Canadian CANNAINVESTOR Magazine February 2019 | Page 26

practices to meet their responsibilities and demonstrate compliance. These include internal policies as well as external privacy notices. The Guidance reminds cannabis retailers that they are expected to emphasize the protection of personal information as a company priority and ensure that all of their staff are trained in, understand, and follow company privacy policies in everyday transactions.

Publicly facing privacy policies must also provide individuals with enough information about the retailer’s practices to ensure that consent is meaningful. For example, cannabis retailers with websites must inform users about any personal information that they collect, including tracking cookies and website analytics, why such information is collected and, of course, how it is being used by the retailer. The OCS’ privacy policy, for example, transparently addresses the OCS’ use of website cookies, server log data and web analytics services, among other things.

In typical OPC fashion, certain aspects of the guidance are vague. For example, it’s great to say that cannabis retailers should employ strong passwords and encryption as mandatory technological security measures, but a cannabis retailer may reasonably ask what the OPC considers these to be or what minimum standards should be employed. Overall, the guidance is a good first step in reminding cannabis retailers of their obligations and cannabis consumers of their rights under PIPEDA.