The Ontario Cannabis Store is making a change to its privacy policy that could potentially result in customers’ personal information being stored outside of Canada.

Effective August 17, 2023, the OCS says it is making this change in privacy policy in response to consumer demands. To meet those demands, it says it will consider new technology platforms, including those that may store their data outside of Canada. 

In a public post, the online cannabis retailer says that any new technology platforms they may adopt “will maintain a high level of security and will be offered by service providers that are required to adhere to laws that protect personal information.”

A representative with the OCS confirms with StratCann that under this change, customer personal information may be stored in countries such as the United States. Until then, OCS assures the public that all personal information collected from customers before the policy change will continue to be stored in Canada.

“Since legalization, our customers have asked us to improve their online shopping experience on OCS.ca,” says Amanda Winton, Manager of Communications and Strategic Engagement with the OCS. “Assessing new technology platforms will allow the OCS to make enhancements to OCS.ca informed by customer feedback that supports continuous improvement and to keep up with industry best practices.

“Any new technology platforms that OCS may adopt will maintain a high level of security and will be offered by service providers that are required to adhere to laws that protect personal information,” she adds.

“OCS will continue to meet legal, privacy and security requirements and standards. This is done by employing organizational, contractual, technical and physical security measures to protect personal information. This includes ensuring that each country where data may be securely stored is assessed and the appropriate data security measures are in place.”

The OCS has previously affirmed their commitment to keeping such data in Canada. Its privacy policy currently includes the statement: “All personal information collected from customers before the policy change will continue to be stored in Canada.”

In 2018, Canada’s Privacy Commissioner cautioned consumers against purchasing from retailers who stored their personal data outside the country.

Shopify, the eCommerce platform currently providing backend services for the OCS online cannabis store, also provides these services for several other provincial online stores. In 2022, Cannabis N.L. informed consumers who bought cannabis from Newfoundland’s online cannabis store that Shopify, which hosts the website, would be transferring consumer data from servers in Canada to servers in the United States as of July 31, 2022. 

Shopify did not respond to a request for comment for this article.

“The personal information of cannabis users is … very sensitive. For example, some countries may deny entry to individuals if they know they have purchased cannabis, even lawfully,” noted a report from the Privacy Commissioner in 2018. 

Newfoundland and Labrador Liquor Corporation chief marketing officer Peter Murphy told CBC that the company was notified of the transfer by Shopify in 2021. 

Brenda McPhail, the acting executive director, master of public policy in digital society at McMaster University and the former director of privacy, technology and surveillance with the Canadian Civil Liberties Association, says there is always some risk when a company stores information outside of Canada and that the risks increase when the information connects an individual to the purchase of a product that is still illegal in other jurisdictions.

“The data will be subject to the laws of that jurisdiction and it’s worth noting that many countries, including the US, don’t extend the same (or sometimes any) privacy protections to non-citizens, so even if there is a data protection law in that jurisdiction, it may or may not help a Canadian whose personal information about cannabis purchases is stored there. 

“The promise on the Ontario Cannabis Store website that data will only be stored in countries with data protection laws is insufficient without additional assurance that those laws will protect Canadians’ data to the standard of Canadian law,” she adds. “For people to feel safer about this move, the Cannabis Store should at a minimum be transparent about where data will be stored, what laws will apply, and what contractual provisions they have negotiated (and there should be some) to provide additional protection for Canadian’s sensitive data in a foreign jurisdiction.

McPhail says consumers should share any concerns they have with the OCS, or any other retailer before a deal is signed, as well as shopping in person and using cash. 

“It’s worth asking why they seem to have decided that “an improved online shopping experience” cannot be created using a platform that has servers in Canada, or better yet, by a Canadian or even an Ontarian platform, rather than subjecting customer’s information about cannabis purchases to any level of risk.”

Sam Andrey, the managing director at The Dais, a public policy and leadership institute at Toronto Metropolitan University also questions why the changes require using a service outside of Canada, but says customers of the OCS online store will have little recourse.  

“It isn’t clear why this is necessary—there are a variety of e-commerce solutions that allow customer data to be retained within Canada. Short of advocating for stronger privacy laws, there is little that OCS customers can do in this situation.”

“Unfortunately Ontario privacy law does not require users to consent to their personal data being transferred outside of Canada, and there are not meaningfully enforced limits on the transfer of data to jurisdictions with insufficient protection against unauthorized access or surveillance.”

Andrey says that in a survey that our team conducted in 2020, 86 percent of Canadians supported requirements to keep Canadians’ data within Canada.

“Only BC and Nova Scotia require public organizations to keep personal data stored in Canada,” he adds.