The world’s largest legal cannabis market has some of the strictest security requirements. Here’s everything you need to know to stay compliant—and protected.

Why California Matters

California isn’t just another cannabis market—it’s the cannabis market. With over $5 billion in annual legal sales and thousands of licensed operators, the Golden State sets the standard for the industry.

But that size comes with scrutiny. The California Department of Cannabis Control (DCC) doesn’t mess around when it comes to security compliance. Violations can mean fines up to $30,000 per day, license suspension, or permanent revocation.

After the STIIIZY breach exposed 420,000+ customer records in early 2025, regulators are paying closer attention than ever. If you’re operating in California, your security program needs to be bulletproof.

California’s Regulatory Framework

The Department of Cannabis Control (DCC)

As of July 2021, the DCC consolidated what were previously three separate licensing authorities:

  • Bureau of Cannabis Control (retail, distribution, testing, microbusiness)
  • CalCannabis Cultivation Licensing (cultivation)
  • Manufactured Cannabis Safety Branch (manufacturing)

This means one agency, one set of rules, and one enforcement body watching everything you do.

Key Regulations

California Code of Regulations, Title 4, Division 19 governs cannabis licensing. The security-specific requirements are scattered throughout, but the main sections you need to know are:

  • §15044 - Video Surveillance System requirements
  • §15045 - Security Personnel requirements
  • §15046 - Locks and physical security
  • §15047 - Alarm System requirements
  • §15048 - Track and Trace (METRC) requirements

Video Surveillance Requirements (§15044)

California has some of the most detailed video surveillance requirements in any state.

Minimum Coverage Areas

Your camera system must cover:

  • All areas where cannabis goods are weighed, packed, stored, loaded, or unloaded
  • Limited-access areas (must be clearly identified)
  • Security rooms containing surveillance monitoring equipment
  • All points of entry and exit (interior and exterior)
  • All areas where cannabis waste is destroyed, stored, or composted
  • Anywhere cannabis goods are sold (dispensaries)

Technical Specifications

Requirement Specification

Resolution Minimum 1280×720 pixels

Frame Rate Minimum 15 FPS

Lighting Must operate in all lighting conditions (IR required)

Date/Time Stamp Accurate to within one minute, visible on all recordings

Retention Minimum 90 days (some local jurisdictions require more)

24/7 Monitoring vs. Recording

The DCC requires continuous recording during business hours but doesn’t mandate 24/7 live monitoring. However, many local jurisdictions (especially Los Angeles and San Francisco) add their own requirements for:

  • Live monitoring during operating hours
  • Direct connection to local law enforcement
  • Additional camera placements

Pro Tip: Always check your local city/county cannabis ordinances. They frequently exceed state minimums.

Access and Availability

Here’s where many operators get tripped up:

  • Recordings must be available immediately upon request by the DCC or law enforcement
  • You must have a dedicated monitor on-site for viewing recordings
  • The system must allow for export to USB/DVD or provide immediate electronic access
  • A current list of authorized users must be maintained

Physical Security Requirements

Limited-Access Areas (§15000.1)

Every California cannabis license requires designated “limited-access areas” where cannabis is present. These areas must have:

  • Clear signage identifying them as limited-access
  • Physical barriers preventing unauthorized entry
  • Access control systems that log all entries and exits
  • A current roster of authorized personnel

Only licensees, employees, contractors performing specific work, and authorized visitors (escorted at all times) may enter these areas.

Physical Security & Cybersecurity Integration GuideBridging the Gap Between Locks and Firewalls in Cannabis Facilities Your IP cameras are on the same network as your POS system. Your access control badges are managed by cloud software. Your alarm system calls out over the internet. Physical security IS cybersecurity—and most cannabis operators don’t realize itCanna SecureCannaSecure

Lock Requirements (§15046)

All cannabis storage areas must be secured with:

  • Commercial-grade, non-residential locks
  • Locks must be engaged whenever the area is not in use
  • Keys/access cards must be tracked and accounted for
  • Lost/stolen keys require immediate re-keying or code changes

Alarm Systems (§15047)

Your alarm system must:

  • Cover all entry points, windows, and roof hatches
  • Be monitored 24/7 by a licensed alarm company
  • Have silent alarm capability (no audible signals giving away status)
  • Maintain functionality during power outages (battery/generator backup)
  • Notify a designated licensee representative within one minute of activation

Documentation Required:

  • Name and contact information of the alarm company
  • Alarm permit number (many cities require separate permits)
  • Up-to-date call list for alarm notifications

METRC Compliance and Cybersecurity

California uses METRC (Marijuana Enforcement Tracking Reporting Compliance) as its statewide track-and-trace system. Every gram of cannabis from seed to sale must be logged.

