As a result of the recent legalization of recreational cannabis in Canada, the Office of the Information and Privacy Commissioner for British Columbia (the “OIPC”) published guidelines (titled “Protecting Personal Information: Cannabis Transactions”) that aim to clarify the rights and obligations of both retailers and purchasers of cannabis under the Personal Information Protection Act (“PIPA”). As a reminder, PIPA applies to any private organization that collects, uses and discloses the personal information of individuals in British Columbia.
Cannabis remains illegal in most other countries around the world. As a result, transactions involving cannabis are often sensitive in nature. The potential stigma associated with the purchase or use of cannabis, as well as risks associated with cross-border information transfers, mean that retailers should tread carefully and ensure that any personal information collected, used, stored or disclosed is properly handled.
Accordingly, the OIPC has provided the following guidelines for retailers engaged in the sale of cannabis. For context, both private and public retailers are authorized to sell cannabis in BC, but only the government retailer is permitted to sell online.
1. Limit the collection of personal information to what is necessary
Cannabis retailers should only collect personal information that a reasonable person would consider “appropriate under the circumstances.” They are also required to obtain prior informed consent before collecting any personal information.
The guidelines provide an example where a retailer can request and review identification (e.g., a driver’s licence or other BC ID Card) to ensure that the consumer has reached the age of majority. However, there is no need to record this information. Also, medical information or other personal information is not required to purchase cannabis or cannabis products in person.
In the context of online purchases where more sensitive information may be collected (i.e., name, address and credit card information), vendors need to ensure that customers are aware of what information is being collected.
The guidelines also provide that if a retailer is considering using video surveillance to monitor the store, the capturing of an individual’s image or voice constitutes a collection of personal information and that consent needs to be obtained beforehand – which can be in the form of signage that is clearly visible to everyone. Accordingly, retailers should employ video surveillance only if less privacy-intrusive measures (e.g., hiring a security guard) are not possible.
To recap, the guidelines specifically provide the following advice to retailers:
- Collect the least amount of personal information possible;
- Consider collecting email addresses, but not names, for mailing lists or memberships; and
- Determine whether less privacy-intrusive alternatives to video surveillance are appropriate. Only use video surveillance as a last resort.
2. Employ appropriate safeguards for the storage of personal information
As a general proposition, the guidelines provide that any information collected from purchasers of cannabis must be stored in a secure manner by retailers. The OIPC highlights the following measures to be taken in order to comply with PIPA:
- Designate a privacy officer to be in charge of ensuring compliance with PIPA;
- Employ reasonable physical, technological and administrative security measures to prevent any unauthorized access, collection, use or disclosure of personal information;
- Develop and maintain employee policies and practices related to privacy; and
- Ensure online retailers have clear and updated privacy policies in place.
Interestingly, the guidelines provide some level of detail around physical, technological and administrative security measures to be implemented. Retailers should view these as being minimal standards – a foundation on which more elaborate measures should be built.
While these guidelines have come out of the BC OIPC, they provide useful best practices for cannabis retailers in other Canadian jurisdictions. In-store and online retailers of cannabis and cannabis products must exercise caution when it comes to the collection, use, storage and disclosure of personal information in the context of cannabis transactions. Given that cannabis remains illegal in most other countries, online retailers should also be aware of the potential ramifications of cross-border data transfers to those countries. Retailers should undertake a thorough review of all internal policies with respect to the handling of personal data in the context of cannabis transactions, and update them accordingly.
PIPA defines personal information as “information about an identifiable individual.” This is a broad definition that encompasses name, date of birth, phone number, address, driver’s licence number, medical information, physical description, social insurance number, financial information (such as a credit card number), and more.