Canadian marijuana sellers have attracted more than new customers now that their product is legal.

A recent data breach at an Ontario online retailer shows the real risks to cannabis sellers who don’t protect consumer data. The Ontario Cannabis Store announced Nov. 1 that delivery information was accessed for approximately 2 percent of its users—roughly 4,500 orders.

Canada’s privacy office is taking a hard look at the industry that was legalized in October given the personal data it’s likely collecting from users, Corey Larocque, communications adviser for the Office of the Privacy Commissioner of Canada, told Bloomberg Law.

“The legalization of cannabis has raised a number of privacy issues,” Larocque said.

The OPC was notified of the Ontario Cannabis Store data breach, agency spokesman Tobi Cohen told Bloomberg Law. The regulator has “been in contact with the Office of the Information and Privacy Commissioner of Ontario and are also engaging with Canada Post to better understand what occurred and what is being done to mitigate the situation,” she said. A formal investigation hasn’t yet been opened by either privacy office, Cohen said.

Any privacy stumble could lead to costly enforcement penalties for the industry that could reach $2.3-$5.7 billion in sales by 2019, according to Canadian Imperial Bank of Commerce research.

Canadian cannabis companies hit by a data breach, possibly one aimed at sensitive consumer data, could be the most financially affected by a regulatory investigation. According to the OPC, companies can be fined up to C$100,000 ($79,139) per day, for each person who should have been notified of a data breach.

The Canadian regulator is focusing on cannabis companies because they collect payment card data and identification card information, and store customer images taken from security cameras, Larocque said.

The OPC doesn’t directly issue privacy fines, but can refer offenses to Canada’s attorney general, who can seek monetary penalties, Cohen said. The attorney general must decide whether to pursue enforcement, she said.

Many marijuana purchases are being made through federal online marketplaces, Larocque said. That raises privacy and security risks because retailers are collecting customers' online information, such as names, birth dates, credit card numbers, purchase histories and email addresses, he said. Canada’s largest online dispensaries include Canopy Growth Corp., Aurora Cannabis Inc., and the Ontario Cannabis Store, according to Bloomberg data.

About 33 percent of those users are worried about the privacy and security of data they turn over to marijuana retailers, such as payment card information, according to a Deloitte LLP report cited by the Canadian privacy commissioner.

Canadian regulators “will look into it more intensely because of consumers’ heightened concern over the data collection, use, and protection,” Lisa Lifshitz, privacy partner at Torkin Manes LLP in Toronto, told Bloomberg Law.

The consequences of a privacy breach in the Canadian cannabis industry may be severe, David Wood, senior cannabis associate at Borden Ladner Gervais in Calgary, Alberta, told Bloomberg Law. There’s still a social stigma to using marijuana that makes buyers very worried about their data, he said.

Cannabis businesses must follow Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), privacy attorneys and Larocque said. Companies may also have to follow similar provincial privacy laws in some regions, they said.

Industry Practices

Canadian pot sellers understand the risks and have taken steps to protect users’ sensitive data, the country’s leading marijuana industry group said.

“Privacy is always a concern” for the Canadian cannabis industry, Allan Rewak, director of the Cannabis Council of Canada, told Bloomberg Law. The industry gives privacy and data “protections above and beyond most e-commerce and commercial businesses,” he said. The group was created in 2018 by large marijuana groups: the Cannabis Canada Association, the Canadian Medical Cannabis Council and Canopy Growth.

Marijuana companies need to ensure they don’t collect more data than needed, Lifshitz said. In Canada, companies can “only collect personal information for the purpose for which it was intended,” and “safeguard collected information using adequate and reasonable” security, she said.

During age verification, cannabis companies should be careful about what data they collect, privacy attorneys said. Dispensaries should avoid “recording the details of the personal information when doing so to reduce the risk of over collection and misuse,” Ryan Berger, partner and co-chair of Norton Rose Fulbright Canada’s data and privacy group, told Bloomberg Law.

With a privacy-first approach, “consumer confidence will be an important value in the industry and may eventually be a differentiator,” Berger said.