The personal information of cannabis users is arguably highly sensitive. The potential stigma associated with the purchase or use of cannabis, as well as risks associated with cross-border information transfers, mean that cannabis retailers must exercise caution before selling personal information to licensed cannabis producers.
The Alcohol and Gaming Commission of Ontario (AGCO) recently published a guidance document called Inducements Rules for Licensed Cannabis Retailers. The guidance document states that as of June 30, 2022, Ontario cannabis retailers will be allowed to sell personal customer information to licensed cannabis producers. However, they will still be expected to follow applicable privacy laws and regulations.
This article discusses the current privacy law regime in Ontario and how cannabis retailers can legally collect and disclose personal information.
Privacy law for the private sector in Ontario
In Ontario, there is presently no provincial private sector privacy law, meaning the federal Personal Information Protection and Electronic Documents Act (PIPEDA) applies to most private sector organizations and businesses (including cannabis retailers and cannabis producers) in Ontario that are conducting “commercial activity,” with commercial activity being very broadly defined.
If a company is engaged in a “commercial activity,” it will likely fall under PIPEDA. The law affects the way organizations collect, use, and disclose personal information about individuals.
Given the fact that cannabis is illegal in jurisdictions outside of Canada, the personal information of cannabis users is arguably highly sensitive. The potential stigma associated with the purchase or use of cannabis, as well as risks associated with cross-border information transfers, mean that cannabis retailers must exercise caution before selling personal information to licensed cannabis producers, and ensure that any personal information collected, used, stored or disclosed, is properly handled.
OPC guidelines for the use of personal information
The Office of the Privacy Commissioner of Canada (OPC) has previously published guidelines entitled, “Protecting Personal Information: Cannabis Transactions” (OPC Guidelines), to clarify, amongst other things, the rights and obligations of both cannabis retailers under PIPEDA. Cannabis retailers who would like to sell personal information of customers to licensed cannabis producers must consider the following:
1. Limit the collection of personal information to what is necessary
Cannabis retailers should only collect personal information that a reasonable person would consider “appropriate under the circumstances.” They are also required to obtain prior informed consent from the customer before collecting any personal information.
The guidelines provide an example where a retailer can request and review identification to ensure that the consumer has reached the age of majority. However, there is no need to record this information.
2. Obtain meaningful consent
The general rule under PIPEDA is that consent must be obtained from an individual prior to the collection, use, or disclosure of their personal information. Consent can be implied or express. If information at issue is sensitive and/or the collection, use, or disclosure thereof is outside the reasonable expectations of the individual, then businesses will generally need to obtain express consent.
When a business is collecting personal information, it must inform the individual of the purpose(s) for which their information is being collected and disclosed. The collection of personal information must then be restricted to what is necessary for the purpose(s) that were identified. Similarly, businesses cannot use, disclose, or retain the information for reasons other than the purpose(s) for which it was collected, unless the individual consents or they are otherwise required to do so by law.
3. Use appropriate safeguards for the storage of personal information
Any information collected must be stored in a secure manner by retailers. The OPC guidelines highlights the following measures in order to comply with PIPEDA:
- Designate a privacy officer to be in charge of ensuring compliance.
- Employ physical, organizational, and technological security measures to prevent unauthorized access, collection, use or disclosure of personal info.
- Develop and maintain appropriate policies and practices related to privacy.
In addition to using sufficient security safeguards, if the cannabis retailer is planning to sell customer information, the cannabis retailer should enter into a written contract with the cannabis producer to ensure the cannabis producer will implement appropriate safeguards to protect the personal information.
This article is a collaboration between several lawyers at Torkin Manes LLP: Roland Hung, Counsel; Lisa R. Lifshitz, Partner and Chair of the Firm’s Technology, Privacy & Data Management Group; Matt Maurer, Partner and Co-Chair of the Firm’s Cannabis Law Group and Chair of the Franchise Law Group; and Olivia Veldkamp, Associate.