
Cannabis NL Transferring Data to US

The world around us has changed significantly since the onset of the COVID-19 global pandemic, impacting and altering the ways in which we interact, communicate and share information with one another. Supported by an accelerated digitization of our environments, these changes have influenced behaviour and attitudes.

For cannabis retailers, it’s shown up most dramatically in an increase in online purchases made by customers. With the maturation of ecommerce comes the opportunity for merchants to offer their customers greater flexibility, choice, and convenience. However, as cannabis retailers operating in Newfoundland and Labrador are experiencing, accepting purchases through online channels may be placing their customers’ privacy in potential jeopardy.

Potential Data Compromise?

Online customers purchasing product through the Cannabis NL website have received emails asking them to consent to the transfer of their data from servers in Canada to servers in the United States. The email was sent by Cannabis NL, the purveyor of cannabis products owned and operated by Newfoundland and Labrador’s Crown liquor corporation. It explains to customers that Shopify, the ecommerce platform that hosts the cannabis retailer’s website, is set to transfer the data on July 31, 2022.

Many within the realm of cybersecurity are suggesting that by moving the data, retailers in Canada are giving up a considerable amount of control concerning the protection and safety of the data. Stephen O’Keefe, retail loss prevention expert and Founder of consultancy Bottom Line Matters, says that a loss of control in the aftermath of the transfer could result in consequences more severe than some might imagine.

“Customers are increasingly expecting the ease and convenience that online channels offer them,” he admits. “However, given the technological capabilities available today, combined with the importance of the data that’s being collected, today’s customer is also expecting that the retailers they engage and shop with are going to do their utmost to ensure the protection of their safety. That means having a robust loss prevention management system in place within the organization. And that differs from the presence of a security or loss prevention department. It’s an underlying foundation of culture and policy that informs how employees conduct their daily activities on behalf of the retailer. In this case the question would be: what steps have been taken to evaluate a supplier’s compliance with the Canadian-based regulatory requirements when it comes to the protection of their customers’ personal information?”

In Canada, the Federal Government’s PIPEDA Fair Information Principles provide businesses with clear guidance as to their responsibility to protect customer personal information. In most cases, the personal information collected should be limited to information they absolutely need to run their business and limited in scope as to where it is stored. And, in the event of a concern, the Office of the Privacy Commissioner of Canada uses a litmus test to assess the business’s conduct, which stresses one key element: whether or not an alternative approach was available which would have served to better protect the personal information. O’Keefe says that it’s an element that all retailers should be taking into serious consideration when making any decisions that might impact their customers’ personal information.

“There are blurred lines between shortcuts and efficiencies,” says O’Keefe. “It’s not a surprise that businesses today are starting to look at expenses to make the bottom line work. One easy fix to that is the consolidation of IT systems. Because it is so seamless and transparent, moving data out of Canada might go unnoticed until the personal data leaks. However, what seems like a rather benign change to a practice in order to save money may actually cost more in the long run because the shortcut does not comply with loss prevention, health and safety, or regulatory requirements.”

Importance of Data Protection

Newfoundland and Labrador Liquor Corporation has stated that the company was made aware of the pending transfer in 2021 and that it’s confident that adequate levels of transparency and privacy will be maintained. However, the province’s Crown corporation seems to be an outlier in contrast with the rest of the country. A spokesperson for BC Cannabis said that while Shopify hosts its online platform, it has no intention of transferring its customer data to the United States. It’s a sentiment that’s been echoed by the Ontario Cannabis Store, which was the victim of a data breach earlier this year. And, with data breaches and cybercriminal activity on the rise throughout North America, O’Keefe warns that there will not be a better time than now for the cannabis industry in Canada to understand its obligation and accountability around data protection and to act accordingly, despite the cost-savings that could be on the table.

“The evolution of the digital world opens up a whole new level of due diligence that’s required before moving personal data,” he says. “The consolidation of systems by multinational companies whereby personal data from Canadian citizens is retained south of the border may be cheaper and result in cost-savings. And businesses operating today may claim that efficiencies are required in order to continue serving customers. But there are factors that need to be considered such as the impact that the USA Patriot Act may have on the company’s ability to comply with Canadian regulation south of the border. The Patriot Act is overreaching and will severely limit a Canadian company’s ability to protect the data while in the US. It’s really a matter for organizations to decide whether to do whatever it takes to avoid costly mistakes that might impact their customers, brand and bottom line, or essentially throw caution to the wind and open themselves up to incidents and activity that will be detrimental to their business.”
