Cannabis IT compliance
requirements by state.
Every legal state mandates specific IT infrastructure for cannabis businesses — surveillance systems, access control, tracking integrations, and data retention. Here's what you need to know. This guide is for informational purposes only and does not constitute legal advice. Requirements change frequently — always verify with your state regulatory agency and legal counsel before making compliance decisions.
Surveillance & Video Storage
Every legal cannabis state requires video surveillance. The differences are in resolution, coverage, and — critically — how long you must retain the footage. This directly determines your NVRNetwork Video Recorder — server storing surveillance footage. storage sizing, backup strategy, and infrastructure costs.
| State | Retention | Resolution | Tracking System |
|---|---|---|---|
| California | 90 days | Clearly identify individuals | METRCMarijuana Enforcement Tracking Reporting Compliance — state-mandated seed-to-sale tracking used in 28+ U.S. states. |
| Colorado | 40 days | Identify activity on premises | METRC |
| Michigan | 30 days | 720p minimum | METRC |
| Illinois | 90 days | 1080p recommended | BioTrack (transitioning to Metrc) |
| Massachusetts | 90 days | Identify individuals | METRC |
| Pennsylvania | 4 years | 1080p | MJ Freeway (legacy — now under Alleaves) |
| Washington | 45 days | Identify individuals | CCRS |
| New York | 60 days | Clearly identify activity | METRC |
| New York | 60 days | Clearly identify activity | METRC (transitioning from BioTrack) |
| Oregon | 90 days | Clearly identify individuals | METRC |
| Nevada | 30 days | Identify individuals | METRC |
| Arizona | 72 hours (medical) / varies | Clearly identify | No state-mandated system |
| New Jersey | 30 days | Identify individuals | METRC |
| Maryland | 30 days | Identify individuals | METRC |
| Missouri | 60 days | Identify individuals | METRC |
| Ohio | 30 days | 720p minimum | METRC |
| Connecticut | 30 days | Identify individuals | BioTrack (transitioning to Metrc) |
| Minnesota | 90 days | Clearly identify | METRC |
| Virginia | 30 days | Identify individuals | METRC |
| Florida | 45 days | Identify individuals clearly | BioTrack (transitioning to Metrc) |
This covers the major adult-use and medical markets. Requirements vary by license type and municipality. Contact us for a complete assessment of your state's specific mandates.
Access Control Requirements
Nearly all states require electronic access control for limited-access areas where cannabis is stored, processed, or handled. Common requirements include employee badge systems with photo ID, visitor management with sign-in/sign-out logging, immediate badge deactivation upon employee termination, and access logs maintained for 3+ years. Some states (California, Illinois) mandate or strongly recommend biometric access for vault and storage areas.
Seed-to-Sale Tracking
METRC operates in 29 states and territories, serving over 300,000 users and 39,000+ licensed operators. BioTrack covers approximately 9 additional states. Your IT infrastructure must support reliable API connectivity to your state's tracking system, backup internet (cellular failover) for continuous reporting, offline data capture capability during system outages, and RFIDRadio-Frequency Identification — wireless tags on cannabis packages for automatic supply chain tracking./barcode scanning hardware for package tag management. METRC outages are a documented operational risk — California has experienced outages lasting up to 9 hours, and Maryland outages forced emergency sales exceptions five times in two weeks.
Data Protection & Privacy
Illinois leads in explicit cybersecurity mandates, requiring HIPAA compliance (45 CFR 164) for medical cannabis dispensaries, encryption at rest and in transit, multi-factor authentication, separated networks, and industry-standard firewalls. Violations carry $10,000 per citation penalties. California applies CCPA/CPRA to cannabis customer data, with statutory damages of $100–$750 per consumer per incident for data breaches. Massachusetts requires annual third-party security audits for cannabis licensees.
Need help with compliance?
Book a free assessment. We'll audit your operation against your state's specific requirements and identify every gap — before an inspector does.
Book Free Assessment →