USA Cannabis Compliance & Cybersecurity

State-by-State Cannabis Compliance & Security

Navigate the patchwork of US cannabis regulations — from HIPAA and biometric privacy laws to state-specific cybersecurity mandates. Protect patient data, secure seed-to-sale systems, and stay compliant across every jurisdiction you operate in.

✓ 24 Legal States Covered ✓ HIPAA + State Privacy Laws ✓ Updated for 2026

Why US Cannabis Compliance Is Uniquely Complex

Unlike any other US industry, cannabis businesses must navigate a maze of overlapping federal, state, and local regulations while operating in a federally illegal market that bars them from standard banking, insurance, and legal protections. The result: cannabis operators face more compliance obligations and fewer safety nets than virtually any other business sector.

With Schedule III rescheduling accelerating, new state privacy laws going live every quarter, and biometric lawsuits reaching billion-dollar settlement territory, your compliance posture is your survival strategy.

$5B+ in BIPA settlements (Illinois alone)
19 states with comprehensive privacy laws
24 Metrc-tracked states
30 days: shortest fixed state breach notification deadline (CO, FL)

PHI, ePHI & PHII: What Cannabis Businesses Must Know

If your cannabis business touches medical patients, you are likely handling Protected Health Information. Understanding the different categories of health data — and your legal obligations — is non-negotiable.

PHI — Protected Health Information

HIPAA Regulated

Any individually identifiable health information held by a covered entity or business associate. Includes patient names, medical marijuana card numbers, qualifying conditions, dosage recommendations, and purchase history tied to medical recommendations.

Cannabis-Specific Examples:

  • Medical marijuana patient registry data
  • Qualifying condition documentation (PTSD, chronic pain, epilepsy, etc.)
  • Physician recommendation letters and certifications
  • Patient purchase history at medical dispensaries
  • Dosage and strain recommendation records
  • Patient allergy and drug interaction notes

ePHI — Electronic Protected Health Information

HIPAA Security Rule

PHI stored, transmitted, or processed electronically. This is where the HIPAA Security Rule kicks in with specific technical, administrative, and physical safeguard requirements. Most cannabis patient data today is ePHI.

Where ePHI Lives in Cannabis Operations:

  • POS systems (Dutchie, Jane, Treez, Meadow)
  • Seed-to-sale platforms (Metrc, BioTrack, Leaf Data)
  • Patient verification systems and ID scanners
  • Online ordering and delivery apps
  • Employee drug-test results and health records (excluded from PHI when held by the employer as employment records, but still sensitive data under state privacy and breach laws)
  • Cloud-based dispensary management platforms

PHII — Personal Health Identifiable Information

State & Emerging Laws

"PHII" is not a statutory term; this page uses it as an umbrella for the broader categories in newer state privacy laws: "consumer health data" under the WA My Health My Data Act and health information treated as "sensitive personal information" under the CCPA/CPRA. These cover ANY health-related data, even outside HIPAA coverage, which catches cannabis businesses that thought they weren't "covered entities."

What This Catches for Cannabis:

  • Recreational purchase patterns suggesting medical use
  • Wellness and symptom data from intake forms
  • Consumer health preferences shared with budtenders
  • App usage data revealing health conditions
  • Loyalty program data linked to product categories (edibles for sleep, CBD for anxiety)
  • Delivery addresses correlated with medical facility proximity
Critical: Even recreational-only dispensaries may handle PHII under newer state laws. If a customer tells your budtender they're buying CBD for anxiety, that's health data under the WA My Health My Data Act, the CCPA's health data provisions, and similar emerging state frameworks.

Biometric Privacy: The $5 Billion Risk Cannabis Can't Ignore

Cannabis dispensaries are uniquely exposed to biometric privacy lawsuits. Age verification, employee time clocks, security cameras with facial recognition, and patient identification systems all collect biometric data — often without the legally required notice and consent.

Illinois BIPA

EXTREME RISK $1,000–$5,000 per violation

Private right of action. No proof of actual harm required. Over $5B in settlements. Liquidated damages of $1,000 per negligent violation and $5,000 per intentional or reckless violation. Since the August 2024 amendment (SB 2979), repeated collection of the same identifier from the same person by the same method counts as one violation rather than one per scan; a fingerprint clock or facial-recognition camera deployed without written consent still produces one violation per employee or customer, which aggregates into class-action exposure.

  • Written consent BEFORE first collection
  • Published data retention/destruction schedule
  • No sale of or profit from biometric data
  • Class action eligible, so liability aggregates across your whole workforce and customer base

Texas CUBI

HIGH RISK $25,000 per violation

AG enforcement. Covers biometric identifiers (retina or iris scan, fingerprint, voiceprint, record of hand or face geometry). Requires informed consent before capture, reasonable care in storage, and destruction within a reasonable time (no later than one year after the purpose for collection ends). No private right of action, but the AG is actively enforcing.

Washington HB 1493

HIGH RISK AG enforcement under the Consumer Protection Act

RCW 19.375 (HB 1493, 2017) requires notice and consent before enrolling biometric identifiers in a database for a commercial purpose and prohibits commercial use without consent. Combined with the My Health My Data Act, it creates one of the strictest biometric/health data frameworks in the US.

NYC Local Law 3

HIGH RISK $500–$5,000/violation

Applies to commercial establishments collecting biometric identifier information. Must post clear signage. Cannot sell, lease, or trade biometric data. Private right of action for NYC-based dispensaries.

Colorado CPA Biometrics

MODERATE RISK AG enforcement

CPA classifies biometric data as "sensitive data" requiring opt-in consent. HB 24-1130 (effective July 2025) adds BIPA-style notice, consent, and retention requirements for biometric identifiers that apply regardless of the CPA's volume thresholds, so they reach small businesses, cannabis included. Data protection assessments are required for biometric processing. AG enforcement with potential injunctive relief.

Emerging State Laws

GROWING RISK Varies

CT, VA, OR, MN, MT, and MD all have comprehensive privacy laws that include biometric data as sensitive data requiring heightened protections. More states are expected to pass BIPA-style laws. Cannabis businesses must track these developments.

Biometric Compliance Checklist for Cannabis Businesses

Cannabis Cybersecurity Requirements by State

Beyond privacy laws, most cannabis-legal states impose specific cybersecurity requirements as part of licensing. Failure to maintain adequate security can result in license revocation — the nuclear option for any cannabis business.

Seed-to-Sale Security

Metrc (24 states), BioTrack, and the remaining state-built systems (Washington's CCRS replaced Leaf Data Systems in 2021) contain your entire operational record. A compromise means regulatory catastrophe.

  • Multi-factor authentication on all tracking accounts
  • API key rotation every 90 days
  • Separate admin accounts per employee
  • Audit log monitoring for anomalous entries
  • Offline backup of tracking data
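The two controls above that are easiest to get wrong in practice are "separate accounts per employee" and "audit log monitoring for anomalous entries": most operators export the tracking system's history and never look at it. The following is an added example, not code from this page or from any tracking vendor. It runs a handful of detection rules over constructed audit entries in a hypothetical CSV layout (timestamp, user, source IP, action, package tag, quantity delta in grams); the store hours, the 200 g adjustment threshold, the trusted office subnet, and the "same user from two IPs within 10 minutes" window are all assumptions to tune for your operation, and the action names are illustrative rather than any vendor's real schema.

```python
"""Anomaly checks over exported seed-to-sale audit entries (added example).

The log format is hypothetical; adapt parse_entry() to your platform's export.
"""
import ipaddress
from datetime import datetime, time, timedelta

# Constructed sample: timestamp,user,source_ip,action,package_tag,delta_grams
SAMPLE_LOG = [
    "2026-01-12T09:14:02,jlee,10.20.1.15,PackageAdjust,1A4FF0100000022000000101,-12.0",
    "2026-01-12T09:20:41,jlee,10.20.1.15,TransferCreate,1A4FF0100000022000000102,0",
    "2026-01-12T23:48:17,jlee,203.0.113.9,PackageAdjust,1A4FF0100000022000000103,-850.0",
    "2026-01-13T10:05:30,mgr_shared,10.20.1.22,PackageAdjust,1A4FF0100000022000000104,-3.5",
    "2026-01-13T10:07:12,mgr_shared,10.20.1.31,PackageAdjust,1A4FF0100000022000000105,-4.0",
    "2026-01-13T14:30:00,rpatel,10.20.1.18,PackageFinish,1A4FF0100000022000000106,0",
]

# Assumptions: which actions change regulated inventory, when the store is open,
# how big an unexplained adjustment may be, and which networks staff work from.
WRITE_ACTIONS = {"PackageAdjust", "TransferCreate", "PackageFinish", "PlantDestroy"}
BUSINESS_HOURS = (time(8, 0), time(21, 0))
MAX_ADJUST_GRAMS = 200.0
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]
SHARED_USE_WINDOW = timedelta(minutes=10)


def parse_entry(line):
    """Parse one hypothetical CSV audit line into a dict."""
    ts, user, ip, action, tag, delta = line.strip().split(",")
    return {
        "ts": datetime.fromisoformat(ts),
        "user": user,
        "ip": ipaddress.ip_address(ip),
        "action": action,
        "tag": tag,
        "delta": float(delta),
    }


def detect(lines):
    """Return (rule, user, package_tag) findings for the given audit lines."""
    entries = sorted((parse_entry(line) for line in lines), key=lambda e: e["ts"])
    findings = []
    last_seen = {}  # user -> (timestamp, source ip) of the previous entry
    for e in entries:
        is_write = e["action"] in WRITE_ACTIONS
        in_hours = BUSINESS_HOURS[0] <= e["ts"].time() <= BUSINESS_HOURS[1]

        # Inventory changes outside store hours deserve a second look.
        if is_write and not in_hours:
            findings.append(("after_hours_write", e["user"], e["tag"]))

        # Large negative adjustments are the classic diversion signature.
        if e["action"] == "PackageAdjust" and abs(e["delta"]) > MAX_ADJUST_GRAMS:
            findings.append(("large_adjustment", e["user"], e["tag"]))

        # Writes from outside the office networks suggest a stolen session or key.
        if is_write and not any(e["ip"] in net for net in TRUSTED_NETS):
            findings.append(("untrusted_source_ip", e["user"], e["tag"]))

        # Same account active from two addresses within minutes: a shared login
        # (or a hijacked one) that breaks per-employee accountability.
        prev = last_seen.get(e["user"])
        if prev and prev[1] != e["ip"] and e["ts"] - prev[0] <= SHARED_USE_WINDOW:
            findings.append(("concurrent_ips", e["user"], e["tag"]))
        last_seen[e["user"]] = (e["ts"], e["ip"])
    return findings


if __name__ == "__main__":
    for rule, user, tag in detect(SAMPLE_LOG):
        print(f"{rule:20} user={user:12} package={tag}")
```

On the constructed sample this flags jlee's late-night 850 g adjustment from an outside address three times over (after hours, oversized, untrusted source) and the shared manager login used from two workstations two minutes apart. The point of the last rule is that a generic "mgr_shared" account makes the other findings unattributable; the page's "separate admin accounts per employee" control is what makes the audit trail worth monitoring at all.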

POS & Payment Security

Cannabis POS systems handle payment data, patient data, and inventory data simultaneously. A single breach can trigger multi-vector compliance failures.

  • PCI DSS compliance for card processing
  • End-to-end encryption for payment data
  • Network segmentation — POS on separate VLAN
  • Regular vulnerability scanning
  • Vendor security assessments (SOC 2, ISO 27001)

Surveillance & Physical Security

Every cannabis state requires video surveillance. These systems are increasingly IP-based and internet-connected — creating cybersecurity attack surfaces.

  • Camera system on isolated network segment
  • Default credentials changed on all NVRs/DVRs
  • Firmware updates within 30 days of release
  • Video retention per state requirements (from a 72-hour minimum in some states up to 4 years in Pennsylvania)
  • Access controls on footage viewing and export

Employee & Access Controls

Cannabis businesses face unique insider threat risks due to the high value of product and data, combined with industry-specific workforce challenges.

  • Background checks per state licensing requirements
  • Role-based access control (RBAC) for all systems
  • Immediate access revocation on termination
  • Security awareness training (phishing, social engineering)
  • Incident reporting procedures for all staff

Network & Infrastructure

Cannabis dispensaries typically run complex networks: POS, surveillance, IoT sensors (climate control), guest WiFi, and corporate systems. Each needs isolation.

  • Network segmentation (minimum 4 VLANs)
  • Enterprise-grade firewall (not consumer router)
  • DNS filtering and content inspection
  • VPN for all remote access and multi-site connectivity
  • Wireless intrusion detection
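The "each needs isolation" requirement above, together with the surveillance rule that cameras sit on their own segment, is easy to state and easy to break with one over-broad firewall rule. The block below is an added example, not part of this page or of any firewall product: it models a five-VLAN dispensary layout with a first-match ruleset and audits it for flows that must stay blocked. The VLAN names and subnets, the NVR and payment-gateway addresses, and the port choices are assumptions. The draft ruleset contains a realistic mistake (an "allow corporate to the internet" rule written as 0.0.0.0/0, which also matches every private subnet); the audit catches it, and the fixed ruleset shows the correction.

```python
"""First-match segmentation policy audit for a dispensary network (added example).

All addresses are constructed; the rule model is generic, not any vendor's syntax.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

SEGMENTS = {
    "POS": ipaddress.ip_network("10.10.10.0/24"),
    "CAMERAS": ipaddress.ip_network("10.10.20.0/24"),
    "IOT": ipaddress.ip_network("10.10.30.0/24"),
    "GUEST_WIFI": ipaddress.ip_network("10.10.40.0/24"),
    "CORP": ipaddress.ip_network("10.10.50.0/24"),
}
NVR = ipaddress.ip_network("10.10.20.10/32")            # assumed recorder, on the camera VLAN
PAYMENT_GW = ipaddress.ip_network("198.51.100.20/32")   # assumed processor endpoint (TEST-NET-2)
PRIVATE = ipaddress.ip_network("10.0.0.0/8")
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]  # None matches any port
    action: str           # "allow" or "deny"


# Draft ruleset: the CORP -> ANY rule is the bug (ANY includes the other VLANs).
RULES_DRAFT = [
    Rule(SEGMENTS["POS"], PAYMENT_GW, 443, "allow"),    # POS talks only to the processor
    Rule(SEGMENTS["CAMERAS"], NVR, 554, "allow"),       # RTSP to the recorder, nothing else
    Rule(SEGMENTS["CORP"], NVR, 443, "allow"),          # footage review from corporate
    Rule(SEGMENTS["GUEST_WIFI"], PRIVATE, None, "deny"),
    Rule(SEGMENTS["GUEST_WIFI"], ANY, None, "allow"),
    Rule(SEGMENTS["CORP"], ANY, 443, "allow"),
    Rule(ANY, ANY, None, "deny"),                       # default deny
]

# Fixed ruleset: block CORP -> private space before granting CORP internet egress.
RULES_FIXED = RULES_DRAFT[:3] + [Rule(SEGMENTS["CORP"], PRIVATE, None, "deny")] + RULES_DRAFT[3:]

# What the design intends: only corporate may cross into the camera VLAN (for the NVR),
# and only guest Wi-Fi and corporate get general internet access.
ALLOWED_CROSS_SEGMENT = {("CORP", "CAMERAS")}
ALLOWED_INTERNET = {"GUEST_WIFI", "CORP"}
INTERNET_PROBE = "203.0.113.50"  # constructed external host (TEST-NET-3)


def evaluate(rules, src_ip, dst_ip, dport):
    """First matching rule wins; anything unmatched is denied."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if src in r.src and dst in r.dst and (r.dport is None or r.dport == dport):
            return r.action
    return "deny"


def audit(rules):
    """Return the flows the ruleset permits that the segmentation design forbids."""
    violations = []
    for s_name, s_net in SEGMENTS.items():
        src = str(s_net[5])  # representative host in the source VLAN
        for d_name, d_net in SEGMENTS.items():
            if s_name == d_name:
                continue
            dst = str(d_net[10])  # host .10 (the NVR in the camera VLAN)
            if evaluate(rules, src, dst, 443) == "allow" and (s_name, d_name) not in ALLOWED_CROSS_SEGMENT:
                violations.append(f"{s_name} -> {d_name}")
        if evaluate(rules, src, INTERNET_PROBE, 443) == "allow" and s_name not in ALLOWED_INTERNET:
            violations.append(f"{s_name} -> internet")
    # Segmentation must not break the one flow POS genuinely needs.
    if evaluate(rules, str(SEGMENTS["POS"][5]), "198.51.100.20", 443) != "allow":
        violations.append("POS -> payment gateway blocked")
    return violations


if __name__ == "__main__":
    print("draft:", audit(RULES_DRAFT))
    print("fixed:", audit(RULES_FIXED))
```

Running it shows the draft letting corporate workstations reach the POS, IoT, and guest VLANs on port 443 (one phished laptop away from the payment network) while the fixed ruleset reports no violations. The same probe-every-pair approach works against a real firewall by replacing evaluate() with a lookup in the device's exported ruleset, and it is the kind of evidence a regulator's security plan review or a PCI assessor will ask for.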

Incident Response

When (not if) a breach occurs, cannabis businesses face compressed timelines: state breach notification deadlines, regulatory reporting requirements, and potential license jeopardy.

  • Written incident response plan (state-specific)
  • Breach notification procedures (30 to 60 days depending on state, with the clock starting at discovery)
  • Regulatory notification (cannabis commission + AG)
  • Forensic investigation capability or retainer
  • Crisis communication plan for patients/customers

State-by-State Compliance Guide

Detailed compliance profiles for the 20 most significant cannabis markets. Each profile covers privacy laws, cybersecurity requirements, biometric rules, and cannabis-specific regulations.

TX

Texas

Medical

CUBI covers biometric identifiers with consent requirements. TDPSA (2024) adds consumer rights and data protection obligations. Limited medical cannabis (Compassionate Use) but strict patient privacy protections. AG enforcement — no private right of action for TDPSA.

Key Laws & Regulations:

  • CUBI (Capture or Use of Biometric Identifier Act)
  • TDPSA (Texas Data Privacy & Security Act)
  • Compassionate Use Act
FL

Florida

Medical

FIPA requires breach notification within 30 days. Medical marijuana patient registry data is confidential under state law. No comprehensive privacy act yet, but strong breach notification requirements. Patient qualifying condition data is PHI under HIPAA when held by a covered entity or business associate.

Key Laws & Regulations:

  • FIPA (Florida Information Protection Act)
  • Medical marijuana patient registry
  • Amendment 3 (2024 recreational ballot)
MI

Michigan

Adult-Use

CRA (Cannabis Regulatory Agency, formerly the Marihuana Regulatory Agency) requires detailed security plans including cybersecurity. Metrc integration mandatory. Patient data protected under HIPAA where the licensee is a covered entity or business associate. No state-level biometric privacy law, but legislation is pending. Video surveillance retention requirements (72 hours minimum).

Key Laws & Regulations:

  • Michigan Consumer Protection Act
  • Cannabis Regulatory Agency (CRA) rules
  • HIPAA (patient data)
  • Metrc tracking
MA

Massachusetts

Adult-Use

One of the strongest state data security laws — 201 CMR 17.00 mandates comprehensive written information security programs (WISP). Cannabis Control Commission requires detailed security plans, 90-day video retention, seed-to-sale tracking.

Key Laws & Regulations:

  • 201 CMR 17.00 (data security regulation)
  • CCC security requirements
  • HIPAA
  • MA right to privacy (Art. 14)
OR

Oregon

Adult-Use

OCPA effective July 2024 — consent requirements for sensitive data including health data. Cannabis businesses must maintain security systems per OLCC. PHI from medical program subject to both state and federal protections. CTS (Cannabis Tracking System) records must be maintained.

Key Laws & Regulations:

  • Oregon Consumer Privacy Act (OCPA)
  • Oregon Consumer Identity Theft Protection Act
  • OLCC/ODA cannabis rules
  • Metrc
WA

Washington

Adult-Use

My Health My Data Act (effective 2024) is the broadest US health data privacy law: it covers ALL consumer health data, not just HIPAA-covered entities, and carries a private right of action through the Consumer Protection Act. Cannabis businesses handling any health-related customer data are directly in scope. Biometric consent required under RCW 19.375 (HB 1493). Track-and-trace reporting goes to the WSLCB's CCRS, which replaced Leaf Data Systems in 2021.

Key Laws & Regulations:

  • My Health My Data Act
  • WA biometric identifiers (RCW 19.375 / HB 1493)
  • WSLCB cannabis rules
  • CCRS (Cannabis Central Reporting System)
AZ

Arizona

Adult-Use

Breach notification within 45 days. Medical cannabis patient data is confidential. ADHS requires security plans for dispensaries. Metrc integration mandatory since 2021. No comprehensive privacy act but AG enforcement for unfair data practices.

Key Laws & Regulations:

  • AZ data breach notification law
  • ADHS medical marijuana rules
  • Metrc tracking
NJ

New Jersey

Adult-Use

CRC requires extensive security measures including video surveillance, alarm systems, and cybersecurity protocols. Patient data under medical program protected by HIPAA. Breach notification required. Pending comprehensive privacy legislation.

Key Laws & Regulations:

  • NJ Consumer Fraud Act
  • NJ Identity Theft Protection Act
  • CREAMMA (cannabis regulation)
  • HIPAA
MD

Maryland

Adult-Use

Maryland Online Data Privacy Act (effective October 2025) adds consumer rights and data protection obligations. The Maryland Cannabis Administration (MCA, successor to the MMCC) requires security plans and incident reporting. Metrc tracking mandatory. Patient data HIPAA-protected where the licensee is a covered entity or business associate. 45-day breach notification.

Key Laws & Regulations:

  • PIPA (Personal Information Protection Act)
  • Maryland Online Data Privacy Act
  • Metrc
  • MCA rules
MT

Montana

Adult-Use

One of few states with a constitutional privacy right. Consumer Data Privacy Act (effective 2024) covers sensitive data including health data. Cannabis businesses must maintain security plans. Seed-to-sale tracking required. The program is regulated by the Department of Revenue's Cannabis Control Division, which took over from DPHHS in 2022.

Key Laws & Regulations:

  • Montana Consumer Data Privacy Act
  • Constitutional right to privacy
  • MT Department of Revenue Cannabis Control Division rules
CT

Connecticut

Adult-Use

CTDPA effective July 2023 — consent for sensitive data processing, data protection assessments required. Cannabis businesses processing health/biometric data must conduct assessments. 60-day breach notification.

Key Laws & Regulations:

  • CTDPA (Connecticut Data Privacy Act)
  • CT breach notification
  • DCP cannabis rules
VA

Virginia

Adult-Use

VCDPA was the second comprehensive US privacy law. Sensitive data (including health data) requires consent. Cannabis businesses must implement reasonable security practices. AG enforcement only.

Key Laws & Regulations:

  • VCDPA (Virginia Consumer Data Protection Act)
  • VA breach notification
  • CCA cannabis rules
OH

Ohio

Adult-Use

Ohio Data Protection Act provides an affirmative defense to data breach tort claims if you maintain a written cybersecurity program that reasonably conforms to NIST CSF, NIST SP 800-53/800-171, ISO 27001, CIS Controls, or a similar recognized framework. Metrc tracking mandatory. Medical patient data HIPAA-protected where the licensee is a covered entity or business associate.

Key Laws & Regulations:

  • Ohio breach notification
  • DCC (Division of Cannabis Control) rules
  • Metrc
  • Ohio Data Protection Act safe harbor
PA

Pennsylvania

Medical

Medical only. DOH requires detailed security plans including cybersecurity measures. Patient data is HIPAA-protected PHI. Seed-to-sale tracking via state system. Video surveillance 4-year retention. Pending recreational legislation.

Key Laws & Regulations:

  • PA Breach of Personal Information Notification Act
  • DOH medical marijuana rules
  • MJ Freeway/BioTrack
MN

Minnesota

Adult-Use

Minnesota Consumer Data Privacy Act (enacted 2024, effective July 31, 2025) with strong biometric and health data protections. Cannabis businesses must comply with data minimization and purpose limitation. Newly regulated recreational market with evolving compliance requirements.

Key Laws & Regulations:

  • Minnesota Consumer Data Privacy Act
  • MN Government Data Practices Act
  • Office of Cannabis Management (OCM) rules
MO

Missouri

Adult-Use

Constitutional privacy protections. Metrc tracking mandatory. DHSS requires comprehensive security plans. Breach notification required. Medical patient data HIPAA-protected. No comprehensive privacy act but strong constitutional foundation.

Key Laws & Regulations:

  • MO breach notification
  • DHSS cannabis rules
  • Metrc
  • MO right to privacy (Constitution)

Schedule III Rescheduling: The Compliance Tsunami Coming

Federal rescheduling from Schedule I to Schedule III doesn't simplify compliance — it dramatically complicates it. Cannabis businesses will face the full weight of federal regulatory frameworks they've never dealt with before.

HIPAA May Become Mandatory

Schedule III status by itself does not make a business a HIPAA covered entity; that turns on whether you are a health care provider, health plan, or clearinghouse that transmits health information electronically in connection with a HIPAA standard transaction (for example, billing an insurer), or a business associate of one. Rescheduling makes those conditions far more likely: pharmacy-style dispensing, insurance reimbursement, and physician integration would pull cannabis businesses handling patient data into the full HIPAA Privacy Rule, Security Rule, and Breach Notification Rule.

What to do now: Begin HIPAA gap assessment. Map all patient data flows. Identify business associate relationships.

FDA Oversight & GMP

FDA regulation means Current Good Manufacturing Practice (cGMP) requirements including data integrity controls (21 CFR Part 11), electronic records authentication, and audit trail requirements for all production data.

What to do now: Inventory all electronic records systems. Implement audit trails. Prepare for FDA inspection readiness.

DEA & CSA Compliance

DEA registration requirements for manufacturers, distributors, and dispensers of Schedule III substances. Includes strict recordkeeping, inventory controls, and security requirements under 21 CFR Parts 1301–1321.

What to do now: Review DEA registration requirements. Assess physical security against DEA standards.

Banking & Financial Compliance

Federal banking access means BSA/AML compliance, SAR filing requirements shift, and FinCEN guidance changes. Your financial data systems must meet banking-grade security standards.

What to do now: Prepare financial systems for banking integration. Review BSA/AML compliance requirements.

Interstate Commerce Data

Legal interstate commerce means cross-state data flows, multi-jurisdiction privacy compliance, and the need to reconcile conflicting state privacy laws across your operational footprint.

What to do now: Map data flows across state lines. Identify conflicting state requirements. Build a multi-state compliance matrix.

Federal Cybersecurity Standards

Access to federal contracting (VA, DoD medical) requires NIST 800-171 compliance. FTC enforcement becomes more direct. Federal breach reporting under CIRCIA may apply to critical infrastructure-adjacent operations.

What to do now: Baseline against NIST CSF 2.0. Document your current security posture.

Recommended Compliance Frameworks

No single framework covers all cannabis compliance needs. We recommend a layered approach combining industry-standard cybersecurity frameworks with cannabis-specific requirements.

NIST

NIST Cybersecurity Framework 2.0

The gold standard for cybersecurity risk management. Covers Identify, Protect, Detect, Respond, Recover, and the new Govern function. Ohio's Data Protection Act provides safe harbor for NIST-aligned programs.

HIPAA

HIPAA Security Rule

Mandatory for any medical cannabis operation that is a HIPAA covered entity or business associate, and the sensible baseline for every operation that holds patient data. 45 CFR Parts 160 and 164. Administrative, physical, and technical safeguards. Risk analysis, access controls, audit controls, transmission security, and integrity controls.

SOC2

SOC 2 Type II

Demonstrate trust to partners, investors, and regulators. Cannabis tech vendors and MSOs increasingly require SOC 2 reports. Covers security, availability, processing integrity, confidentiality, and privacy.

CIS

CIS Controls v8

Practical, prioritized cybersecurity actions. Implementation Group 1 (IG1) is achievable for single-location dispensaries. IG2 for multi-state operators. Maps to NIST CSF for comprehensive coverage.

Frequently Asked Questions

Does HIPAA apply to my recreational dispensary?

Currently, HIPAA only applies if you're a covered entity (a healthcare provider, health plan, or clearinghouse that conducts HIPAA standard electronic transactions such as insurance billing) or a business associate of one. Most recreational-only dispensaries are NOT covered entities under current law. However, if you also hold a medical license, your medical operations may be covered, and state laws such as the WA My Health My Data Act reach your health-related data regardless. Post-Schedule III rescheduling, cannabis businesses handling patient data are likely to become covered. Start preparing now.

What's the difference between BIPA and other biometric laws?

Illinois BIPA is unique because it provides a private right of action (individuals can sue you directly) and doesn't require proof of harm. Most other state biometric laws (TX CUBI, WA HB 1493) only allow AG enforcement. This makes BIPA exponentially more dangerous — class action attorneys actively target businesses with biometric collection. If you operate in Illinois, BIPA compliance is your #1 biometric priority.

Do I need a WISP (Written Information Security Program)?

Massachusetts (201 CMR 17.00) legally requires a WISP for any business holding personal information of MA residents. Several other states effectively require one through the "reasonable security" duties in their comprehensive privacy laws. Even where not legally mandated, a WISP is strongly recommended: Ohio's Data Protection Act provides an affirmative defense to data breach tort claims for businesses whose written cybersecurity program reasonably conforms to a recognized framework such as NIST CSF or CIS Controls.

How does Schedule III rescheduling affect my compliance obligations?

Schedule III rescheduling can trigger federal oversight including HIPAA (for patient data, once you meet the covered entity or business associate definition), FDA cGMP requirements (for production), DEA registration (for handling), and potentially NIST compliance (for federal contracts). It does NOT preempt state cannabis laws or state privacy laws; you'll need to comply with both. Begin your HIPAA gap assessment now.

What's the fastest state breach notification deadline?

Colorado requires notification "in the most expedient time possible and without unreasonable delay" and no later than 30 days after determining a breach occurred. Florida (FIPA) also requires 30 days. States that set a fixed deadline generally allow 30 to 60 days (Arizona and Maryland 45, Connecticut 60); many others specify only "without unreasonable delay." Federal HIPAA requires individual notice within 60 days of discovery for every breach, plus notice to HHS within 60 days for breaches affecting 500 or more individuals (smaller breaches are logged and reported annually). Always follow the shortest deadline applicable to your situation: if you operate in multiple states, your notification timeline is your most aggressive state's deadline.

My POS vendor says they're "HIPAA compliant" — am I covered?

No. Your vendor's compliance doesn't transfer to you. You need a Business Associate Agreement (BAA) with every vendor that touches PHI/ePHI. You also need your own HIPAA policies, risk assessments, and training. Verify vendor claims — ask for their SOC 2 report, penetration test results, and HIPAA attestation. Many cannabis POS vendors claim compliance without independent verification.

Do ID scanners at my dispensary collect biometric data?

It depends on the scanner. Simple barcode/magnetic stripe readers that only capture text data (name, DOB, address) do NOT collect biometric data. However, scanners with facial recognition, retina scanning, or fingerprint verification DO collect biometric data and are subject to BIPA/biometric laws. Some "advanced age verification" systems use facial geometry — check your vendor's technical specifications carefully.

I operate in multiple states. Which privacy law controls?

All of them, subject to each law's applicability thresholds. Unlike federal preemption in many industries, state privacy laws generally apply based on the consumer's or patient's location, not yours. If you have customers in California, Illinois, and Colorado, you must comply with the CCPA, BIPA, and the CPA respectively (BIPA reaches collection that occurs in Illinois; the CCPA and CPA apply once you cross their revenue or consumer-count thresholds, though Colorado's 2025 biometric amendments apply regardless). Multi-state operators (MSOs) need a compliance matrix mapping each state's requirements and should default to the strictest standard across their footprint.

Don't Wait for a Breach to Get Compliant

Join cannabis operators across 24 states who are building compliance-first security programs. Get state-specific guidance, breach notification templates, and expert analysis delivered to your inbox.