Protecting personal information: cannabis retailers and purchasers take note
Given the highly sensitive nature of cannabis-related transactions, it is vital that organizations take all necessary precautions to safeguard the personal information of customers.
Canadian privacy law requires organizations that undertake commercial transactions using personal information to comply with the Personal Information Protection and Electronic Documents Act (PIPEDA). The CMA’s Privacy Compliance Guide addresses the operative parts of the legislation section-by-section, followed in each case by commentary and recommended member action.
The Office of the Privacy Commissioner of Canada (OPC) recently released guidance which outlines the obligations of cannabis retailers and customers’ rights under PIPEDA.
Key takeaways include:
Data collection
| Advice from the Commissioner for retailers. |
Collect the least amount of personal information possible. |
|
|
Refrain from recording personal information, where possible. |
||
|
Consider collecting email addresses, but not names, for mailing lists or memberships. |
||
|
Determine whether less privacy intrusive alternatives to video surveillance are appropriate. Only use video surveillance as a last resort. |
|
Advice from the Commissioner for purchasers. |
When purchasing cannabis, do no provide the retailer with more personal information than necessary. You may need to show your identification to verify age. |
|
|
If you are concerned about using credit card, and the option is available, consider using cash to purchase cannabis. |
||
|
If you are providing personal information to join a membership club or mailing list, consider the risks involved, and ask how your personal information will be stored. |
Safeguarding information
| Advice from the Commissioner for retailers. |
Ensure adequate physical, technological, and organizational security measures are in place to safeguard personal information, and that these measures recognize and respond to the sensitivity of this information. |
|
|
Designate a privacy officer. |
||
|
Create internal policies and train staff on them. |
||
|
Visit the OPC’s Privacy Toolkit for Businesses for guidance on how to comply with PIPEDA. |
|
Advice from the Commissioner for purchasers. |
If you have concerns about a retailer’s collection, use, storage, disclosure, or disposal of your personal information, ask to speak with their privacy officer. |
|
|
Ask retailers whether they store your personal information on servers outside of Canada. Opt to only purchase cannabis from those who keep your personal information in Canada. |
Also important to note is that the British Columbia Privacy Commissioner recently issued guidance for cannabis retailers and purchasers that outlines rights and obligations under British Columbia’s Personal Information and Protection Act which is substantially similar to PIPEDA.
Questions or comments? E-mail us – we want to hear from you.
