February 14, 2019

Cannabis Data Privacy & Security

Ryan Lalonde profile image
Ryan Lalonde

It’s crazy to think that it’s already been over 100 days since cannabis legalization on October 17, 2018. The industry continues to face growing pains of course, but it’s also maturing at a rapid pace. Many companies are taking advantage of the industry slowdown by reexamining their processes and making improvements for the future while there’s ample planning time available.

Recently, a hot button topic for cannabis shoppers and retailers alike has been data privacy. If you’re starting to hear more about PEPIDA, CASL etc., you’re not alone. Cannabis businesses are subject to the same data privacy laws as most other businesses, but with the sensitivity of cannabis user data, some special considerations should be made.

What is Personal Information / Data?

Personal information is a somewhat broad term, but PEPIDA defines it as “information about an identifiable individual.” In other words, any information that could be traced back to a specific person is considered personal information. Some examples include:

● Name

● Date of birth

● Phone number

● Address

● Driver’s license number

● Medical information

● Physical description

● Social insurance number

● Financial information (such as a credit card number)

… and more.

So that being said, here are a number of suggestions directly from the Office of the Privacy Commissioner (OPC) on how to treat your cannabis customer’s personal information .

PEPIDA (or Provincial variations) Still Applies

The Personal Information Protection and Electronic Documents Act (PIPEDA) broadly states that organizations must obtain an individuals consent when any personal information is requested and collected. For example, for a cannabis retailer, this would mean obtaining consent which is reasonable for the sensitivity of the information collected; the more sensitive the information, the more explicit consent should be given & documented.

Companies collecting any kind of personal information should be upfront about their data policies, and only utilize data in the way the individual consented for it to be used. Further to this, the individual has the right to access their data, challenge its accuracy, and must be re-consented if their information is going to be used for any purposes outside of their original consent.

NOTE: PEPIDA is a federal act, but many provinces have instituted their own variations of this act, which follow the original in a manner deemed “substantially similar”.

Only Collect What is Needed

Consent being a given, PEPIDA also requires that data collection be limited to what “a reasonable person would consider appropriate in the circumstances”. Since this leaves some subjectivity, here are some general guidelines for what is deemed inappropriate:

  1. The collection, use or disclosure that is otherwise unlawful
  2. Profiling or categorization that leads to unfair, unethical or discriminatory treatment contrary to human rights law
  3. The collection, use or disclosure for purposes that are known or likely to cause significant harm to the individual
  4. Publishing personal information with the intended purpose of charging individuals for its removal
  5. Requiring passwords to social media accounts for the purpose of employee screening
  6. Surveillance by an organization through audio or video functionality of the individual’s own device

A general rule-of-thumb for cannabis businesses is to collect the minimum amount of data required for their business purposes, but no more. For example, if a retailer is processing a transaction, identification may be needed to confirm that person’s age, but it would not be necessary to keep a permanent record of that individual’s ID. There may be another reason to keep this information on file, but it’s always subject to consent, and what is deemed “reasonable” within that context.

Also, a business should always consider the lowest level of data sensitivity to accomplish their business goal(s). For example, if you’re customers are offered an opt-in program wherein they will receive communications from a store, then an email would be better than collecting a name or phone number.

Safeguarding Customer Data

Cannabis businesses who are looking to collect any form of customer information are responsible for ensuring that all data is secure from unauthorized access, disclosure, use, copying, or modification. Businesses should be sure to consider the physical, technological, and organization security of their customer’s data.

Physical Security: Paper-based data & information should be kept secure under lock & key. When that data is no longer required, it should be destroyed appropriately.

Technological Security: Cannabis businesses should restrict access to information using strong passwords, using data encryption & firewalls, and deleting all data that is no longer needed.

Organizational Security: Cannabis business must ensure that any personal information access is restricted to appropriate personnel. Organizations should also create data access “paper trails” which can be linked back to specific individuals. Security screening and staff training about how to treat data appropriately should be used during employee onboarding.

In all cases, a general rule-of-thumb is that once the purpose of keeping data is no longer necessary, the personal information should be securely destroyed.

Store Personal Information on Canadian Servers

Any data which is stored in out-of-country servers, such as US-based servers, could potentially be accessed by foreign law enforcement. Since cannabis is still illicit in nearly all other jurisdictions, it will generally be more privacy-protective to store personal information on a server located in Canada.

When considering purchasing a technology service, ensure you understand where your customer’s data will be stored, and the risks assumed therein if data could potentially be compromised.

Develop Organizational Privacy Policies

All cannabis businesses are required by law to develop and document their privacy policies, and to keep these policies up-to-date which current data practices. The OPC is careful to note that the development of these policies is only half the battle, and ensuring that staff are properly trained and activity complying with these policies is critical.

All organizations should also have a designated Privacy Officer who ensures ongoing policy development, training, compliance, and can be made available to respond to any complaints about management or use of personal information.

For further information on the OPC’s “Protecting Personal Information: Cannabis Transactions”, see:

What is CASL?

Canada’s Anti-Spam Legislation (CASL) was developed to ensure that individuals only receive electronic communications which they’ve consented to.

The Canadian Radio-television and Telecommunications Commission (CRTC) states that there are three general requirements for sending a commercial electronic message (CEM) to an electronic address:

  1. Obtain consent (express or implied)
  2. Provide identification information
  3. Provide an unsubscribe mechanism

For example, a cannabis retailer may choose to send customers electronic communications regarding promotions. That retailer must have the consent from the customer, must identify that the communication is coming from their business, and provide the user with the option to unsubscribe from receiving future communications.

For further information on CASL, see:

How Buddi Can Help

Buddi offers in-store customer experience, in-store & online shopping, & education solutions. Along with PEPIDA & CASL compliance, Buddi’s data is stored exclusively in Canada, making it a secure way to engage with customers and keep their personal information safe & secure.

To learn more, book your free demo today at, or email