On October 17, 2018, the Federal Cannabis Act, S.C. 2018, c. 16 (“Act”) came into force and cannabis became legal across Canada. The Act regulates production, distribution and promotion of cannabis in Canada. Accompanying the legalization of cannabis has been a surge of new businesses to capitalize on the opportunity.
Most discussion of the Act and related business centers around the criminal, regulatory and employment implications of the legalization of cannabis, which are not insignificant. However, another aspect which has not been as widely considered is the privacy implications of cannabis businesses as they launch into selling cannabis and collecting customer data, including personal information.
Cannabis and privacy
As cannabis businesses become visible members of the Canadian commercial sector, they must be aware of and be compliant with privacy law requirements with respect to collection, use and disclosure of personal information (typically customer information, but this could include employee information as well).
Non-compliance with privacy laws and common law privacy obligations could mean financial and reputational liability for businesses, including cannabis businesses.
Different types of businesses will have different issues and potentially be subject to different privacy requirements. We therefore start by addressing the unique business model in Ontario and the privacy laws that apply to it, then turn to the federal privacy law requirements, province-specific cases, data residency issues and health information issues, and conclude with practical recommendations on how businesses entering the cannabis industry can meet the requirements of Canada’s privacy law framework.
While private sector businesses collecting personal information will be subject to federal or provincial private-sector privacy laws (and potentially health privacy laws), Ontario is somewhat unique in that it has established the Ontario Cannabis Retail Corporation, operating as the Ontario Cannabis Store (“OCS”), a Crown corporation established under the Ontario Cannabis Retail Corporation Act, S.O. 2017. The OCS is the exclusive legal online retailer for the sale of recreational cannabis in Ontario. Since the OCS is a Crown entity, its privacy obligations fall under Ontario’s Freedom of Information and Protection of Privacy Act, R.S.O. 1990 (“FIPPA”), which governs access to information held by public entities and the protection of personal information.
Shortly after going live in November 2018, the OCS experienced a data incident when its customers’ personal information was improperly accessed by an individual through a Canada Post delivery tracking tool. The OCS informed the Office of the Information and Privacy Commissioner of Ontario (“OIPC”) as well as the affected individuals. The OCS data breach incident serves as a reminder that cannabis organizations (whether government or private) are not immune to data incidents, and must manage their privacy obligations.
The Federal privacy law regime
The Personal Information Protection and Electronic Documents Act, S.C. 2000 (“PIPEDA”) is federal privacy legislation that applies to organizations that collect, use or disclose personal information in the course of their commercial activities. Commercial activity is defined broadly under PIPEDA and would capture most cannabis businesses. PIPEDA applies in those provinces that have not passed substantially similar provincial privacy legislation (to date, only BC, Alberta and Quebec have such provincial privacy legislation).
PIPEDA defines personal information broadly to mean information about an identifiable individual. This definition captures a wide array of information that can identify an individual such as name, address, date of birth, health information, and financial information. Business contact information is exempt. Private sector employee information is not covered (but may be subject to common law privacy considerations). Understanding the precise scope of PIPEDA and the meaning of personal information is relevant as cannabis businesses may collect information about their clients for business purposes such as customer relations management, sales records, marketing, retail sales and promotions, just to name a few.
Organizations subject to PIPEDA must have in place a comprehensive privacy program that addresses the ten privacy principles which are the foundation of PIPEDA. The full text of each principle is available in Schedule I of PIPEDA. Guidance on what the Office of the Privacy Commissioner of Canada (“OPC”) expects businesses to do to comply with each principle is available in the OPC’s Privacy Toolkit for Businesses.
In addition to these principles, PIPEDA contains an overriding obligation that any collection, use or disclosure of personal information must only be for purposes that a reasonable person would deem appropriate given the circumstances.
An organization is responsible for the protection and fair handling of personal information at all times. This applies throughout its organization and in dealings with third parties.
PIPEDA requires an organization’s security safeguards to be appropriate to the sensitivity of the information. In the federal Privacy Commissioner’s view, the personal information of cannabis users and purchasers will be considered “sensitive personal information”: “Cannabis is illegal in most jurisdictions outside of Canada. The personal information of cannabis users is therefore very sensitive. For example, some countries may deny entry to individuals if they know they have purchased cannabis, even lawfully.” Personal information that is considered sensitive will require heightened security safeguards, and cannabis businesses should take note of this.
In light of the mandatory breach notification provisions which came into force on November 1, 2018, compliance with PIPEDA has become even more important. The triggering event for notification is any breach of security safeguards involving personal information under an organization’s control, if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual. Compliance with the mandatory breach notification provisions essentially involves three key components: 1) assessing whether the incident is reportable; 2) if so, reporting it to the OPC in the form and manner required; and 3) notifying affected individuals in the form and manner required. This process also involves notifying other organizations where an organization reasonably believes doing so could mitigate harm.
