An overlooked aspect of recreational cannabis legalization in Canada is the privacy implications of the distribution systems, especially in the online environment.
The privacy and security risks are substantial, and protecting the online rights of consumers needs more attention. Highly sensitive personal information will be exposed to the risks of redistribution and data breaches, and these risks are magnified if the data is stored or processed in the United States.
In the province of Ontario, the framework put in place by the former Liberal government has been dramatically changed by the new Doug Ford government. While the Liberal’s plan had its flaws, the problems will be exacerbated by the premier’s move to privatize retail sales.
The previous plan was to centralize sales through the Ontario Cannabis Store (OCS), a subsidiary of the Liquor Control Board of Ontario (LCBO). In reversing this plan, the government is essentially handing over a new and lucrative market to the private sector.
A 2018 Deloitte report estimates Canadians will spend as much $7.17 billion on cannabis products in 2019, with about 35 per cent of that estimated to be online. Under Ford’s plan, the OCS will only handle online sales with physical retail outlets under a private model, expected to open in April 2019.
With this policy shift, legislation will need to be hurriedly amended and, not surprisingly, the reversal is controversial. While applauded by industry interests, it’s been denounced by other groups. Their concerns shouldn’t be ignored in the rush to meet the self-imposed deadlines for online and retail sales.
Will consumer data be transferred to the U.S.?
OCS is a public agency, but the actual online transactions will be handled by Shopify, a Canadian e-commerce platform. When recreational marijuana use becomes legal in October, consumers will have no choice but to use this online system until the retail stores open in 2019. This gap is where serious privacy concerns come into play.
Canadian privacy law requires that organizations holding personally identifiable information comply with the Personal Information Protection and Electronic Documents Act (PIPEDA). The law’s purpose
is to protect Canadians regarding the collection, use, storage and distribution of their personal information. Yet data breaches are a growing concern, and different rules apply when data crosses the border.
With cannabis transactions, a security breach or even a routine data transfer to a U.S. affiliate could have far-reaching negative effects on the consumer. Insurance companies, employers and local police could be interested in accessing this data.
Personal stigma is an important issue, but perhaps the biggest problem concerns data transfers into the U.S. Once across the border, U.S. security agencies could obtain information about the cannabis consumption patterns of Canadians who have joined the online system. This could lead to increased border crossing delays, more intrusive questioning and searches, and could result in orders banning Canadians from entering the U.S. because of their cannabis consumption.
“While Shopify Inc. is a Canadian company, we provide services to individuals and our technology processes data from users around the world. Accordingly, Shopify may transmit your personal information outside of the country, state, or province in which you are located.”
“Shopify works with a variety of third parties and service providers to help provide you with our Services and we may share personal information with them to support these efforts.”
This third-party sharing includes Google Accounts, PayPal Express and Apple Pay. When a Shopify account is opened, partner accounts are established, each having their own terms and privacy policies. This framework is inappropriate for online cannabis sales because excessive data sharing with more parties increases the risk of breach, and the likelihood of data crossing into the United States.
What about data breaches?
The security of online personal information is a growing problem. Data is increasingly susceptible to being breached, leaked, hacked or misplaced. Breaches like those at Ashley Madison, Equifax, Hudson’s Bay, Yahoo and eBay get significant attention, but breaches have become so widespread that a 2015 Ernst and Young report says “…cyberattacks are no longer a matter of ‘if’ but ‘when.’”
PIPEDA requires security safeguards, but its language is vague. A 2017 report about the Internet of Things concluded the current safeguarding language needs to be strengthened to reflect technological developments. These considerations apply to online platforms like Shopify.
While Shopify claims it will protect its customers’ data, the details of how they will do so haven’t been disclosed, and too many questions remain unanswered. How can Shopify guarantee this same high level of commitment on the part of their U.S.-based third party affiliates with whom they share information?
With online delivery starting in October, many important operational details must still be determined and disclosed. Since Ontario lacks the data localization requirements present in British Columbia, these details are all the more urgent. For consumers to make informed choices about whether they want to risk online transactions, more transparency and certainty is needed.
Privacy must not be an afterthought
The problem of online security extends beyond cannabis sales and isn’t going to be resolved overnight. The same challenges confront other online retailers. But online cannabis data is particularly sensitive, and the stakes are much higher. While the former Ontario plan didn’t fully address privacy concerns, the new changes will add complexity, making things worse.
If consumers lack confidence that their sensitive information will be fully protected, or worry it could cross into the U.S., the system will fail. The 2018 Deloitte Report states emphatically that privacy concerns are vital:
“Cannabis consumers worry about the privacy and security of their personal information, and they expect that information to be protected, especially online. Retailers will need to ensure they invest in robust privacy and e-commerce cybersecurity.”
Without such strong confidence, cannabis users will likely continue their current purchasing practices, and the implementation of legal sales will not be effective.
In Ontario, the Ontario Cannabis Store/LCBO is well-positioned to implement sales in a safe and secure manner, but their online practices also need to be scrutinized. Adding so many new private retailers into the mix, as Ford is now doing with his privatization plan, will only magnify the problems.
Privacy concerns can’t be an afterthought; they must be designed into the system from the outset, and there is little comfort this is happening.
Samuel E. Trosow, Associate Professor, University of Western Ontario, Faculty of Law and Faculty of Information & Media Studies