Privacy watchdog finishes investigation of P.E.I. Cannabis
Privacy commissioner says company doing a good job protecting customers' privacy, but room for improvement
An investigation by P.E.I.'s privacy watchdog into P.E.I. Cannabis Management Corporation (PEICMC) has found that overall the corporation is doing a good job protecting Islanders' privacy, but that there are areas that could be improved.
The investigation was launched in October 2018 — two days after the P.E.I. Cannabis retail stores opened — after complaints were made that scanners were being used to check customers' IDs and that some of that information was being stored for a 24-hour period.
Those machines were quickly pulled from the stores and Zach Currie, PEICMC's director of operations, said there are no plans to reintroduce machines like that in the near future.
The PEICMC has since switched to checking the ID of anyone who looks under 30, said Currie.
"We started this with the thought that we would ID everyone," said Currie. "We quickly learned that the Check 30 is probably a very appropriate policy and we've had a lot of success with that."
In the investigation, Karen Rose, P.E.I.'s information and privacy commissioner, said the company is "using reasonable security measures to protect personal information."
But Rose did make recommendations on how PEICMC could improve its practices.
The report recommended the company should:
- Amend their in-store signs letting customers know that video surveillance is occurring, adding more detail on the purpose for collecting the information and who has the legal authority to collect that information.
- Use a less invasive alternative to collecting individuals' dates of birth to access the website.
- Permit individuals to review the terms and conditions and PEICMC's privacy policy before accessing the website.
- Continue to provide regular education and training to employees on protecting customers' personal information.
- Incorporate proactive security measures into their safeguards, including periodic and comprehensive reviews and testing of their online security measures, taking into consideration known and developing online risks.
Changes already made
Currie said the company has already implemented the changes recommended by the privacy commissioner.
The company's website no longer asks users to enter their birth date to access the site — they just have to confirm they're over 19.
"We had thought the privacy policy and terms and conditions were both available prior to actually going through the age verification prompt, but because of a simple URL issue that we have now rectified, they were not," said Currie.
Currie said signs inside stores informing customers that they are being recorded have also changed to let customers know where they can go to learn more about that surveillance.
The company is also ramping up its focus on cyber security, doing more frequent reviews of the security protocols in place to make sure the online shopping experience for customers stays as safe as possible.
"We're also going to be doing some very extensive incremental things with some third-party IT [information technology] security firms that we work with to ensure that we're very tight, not only now, but well into the future," said Currie.