A driver carrying $4,000 in cannabis products and cash is navigating to their next delivery stop when their app is hijacked. The GPS tracking goes dark. The customer verification step gets bypassed. The products are delivered to a location that wasn’t on the original manifest. By the time anyone realizes what happened, the driver is two counties over with no products, no cash, and a police report that’s going to trigger a METRC discrepancy that needs explaining to the state.

Cannabis delivery has become the industry’s fastest-growing retail channel. It’s also the channel with the most concentrated security vulnerabilities—spanning physical safety, digital security, customer data protection, and compliance integrity—all in a single role: the delivery driver.

If your operation offers delivery and you haven’t done a deliberate security design of that channel, you’re operating with exposure you haven’t fully mapped.


The Scale of Cannabis Delivery in 2026

Delivery legalization has expanded dramatically over the past three years. California, Colorado, Massachusetts, Michigan, New Jersey, Nevada, and a growing list of other states have either legalized delivery or significantly expanded its scope. In California, where delivery has been legal for years, it now accounts for a meaningful percentage of total cannabis retail revenue. Some cannabis-only delivery platforms—the equivalent of DoorDash or Instacart but regulated—have emerged as standalone businesses.

This expansion has created a new attack surface that is, in some ways, uniquely difficult to secure: it’s distributed, it involves physical handoff of high-value products, it requires staff operating outside a controlled facility environment, and it combines digital vulnerabilities (delivery apps, customer data, GPS tracking) with physical vulnerabilities (drivers carrying inventory and cash).


Driver Safety: The Most Immediate Risk

Cannabis delivery drivers face a documented and growing robbery threat. The combination of factors is straightforward: drivers carry known-quantity cannabis inventory plus cash change (in markets where cash delivery is still common), they follow predictable routes that can be identified from app tracking, and they’re typically alone.

High-profile robbery incidents against cannabis delivery drivers have occurred in California, Colorado, and Illinois. In several cases, attackers identified delivery drivers by watching dispensary parking lots, following them on their first stop, and robbing them en route to subsequent deliveries.

What effective driver safety programs include:

No fixed-schedule delivery routes: Vary the order of deliveries unpredictably. A driver who always does the east-side neighborhoods first, then loops west, creates a pattern that can be observed and exploited. Route algorithms should build in variation.

Randomized departure times: Attackers have observed dispensary delivery vehicle departures and timed robberies accordingly. Variable departure times—not on the hour, not predictably after opening—reduce this vulnerability.

Real-time GPS tracking visible to dispatch: Every delivery vehicle should have GPS tracking visible to a dispatcher in real time, not just logged after the fact. Tracking that only records history doesn’t help when a driver goes silent.

Duress codes and panic capabilities: Delivery apps used by some cannabis operations include silent duress features—a code that signals distress without alerting an attacker who may be watching the driver’s phone. Panic buttons that send GPS location and alert dispatch are increasingly standard in well-designed operations.

Driver communication protocols: Establish explicit check-in cadences. If a driver doesn’t confirm arrival at a delivery point within a reasonable window, dispatch initiates contact. If contact fails, a defined escalation follows. “We’ll figure it out if something goes wrong” is not a protocol.

Cash minimization: In markets where cashless payment is available, strongly incentivize it. Every cash transaction is a reason to carry cash. Every reason to carry cash increases robbery value. Same-day cash deposits rather than accumulated end-of-day totals reduce the maximum loss from any single incident.

Two-driver protocols for high-value routes: For deliveries of significant product value or in identified high-risk areas, require two drivers. The cost is justified by the risk reduction.

Background screening and behavioral monitoring: Insider-assisted robbery—where a driver tips off a third party about their route and cargo—is a documented risk. Background screening is table stakes; ongoing behavioral monitoring (watching for unusual route deviations, communications with suspended customers, abnormal delivery patterns) is the next level.
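The real-time tracking and check-in escalation items above can be reduced to a small dispatch-side rule. The sketch below is an added example, not code from any delivery platform; the thresholds, field names, and sample drivers are assumptions constructed for illustration.

```python
"""Dispatch watchdog: escalate when a driver misses a check-in or GPS goes silent."""
from datetime import datetime, timedelta

# Thresholds are assumptions for illustration; set them from your own protocol.
GPS_SILENCE = timedelta(minutes=3)     # no position fix for this long
ARRIVAL_GRACE = timedelta(minutes=10)  # past ETA with no arrival confirmation
CONTACT_WAIT = timedelta(minutes=5)    # dispatch contact attempt still unanswered


def at(hour, minute):
    """Helper for the constructed sample timestamps below."""
    return datetime(2026, 1, 15, hour, minute)


NOW = at(14, 30)
DRIVERS = {  # constructed sample state, as a dispatcher's system might hold it
    "driver-A": {"last_gps_fix": at(14, 29), "eta": at(14, 25),
                 "arrived_at": at(14, 24), "unanswered_contact_at": None},
    "driver-B": {"last_gps_fix": at(14, 29), "eta": at(14, 15),
                 "arrived_at": None, "unanswered_contact_at": None},
    "driver-C": {"last_gps_fix": at(14, 20), "eta": at(14, 10),
                 "arrived_at": None, "unanswered_contact_at": at(14, 22)},
}


def escalation_level(now, driver):
    """Return (level, reason): 0 = ok, 1 = dispatch contacts driver, 2 = escalate."""
    reasons = []
    if now - driver["last_gps_fix"] > GPS_SILENCE:
        reasons.append("GPS silent")
    if driver["arrived_at"] is None and now - driver["eta"] > ARRIVAL_GRACE:
        reasons.append("arrival not confirmed")
    if not reasons:
        return 0, "ok"
    contacted = driver["unanswered_contact_at"]
    if contacted is not None and now - contacted > CONTACT_WAIT:
        # Contact was tried and has gone unanswered too long: defined escalation.
        return 2, "; ".join(reasons) + "; contact attempt unanswered"
    return 1, "; ".join(reasons)


if __name__ == "__main__":
    for name, state in DRIVERS.items():
        print(name, escalation_level(NOW, state))
```

Run on a short timer against live state, the level-2 result is what should page a human; what that person then does is the escalation your protocol defines.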


Customer Data: What Delivery Collects and Where It Goes

Delivery operations collect a data set about customers that’s significantly richer than in-store purchases—and the security implications are proportionally larger.

A typical cannabis delivery transaction generates:

  • Full name and address (for delivery)
  • Date of birth
  • Government ID (photograph, in most state delivery verification frameworks)
  • Phone number
  • Purchase history with delivery address associated
  • GPS delivery timestamp (pinpointing where the customer was at a specific time)
  • Device identifiers from the delivery app
  • Photo of delivery confirmation (in some protocols)
  • IP address and location data from app use

The delivery address—combined with purchase history and timing data—is significantly more sensitive than in-store data. It reveals where someone lives or works, what they buy, and when they receive it. For medical cannabis patients, that’s genuinely protected health information. For recreational customers, it’s data that a surprisingly large number of people would prefer not to have in a database somewhere.

The third-party data exposure problem: Many cannabis delivery platforms route through third-party logistics software, mapping APIs, and analytics platforms. Each integration is a potential data exposure point. If your delivery platform is passing customer addresses to Google Maps API, that data may be subject to Google’s data retention and use policies—not just yours. If your analytics platform is logging delivery addresses as part of session tracking, that’s data you may not be aware you’re collecting.

Customer data on driver devices: When a driver’s phone contains the delivery manifest—including customer names, addresses, and photos of government IDs—that device is carrying sensitive data. What happens when a driver loses their phone? Is that data protected? Are devices encrypted? Is there remote wipe capability? Are personal phones used (bringing all the attendant security concerns of BYOD into a regulated environment)?

What best practices look like:

  • Delivery apps should display only the information the driver needs for the current delivery—not the full day’s customer list
  • Customer ID photographs should not persist on driver devices after delivery completion
  • All delivery app traffic should be encrypted in transit
  • Driver devices should be company-issued and MDM-enrolled, or the delivery platform should be browser-based with no local data caching
  • Delivery data should be retained only as long as required by state compliance rules, then deleted per your retention policy

Chain of Custody and METRC Compliance

Every state that requires seed-to-sale tracking requires delivery operations to maintain chain-of-custody documentation from the moment product leaves the facility to the moment it’s transferred to the customer. When chain of custody breaks—through driver error, tech failure, or deliberate tampering—you have a METRC discrepancy that regulators will ask you to explain.

Common chain-of-custody vulnerabilities in delivery operations:

Manual manifest errors: Drivers working from paper manifests or basic spreadsheets introduce human error into the compliance record. Products get attributed to the wrong transaction. Quantities get transcribed incorrectly. When these errors reach METRC, they require correction processes that create additional audit exposure.

Failed METRC sync during delivery: Most METRC integrations sync transfer completion when the driver marks delivery complete in the app. If the driver has poor cellular connectivity and the sync fails silently, the transfer shows as incomplete in METRC until someone manually resolves it. How often does your team check for failed syncs?

App-based delivery confirmation bypass: If a driver can mark a delivery complete without completing all required verification steps—customer ID check, product handoff confirmation—the compliance record doesn’t accurately reflect what happened. This can happen through app bugs, workarounds that developed because verification steps felt onerous, or deliberate falsification.

Undelivered product handling: Products that couldn’t be delivered (customer not home, ID verification failure, address not found) need to return to inventory with proper METRC documentation. Many operations have informal processes for this that create compliance gaps. Every returned product needs a documented return transfer in METRC.

Best practice delivery compliance stack:

  • Delivery app with mandatory ID scan verification at delivery point (not a checkbox—an actual scan)
  • Integrated METRC sync that logs success/failure for every transfer completion
  • Real-time failed sync alerts to a manager
  • Documented undelivered product return procedures with METRC transfer records
  • End-of-day reconciliation that matches manifest against METRC against physical returns
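The end-of-day reconciliation in the last bullet, combined with the failed-sync and ID-scan checks above it, can be expressed as a three-way comparison. This is an added example, not code from METRC or any delivery platform; the record layouts, field names, and sample data are assumptions constructed for illustration.

```python
"""Three-way end-of-day reconciliation: manifest vs. tracking record vs. returns."""

# Constructed sample data. Field names and values are assumptions for
# illustration, not the schema of METRC or of any delivery platform.
MANIFEST = {  # delivery_id -> package tag that left the facility
    "D-101": "PKG-A", "D-102": "PKG-B", "D-103": "PKG-C",
    "D-104": "PKG-D", "D-105": "PKG-E",
}
APP_EVENTS = {  # what the driver app recorded for each stop
    "D-101": {"status": "completed", "id_scan": True, "sync_ok": True},
    "D-102": {"status": "completed", "id_scan": True, "sync_ok": False},
    "D-103": {"status": "completed", "id_scan": False, "sync_ok": True},
    "D-104": {"status": "undelivered", "id_scan": False, "sync_ok": True},
    # D-105 left on the manifest but has no recorded outcome at all
}
TRACKING = {"D-101": "sale", "D-103": "sale"}  # export from the state system
RETURNED = {"PKG-D"}  # package tags physically counted back into inventory


def reconcile(manifest, app_events, tracking, returned):
    """Return a sorted list of (delivery_id, finding) discrepancies."""
    findings = []
    for did, tag in manifest.items():
        event = app_events.get(did)
        record = tracking.get(did)
        if event is None:
            findings.append((did, "no outcome recorded for manifested package"))
            continue
        if event["status"] == "completed":
            if not event["id_scan"]:
                findings.append((did, "completed without ID scan"))
            if not event["sync_ok"] or record != "sale":
                findings.append((did, "sale not confirmed in tracking system"))
            if tag in returned:
                findings.append((did, "marked delivered but package was returned"))
        else:  # undelivered: product must come back and be documented
            if tag not in returned:
                findings.append((did, "undelivered package not physically returned"))
            if record != "return":
                findings.append((did, "no return transfer in tracking system"))
    return sorted(findings)


if __name__ == "__main__":
    for did, finding in reconcile(MANIFEST, APP_EVENTS, TRACKING, RETURNED):
        print(f"{did}: {finding}")
```

An empty result is the only acceptable end-of-day state; each finding maps to one of the chain-of-custody vulnerabilities listed earlier in this section.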

Regulatory Requirements for Delivery in Your State

State delivery regulations vary significantly, and operators who deliver across county or city lines may face additional local requirements. Key items to verify for your jurisdiction:

Driver requirements: Most states require delivery drivers to maintain specific certifications, background check clearances, or employee badges. Some require additional training beyond standard dispensary staff.

Vehicle requirements: Many states specify that delivery vehicles must be unmarked (no cannabis branding), have locked cargo compartments, and in some cases carry specific GPS tracking hardware.

Product limits per vehicle: States often limit the value or quantity of cannabis products a single delivery vehicle can carry at one time. Exceeding this limit isn’t just a compliance violation—it increases the attractiveness of the vehicle as a robbery target.

Hours of operation: Delivery is often restricted to specific hours, with requirements that no deliveries begin or conclude outside those windows.

Customer verification requirements: Most states specify what verification is required at the customer’s door—state ID scan, age confirmation, sometimes a signature. The method matters; a photo of the ID retained on a company server has different data handling requirements than a scanned-at-point-of-delivery confirmation.

Manifest documentation: Paper vs. digital manifest requirements vary. Some states require physical manifests in the vehicle. Some accept digital. Some require specific fields. Know your state’s current requirements—they’ve changed in several jurisdictions over the past year.


The Insurance Gap

A gap that many cannabis delivery operations discover only after an incident: standard commercial auto insurance and general liability policies often exclude cannabis delivery. And cyber liability policies may exclude losses arising from theft of physical inventory combined with a data compromise.

Verify specifically:

  • Your commercial auto policy covers your drivers while carrying cannabis inventory
  • Your general liability policy covers customer incidents related to delivery
  • Your cyber liability policy covers data breaches involving delivery customer data
  • Your crime policy covers theft from delivery vehicles

If you’re using gig-economy style contract drivers rather than employees, the coverage gap is likely larger—contract drivers’ personal auto policies almost certainly don’t cover cannabis delivery, and your liability exposure for their vehicles is unclear.


Building a Delivery Security Program

A delivery security program isn’t a checklist—it’s an ongoing operational discipline. The starting point:

Map your current exposure: Walk through a complete delivery cycle from product staging through customer handoff to METRC sync confirmation. At each step, identify what could go wrong, what data is generated and where it goes, and what the compliance documentation requirement is.

Assess your driver safety protocols against actual incidents: Look at documented cannabis delivery robberies in your market over the past 18 months. What patterns do they show? What protocols would have reduced the risk or the loss?

Audit your delivery platform’s data practices: Get from your delivery software vendor a complete description of what data they collect, where they store it, who has access to it, and what their retention policy is. If they can’t provide this clearly, that’s a risk you need to address.

Test your METRC sync: Deliberately create a scenario where a sync should fail and verify your team catches it within the timeframe you expect. If no one would catch a failed sync for 48 hours, fix that process.

Review your driver device policy: Are drivers using personal phones? If so, you have no control over data security, no ability to remote-wipe after a loss, and potentially BYOD compliance problems. Company devices with MDM enrollment eliminate most of these risks.

The cannabis delivery channel is growing faster than most operators’ security programs can keep pace with. The next significant delivery-related incident in your market—robbery, data breach, METRC compliance failure—will likely hit an operation that built the channel fast and built the security slow.


CannaSecure conducts delivery security assessments for cannabis operators, covering driver safety protocols, data handling practices, and METRC compliance for delivery operations. Contact us to schedule a delivery security review.