METRC Security Requirements

Account Security:

  • Each employee must have their own unique login
  • No shared accounts (this is a common violation)
  • Passwords must be changed every 90 days
  • Accounts must be disabled immediately when employees leave

Access Control:

  • Assign minimum necessary permissions for each role
  • Budtenders don’t need admin access
  • Regularly audit user permissions (quarterly minimum)

Incident Reporting:

  • Any discrepancy between physical inventory and METRC must be reported
  • Suspected unauthorized access must be reported within 24 hours
  • Maintain logs of all METRC access for 7 years

The STIIIZY Lesson

The 2024-2025 STIIIZY breach wasn’t a direct METRC compromise—it came through a third-party POS vendor that had access to customer data. But it highlighted a critical issue: your METRC data and customer data often flow through the same systems.

If your POS integrates with METRC (most do), a breach of your POS vendor is effectively a breach of your compliance data too.

CCPA: California’s Privacy Law Hits Cannabis

The California Consumer Privacy Act (CCPA) and its 2023 expansion (CPRA) apply to cannabis businesses that meet certain thresholds:

  • Annual gross revenue over $25 million, OR
  • Buy, sell, or share personal information of 100,000+ consumers/households annually, OR
  • Derive 50%+ of annual revenue from selling/sharing personal information

If you’re a dispensary with a loyalty program, you almost certainly qualify.

What CCPA Requires

Consumer Rights:

  • Right to know what personal information you collect
  • Right to delete personal information
  • Right to opt-out of sale/sharing of personal information
  • Right to non-discrimination for exercising these rights
  • Right to correct inaccurate personal information (CPRA addition)

Business Obligations:

  • Provide a clear privacy policy explaining data practices
  • Implement “Do Not Sell My Personal Information” links
  • Respond to consumer requests within 45 days
  • Implement reasonable security measures (this is where it gets interesting)

CCPA + Cannabis = Sensitive Information

Here’s what makes cannabis particularly tricky under CCPA:

Medical cannabis purchases are considered “sensitive personal information” under CPRA. This triggers additional requirements:

  • Consumers can limit the use of sensitive information
  • Heightened security obligations
  • More detailed disclosure requirements

If you’re a medical dispensary, or you collect medical cannabis card information from any customer, you’re handling sensitive personal information under California law.

Practical CCPA Compliance Steps

  • Audit your data collection - What are you actually collecting? ID scans, medical cards, purchase history, loyalty program data, delivery addresses?
  • Update your privacy policy - Be specific about cannabis-related data collection
  • Implement request processes - How will customers request deletion? Do you have a web form? Email address?
  • Train staff - Budtenders need to know how to direct privacy requests
  • Verify deletion capability - Can you actually delete customer data from all systems? Including backups? POS? Loyalty platforms?
  • Document everything - Regulators want to see your compliance program, not just hear about it

Local Jurisdiction Requirements

California allows cities and counties to impose additional security requirements beyond state minimums. Some notable examples:

Los Angeles

  • Requires a Security Operations Plan approved by LAPD
  • Mandates armed security guards during operating hours for some licenses
  • Additional camera placement requirements
  • Annual security assessments

San Francisco

  • Requires community liaison meetings
  • Additional background check requirements
  • Specific signage requirements
  • Noise and light pollution considerations for security equipment

San Diego

  • On-site security manager required for cultivation over certain square footage
  • Quarterly security audits for some license types
  • Enhanced reporting requirements

Bottom Line: Before finalizing your security plan, contact your local cannabis licensing office. Ask specifically what requirements exist beyond state regulations.

Building Your California Compliance Program

The Security Operations Plan

California requires a written Premises Diagram and Security Plan as part of your license application. This should be a living document that includes:

Physical Layout:

  • Detailed floor plan with all camera locations
  • Identified limited-access areas
  • Entry/exit points
  • Alarm sensor locations
  • Safe/vault locations

Operational Procedures:

  • Opening and closing procedures
  • Cash handling protocols
  • Visitor escort procedures
  • Employee access protocols
  • Emergency response procedures

Technology Systems:

  • Video surveillance specifications
  • Alarm system details
  • Access control systems
  • METRC integration points
  • Network diagram (yes, they want to see this)

Personnel:

  • Security guard deployment (if applicable)
  • Background check procedures
  • Training requirements
  • Authorized personnel roster management

Annual Security Assessment

While not explicitly required by state law, the DCC expects you to maintain your security program. We recommend:

Quarterly:

