08/19/2018 16:04 EDT | Updated 08/19/2018 16:04 EDT

Experts Warn That Online Pot Sales Raise Privacy Issues

Buying weed online will mean giving up a potentially dangerous amount of personal information, experts say.

Darryl Dyck / The Canadian Press
A young man smokes a marijuana joint during a rally in downtown Vancouver, B.C., on Wednesday April 20, 2011.

TORONTO — Buyers who have to provide personal information to purchase recreational pot online after legalization this fall should be able to rely on existing laws to protect their privacy but the issue needs to be watched closely to ensure regulations are obeyed and mistakes are avoided, experts say.

The matter is important given the stigma many people still attach to marijuana use, and the potential for Canadians to be barred from the United States if their otherwise legal indulgence becomes known to American border agents.

Privacy experts raise concerns

"We need to keep eyes on it, meaning we have to make sure this information is not abused or used for secondary purposes that were never intended," Ann Cavoukian, Ontario's former privacy commissioner and now an expert at Ryerson University, said in an interview. "Theoretically, it should not be used for any other purpose."

Moe Doiron / The Globe and Mail via CP
Ontario's former Information and Privacy Commissioner Ann Cavoukian in Toronto in 2013.

A spokeswoman for federal Privacy Commissioner Daniel Therrien said the office had not looked specifically at online marijuana sales. At the same time, the commission said it recognized privacy concerns around buying or using marijuana given its longtime status as a controlled substance.

"The legal sale and use of both medicinal and recreational marijuana raises privacy issues, particularly since laws and regulations differ from country to country and even within countries," Tobi Cohen said. "We have repeatedly raised concerns about the effectiveness of (Canada's two privacy laws) in the digital age and have called for both laws to be strengthened."

Ontario's online sales will require consumers to provide government-issued ID

Last week, Ontario's new Progressive Conservative government announced that consumers 19 years or older will have to go online to buy weed after federal legalization on Oct. 17 because private retail stores won't be up and running until April. A government agency called the Ontario Cannabis Store will run the online sales, although private e-commerce provider Shopify will be involved.

Online buyers will, at minimum, have to provide a name along with email and delivery address, and payment information. In Ontario, as is currently the case with online alcohol sales, buyers will be able to order as a "guest" without creating an online account.

We have repeatedly raised concerns about the effectiveness of (Canada's two privacy laws) in the digital age and have called for both laws to be strengthened.Tobi Cohen, spokesperson for federal Privacy Commissioner Daniel Therrien

However, Scott Blodgett, a spokesman for the Ministry of Finance, said buyers will have to provide proof of age via government-issued ID, which a delivery person will verify but not copy. The cannabis store website will have data security and privacy controls "aligned with global e-commerce best practice," he said.

Personal data will remain in Canada and not be shared with third parties, Blodgett said.

Ontario's Privacy Commissioner Brian Beamish was unavailable to discuss the issue but his office said in a statement that public institutions are accountable for the information they collect.

"All public institutions are responsible for having strong privacy protections in place to ensure personal information remains secure and protected at all times," the office said. "Personal information provided to a public institution for the purposes of buying cannabis is no exception."

Adrian Wyld / The Canadian Press
Federal Privacy Commissioner Daniel Therrien responds to a question during a press conference in Ottawa in 2016.

In addition, the office said, contracts by which a private company collects personal information for the government must spell out the terms, use and security of the data.

"These legal requirements must be met by the institution regardless of where the data resides or who is accessing it," the office said.

Informed consent needed for collection of personal information

In general, privacy laws mandate that personal information can only be collected with informed consent. Among other things, that means spelling out why the information is needed, how it will be used, who it might be shared with, and how long it will be stored.

The laws are in place. We just have to make sure they are enforced and the data is properly used.Former Ontario Privacy Commissioner Ann Cavoukian

Key among the various rules is that personal information should be securely stored and only used for the stated purpose.

"Government is not supposed to use the information for any other purpose," Cavoukian said. "Theoretically, the laws are in place. We just have to make sure they are enforced and the data is properly used."

Exceptions exist

One obvious exception is where a person is suspected of a crime. In that case, police can force a government agency or private company to release otherwise private information — after obtaining a search warrant.

"But without a warrant, no, they're not supposed to make (private information) available to the police or law enforcement or border crossing," Cavoukian said. "It's supposed to be used only for a very limited primary purpose."

Mistakes can also happen. In 2013, for example, Health Canada inadvertently breached the rules when it sent about 40,000 letters to individuals about the medical marijuana program with envelopes labelled to indicate they were sent by the program.

Also on HuffPost: