Protecting personal information: Cannabis transactions
December 2018
On this page
- Purpose of this guidance document
- Personal Information
- Only Collect What is Needed
- Safeguarding personal information
This document is adapted from guidance developed by the Office of the Information and Privacy Commissioner for British Columbia.
Purpose of this guidance document
On October 17, 2018, cannabis became legal in Canada. The Personal Information Protection and Electronic Documents Act (PIPEDA) applies to any private organization in Canada that collects, uses, or discloses personal information in the course of commercial activity, except where that activity takes place entirely within a province with “substantially similar” private sector privacy law (currently Quebec, Alberta and British Columbia).Footnote 1
Cannabis is illegal in most jurisdictions outside of Canada. The personal information of cannabis users is therefore very sensitive. For example, some countries may deny entry to individuals if they know they have purchased cannabis, even lawfully. This guidance document was created to help cannabis retailers and purchasers understand their rights and obligations under PIPEDA.
Personal information
PIPEDA defines personal information as “information about an identifiable individual.” This is a broad definition that can include name, date of birth, phone number, address, driver’s license number, medical information, physical description, social insurance number, financial information (such as a credit card number), and more.
Only collect what is needed
PIPEDA limits the collection of personal information by organizations, including private sector cannabis retailers, to that which is necessary for the purposes identified by the organization. Additionally however, section 5(3) of PIPEDA requires that the purposes are in line with what a reasonable person would consider to be appropriate in the circumstances, which means that the sensitivity of the information and the context for its collection are some of the factors to be considered in determining what personal information needs to be collected. For more information, see our Guidance on inappropriate data practices: Interpretation and application of subsection 5(3).
PIPEDA also generally requires retailers to obtain meaningful consent before collecting any personal information, subject to narrow exceptions. This means, in part, that retailers need to inform individuals about what personal information is being collected, to which parties it will be disclosed, the purposes for its collection, and any residual risks of harm. For more information, see our Guidelines for obtaining meaningful consent.
As requirements may differ across jurisdictions, cannabis retailers should be clear on what information they are required to collect during in-person transactions. For instance, it may be the case that while cannabis workers in a given province may request and review identification, such as a driver’s licence, to ensure the purchaser is the necessary age within that province, they are not required to record this information. Similarly, medical information or other personal information is often not required to purchase cannabis or cannabis products in person.
There may be some circumstances where a cannabis retailer may be authorized to collect additional personal information. For example, a purchase made using a credit card would involve the collection of the credit card number and cardholder’s name.
Similarly, if a retailer offers a membership club or distributes a mailing list, they may collect email addresses for those who sign up. Retailers should consider only collecting the minimum amount of personal information required for mailing lists or memberships.
If a retailer is considering using video surveillance to monitor the store, it is important to note that capturing an individual’s image or voice constitutes a collection of personal information. Again, PIPEDA generally requires consent before the collection of personal information. Retailers should only use video surveillance if less privacy-intrusive measures cannot achieve the same ends. If retailers choose to use video surveillance, they must notify individuals with signage that is clearly visible to anyone before entering the store. That way, individuals can choose to shop elsewhere if they do not want the retailer to collect their personal information. For more information, see our Guidelines on Overt Video Surveillance.
Individuals seeking to purchase cannabis or cannabis products online from retailers also need to be made aware when the retailer is collecting their personal information (such as name, date of birth, home address, credit card number, purchase history, or email address). Providing personal information, especially through online formats, creates additional risks that purchasers need to consider.
