B.C.’s private booze and cannabis sellers have considerable work to do in order to ensure the privacy and security of the personal information collected from people purchasing their products, B.C.’s information and privacy commissioner says.
“Surprisingly, many retailers didn’t understand that they collect personal information, despite the fact that all private licensed liquor and cannabis retailers collect some form of personal information from employees and customers who enter physical stores or make purchases online,” said Commissioner Michael McEvoy.
He asked how retailers can ensure they’re protecting personal information when they don’t recognize the fact they are collecting it. He said here are “serious gaps” in privacy protections
Indeed, McEvoy found, few such retailers maintain adequate privacy management programs or document privacy policies, despite obligations under B.C.’s private sector Personal Information Protection Act.
Among information retailers are collecting are: age, contact information, payment details; member information including contact data and, in some cases, purchase history; delivery transaction records including products purchased, prices charged, quantity, delivery fees and name and signature of recipient; web and computer information (IP address, geographical location of IP address, login credentials); and photographs or video surveillance images.
The findings came in the course of a compliance review of 30 retailers based on media stories and enquiries about the sector’s collection, use and disclosure of personal information.
The report said cannabis retailers are required to use security cameras to monitor all retail and product storage areas, entrances and exits, adding an additional collection of sensitive personal information.
McEvoy reported a small number of retailers collect biometric information from staff, customers, or both. This is being done partly through thumbprint scanners to document staff signing in and out for the day and the use of facial recognition software as part of a surveillance system.
“Unless there are exceptional circumstances to consider, B.C. cannabis and liquor stores are not authorized to use facial recognition technology, and I have signalled that this practice should stop immediately,” McEvoy said.
And, he said, biometric information, which can also include temperature-taking, should only be undertaken under extreme scrutiny.
“Unless there are exceptional circumstances to consider, B.C. cannabis and liquor stores are not authorized to collect biometric information,” the report said. “Such a collection is not what a reasonable person would consider appropriate in the circumstances.”
In online sales, McEvoy found, only five of 30 retailers examined had privacy policies online detailing the collection of personal information on retailer websites.
The report contains 18 recommendations for retailers to establish and maintain privacy management programs, including:
• designating someone to be responsible for ensuring the organization complies with PIPA;
• developing written policies; and
• monitoring compliance and conducting risk assessments to know that security safeguards are effective.
Please note: an earlier version of this story had included an image of a BC Cannabis Store. The story is in fact specific to private stores.