Cannabis Compliance: The Complete Operator's Guide
Last reviewed · By Chad Griffith
Cannabis compliance in the United States operates entirely at the state level — there is no federal regulator because cannabis remains a Schedule I controlled substance under federal law (21 USC 812). Each state operates its own Cannabis Regulatory Authority with its own rule set covering licensing, METRC track-and-trace reporting, lab testing, transport manifests, employee badging, security, and disposal. Multi-state operators must layer separate rule packs per state. This guide covers the operational compliance framework for state-legal cannabis businesses, with state-by-state references for the largest US markets.
📥 Free: METRC Reconciliation Worksheet + State-by-State Filing Calendar
Daily/weekly/monthly reconciliation routine, 12-state filing deadlines, COA retention by state, transport manifest template, recall plan template.
16-page PDF · Plus 7-email cannabis compliance refresher series · Unsubscribe anytime
Why Cannabis Compliance Is State-Only
Cannabis remains a Schedule I controlled substance under the Controlled Substances Act (21 USC 812). The DEA classifies Schedule I substances as having no currently accepted medical use and a high potential for abuse. As a result, there is no federal cannabis regulator and federal CFR rules do not apply to cannabis operations. State-legal cannabis programs operate entirely under state authority. The DEA proposed rescheduling cannabis to Schedule III in May 2024; the rule is in administrative review as of 2026. If finalized, rescheduling would not federalize cannabis regulation but would end 280E tax burdens on cannabis businesses.
State-by-State Cannabis Regulators
Every cannabis-legal state operates its own Cannabis Regulatory Authority (CRA) with its own rule set. Below are state-specific compliance pages with regulatory framework summaries.
| State | Regulator | Track-and-trace | Record retention |
|---|---|---|---|
| California | California Department of Cannabis Control (DCC) | METRC | 7 years (CCR Title 4 Section 15049) |
| Colorado | Colorado Marijuana Enforcement Division (MED) | METRC | 3 years (1 CCR 212-3) |
| Michigan | Michigan Cannabis Regulatory Agency (CRA) | METRC | 5 years minimum (R 420.501) |
| Massachusetts | Massachusetts Cannabis Control Commission (CCC) | METRC | 3+ years (CMR 935 500.105) |
| Nevada | Nevada Cannabis Compliance Board (CCB) | METRC | 5 years |
| New Jersey | New Jersey Cannabis Regulatory Commission (CRC) | METRC | 5+ years |
Cannabis Compliance Topics
- METRC Cannabis Tracking: Reporting Requirements, Deadlines, and Common Violations
- Cannabis Lab Testing & COA Requirements: State-by-State Panels and Action Limits
- Cannabis Transport Manifest Rules: Required Information, Common Violations, and Multi-State Considerations
- Cannabis Employee Badging: State Requirements, Background Checks, and Renewal Schedules
- Cannabis Security Camera Retention: 90-Day Storage Rules, Coverage Requirements, and Common Violations
- Cannabis Recall Procedures: Recall Plan Requirements, Classifications, and Notification Rules
The Cannabis Operational Compliance Stack
A licensed cannabis operator's compliance program must cover the following functional areas. Each state CRA publishes its own rule set per area; multi-state operators apply the most-stringent rule across the corpus.
- Licensing. State-issued business license, employee badges, owner disclosures, financial responsibility filings.
- Track-and-trace. METRC or state-equivalent system reporting every plant, package, transfer, conversion, and sale.
- Lab testing. ISO 17025-accredited labs running state-required panels (potency, microbials, pesticides, heavy metals, residual solvents).
- Transport. Manifests, vehicle securement, transport personnel badging, route documentation.
- Security. Vault storage, video surveillance with state-specified retention, alarm systems, access logs.
- Recall plan. Written plan covering classification, notification, recovery, disposal, and post-recall review.
- Tax compliance. State excise tax returns, 280E-compliant federal accounting, sales tax, local jurisdiction taxes.
- Recordkeeping. Document retention per state schedule (3-7 years typical), audit-ready packet for state CRA inspection.
Common Cannabis Compliance Violations
Across most state CRAs, the most-frequently cited violations include:
- Physical inventory discrepancies vs METRC records (most common across all states)
- Late or missed METRC event reporting
- Missing or incomplete transport manifest information
- Employee badging lapses (expired badges or unbadged employees)
- Video coverage gaps or retention failures
- Missing or stale recall plans
- Lab COA documentation gaps (failed retests not properly documented)
- Improper waste/destruction documentation
- Packaging or labeling non-conformance
- Advertising violations (state-specific restrictions)
Frequently Asked Questions
Is there a federal cannabis compliance regulator?
No. Cannabis remains a Schedule I controlled substance under the Controlled Substances Act (21 USC 812), making it federally illegal. There is no federal regulator analogous to FMCSA or OSHA for cannabis. Every state operates its own Cannabis Regulatory Authority (CRA) with its own rule set. Multi-state cannabis operators must layer separate compliance programs per state.
What states use METRC for cannabis tracking?
Approximately 20 US states and territories use METRC including California, Colorado, Maine, Maryland, Massachusetts, Michigan, Missouri, Montana, Nevada, Ohio, Oregon, plus several territories. Other states use BioTrack THC, custom state systems, or hybrid approaches. Always verify the current system on the state CRA's website.
What lab tests are required for cannabis?
Common required panels: cannabinoid potency, microbial contamination (E. coli, salmonella, total yeast/mold), pesticide residue (60+ pesticides with parts-per-billion action limits), heavy metals (lead, arsenic, cadmium, mercury), residual solvents (for extracts), water activity, and homogeneity (for edibles). Tests must be performed by ISO/IEC 17025-accredited labs licensed by the state.
How long must cannabis records be retained?
Retention varies by state. California requires 7-year retention of all cannabis transaction records (CCR Title 4 Section 15049). Colorado MED requires 3 years (1 CCR 212-3). Michigan CRA requires 5 years minimum (R 420.501). Multi-state operators typically retain to the longest-state retention to simplify operations.
Can cannabis cross state lines?
No. Federal law prohibits the interstate transport of cannabis under the Controlled Substances Act, regardless of whether both states have legal cannabis programs. Cannabis transport is strictly intrastate within each state's regulated market — even between two legal cannabis states.
Why does 280E matter for cannabis businesses?
Section 280E of the Internal Revenue Code disallows ordinary business deductions for businesses trafficking in Schedule I or II controlled substances. Because cannabis remains Schedule I, state-legal cannabis businesses cannot deduct ordinary expenses (rent, utilities, marketing, salaries beyond direct production). Only Cost of Goods Sold (COGS) is deductible. This produces effective federal tax rates of 60-80% on net income. The proposed DEA rescheduling to Schedule III would, if finalized, end 280E's application to cannabis.
What is the most-cited cannabis compliance violation?
Across most states, the most frequent citations are: physical inventory discrepancies vs METRC records, late event reporting, missing transport manifest information, employee badging lapses (expired badges or unbadged employees), video retention or coverage failures, and missing or incomplete recall plans. State CRAs publish enforcement summaries that show specific violation patterns by state.
What software supports cannabis compliance?
Cannabis compliance tooling includes: METRC integration platforms (Distru, Trym, Cova, Flowhub), inventory and POS systems with METRC sync, lab COA management, training and badging trackers, and document management with regulator-specific rule packs (FileFlo). Most multi-state operators use multiple specialized tools rather than a single platform.
Authoritative sources