One of the federal government’s key stated objectives in legalizing weed has been to keep it out of the hands of children. As such, retail stores across the country are being careful about verifying customers’ ages, and in some cases scanning identification cards to validate them.

The Hunny Pot on Toronto’s Queen Street West told VICE it is scanning IDs to alleviate wait times, but that it is optional and customers are made aware that they can have their ID verified manually. Ameri, a weed shop in Yorkville, said it mostly checks IDs manually but also has a scanning gun available to “maintain compliance, catch fake IDs and lower human error.”

As for storing customers’ information, the software, Cova, can do that if a customer chooses to create a profile at the store, said The Hunny Pot spokesman Cameron Brown in an email. But it’s not mandatory.

(A consultant for Ameri told VICE all information the store scans is erased immediately.)

But cannabis lawyer Jack Lloyd told VICE there’s reason to be concerned about potential privacy breaches. The legal cannabis industry has been hit with a number of breaches that have compromised patient and customer information.

“There’s issues with the border, issues with other countries where cannabis is extraordinarily illegal,” Lloyd said, noting one of his former clients was turned away upon arrival in Japan due to a cannabis-related charge that had been withdrawn.

In an interview with VICE, Gary Cohen, CEO of Cova, said his company’s software has been implemented in more than 100 legal weed shops across Canada and that most of those shops are using the ID scanning technology.

He said Cova created the scanning software in response to requests from American legal weed retailers who were concerned front line staff members weren’t doing a good enough job of verifying customers’ IDs. The software will scan any provincially-issued ID but not a passport or health card, he said.

“In the US particularly, they said ‘look, this is a minimum wage job, these guys aren’t paying that much attention,’” Cohen told VICE. “The validity of the ID and the age verification takes the human error out of it.”

There is no province that requires ID scanning at weed retail stores.

Cohen said the default setting in all stores is not to keep a record of customer information unless the customer consents to starting a profile. He said the company has taken several measures to protect customer data, including storing Canadian customer data on Canadian servers.

All of the data is “highly encrypted,” Cohen added.

“We’re paying the most to keep that data safe.” He said the company has never had any privacy breaches.

Last December, Canada’s Privacy Commissioner Daniel Therrien advised Canadians to use cash to purchase weed when possible, and to avoid giving out more information than necessary.

“Some countries may deny entry to individuals if they know they have purchased cannabis, even lawfully,” he said.

US border officials have made it clear that Canadians who use cannabis are at risk of being rejected at the border.

“Any arriving alien who is determined to be a drug abuser or addict, or who is convicted of, admits having committed, or admits committing, acts which constitute the essential elements of a violation of… any law or regulation of a State, the United States, or a foreign country relating to a controlled substance, is inadmissible to the United States,” says a statement from US Customs and Border Protection.

However, purchasing with cash is obviously not a possibility when ordering weed online.

In November, Ontario Cannabis Store, the province’s online recreational retailer, said the data of 4,500 customers—including the names of people who signed for deliveries—was accessed during a breach via Canada Post.

Lloyd noted medical cannabis patients who have no choice but to use a mail order system are particularly susceptible to data breaches, including medical records.

Natural Health Services, a chain of medical cannabis clinics, is currently facing a class action lawsuit over a privacy breach that resulted in 34,000 patients’ records being accessed. Last week licensed producer Aphria notified patients that fraudulent Aphria websites are being created in an attempt to access patient information. However, the LP said it was not aware of any data breaches.

Prior to legalization, some black market dispensaries also scanned customers’ IDs or stored their information.