Pot buyers’ data stored only in Canada: Ontario Cannabis Store

The home page for the Ontario Cannabis online store is shown in this photo illustration on Oct. 17, 2018. THE CANADIAN PRESS

Data about Ontario marijuana buyers used by the warehouse that stores and ships the province’s legal cannabis is held only in Canada, the Ontario Cannabis Store says.

This week, the federal privacy commissioner urged cannabis buyers to boycott sellers who store consumer data outside the country, and to use cash as an alternative to credit cards, where possible.

“The personal information of cannabis users is … very sensitive. For example, some countries may deny entry to individuals if they know they have purchased cannabis, even lawfully.”

When an OCS customer places an online order (the only legal way to buy cannabis in the province at the moment), the payment is handled on the back end by Shopify, an e-commerce company. Shopify has signed a contract requiring it to store its data in Canada.

Story continues below advertisement

The charge then goes to a credit card company, where the data ends up on servers in the United States. It looks like this: “OCS/SOC TORONTO, ON”

WATCH: Security breach at Ontario Cannabis Store
Click to play video: 'Security Breach at Ontario Cannabis Store'
Security Breach at Ontario Cannabis Store

Then the order is sent to the OCS’s warehouse, a facility in an industrial area in the western GTA, to be packed and mailed to the customer. The warehouse, the location of which is secret, is run by a third-party logistics company that the government refuses to name.

However that company, like Shopify, is required to keep its data in Canada, OCS spokesperson Daffyd Roderick wrote in an email.

For Ann Cavoukian, a former Ontario privacy commissioner who runs the Privacy by Design Center of Excellence at Ryerson University, the simple existence of cannabis customer data raises alarm bells.

Story continues below advertisement

“This is a target for hackers, and others, to get access to your data. These days, there is virtually a daily cybersecurity attack. To think that no one can access this data is a myth.”

The main concern is the U.S. border.

WATCH: Premier Ford contradicts campaign promise on pot store locations
Click to play video: 'Premier Ford contradicts campaign promise on pot store locations'
Premier Ford contradicts campaign promise on pot store locations

U.S. law allows non-Americans to be banned for life from the country for marijuana use, even if that use was legal.

Since legalization, however, U.S. border officials seem not to be using that power to its full potential.

The day before legalization took effect, they told a press conference that Canadians might be banned for legal marijuana use if a border officer decides that they are likely to consume it in the United States. 

But the only known case of a Canadian being given a lifetime ban for cannabis-related reasons since legalization concerns a B.C. man who was going to Nevada to see a growing facility that he had invested in.

Story continues below advertisement

People given a lifetime ban at the border can apply for a “waiver” to be allowed to cross anyway, but the process is complicated, slow, expensive, intrusive, and has to be renewed every few years for the rest of the person’s life.

A U.S. border guard with access to a database of legal cannabis transactions could easily put a traveller in an impossible position: being banned for life for using marijuana, or being banned for life for lying.

WATCH: Ford government may face lawsuit over cannabis labour contract with OPSEU
Click to play video: 'Ford government may face lawsuit over cannabis labour contract with OPSEU'
Ford government may face lawsuit over cannabis labour contract with OPSEU

“If you go into the United States, where cannabis is not legal, they can stop you at the border, they can deny you entry, and they can if they choose to, deny you entry for life,” Cavoukian says.

Story continues below advertisement

“There is enormous sensitivity associated with this data. This, in my view, would fall right at the top of the list of sensitive information that you would want to control, and you would not want to have disclosed.”

Ontario’s model for legalization — online sales only to start, 25 stores by April of next year (one for every 568,000 people) — seems like almost the worst-case scenario from a privacy point of view. Residents can’t legally buy cannabis anonymously now, and won’t be able to for the foreseeable future.

“The government probably thought they were being so progressive by putting it online. But they didn’t address the consequences.”

Sponsored content