Privacy compliance for private sector cannabis retailers part 2
By AdvocateDaily.com Staff
In the final instalment of a two-part series on privacy compliance for private-sector cannabis retail, Toronto business lawyer Peter Murphy looks at the privacy commissioner’s guidelines on the subject.
Recreational cannabis retailers will need legal help to balance regulatory compliance and customers’ privacy expectations, says Toronto business lawyer Peter Murphy.
Following the federal government’s recent legalization of the drug for recreational use, the Ontario government unveiled its own framework for its sale at bricks-and-mortar outlets in the Cannabis Statute Law Amendment Act (CSLAA).
Meanwhile, the Office of the Privacy Commissioner of Canada (OPC) released its own guidelines to help private-sector cannabis retailers comply with the Personal Information Protection and Electronic Documents Act (PIPEDA).
In the first part of this series, Murphy, partner with Shibley Righton LLP, explained how the heightened sensitivity of cannabis purchase information raises the standards private operators must satisfy to comply with PIPEDA and to succeed in a market that promises to grow ever more competitive in the coming years.
“Some conflicts arise from the interplay between the heavily regulated environment of cannabis sales, and the demands of privacy law compliance,” he says. “Satisfying both will be a challenge, and retailers should seek expert privacy law and cannabis regulatory advice to assist them.”
Murphy says the OPC guidelines for privacy in cannabis sales are typical of most Canadian government missives on privacy law — written as they are in “broad strokes” and without many specifics requirements.
“While the principles-based guidelines afford retailers some flexibility, they also make it more difficult for retailers to know if they are in compliance,” he says. "Knowledge of how the privacy law has been interpreted and applied in the past is necessary to achieve compliance in the present, particularly in this new industry."
For example, Murphy points out that the OPC's guidelines advise retailers to only collect and use personal information in a way that “a reasonable person would consider to be appropriate in the circumstances.”
“That language reflects PIPEDA, and it’s important for retailers to be aware that this 'reasonable person' standard applies regardless of whether or not the individual consented to the collection or use of the information,” Murphy says.
He says the OPC's guidelines "urge retailers to obtain meaningful consent to the collection and use of customer personal information, by informing customers about what is being collected and why, as well as who it may be disclosed to, and any residual risks of harm," he says.
"Retailers will have to develop procedures with care to ensure consent is obtained in a compliant way."
Murphy says the OPC's guidelines also call for cannabis retailers to use video surveillance only if “less privacy-intrusive measures cannot achieve the same ends,” and requires retailers to notify individuals with clearly visible signage before they enter the store.
He says these guidelines could bump up against Ontario’s cannabis regulations, which require 24-hour video surveillance both inside and outside stores.
“While the cannabis regulations make video surveillance a must for retailers, the privacy law still applies,” Murphy says. “Retailers must have policies and procedures in place to limit employee access to the recordings to those who need it for legitimate purposes, to ensure the information is properly safeguarded and to ensure the videos are retained only as long as they’re needed — keeping in mind the retention requirements in the cannabis regulations.”
Another potential conflict arises in the area of customer identification, he says, because provincial regulations require retailers to check customers’ identification to prove they are over 19 years of age.
"The regulations also require retailers to provide the regulator, on request, with records demonstrating the retailer's compliance with this requirement."
Murphy says retailers may be tempted to keep copies of customer IDs in order to ensure they have the necessary records to satisfy the regulator.
Doing so, he says, "would likely be in breach of privacy laws. For example, the OPC guidelines direct retailer to only collect the least amount of personal information necessary to achieve the retailer's legitimate purpose.
“Customers are not going to be comfortable with retailers keeping copies of their IDs, given the sensitivity of the personal information,” he says. "Retailers should establish some other form of documentation to satisfy the regulator, such as policies and procedures and employee sign-off sheets."
The sensitive nature of buying cannabis also raises concerns about the use of payment cards and where that information will be processed, says Murphy. While PIPEDA does not bar custodians of personal information from processing data on servers outside Canada, the guidelines are clear that it is generally safer to use servers based in this country.
"There is a good chance that payment card information will be processed outside Canada, making that information potentially accessible by foreign law enforcement," he says.
“Retailers should notify customers up front if payments will be processed outside Canada,” Murphy says. “Consumers who are mindful of that fact may choose to patronize retailers who provide an assurance that their information will not be processed at any point outside Canada, or they may wish to limit their purchases to cash transactions.”
The OPC guidelines conclude by noting that organizations must create privacy policies and practices to comply with PIPEDA, including procedures for accepting and responding to complaints from customers. To ensure they are effective, the OPC also recommends training for all staff.
“Retailers should keep in mind that policies are not static documents,” Murphy says. “They must reflect the existing practice of the organization and the current state of both privacy laws and cannabis regulations, which means they need to be regularly updated and consistently followed in practice.”
Click here to read part one, where Murphy discussed the role that privacy will play in the market.