Privacy concerns over credit card use for legal online pot purchases
By The Canadian PressNews Data Security cannabis credit card security online purchases privacy commissioner
TORONTO — Canada's privacy commissioner is planning to issue guidance for buyers and sellers of legal cannabis amid ongoing concern about potential fallout, such as being barred from the United States, if transactions become known by third parties.
The concern has been heightened in provinces where anonymously paying cash in-store is not possible in light of a controversial Statistics Canada initiative to obtain detailed bank records from all Canadians.
“Our office recognizes the sensitive nature of cannabis-related transactions —particularly if information about those transactions is processed in a jurisdiction where cannabis consumption is not legal,” said Tobi Cohen, a spokeswoman for the federal privacy commissioner. “Organizations need to make it plain to individuals that their information may be processed in a foreign country, and that it may be accessible to law enforcement and national security authorities of that jurisdiction.”
British Columbia has already issued its own guidance and privacy-protection tips. For example, it notes that online sellers collect personal information such as name, date of birth, home address, credit card number, purchase history and email address.
“Providing personal information, especially through online formats, creates additional security risks,” the document by B.C.’s privacy commissioner notes. “Cannabis is illegal in most jurisdictions outside of Canada; the personal information of cannabis users is therefore very sensitive.”
Legal online purchases across Canada show up on bank statements in a variety of ways, depending on the retailer.
In Manitoba, for example, an order from the outlet Delta 9 shows up as “D9-2 -8675309 Winnipeg MB,” while purchases in British Columbia appear as “BCS Online Vancouver.” Those in Nova Scotia are recorded as coming from the provincial liquor corporation — “NSLC #2098/e-commerce Halifax.” Similarly, in Newfoundland and Labrador, orders register as NLC #700 St. John’s N.L.
In Ontario, where the only way to buy marijuana legally is online through the Ontario Cannabis Store using a credit card, transactions show up as “OCS/SOC.”
Jesse, 39, of Toronto, who’s in marketing and who asked his last name not be used, said he has mixed feelings about “OCS/SOC” appearing on his credit-card statement.
“I’m not crazy about being potentially profiled at the U.S. border because of a purchase that’s thrown up in my credit history,” Jesse said. “At the same time, I’m not losing sleep over it because there’s no precedent (for that) yet.”
In the pre-legal era, online outlets usually masked credit-card purchases, perhaps by using a generic notation such as “Organics,” and some still do so now. However, a spokeswoman for the Ontario Cannabis Store said such an approach doesn’t fly.
“As a legal business operating in Ontario, it is required that we operate with transparency,” Amanda Winton said. “This includes using our registered business name for payment services.”
Ontario’s privacy commissioner, Brian Beamish, said his office recommends redacting sensitive information in a case where, for example, a landlord might ask a prospective tenant for a credit card statement. Beamish also said a generic name used to record cannabis transactions could become widely known.
“The key issue here is the protection of bank information, whether it’s related to legal cannabis transactions or any other personal banking decision,” Beamish said.
Troy Patterson, who works with a licensed cannabis producer in Kincardine, Ont., said pot is legal and he wasn’t particularly worried about purchases showing up on credit card or similar statements.
“Now, if that info were to be weaponized against people, say for insurance or other purposes, that would be a huge issue,” Patterson said.
— Colin Perkel
Print this page
- Trump on Khashoggi death tape: ‘No reason for me to hear it’
- ‘Quebec is an embarrassment’: Province urged to do more on cybersecurity