Data about Ontario marijuana buyers used by the warehouse that stores and ships the province’s legal cannabis is held only in Canada, the Ontario Cannabis Store says.
This week, the federal privacy commissioner urged cannabis buyers to boycott sellers who store consumer data outside the country, and to use cash as an alternative to credit cards, where possible.
“Opt to only purchase cannabis from those who keep your personal information in Canada,” the statement said.
“The personal information of cannabis users is … very sensitive. For example, some countries may deny entry to individuals if they know they have purchased cannabis, even lawfully.”
When an OCS customer places an online order (the only legal way to buy cannabis in the province at the moment), the payment is handled on the back end by Shopify, an e-commerce company. Shopify has signed a contract requiring it to store its data in Canada.
The charge then goes to a credit card company, where the data ends up on servers in the United States. It looks like this: “OCS/SOC TORONTO, ON”
Then the order is sent to the OCS’s warehouse, a facility in an industrial area in the western GTA, to be packed and mailed to the customer. The warehouse, the location of which is secret, is run by a third-party logistics company that the government refuses to name.
However that company, like Shopify, is required to keep its data in Canada, OCS spokesperson Daffyd Roderick wrote in an email.
For Ann Cavoukian, a former Ontario privacy commissioner who runs the Privacy by Design Center of Excellence at Ryerson University, the simple existence of cannabis customer data raises alarm bells.
“This is a target for hackers, and others, to get access to your data. These days, there is virtually a daily cybersecurity attack. To think that no one can access this data is a myth.”
The main concern is the U.S. border.
U.S. law allows non-Americans to be banned for life from the country for marijuana use, even if that use was legal.
Since legalization, however, U.S. border officials seem not to be using that power to its full potential.
The day before legalization took effect, they told a press conference that Canadians might be banned for legal marijuana use if a border officer decides that they are likely to consume it in the United States.
But the only known case of a Canadian being given a lifetime ban for cannabis-related reasons since legalization concerns a B.C. man who was going to Nevada to see a growing facility that he had invested in.
People given a lifetime ban at the border can apply for a “waiver” to be allowed to cross anyway, but the process is complicated, slow, expensive, intrusive, and has to be renewed every few years for the rest of the person’s life.
A U.S. border guard with access to a database of legal cannabis transactions could easily put a traveller in an impossible position: being banned for life for using marijuana, or being banned for life for lying.
“If you go into the United States, where cannabis is not legal, they can stop you at the border, they can deny you entry, and they can if they choose to, deny you entry for life,” Cavoukian says.
“There is enormous sensitivity associated with this data. This, in my view, would fall right at the top of the list of sensitive information that you would want to control, and you would not want to have disclosed.”
Ontario’s model for legalization — online sales only to start, 25 stores by April of next year (one for every 568,000 people) — seems like almost the worst-case scenario from a privacy point of view. Residents can’t legally buy cannabis anonymously now, and won’t be able to for the foreseeable future.
“The government probably thought they were being so progressive by putting it online. But they didn’t address the consequences.”
“The government didn’t think it through.”