B.C. Privacy Commissioner Issues Guidance Regarding Cannabis Transactions

November 07, 2018

Written by Michael R. Whitt Q.C., James D. Beeby, Stephen D. Burns, Kees de Ridder and Graeme S. Harrison

Following the recent legalization of cannabis, private retailers are open for business from coast to coast. While cannabis remains illegal in other jurisdictions, cannabis users' personal information is highly sensitive. In light of this, British Columbia's Privacy Commissioner has issued a guidance document to help retailers understand their obligations.

The guidance is rooted in the Commissioner's interpretation of the Personal Information Protection Act (British Columbia), in particular section 11, which provides that "…an organization may collect personal information only for purposes that a reasonable person would consider appropriate in the circumstances…"

The Commissioner emphasizes retailers' need to inform individuals about what personal information is being collected and the purposes for such collection, and recommends a set of best practices for cannabis retailers:

  • use video surveillance only if less privacy-intrusive measures, such as hiring a security guard, are unsuccessful;
  • post clearly visible signs outside retail locations warning of any video surveillance;
  • for in-person cannabis transactions, request ID to ensure the purchaser is over 19 years old, but do not record the purchaser's personal information;
  • if a purchase is made using a credit card, collecting the credit card number and cardholder's name is permissible;
  • collect the least amount of information possible, e.g., if a retailer offers a membership club or newsletter, collect email addresses but not names;
  • avoid storing customers' personal information on cloud services, especially those located outside of Canada;
  • establish physical security measures, such as locking filing cabinets and management offices, and shredding documents;
  • establish technological security measures, such as encryption, firewalls, restricting employee access, using unique electronic IDs for each staff member, and deleting personal information that is no longer needed; and
  • establish administrative security measures, such as privacy policies, mandatory staff training, regular risk assessments, complaint response processes, designation of a privacy officer, and compliance monitoring.

On top of the B.C. Commissioner's guidance, retailers may want to consider how much detail about the transaction is provided to point-of-sale, card clearance, or payment processors, and attempt to avoid explicitly disclosing information that might incriminate their customers in jurisdictions where cannabis purchase or use is not permitted.

For instance, a generic transaction description might pose less risk to the customer than a description detailing a purchase of what may be an illegal substance in other jurisdictions. The vendor might instead use a reference-type description of a transaction, such as a token, serial number, or link, which can be accessed by the vendor, but not by third parties, for purposes of managing the vendor's relationship with the customer.

The Act is deliberately vague in its requirement that organizations make "reasonable security arrangements to prevent unauthorized access" to personal data in their custody. This requires organizations to update their physical, technological, and administrative security measures as technology and industry advance. When reading guidance documents provided by the Commissioner, one must consider the regulator's role in promoting consumer privacy protections: in some cases, the guidance may be more stringent than the way courts have interpreted, or may interpret, commercial obligations.

If you would like to learn more about what your business can do to comply with Canada's privacy laws, members of our Privacy and Data Protection team can assist.


Authors

  • James D. Beeby, Partner
  • Stephen D. Burns, Partner, Trademark Agent
  • Kees de Ridder, Associate, Patent Agent
