April 1, 2019
By Amanda Branch and Jennifer McKenzie
Recreational cannabis became legal in Canada on October 17, 2018 and privacy-conscious consumers quickly voiced concerns about the collection of personal information, particularly during the purchasing process.
One of the stated purposes of the “Cannabis Act”, the federal law that legalizes cannabis, is “to provide for the licit production of cannabis to reduce illicit activities in relation to cannabis”. However, there have been some reports about the perception among consumers that one of the main advantages of purchasing from the illicit market is that cash transactions have no paper trail so privacy is preserved. This is especially true in those provinces where retail sales are publicly and not privately run. (It is reported that the black market continues to thrive because of the supply issues experienced by the legal channels of trade, but that’s another issue!) Even though recreational cannabis is legal in Canada, it remains illegal in most other countries, and there is arguably still a stigma surrounding recreational use. As a result, privacy is paramount.
In December 2018, the Office of the Privacy Commissioner of Canada (the “OPC”) released guidance titled Protecting personal information: Cannabis transactions (the “OPC Guidance”). The OPC Guidance is adapted from an earlier document released by the Office of the Information and Privacy Commissioner for British Columbia called Protecting personal information: Cannabis Transactions, (the “BC Guidance”).
The Personal Information Protection and Electronic Documents Act (“PIPEDA”) applies to private sector organizations in Canada that collect, use, or disclose personal information in the course of commercial activity, except where that activity takes place entirely within a province with “substantially similar” legislation (currently Quebec, Alberta and British Columbia). The British Columbia Personal Information Protection Act (“PIPA”) applies to any private organization that collects, uses and discloses the personal information of individuals in British Columbia.
Personal information is any “information about an identifiable individual”. This is a very broad definition and can include things like name, address, government-issued identifiers, health information and medical records, financial information and biometric data.
Under PIPEDA and PIPA, businesses may collect personal information only to the extent that it is necessary for the purposes identified by the organization (see here for our discussion on the OPC’s Guidance on inappropriate data practices: Interpretation and application of subsection 5(3)). These purposes must be in line with what a reasonable person would consider appropriate in the circumstances.
Organizations must also obtain consent before collecting any personal information, subject to limited exceptions. In particular, individuals must be made aware of what personal information is being collected, to which parties it will be disclosed, the purposes for its collection, and any residual risks of harm (see here for our discussion on the OPC’s Guidelines for obtaining meaningful consent).
PIPEDA recognizes that there are circumstances where consent is implied. For example, when you purchase a product online, the retailer has implied consent to collect your credit card number, the name as it appears on your credit card, and your billing and shipping address, all for the purpose of completing the purchase transaction.
Both guidance documents advise cannabis retailers to:
Similarly, both guidance documents offer the following suggestions to consumers:
Both guidance documents note that cannabis retailers:
Both guidance documents state that the personal information of cannabis users is considered very sensitive, particularly because cannabis is illegal in many countries outside Canada and, as a result, Canadian cannabis users may be denied entry to a foreign country if it is known they have purchased cannabis, even if done legally. As a result, retailers should consider storing personal information inside Canada and use caution if storing in the cloud or on a third-party proprietary system, particularly if these are located outside Canada, as that could result in the personal information being accessed by foreign law enforcement.