“There is definitely concern regarding privacy in respect of cannabis purchases by Canadians,” he says. “Outside of public sector privacy legislation in British Columbia and Nova Scotia, there is no express requirement that the personal information of Canadians must remain in Canada.”

Credit card and other purchasing information stored outside of Canada, particularly in the United States, may be accessible by law enforcement there. This issue was recently raised in a new guidance document released by the Office of the Information and Privacy Commissioner for British Columbia.

“This document notes that personal information of cannabis users will in most cases be considered ‘sensitive,’ given that cannabis is illegal in most jurisdictions outside of Canada and that some countries may deny entry to individuals if they know they have purchased cannabis,” says Hayes.

According to the guidance document — "Protecting Personal Information: Cannabis Transactions" — access to the personal information of cannabis users may be used by some countries to deny entry. The four-page overview also points out that, in a digital age, the privacy issue is not moot. “Keep in mind,” it notes, “that storing data in the Cloud or in proprietary software means there is likely disclosure of that personal information outside of Canada. It is much more privacy protective to store personal information on a server located in Canada to prevent access by unauthorized third parties.”

Bernice Karn, a partner with Cassels Brock & Blackwell LLP in Toronto, says that any organization that collects, uses or discloses personal information in the course of commercial activities has privacy obligations under the federal Personal Information Protection and Electronic Documents Act. “That includes Canadian retailers, banks and credit card companies in respect of any type of business that they are transacting in Canada.”