are at least 19 years old to confirm their purchase.  

On a more positive note, while prospective customers that wish to peruse the OCS website are asked to enter their date of birth to confirm that they are 19 years of age or older to legally access the website’s content, the OCS’ Privacy Policy advises that the visitor’s date of birth is not used for other purposes, or kept or stored by OCS after the visitor closes their browser session.

Ensure adequate security measures

Any personal information collected by a retailer, such as name, credit card number, email address or any other personal information must be stored securely in accordance with PIPEDA’s requirements. 

The guidance emphatically states that cannabis retailers must protect the personal information of customers in their custody and control by making appropriate security arrangements to prevent unauthorized access, disclosure, use, copying or modification. Retailers are expected to employ physical, technological and organizational security measures to store personal information. Per its privacy policy, the OCS states that it “employs organizational, contractual, technical and physical security measures” to protect personal information under its custody and control. The Guidance also stresses that personal information should only be used for the purpose for which it was originally collected and should only be kept as long as necessary to fulfill the purpose, after which it should be securely destroyed. For example, paper documents should be cross-shredded.

The OPC recommends that technological security measures for computer systems holding personal information include: the use of unique electronic user IDs for each staff member or purchaser; strong passwords; encryption; firewalls; and deleting personal information when it is no longer needed. Organizational methods include restricting employee access to personal information unless it is required to perform their job duties, implementing mandatory staff training and staff security screening. Retailers are also expected to conduct regular risk assessments and compliance monitoring to ensure that they are meeting PIPEDA requirements, updating program controls if and as necessary.

Store personal information on Canadian servers to minimize cross-border privacy concerns 

The OPC astutely acknowledges that the use of certain cloud services or proprietary software to store personal information regarding cannabis purchases may lead to the transfer of such data outside of Canada, thereby increasing the risk of potential access to such data by foreign law enforcement or governments. Thus, the OPC flagged the very real concern that potential access to this data by such foreign governments will be problematic for cannabis users, given the continued illegality of cannabis worldwide.

The guidance notes that it is more “privacy protective” to store personal information regarding cannabis acquisition on servers located in Canada and then more forcefully recommends that customers ask cannabis retailers whether their personal information is stored on servers outside of Canada. The OPC even goes so far as to suggest that purchasers may want to opt to “purchase cannabis from those retailers who keep your personal information in Canada.” Interestingly, the OCS speaks to this concern in its privacy policy, stating that it “stores customer personal information under its custody or control in Canada.”

While some Canadian cannabis retailers may wish to heed such advice by choosing local Canadian cloud vendors, in my view they will also be required to engage in further due diligence to confirm that such so-called Canadian cloud providers actually host and retain all their data on servers located in Canada rather than using third-party service providers, subcontractors and sub-processors or Canadian affiliates of large foreign vendors whose actual networks (or portions thereof) are located in other jurisdictions, which still puts Canadian personal information at risk of third party government or other exposure.  

Any such cloud-computing agreements between such Canadian cannabis retailers and cloud vendors should also contain the necessary contractual provisions to specify and lock-down the location of customer personal information held by such cloud vendor and its subcontractors and sub-processors and the servers used to host and store such data.

Designate privacy officers

All cannabis retailers are required to designate privacy officers who are responsible for ensuring compliance with PIPEDA and such organizations must provide that person’s position, name or title and contact information when requested by a customer or otherwise. It is also expected that such persons will be responsible for responding to any customer concerns regarding the collection, use, storage, disclosure or disposal of personal information.

Create meaningful privacy policies

Under PIPEDA organizations are required to develop policies and practices to meet their responsibilities and demonstrate compliance. These include internal policies as well as external privacy notices. The Guidance reminds cannabis retailers that they are expected to emphasize the protection of personal information as company priorities and ensure that all of their staff are trained in, understand, and follow company privacy policies in everyday transactions. 

Publicly facing privacy policies must also provide individuals with enough information about the retailer’s practices to ensure that consent is meaningful. For example, cannabis retailers with websites must inform users about any personal information that they collect, including tracking cookies and website analytics, why such information is collected and of course, how it is being used by the retailer. The OCS’ privacy policy for example does transparently speak to the use by the OCS of website cookies, server log data, web analytics services, among other things.

In typical OPC fashion, certain aspects of the guidance are vague. For example, it’s great to say that cannabis retailers should employ strong passwords and encryption as mandatory technological security measures, but a cannabis retailer may reasonably ask what the OPC considers these to be or what minimum standards should be employed. Overall, the guidance is a good first step in reminding cannabis retailers of their obligations and cannabis consumers of their rights under PIPEDA.

This article originally appeared as Lisa's IT Girl column in Canadian Lawyer Online