One way to minimize the possibility of disclosure to foreign governments (given that cannabis use is not legal in most other jurisdictions), and reduce the impacts of a data breach, or other incidents that reveal purchasers’ names or other personal information, is to refrain from recording customers’ personal information.
| Advice from the Commissioner for retailers |
|---|
| Collect the least amount of personal information possible. |
| Refrain from recording personal information, where possible. |
| Consider collecting email addresses, but not names, for mailing lists or memberships. |
| Determine whether less privacy intrusive alternatives to video surveillance are appropriate. Only use video surveillance as a last resort. |
| Advice from the Commissioner for purchases |
|---|
| When purchasing cannabis, do not provide the retailer with more personal information than necessary. You may need to show your identification to verify age. |
| If you are concerned about using your credit card, and the option is available, consider using cash to purchase cannabis. |
| If you are providing personal information to join a membership club or mailing list, consider the risks involved, and ask how your personal information will be stored. |
Safeguarding personal information
If a retailer collects personal information such as name, credit card number, email address, or any other personal information from purchasers, this information must be stored securely.
Privacy officer
Retailers must designate someone to be responsible for ensuring compliance with PIPEDA. The organization must provide that person’s position name or title and contact information when requested.
Security measures
Cannabis retailers must protect the personal information in their custody or under their control by making appropriate security arrangements to prevent unauthorized access, disclosure, use, copying, or modification. This means ensuring physical, technological, and organizational security measures are in place to store personal information. In determining what security arrangements are “appropriate”, retailers should be mindful that the sensitivity of the information in question will enhance the level of protection required under PIPEDA. In addition, personal information can only be used for the purpose for which it was originally collected and should only be kept for as long as necessary to fulfil that purpose. Once the purpose is no longer necessary, the personal information should be securely destroyed.
- Physical security measures include:
- locking or restricting access to locations with records containing personal information (i.e. filing cabinets and management offices); and
- using appropriate security measures such as cross-shredding documents when destroying personal information.
- Technological security measures for personal information held in computer systems include:
- use of unique electronic user IDs for each staff member or purchaser;
- strong passwords;
- encryption;
- firewalls; and,
- deleting personal information once it is no longer needed.
- Organizational safeguards include:
- Restricting employee access to personal information they do not need to access to perform their job duties;
- Mandatory staff training; and,
- Security screening of staff.
In addition, retailers should conduct regular risk assessments and compliance monitoring to see if program controls need to be updated and to ensure the organization is meeting the requirements of PIPEDA.
Keep in mind that storing data in the Cloud or in proprietary software means there is likely transfer or storage of that personal information outside of Canada, which could then potentially be accessed by foreign law enforcement. Again, given the fact that cannabis use is not legal in most other jurisdictions, potential access to this data by foreign governments is of particular concern, which means it will generally be more privacy protective to store personal information on a server located in Canada.
Privacy policies
Private organizations are required by law to develop policies and practices to meet their responsibilities under PIPEDA, including developing a process to respond to complaints about management of personal information. These policies support an organization’s accountability, and are critical to building trust and mitigating privacy risk. However, internal policies and practices are only effective when management and staff understand and are committed to following them. The best way of ensuring this is for management to emphasize that protection of personal information is a company priority and to ensure that all staff are trained in, understand, and follow the privacy policy in everyday transactions. For more information, organizations may want to read Getting Accountability Right with a Privacy Management Program.
As noted prior, external privacy notices must also provide individuals with sufficient information about an organization’s practices to ensure consent is meaningful. Retailers who have websites, and especially those with a membership login, should in particular ensure that they inform visitors to the webpage about any additional personal information collected (such as tracking cookies and website analytics) and the reasons for collection.
| Advice from the Commissioner for retailers |
|---|
| Ensure adequate physical, technological, and organizational security measures are in place to safeguard personal information, and that these measures recognize and respond to the sensitivity of this information. |
| Designate a privacy officer. |
| Create internal policies and train staff on them. |
| Visit the OPC’s Privacy Guide for Businesses for guidance on how to comply with PIPEDA. |
| Advice from the Commissioner for purchasers |
|---|
| If you have concerns about a retailer’s collection, use, storage, disclosure, or disposal of your personal information, ask to speak with their privacy officer. |
| Ask retailers whether they store your personal information on servers outside of Canada. Opt to only purchase cannabis from those who keep your personal information in Canada. |
- Date modified: