Has your privacy gone up in smoke?

  • March 13, 2019
  • Margery Pazdor and Katherine Rusk

The use and sale of recreational cannabis became legal in Canada on Oct. 17, 2018. Legalization brought with it a number of notable legal concerns, with privacy becoming a headline issue that lawyers, consumers, and businesses need to keep in mind.

Cannabis is still not legal in many countries, and even with legalization in Canada the consumption of cannabis continues to be highly stigmatized both in Canada and elsewhere. As a result, information regarding the purchase and use of cannabis continues to be highly sensitive, even leaving aside the medical data that has been the major focus of privacy advocates pre-legalization.

While the details around the sale and consumption of recreational cannabis are still being developed, at this point many consumers of recreational cannabis are required to provide a significant amount of personal information in order to purchase the product. In part, this is due to the fact that many consumers can only access the product by ordering online. In Ontario at the moment, consumers can only order online through the Ontario Cannabis Store. This is slated to change in 2019, but for now consumers have only one option. In British Columbia, it is still virtually impossible for most consumers to purchase cannabis in person – a handful of licensed stores were open in the province at the time of writing, none of which are located in the Lower Mainland. Most consumers are therefore forced to order their product online. When they do so, they are required to provide their names, addresses, credit card information, and date of birth. In fact, a date of birth is required even to access most cannabis retailers' websites, and it is then stored through online cookies for the consumers' convenience.

Any storage of personal information creates a risk that the information could be accessed inappropriately, with consumer privacy breached. For example, within days of legalization a breach did in fact occur in Ontario. On Nov. 1, 2018, the Ontario Cannabis Store learned that certain personal information of some 4,500 of its customers had been accessed through a vulnerability in Canada Post’s online tracking tool.[1] This breach also affected the individuals who had signed for package delivery, even if they had not purchased the cannabis in the first place.

In addition to the normal risks resulting from data breaches – ranging from unauthorized credit card purchases to identity theft – in the case of data relating to cannabis, public disclosure of the mere fact of a purchase could have a significant impact on certain individuals. Some employers, for example, are prohibiting the consumption of cannabis altogether by their employees. As such, a data breach disclosing that an employee under such a prohibition had purchased cannabis from an online store could have significant consequences for that employee.

For cannabis consumers who live in apartment complexes or condominiums, an additional risk to privacy is the requirement that the person signing for the package delivery (such as a concierge or building manager) provide proof of age before accepting the parcel. This unique requirement means that the resident is immediately revealed as having ordered cannabis. Some buildings are refusing to accept packages that require proof of identification entirely.

Retailers and consumers should be considering what personal information needs to be gathered in the first place. British Columbia’s Office of the Information and Privacy Commissioner has released a Guidance Document for private cannabis retailers and purchasers, explaining how BC’s Personal Information Protection Act should apply.[2] The guidance document encourages cannabis businesses to collect and store the minimum amount of personal information. For example, the Guidance Document encourages cannabis businesses to review personal identification for in-person sales to ensure minimum age compliance, but not to record the individual’s information. Federally, the Personal Information Protection and Electronic Documents Act provides that businesses must limit the amount and type of personal information gathered to the minimum amount necessary to fulfil the required purposes. However, in some cases retailers may not even realize they are collecting personal information – for example, in Prince Edward Island the government-run retailer was using a device to scan ID cards in order to verify the legitimacy of the card, but was unknowingly and unintentionally storing the personal information from the ID card on the scanning device.[3]

The processing of credit card purchases of cannabis is an additional source of privacy risk. Credit card statements disclose cannabis purchases – for example, transactions with the Ontario Cannabis Store show up on statements as “OCS/SOC”, and purchases from the British Columbia Cannabis Store are shown as “BCS Online Vancouver.” Canadians on the move are also potentially at risk of credit card processing occurring in a jurisdiction where cannabis is not legal and having this information disclosed to law enforcement in those jurisdictions. The Office of the Privacy Commissioner plans to issue guidance for both retailers and consumers on cannabis transactions.[4]

In sum, the sale and use of recreational cannabis as it currently transpires poses risks to individuals’ privacy. As the industry develops, it is likely that many of these issues will be addressed and resolved. In the meantime, cannabis consumers and businesses should bear these risks in mind, and adapt accordingly. For businesses this will likely mean conducting privacy and security assessments to ensure that, having identified and mitigated the relevant risks, any personal information they are collecting is appropriately managed and protected.

Margery Pazdor is an advocate with Community Social Services Employers’ Association of BC, and Katherine Rusk is an associate with Bennett Jones.

End notes

1. Artuso, Antonella, “Names of recreational cannabis buyers hacked”, (November 18, 2018) Toronto Sun: https://torontosun.com/news/provincial/exclusive-names-of-recreational-cannabis-buyers-hacked.

2. Office of the Information & Privacy Commissioner for British Columbia, Guidance Document, PIPA: Protecting Personal Information: Cannabis Transactions, October 2018, https://www.oipc.bc.ca/guidance-documents/2248.

3. CBC News, “Privacy commissioner investigating personal data collection at cannabis stores,” (October 19, 2018) CBC online: https://www.cbc.ca/news/canada/prince-edward-island/pei-cannabis-stores-scanning-ids-1.4866267.

4. Colin Perkel, “Privacy commissioner concerned about potential fallout of credit card use for legal online pot purchases”, (November 18, 2018) The Globe and Mail: https://www.theglobeandmail.com/cannabis/article-privacy-commissioner-concerned-about-potential-fallout-of-credit-card/.