Note: This is the first in a series of cannabis security features highlighting state regulations and licensing security requirements throughout the United States.
Conflicting standards coming from California’s three regulatory bodies make it confusing for cannabis operators eager to comply with licensing security requirements. Worse yet, the situation will not improve as expected in 2020.
In January, California Gov. Gavin Newsom announced plans to merge the state’s three cannabis regulatory agencies. Just five months later, the governor stepped away from plans to establish a single agency—the Department of Cannabis Control—to regulate cannabis operations.
While Gov. Newsom plans to forge ahead eventually, he states the COVID-19 pandemic requires delaying consolidation until 2021.
In the meantime, cannabis operators must navigate the Golden State’s complex rules and regulations about growing, distributing, and selling cannabis. Those seeking licensing must understand the regulations of the state’s three governing bodies and know when each body’s regulations come into play.
Each regulatory body carries its own area of purview:
- The California Department of Food and Agriculture (CDFA) oversees cultivators and does not require operators to submit a security plan to get a state license.
- The California Department of Health (CDPH) Manufactured Cannabis Safety Branch, however, sets security requirements for cannabis manufacturers. The California Code of Regulations outlines CDPH requirements, starting with §40200 Security (page 44).
- The Bureau of Cannabis Control (BCC), meanwhile, regulates commercial cannabis licenses for medical and adult-use cannabis. This organization licenses retailers, distributors, testing labs, micro-businesses, and temporary cannabis events.
Things get confusing when applicants apply for a BCC micro-business license to conduct three or more licensed activities in the same facility. An owner might manage a cultivation operation, a manufacturing operation, and a distribution operation under one roof. Though this business falls under BCC regulation, it also must follow CDPH and CDFA regulations because it is cultivating, manufacturing, and distributing cannabis.
Know the Rules
Most cannabis companies want to follow the rules. But too often applicants receive conflicting messages from regulatory bodies that interpret regulations differently. Though far from comprehensive, here is a summary of what each body requires:
CDPH: Requires cannabis manufacturers to develop and implement a written security plan addressing, at a minimum:
- Preventing access by unauthorized persons
- Protecting physical safety of employees
- Preventing theft or loss of cannabis products
- Securing and backing up electronic records
- Installing and operating a video surveillance system
BCC: To get a BCC license, applicants must submit a detailed facility diagram that shows boundaries, dimensions, entrances and exits, interior partitions, walls, rooms, windows, and doorways. The diagram must show the location of security cameras. The BCC also requires a description of activities carried out on-site.
CDFA: CalCannabis Cultivation Licensing, a division of the CDFA, licenses cultivators of medicinal and recreational cannabis and manages a track-and-trace system that records cannabis as it moves through the distribution chain.
Local Regs Matter Too When it Comes to Security
State regulatory agencies establish a limited security framework, then allow local jurisdictions to draft additional regulations. Letting locals regulate security further complicates compliance. The security required for cannabis operations varies from county to county and municipality to municipality.
The varied security regulations surrounding just surveillance cameras illustrates how complicated things can get. The state requires 1-megapixel cameras while some local regulations set the bar at 8 megapixels. Though the state requires less sophisticated (and less expensive) technology, businesses must meet local regulations.
Cities also require conditional use permits for properties used by cannabis operations. Some cities require operators to prove they own or have a competitive lease on the property. Other areas, like Contra Costa County, do not require the RFP to identify the location. These cities evaluate operators first, then approve a conditional use permit and a set timeframe to find a location.
Local task forces that regulate cannabis growers get little guidance from CDFA on security and are forced to adopt their own regulations. Since an agricultural environment is inherently complicated due to a lack of power and the internet, growers tend to have the lowest level of security amongst the different license types. Since agricultural environments are difficult to protect with extensive security, they become an easy target for thieves. Operators and security industry people are waiting to see what happens when this new entity (Department of Cannabis Control) that will regulate all license types takes over. Will the new regulatory body require a level of security necessary for cannabis farms?
