Online sale of pot after legalization raises privacy concerns, experts say
Existing laws should protect privacy, but one ex-privacy commissioner says, 'we need to keep eyes on it'
Buyers who have to provide personal information to purchase recreational pot online after legalization this fall should be able to rely on existing laws to protect their privacy but the issue needs to be watched closely to ensure regulations are obeyed and mistakes are avoided, experts say.
The matter is important given the stigma many people still attach to marijuana use, and the potential for Canadians to be barred from the United States if their otherwise legal indulgence becomes known to American border agents.
"We need to keep eyes on it, meaning we have to make sure this information is not abused or used for secondary purposes that were never intended," Ann Cavoukian, Ontario's former privacy commissioner and now an expert at Ryerson University, said in an interview. "Theoretically, it should not be used for any other purpose."
A spokesperson for federal Privacy Commissioner Daniel Therrien said the office had not looked specifically at online marijuana sales. At the same time, the commission said it recognized privacy concerns around buying or using marijuana given its longtime status as a controlled substance.
"The legal sale and use of both medicinal and recreational marijuana raises privacy issues, particularly since laws and regulations differ from country to country and even within countries," Tobi Cohen said. "We have repeatedly raised concerns about the effectiveness of (Canada's two privacy laws) in the digital age and have called for both laws to be strengthened."
Last week, Ontario's new Progressive Conservative government announced that consumers 19 years or older will have to go online to buy weed after legalization federally on Oct. 17 because private retail stores won't be up and running until April. A government agency called the Ontario Cannabis Store will run the online sales, although private e-commerce provider Shopify will be involved.
Personal data will remain in Canada
Online buyers will, at minimum, have to provide a name along with email and delivery address, and payment information. In Ontario, as is currently the case with online alcohol sales, buyers will be able to order as a "guest" without creating an online account.
However, Scott Blodgett, a spokesperson for the Ministry of Finance, said buyers will have to provide proof of age via government-issued ID, which a delivery person will verify but not copy. The cannabis store website will have data security and privacy controls "aligned with global e-commerce best practice," he said.
Personal data will remain in Canada and not be shared with third parties, Blodgett said.
Ontario's Privacy Commissioner Brian Beamish was unavailable to discuss the issue but his office said in a statement that public institutions are accountable for the information they collect.
"All public institutions are responsible for having strong privacy protections in place to ensure personal information remains secure and protected at all times," the office said. "Personal information provided to a public institution for the purposes of buying cannabis is no exception."
In addition, the office said, contracts by which a private company collects personal information for the government must spell out the terms, use and security of the data.
"These legal requirements must be met by the institution regardless of where the data resides or who is accessing it," the office said.
In general, privacy laws mandate that personal information can only be collected with informed consent. Among other things, that means spelling out why the information is needed, how it will be used, who it might be shared with and how long it will be stored.
Ensure data 'is properly used'
Key among the various rules is that personal information should be securely stored and only used for the stated purpose.
"Government is not supposed to use the information for any other purpose," Cavoukian said. "Theoretically, the laws are in place.
"We just have to make sure they are enforced and the data is properly used."
One obvious exception is where a person is suspected of a crime.
In that case, police can force a government agency or private company to release otherwise private information — after obtaining a search warrant.
"But without a warrant, no, they're not supposed to make (private information) available to the police or law enforcement or border crossing," Cavoukian said. "It's supposed to be used only for a very limited primary purpose."
Mistakes can also happen. In 2013, for example, Health Canada inadvertently breached the rules when it sent about 40,000 letters to individuals about the medical marijuana program with envelopes labelled to indicate they were sent by the program.