A report from 2021 included 18 recommendations for cannabis and liquor stores in BC to improve their oversight of private information collected from customers and employees.
The Office of Information and Privacy Commissioner for BC (OPIC) says they are pleased with efforts by cannabis and liquor retailers in the province to ensure the privacy and security of the personal information they collect.
The newest report, published June 7, is a follow-up to a similar report from the agency published in 2021. That report showed a number of these retailers have “considerable work to do in order to ensure the privacy and security of the personal information they collect is kept in accordance with the law”.
The report looked at 15 cannabis stores and 15 liquor stores across British Columbia and contained 18 recommendations for retailers to address the gaps identified by the commission.
It found that while some retailers do have processes in place to protect the personal information of their customers and staff, many were not even aware that they were collecting people’s personal information.
The initial report also noted that a small number of the surveyed retailers collect biometric information from staff, customers, or both. In one case, a retailer even informed inspectors that they use facial recognition as part of their surveillance system, something the commission report highlights is not allowed. (The report did not note if this was a liquor or cannabis store).
Other types of data collection included asking for customer ID, as well as information collected for online sales, which at times could include information such as IP address as well as home address and credit card numbers.
Many of the retailers also did not have a privacy officer or privacy policies for the personal information they collect, or any training for staff or managers relating to the management of this private information.
The follow-up report published this year, which covered 29 of the 30 original stores, notes significant improvements and efforts to address these and other concerns.
OPIC’s report notes that 70% of the recommendations have been fully implemented and 22% have been partially implemented, meaning retailers had made some progress to incorporate the recommendations into their own privacy management program.
The Information and Privacy Commissioner for BC will continue to follow up with retailers to ensure further compliance.
There were also some differences noted between liquor and cannabis retailers when it comes to the implementation of some recommendations.
Auditors found that liquor retailers appeared more likely to have a designated privacy officer, written privacy policies, and expectations for privacy protection included in contracts. Cannabis stores are encouraged to follow these examples as well, especially since a breach for a cannabis retail organization can have negative implications due to the ongoing stigma of cannabis use.
Both reports can be read here and here for a more in-depth review of the recommendations and issues.