Back to your Dashboard

COMMERCIAL CANNABIS HANDBOOK

Age Verification

According to the Center for Disease Control (CDC), cannabis use by minors increases the risk of mental health issues, impaired driving, and potential for addiction.

Where cannabis is legal, most jurisdictions require a minimum age for recreational use. Commercial cannabis businesses providing adult-use sales must have a written procedure to age-verify customers. The age verification procedures should be integrated into the risk management program, subject to approval by the commercial cannabis business’s board of directors or executive management. 

To increase the safety of the licensed cannabis market, the company must have an effective system of control to manage the sale of cannabis products to eligible customers. This system should include risk-based procedures for verifying the age of each customer to the extent reasonable and practicable. The procedures must enable the commercial cannabis business to form a reasonable belief that it knows the true age of each customer. At a minimum, the commercial cannabis business should require the: 

  1. Customer to present an unexpired government-issued identification evidencing the customer’s age.
  2. Authentication of the identification 
  3. Employee to match the customer to the identification

Risk Factor 

Failure to identify the proper age tends to stem from inadequate risk assessment, improper training of employees, or acceptance of identifications that the company cannot authenticate. For the company to identify and mitigate systemic failures, management should track and analyze failures to identify customers. The inability to consistently authenticate the presented ID and reject underage customers can lead to fines, penalties, and potential license revocation. 

Given the availability of counterfeit and fraudulently obtained documents, commercial cannabis businesses are encouraged to use multiple methods to form a reasonable belief that it knows the true age of the customer. The risk-based authentication of a government-issued identification should include an evaluation of mitigation techniques that use security features, document format, or digitized information.

Red Flags 

  • Assumption that the company is low risk without risk assessment analysis  
  • The company’s risk assessment analysis did not rate the authentication process by the channel (e.g. retail, online, delivery). 
  • Weak formal age verification training, procedures, and tools to authenticate identifications 
  • Age verification procedures do not require:
    • the customer to present an unexpired government-issued identification evidencing the customer’s age. 
    • authentication of the identification 
    • employees to match the customer to the identification 
    • The company cannot determine the Employees’ understanding of company Age Verification procedures.  
    • Lack of formal assurance on the age verification processes 

    Age Verification Risk Management 

    Risk mitigation for age verification falls into three key control activities: Risk Assessment, Control Activities, Training, Information and Communication, and Assurance. The following are a sample of risk mitigations that should be considered: 

    • Enhance the company’s risk assessment to consider age verification
      • by the types of channels services and products are offered
        • Online sales 
        • Delivery 
        • On-premise 
            • Types of identification accepted 
              • Federal 
              • States 
              • Foreign 
            • The operator’s size, location, and customer base 
            • Tools and technology that support your process 
                • Formalize age verification procedures to require the 
                  • Customer to present an unexpired government-issued identification evidencing the customer’s age 
                  • Authentication of the identification 
                  • Employee to match the customer to the identification 
                  • Train affected employees at onboarding and periodically on 
                    • The Age Verification procedure 
                    • Escalation expectations 
                    • Tools and technologies used to support the Age Verification procedure 
                  • Track process and report to affected managers the status of Age Verification process 
                    • Keep a record of the verifications that have occurred on a daily basis 
                    • Ensure the company assessed its responsibility to protect data when retaining information to prove compliance 
                    • Provide results that indicate the root cause of the issue 
                  • Conduct periodic monitoring and testing 
                    • Spot testing to determine that the team is following the process effectively 
                    • Ensure that process is appropriately resourced and is effective across channels and locations 
                                [getPrevNext]
                                Resources
                                Body of Knowledge
                                All Resources