Written by Michael R. Whitt Q.C., James D. Beeby, Stephen D. Burns, Kees de Ridder and Graeme S. Harrison

Following the recent legalization of cannabis, private retailers are open for business from coast to coast. While cannabis remains illegal in other jurisdictions, cannabis users' personal information is highly sensitive. In light of this, British Columbia's Privacy Commissioner has issued a guidance document to help retailers understand their obligations.

The guidance is rooted in the Commissioner's interpretation of the Personal Information Protection Act (British Columbia), in particular section 11, which provides that "…an organization may collect personal information only for purposes that a reasonable person would consider appropriate in the circumstances…"

The Commissioner emphasizes retailers' need to inform individuals about what personal information is being collected, and the purposes for such collection; and recommends a set of best practices for cannabis retailers:

• use video surveillance only if less privacy-intrusive measures, such as hiring a security guard, are unsuccessful;
• post clearly visible signs outside retail locations warning of any video surveillance;
• for in-person cannabis transactions, request ID to ensure the purchaser is over 19 years old, but do not record the purchaser's personal information;
• if a purchase is made using a credit card, collecting the credit card number and cardholder's name is permissible;
• collect the least amount of information possible, e.g., if a retailer offers a membership club or newsletter, collect email addresses but not names;
• avoid storing customers' personal information on cloud services, especially those located outside of Canada;
• establish physical security measures, such as locking filing cabinets and management offices, and shredding documents;
• establish technological security measures, such as encryption, firewalls, restricting employee access, using unique electronic IDs for each staff member, and deleting personal information that is no longer needed; and
• establish administrative security measures, such as privacy policies, mandatory staff training, regular risk assessments, complaint response processes, designation of a privacy officer, and compliance monitoring.

On top of the B.C. Commissioner's guidance, retailers may want to consider the extent of any detailed content in information about the transaction provided to point-of-sale, card clearance, or payment processors, and attempt to avoid explicitly disclosing information which might incriminate their customers in jurisdictions where cannabis purchase or use is not permitted.

For instance, a generic transaction description might provide less risk to the customer than a description detailing a purchase of what may be an illegal substance in other jurisdictions. The vendor might instead use a reference-type description of a transaction, such as a token, serial number, or link, which can be accessed by the vendor, but not by third parties, for purposes of managing the vendor's relationship with the customer.

The Act is deliberately vague in its requirement that organizations make "reasonable security arrangements to prevent unauthorized access" to personal data in their custody. This requires organizations to update their physical, technological, and administrative security measures as technology and industry advance. When reading guidance documents provided by the Commissioner, one must consider the regulator's role in promoting consumer privacy protections—in some cases, the guidance may be more stringent than courts have or may interpret commercial obligations. 

If you would like to learn more about what your business can do to comply with Canada's privacy laws, members of our Privacy and Data Protection team can assist.