In addition, even where an incident is not reportable, new record-keeping requirements oblige businesses to keep records of all breaches of security safeguards, regardless of their materiality.
It is an offence to knowingly contravene PIPEDA’s reporting, notification and record-keeping requirements relating to breaches of security safeguards, and doing so could lead to fines.
Province-specific privacy law requirements
In addition to PIPEDA, there are province-specific private-sector privacy laws that are substantially similar to PIPEDA. In Alberta, British Columbia and Quebec, the respective personal information protection legislation applies and imposes a substantially similar compliance regime. Privacy in Quebec is also governed by the Civil Code of Quebec (“C.C.Q.”), at articles 3 and 35 to 41. More specifically, article 35 states a general principle under which every person has a right to the respect of his or her reputation and privacy, and no one may invade the privacy of a person without the consent of that person unless authorized by law. Article 36 details the types of activities which may be considered an invasion of a person’s privacy.
Thus, cannabis businesses operating in those provinces should be particularly aware of any province-specific privacy laws and be familiar with the applicable provincial privacy regulator. Notably, Alberta also has a mandatory breach reporting regime and cannabis businesses that collect the personal information of persons in Alberta must be cognizant of the appropriate breach protocol.
Organizations, including cannabis businesses, may be subject to more than one privacy regime.
Data residency issue
Data residency refers to the geographical location of data. In some provinces, there are legislative requirements that impose specific data residency rules. In particular, in Nova Scotia and British Columbia, personal information held by public organizations must be kept in Canada unless limited statutory exceptions apply. For example, in both British Columbia and Nova Scotia, if an individual consents in a prescribed manner, the data may be transferred out of Canada. Data residency is likely not an issue for most cannabis businesses, provided that they are not public bodies. However, data residency issues could become relevant if a cannabis business becomes a service provider to a public sector organization in those provinces.
Private sector organizations in Quebec have to comply with the Act Respecting the Protection of Personal Information in the Private Sector, CQLR c P-39.1. This Act requires an organization contemplating transferring personal information outside of Quebec to take reasonable steps to ensure that the information will not be used for purposes not relevant to why it was collected, or communicated to third persons without the consent of the persons concerned, among other things.
Under Alberta’s privacy legislation, an organization that intends to transfer personal information outside of Canada for processing (e.g., outsourcing activities, including customer relationship management services) must first have provided notice to individuals of its policies and procedures addressing such transfers. It must also provide contact information for a person who can respond to questions regarding such activities.
Provincial privacy laws also apply to private sector employees, and cannabis businesses may have obligations in that regard as well.
Health information and privacy law issues
Cannabis businesses operating under a licence issued under the Cannabis Regulations, SOR/2018-144 (“Regulation”) will necessarily hold sensitive medical information due to the requirement to register clients. As such, licensed cannabis businesses operating under the Regulation will be subject to various provincial health information legislation.
In Ontario, for instance, the Personal Health Information Protection Act, S.O. 2004 (“PHIPA”) governs how personal health information is handled. It requires express consent for disclosure of personal health information, which could become an issue if the data is being transferred out of the province. Other provinces have enacted substantially similar health information legislation.
Practical recommendations for cannabis businesses and their privacy practices
Data, particularly personal information, is an increasingly important business asset in today’s digital economy, and cannabis businesses are embracing data uses being explored by other businesses – for instance, aggregating and/or anonymizing personal information for the purposes of performing analytics.
While much of this work will be of value internally, cannabis businesses will likely recognize their ability to generate revenue from derived insights, including customer segmentation and matching for the purposes of marketing.
Cannabis businesses which choose to participate in this emerging data ecosystem will need to be careful about obtaining appropriately scoped consents, as well as ensuring data ownership, licences, scope of use, and liability and indemnity provisions are addressed in any agreements with such third parties.
For more information about Denton’s data expertise and how we can help, please see our Transformative Technologies and Data Strategy page. For more information on Denton’s Cannabis practice, see our webpage.
1. See Office of the Privacy Commissioner of Canada, “Protecting personal information: Cannabis transactions”, December 2018.
2. Personal Information Protection Act, SA 2003, c P-6.5; Personal Information Protection Act, SBC 2003, c 63; Act Respecting the Protection of Personal Information in the Private Sector, CQLR c P-39.1.
3. S. 30.1, Freedom of Information and Protection of Privacy Act, RSBC 1996 [FOIPA]; s. 5, Personal Information International Disclosure Protection Act [PIIDPA].
4. S. 30.1(a) FOIPA; s. 5(1)(a) PIIDPA.
5. S. 297(1) Regulation.
6. S. 29(1) PHIPA.