  • Test all cameras and alarm sensors
  • Review access logs for anomalies
  • Audit METRC user permissions
  • Update authorized personnel lists

Annually:

  • Full penetration test of network systems
  • Physical security walkthrough with fresh eyes
  • Policy and procedure review/update
  • Employee security training refresh

After Any Incident:

  • Root cause analysis
  • Control gap assessment
  • Remediation plan with deadlines
  • Documentation for regulators

Preparing for DCC Inspections

The DCC conducts both routine inspections and complaint-driven investigations. Here’s what they’re looking for:

Common Security Violations

Based on DCC enforcement data, the most frequent security citations include:

  • Video surveillance gaps - Cameras not covering required areas, footage not retained 90 days
  • Limited-access violations - Unauthorized persons in restricted areas, missing signage
  • METRC discrepancies - Inventory doesn’t match track-and-trace records
  • Alarm system failures - Lapsed monitoring contracts, failed notification tests
  • Documentation gaps - Can’t produce records, policies outdated

Inspection Best Practices

Before Inspectors Arrive:

  • Ensure all cameras are operational (test weekly)
  • Verify alarm monitoring is current
  • Have your license, permits, and security plan readily accessible
  • Confirm METRC is reconciled

During the Inspection:

  • Designate one person to accompany inspectors
  • Take notes on everything they ask for or cite
  • Don’t volunteer information beyond what’s asked
  • Be professional and cooperative

After the Inspection:

  • Address any citations immediately
  • Document your remediation
  • Update policies based on feedback

Incident Response: California Edition

When something goes wrong, California has specific notification requirements.

Breach Notification Timeline

Within 24 hours:

  • Report to DCC any theft, loss, or criminal activity
  • Report significant METRC discrepancies

Within 72 hours:

  • California data breach notification law requires notification to affected consumers “in the most expedient time possible and without unreasonable delay”
  • If over 500 California residents affected, notify the California Attorney General

Within 10 days:

  • File detailed incident report with DCC
  • Include root cause analysis and remediation steps

What to Report

To the DCC:

  • Date/time of incident
  • Description of what happened
  • Cannabis goods affected (weight, type, value)
  • Law enforcement report number
  • Remediation steps taken

To Consumers (if data breach):

  • Description of incident
  • Types of information involved
  • Steps taken in response
  • Contact information for questions
  • Free credit monitoring offer (recommended)

2026 Compliance Checklist

Use this checklist to assess your California cannabis security compliance:

Video Surveillance

  • All required areas covered (storage, sales, entry/exit, waste)
  • Minimum 1280×720 resolution
  • Minimum 15 FPS
  • Date/time stamps accurate and visible
  • 90-day retention verified
  • On-site viewing monitor available
  • Export capability functional
  • Authorized user list current

Physical Security

  • Limited-access areas identified and signed
  • Commercial-grade locks on all cannabis storage
  • Access control system logging entries/exits
  • Alarm system covering all entry points
  • 24/7 alarm monitoring active
  • Backup power for alarm system tested
  • One-minute notification verified

METRC Compliance

  • Individual accounts for all users
  • No shared credentials
  • Passwords changed within 90 days
  • Terminated employee accounts disabled
  • User permissions audited (quarterly)
  • Inventory reconciled (daily)

CCPA Compliance

  • Privacy policy updated for cannabis-specific data
  • “Do Not Sell” mechanism implemented
  • Consumer request process documented
  • Staff trained on privacy requests
  • Data deletion capability verified
  • Records retention policy documented

Documentation

  • Security Operations Plan current
  • Premises diagram accurate
  • Incident response plan documented
  • Emergency contacts updated
  • Insurance policies current
  • Local jurisdiction requirements verified

Resources

State Resources:

Industry Resources:

  • Cannabis ISAO - Industry threat intelligence
  • National Cannabis Industry Association (NCIA) - Compliance guides
  • California Cannabis Industry Association (CCIA) - State-specific resources

The Bottom Line

California cannabis compliance isn’t just about avoiding fines—it’s about protecting your customers, your data, and your business. The STIIIZY breach showed what happens when security fails: hundreds of thousands of customers exposed, regulatory scrutiny, class action lawsuits, and permanent reputational damage.

The good news? California’s requirements, while detailed, create a solid security foundation. If you’re meeting DCC standards, you’re ahead of most businesses in any industry.

Don’t wait for an incident to take security seriously. Build your compliance program now, test it regularly, and treat it as a core business function—not an afterthought.

Your customers trusted you with their most sensitive information. Honor that trust.

CannaSecure provides cybersecurity guidance for the cannabis industry. Follow us for compliance updates, threat intelligence, and practical security guidance.