Last week, the Liquor Control Board of Ontario (LCBO) announced that Shopify, Canada’s homegrown e-commerce success story, was selected to handle all the nuts-and-bolts of the province's cannabis sales. They will host the infrastructure for online sales and the in-store processing will be conducted on iPads using Shopify software.
But who will have access to the records of your future cannabis purchases?
According to the province, data will not be stored on Shopify’s U.S.-based servers. Nicole Laoutaris, a spokesperson for the LCBO, said that all data would be stored in Canada, and that all relevant privacy laws in Canada would be adhered to.
“The types of data being handled include transaction and sales metrics and history; master data for inventory items; and customer-related information required to administer a requested service, such as the home delivery of product,” she said in an email. “Again, all data will be stored in Canada.”
It’s not clear, however, whether that means it will be stored on government servers or on Shopify servers. Sheryl So, a spokesperson for Shopify, says that they are not releasing those details.
“At Shopify, we know how important it is that our platform be safe and reliable,” she said in a statement. “That’s why we have extensive measures in place to ensure that everyone on our platform is protected and secure.”
That the LCBO and its new Ontario Cannabis Retail Corporation plans to store customer data in Canada does not necessarily mean it is out of the reach of American authorities. Heidi Bohaker, Lisa Austin, Andrew Clement and Stephanie Perrin — three researchers in the law faculty at the University of Toronto — found in a recent study that even data that was being sent within the city of Toronto found its way through American data centres.
“Because of the way the networks that make up the Internet are configured in North America,” write the researchers, “much domestic Internet traffic passes through the United States on its way between Canadian endpoints, even when geographically close.”
Thus far, the Ontario government has not completely protected against data being routed through the United States, according to the study’s authors. “Many Canadians, wherever they may be, communicating via the Internet with their federal or provincial government departments will have their data transit the United States,” they write. “This can even occur between public bodies in the same province, the same city or even the same neighbourhood block.
“Sustained public pressure,” they continue, “is now required to encourage our politicians, organizations and corporations to act with renewed vigour on our behalf.”
Photo courtesy of Shopify via Flickr