Insights Header image
Insights Header image
Insights Header image

The Privacy Commissioner’s Guide to Protecting Personal Information in Cannabis Transactions

January 2019 Privacy Bulletin 3 minute read

The Office of the Privacy Commissioner of Canada recently released a guidance document for Canadian private sector cannabis retailers who collect personal information from their customers.

The safeguarding of personal information in the context of cannabis transactions is particularly significant since cannabis is illegal in most jurisdictions outside of Canada, which makes the collection and storage of personal information of cannabis users especially sensitive.

Collecting personal information in compliance with PIPEDA

The guidance document relates to compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA currently applies to all Canadian privacy sector cannabis retailers except those operating entirely in Quebec, Alberta or British Columbia, which have each enacted substantially similar privacy legislation.

PIPEDA defines personal information as “information about an identifiable individual,” and limits the collection of personal information to that which is necessary for the purposes identified by the organization. These purposes must be in line with what a reasonable person would consider appropriate in the circumstances.

Before collecting any personal information, PIPEDA requires cannabis retailers to obtain meaningful consent. In order to obtain meaningful consent, customers need to be informed of:

  1. what personal information is being collected;
  2. who their personal information will be disclosed to;
  3. the purposes for its collection; and
  4. any risks of harm.

Given the requirements of PIPEDA, the Privacy Commissioner recommends that cannabis retailers:

  • be clear on what information needs to be collected during in-person transactions, keeping in mind that requirements may differ across jurisdictions;
  • be aware of any circumstances that require the collection of additional personal information (i.e. credit card transactions, distributing mailing lists, and membership programs);
  • be cognisant of consent requirements when using video surveillance and determine whether less privacy intrusive alternatives are appropriate. If video surveillance is used, the retailer should notify individuals with signage that is clearly visible to anyone before entering the store;
  • be proactive in making online customers aware when their personal information is collected; and
  • refrain from recording personal information, where possible.

Adopting security measures to protect personal information

Cannabis retailers must store the personal information securely to prevent unauthorized access, disclosure, use, copying, or modification. The sensitivity of the information will enhance the level of protection required. For example, payment information and health information will require particularly secure protection mechanisms.

Appropriate security measures will include a combination of physical, technological, and organizational security controls. Examples of physical security measures include locking or restricting access to locations with records containing personal information and cross-shredding documents when destroying personal information. Technological security measures may include strong passwords, encryption and firewalls. Finally, organizational safeguards may include mandatory staff training and security screening of staff.

Cannabis retailers should also be particularly mindful of the risks associated with storing data in the Cloud since this may include the transfer or storage of personal information outside of Canada, which could then potentially be accessed by foreign law enforcement. When possible, storing personal information on a server located in Canada will generally be more privacy protective for cannabis retailers.

Adopting strong privacy policies

Private sector cannabis retailers are required develop effective privacy policies and practices, including a process to respond to complaints about management of personal information. These policies ensure accountability within the organization and helps to mitigate privacy risks. To ensure that such policies and practices are effectively implemented, management should conduct regular training of all staff members in privacy policies as it pertains to everyday transactions.

Retailers must also appoint a designated privacy officer who is responsible for ensuring compliance with PIPEDA. If requested, the retailer must provide that person’s position name or title and contact information.

by Mitch Koczerginski, Lyndsay Wasser and Sara Ruhani, Articling Student

a cautionary note

The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.

© McMillan LLP 2019

Insights (5 Posts)View More

Featured Insight

What’s New in the FAQs: Recent Competition Bureau Guidance on the Amendments to Canada’s Competition Act

Commenting on the Competition Bureau's FAQs describing how the Bureau will enforce the amended merger and reviewable conduct provisions of the Competition Act.

Read More
Dec 3, 2024
Featured Insight

Developer-Friendly Changes Proposed for Ontario’s Record of Site Condition Regime

Ontario is proposing to amend its Record of Site Condition legislation to streamline brownfield development and support other development projects.

Read More
Dec 3, 2024
Featured Insight

Buyer’s Remorse: Asset Purchaser Liable for Pre-Closing Employment Liabilities of Vendor

In a recent British Columbia decision, an asset purchaser was held liable for the pre-closing employment-related liabilities of the vendor.

Read More
Nov 29, 2024
Featured Insight

Reducing NSF Fees: Proposed Regulations Amending the Financial Consumer Protection Framework Regulations

The Governor in Council announced a proposal to amend regulations aimed at reducing non-sufficient funds (NSF) fees.

Read More
Nov 27, 2024
Featured Insight

Federal Court of Appeal Upholds Arrears Interest on Non-Existent Tax Debts: Bank of Nova Scotia v Canada, 2024 FCA 192

The Federal Court of Appeal upheld the charging of "arrears interest" on notional income tax liabilities that are completely offset by carry-backs.

Read More
Nov 27, 2024