Pot & Privacy: BC Privacy Commissioner Issues Guidance for Protection of Personal Information in Cannabis Transactions
The Office of the Information and Privacy Commissioner for British Columbia has released a guidance document to help cannabis retailers and purchasers understand their rights and obligations under the Personal Information Protection Act (British Columbia) (“PIPA”).
The guidance document, “Protecting Personal Information: Cannabis Transactions” (the “Guidance Document”), highlights the fact that although cannabis became legal in Canada on October 17, 2018, it remains illegal in most other jurisdictions around the world, making personal information concerning cannabis users particularly sensitive information that must be properly collected and safeguarded.
PIPA, which applies to any private organization that collects, uses and discloses personal information of individuals in British Columbia, broadly defines “personal information” to include any information regarding an “identifiable individual”, which can include information such as name, phone number, driver’s licence number, credit card number, or other identifying information.
Cannabis Retailers Should Collect Only the Information They Need
The Guidance Document advises readers that PIPA requires private-sector cannabis retailers, like other organizations, to collect only personal information that a reasonable person would consider “appropriate in the circumstances”, as well as to obtain informed consent from individuals prior to collecting their personal information. In the case of a cannabis retailer, the Guidance Document states that while a retailer may review a customer’s identification to confirm they are of legal age to purchase cannabis, there is no need to record and keep this information. If a customer uses a credit card, on the other hand, a cannabis retailer is authorized to collect the credit card number and customer name to process the transaction. While a cannabis retailer can collect e-mail addresses from individuals who sign up for a membership club or mailing list, the Guidance Document recommends that the retailer collect the minimum amount of required information—for example, collecting only the individual’s e-mail address, and not their name. Indeed, the Guidance Document proposes that cannabis retailers can minimize risks of incidents such as foreign disclosure of customer information and data breaches by not recording any customer personal information.
Capturing a person’s image or voice constitutes a form of collection of personal information and therefore requires consent, typically obtained by posting clear signage that notifies individuals of the presence of video surveillance before they enter a retail space. The Guidance Document recommends that cannabis retailers use video surveillance as a last resort, and only if less “privacy-intrusive” options such as the use of a security guard are unsuccessful.
Storing Personal Information Securely
If cannabis retailers do record personal information from customers, they are required to store it securely, as with their employees’ personal information, by making “reasonable security arrangements to prevent unauthorized access, collection, use, copying, modification or disposal,” the Guidance Document states.
These protections include physical security measures, such as storing personal information in a locked or restricted location and cross-shredding documents when destroying personal information; technological security measures, such as password-protection and encryption and deletion of personal information once it is no longer needed; and administrative security measures, such as implementation of privacy policies and mandatory staff training. In addition, the Guidance Document recommends that retailers engage in regular risk assessments and compliance monitoring, and that data be stored on a server located in Canada to lessen the chances of unauthorized access and foreign disclosure. In addition, cannabis retailers must bear in mind that they can only use personal information for the purpose for which it was collected and should retain it only as long as necessary for that purpose.
Retailers are also required to designate a person as privacy officer responsible for ensuring that the organization complies with PIPA, and must provide the privacy officer’s position name or title and contact information on request.
Privacy Policies
As with other private organizations in British Columbia, cannabis retailers are required to develop policies and practices to meet their obligations under PIPA, including implementing a process for responding to complaints about handling of personal information. If the retailer has a website, the Guidance Document states that a separate privacy policy should be posted on the website disclosing all personal information collected and the reasons for which it is collected. In addition, the Guidance Document advises cannabis retailers to ensure that all staff are trained in, understand, and follow the retailer’s privacy policies.
Advice for Cannabis Purchasers
In addition to providing advice to cannabis retailers, the Guidance Document offers tips to cannabis purchasers to help them protect their personal information. Purchasers should provide cannabis retailers with only the information they need and should consider using cash for a transaction where possible. They should also consider associated risks if providing personal information to join a membership club or mailing list and should inquire as to how and where their personal information will be stored—and only disclose personal information to cannabis retailers who store personal information in Canada.
Cannabis purchasers may have a variety of concerns regarding the privacy of their purchases. These concerns include potential impacts on the purchaser’s reputation or business, and potential access to the information by American law enforcement if it is housed on a server in the United States. If cannabis purchasers have concerns regarding a cannabis retailer’s personal information practices, the Guidance Document advises them to ask to speak to the retailer’s privacy officer. Cannabis purchasers who purchase cannabis products online, including from retailers in other provinces, should be aware that their personal information is being collected to fulfill the sale, and that providing this information online creates additional security risks.
Conclusion
In the wake of the legalization of cannabis in Canada, the cannabis industry has been growing and evolving rapidly. As legal cannabis retailers obtain provincial licences and establish their retail operations and business practices in B.C., they should keep front of mind the particular sensitivity of personal information of cannabis purchasers and implement privacy policies and practices with respect to collection, storage, usage, and disposal of personal information that comply with PIPA. The Guidance Document provides a useful starting point to help cannabis retailers and purchasers consider the relevant requirements and issues.
Visit our Cybersecurity, Privacy & Data Management page and contact us with any questions or for assistance.