How Shopify and the LCBO plan to protect cannabis consumer data

Cannabis is federally illegal in the United States, where Shopify keeps some of its servers. Will Ontarians’ privacy be protected?

Last week, the Liquor Control Board of Ontario (LCBO) announced that Shopify, Canada’s homegrown e-commerce success story, was selected to handle all the nuts-and-bolts of the province's cannabis sales. They will host the infrastructure for online sales and the in-store processing will be conducted on iPads using Shopify software.

But who will have access to the records of your future cannabis purchases?

Shopify Ontario OCRC

According to the province, data will not be stored on Shopify’s U.S.-based servers. Nicole Laoutaris, a spokesperson for the LCBO, said that all data would be stored in Canada, and that all relevant privacy laws in Canada would be adhered to.  

“The types of data being handled include transaction and sales metrics and history; master data for inventory items; and customer-related information required to administer a requested service, such as the home delivery of product,” she said in an email. “Again, all data will be stored in Canada.”

It’s not clear, however, whether that means it will be stored on government servers or on Shopify servers. Sheryl So, a spokesperson for Shopify, says that they are not releasing those details.

“At Shopify, we know how important it is that our platform be safe and reliable,” she said in a statement. “That’s why we have extensive measures in place to ensure that everyone on our platform is protected and secure.”

Shopify’s privacy policy clearly spells out the wide net of data it collects: “We collect our merchants’ customers’ name, email, shipping and billing address, payment details, company name, phone number, IP address and device data,” reads its current policy. This data is collected “when a customer visits a merchant’s site, places an order or signs up for an account on a merchant’s site.”

Ontario will not be Shopify’s first cannabis-related client. Many cannabis-adjacent businesses run on the platform, and some seed retailers had their accounts terminated for not being licensed by Health Canada to sell last fall. Online head shop Cannabis Jar collects information like your name, address, email, and so on. According to the company’s privacy policy, that data “is stored through Shopify’s data storage, databases and the general Shopify application.” (And for many medical cannabis patients, this will be nothing new: Canopy Growth has hosted its online stores through Shopify for a number of years.)

That the LCBO and its new Ontario Cannabis Retail Corporation plans to store customer data in Canada does not necessarily mean it is out of the reach of American authorities. Heidi Bohaker, Lisa Austin, Andrew Clement and Stephanie Perrin — three researchers in the law faculty at the University of Toronto — found in a recent study that even data that was being sent within the city of Toronto found its way through American data centres.

“Because of the way the networks that make up the Internet are configured in North America,” write the researchers, “much domestic Internet traffic passes through the United States on its way between Canadian endpoints, even when geographically close.”

Thus far, the Ontario government has not completely protected against data being routed through the United States, according to the study’s authors. “Many Canadians, wherever they may be, communicating via the Internet with their federal or provincial government departments will have their data transit the United States,” they write. “This can even occur between public bodies in the same province, the same city or even the same neighbourhood block.

“Sustained public pressure,” they continue, “is now required to encourage our politicians, organizations and corporations to act with renewed vigour on our behalf.”

Photo courtesy of Shopify via Flickr

In this article

Join the Conversation