Set Security SOPs
Licensing a cultivating, manufacturing, or distributing operation requires a security Standard Operating Procedure. The SOP covers how operators will build out a facility to keep employees, products, and the community safe. Every security SOP should consider:
- The alarms, access control, surveillance cameras, lighting, and perimeter security
- Record-keeping security processes
- Security personnel or armed guards
- Ingress and egress security
- Employee background screening processes and employee identification
- Securing limited access areas
Security Technology Considerations
Cannabis regulations will eventually come under the same regulatory umbrella. In the meantime, savvy cannabis operators will make sure their security technology meets the most stringent state and local requirements. A viable cannabis security program includes cameras, access control systems, and burglar alarms. Each technology is important.
Cameras: The State of California requires video surveillance wherever operations weigh, pack, store, load/unload, prepare or move cannabis goods, and in limited-access areas, security rooms, and areas housing a video storage device. The state also requires that cameras record access points, entrances, and exits, from both indoor and outdoor vantage points.
California also requires retailers to record point-of-sale areas and sales displays. Here, cameras must clearly record an individual’s facial features to help authorities determine identity after a crime.
In addition, security cameras must have a minimum camera resolution of 1280 x 720 pixels and be transmission control protocol (TCP) capable to access them via the Internet. Regulations require operators to permanently mount cameras in fixed locations and clearly record activity 24 hours a day and at a minimum of 15 frames per second (FPS).
California law mandates storing video footage for at least 90 days. The state also requires securing the video storage device to protect recordings from tampering or theft.
Access Control: California’s Code of Regulations mentions surveillance cameras, burglar alarms, and security guards, but says little about access control systems. The state requires walls separating limited access areas from common/exterior areas, commercial-grade locking doors, and access control policies.
Even if California regulations overlook access control technology, these systems play a critical role in a cannabis security plan. Access control systems manage access to sensitive areas; and protect the safety and compliance of cannabis products, intellectual property, confidential business information, and business assets. These systems keep intruders out and maintain an audit trail of all comings and goings.
While many access control technologies are available, biometric access control is increasingly popular and achievable. Using fingerprint and retina scans to gain access eliminates physical credential accounting and the potential for the loss, theft, or misappropriation of physical access credentials.
Burglar alarms: The law requires securing and protecting cannabis facilities with intrusion (burglar) alarms at entrances, exits, and around the perimeter. California also mandates that these systems include door and window contacts for break-ins, glass-break detectors to detect smashed windows, and motion detectors in case an intruder gets inside.
The BCC asks cannabis business applicants to provide the name, license number, address, phone number, and contact person for their chosen alarm company. The BCC also requires applicants to detail how often the alarm company will check and maintain the system. Applicants must describe the alarm system’s features, including whether it has motion detection sensors inside the premises. And, they must detail how they will respond to an alarm, and whether the system will notify law enforcement personnel.
Cracking the code on California cannabis law is complex and won’t get easier any time soon. Seeking the help of a regulatory expert helps operators navigate the conflicting standards coming from regulatory bodies and puts them on a path to compliance.
About the author: Patrick Chown is the owner and president of security system integrator, Safe and Sound Security which offers security system installation, cannabis security plans, and cannabis security consulting to cannabis companies nation-wide. For more information go to www.getsafeandsound.com/cannabis-security.
SECURACANN Note: In conjunction with SecurityInfoWatch.com and Security Technology Executive magazine, we invite you to participate in the SecuraCann Conference, the industry’s only security exclusive event. Designed to inform commercial growers, dispensary retailers, investors and integrators of innovative technology and solutions to mitigate risk and secure their cannabis operations. This virtual event will take place on October 14-15 will offer a focused look at security and risk issues and solutions, providing an opportunity for an educated decision-making process related to technology, policy and procedure, operations and more.