Canadian CANNAINVESTOR Magazine February 2019 | Page 25


cannabis acquisition on servers located in Canada and then more forcefully recommends that customers ask cannabis retailers whether their personal information is stored on servers outside of Canada. The OPC even goes so far as to suggest that purchasers may want to opt to “purchase cannabis from those retailers who keep your personal information in Canada.” Interestingly, the OCS speaks to this concern in its privacy policy, stating that it “stores customer personal information under its custody or control in Canada.”

While some Canadian cannabis retailers may wish to heed such advice by choosing local Canadian cloud vendors, in my view they will also be required to engage in further due diligence to confirm that such so-called Canadian cloud providers actually host and retain all their data on servers located in Canada rather than using third-party service providers, subcontractors and sub-processors or Canadian affiliates of large foreign vendors whose actual networks (or portions thereof) are located in other jurisdictions, which still puts Canadian personal information at risk of third-party government or other exposure.

Any such cloud-computing agreements between such Canadian cannabis retailers and cloud vendors should also contain the necessary contractual provisions to specify and lock down the location of customer personal information held by such cloud vendor and its subcontractors and sub-processors, and of the servers used to host and store such data.

Designate privacy officers

All cannabis retailers are required to designate privacy officers who are responsible for ensuring compliance with PIPEDA, and such organizations must provide that person’s position, name or title and contact information when requested by a customer or otherwise. It is also expected that such persons will be responsible for responding to any customer concerns regarding the collection, use, storage, disclosure or disposal of personal information.

Create meaningful privacy policies

Under PIPEDA, organizations are required to develop policies and practices to meet their responsibilities and demonstrate compliance. These include internal policies as well as external privacy notices. The Guidance reminds cannabis retailers that they are expected to emphasize the protection of personal information as a company priority and ensure that all of their staff are trained in, understand, and follow company privacy policies in everyday transactions.

Publicly facing privacy policies must also provide individuals with enough information about the retailer’s practices to ensure that consent is meaningful. For example, cannabis retailers with websites must inform users about any personal information that they collect, including tracking cookies and website analytics, why such information is collected and, of course, how it is being used by the retailer. The OCS’ privacy policy, for example, does transparently speak to the OCS’ use of website cookies, server log data and web analytics services, among other things.

In typical OPC fashion, certain aspects of the guidance are vague. For example, it’s great to say that cannabis retailers should employ strong passwords and encryption as mandatory technological security measures, but a cannabis retailer may reasonably ask what the OPC considers these to be or what minimum standards should be employed. Overall, the guidance is a good first step in reminding cannabis retailers of their obligations and cannabis consumers of their rights under PIPEDA.
