Cannabis Dispensary Security: What Your State License Actually Requires

Why cannabis security is regulated differently

Two facts shape every dispensary security plan. The first is the license: cannabis is one of the most heavily regulated retail categories in the country, and the state controls the surveillance spec the way it controls seed-to-sale tracking in METRC or BioTrack. The second is cash. Because cannabis remains federally illegal, most operators are shut out of conventional banking and run a cash-heavy business. That combination, a regulated product plus stacks of cash on site, is what makes a dispensary a target, and why the state insists on continuous, verifiable surveillance.

The practical effect is that your camera system is not just loss prevention. It is the evidence record a regulator audits, the documentation an insurer expects, and the footage law enforcement requests after an incident. It has to satisfy all three. This is the licensed-industry pattern we cover across sectors in security camera compliance by industry: the more heavily an industry is licensed, the more prescriptive its camera rules become.

The retention rule is the one that catches operators

Almost every operator gets the cameras up. The requirement that trips people is how long the footage has to be kept, in what format, and how securely. Retention windows vary by state, and the storage has to be tamper-resistant and time-synced, not just a recorder in a back room.

• California (DCC, 4 CCR § 15044): minimum 90-day retention, 24/7 recording, a minimum 1280x720 resolution at 15 frames per second, timestamps synced to NIST, and media secured against tampering or theft.
• New York (OCM, 9 NYCRR § 125.3): minimum 60-day retention, 24/7 coverage, surveillance and alarms that stay operational for at least eight hours during a power outage, and equipment tested at least every 30 days with test records kept for five years.
• Colorado (MED): minimum 40-day retention, 24/7 recording in limited-access and critical areas, stored offsite or in cloud-based storage and archived in a tamper-evident, authenticatable format.

These are minimums, and they are not the whole rule book. The reliable approach is to design to the longest and strictest requirement that applies to your license and location, then confirm the current text with the agency before you finalize the system. Rules change, and footage you cannot produce on demand is a violation even when nothing went wrong.

What the cameras actually have to cover

Coverage maps are prescriptive. States generally require an unobstructed, recorded view of every point where cannabis or cash moves or is stored. Across California, New York, and Colorado, that consistently includes all points of entry and exit, point-of-sale and cash-handling areas, safes, vaults, and secured product storage, and areas where product is weighed, packaged, or destroyed. New York extends coverage to the entire parking lot.

The cameras also have to produce usable images, not just blinking lights. Rules specify minimum resolution, continuous frame rates, clear low-light performance, and embedded date and time stamps so footage holds up in an audit or investigation. A camera that technically records but cannot identify a face at the register does not meet the standard.

The plan is more than cameras

State security requirements reach past video into the rest of the system. Depending on the jurisdiction, a compliant dispensary also needs commercial-grade intrusion alarms monitoring entry points and storage, access control on limited-access areas with logs of who entered restricted spaces and when, backup power so surveillance and alarms keep running through an outage, and documented testing and recordkeeping that in some states must be retained for years.

Each of these is a place an otherwise-ready dispensary fails inspection. The license treats security as one integrated program, so the components have to work together and be documented, not bought piecemeal.

The cash problem nobody designs around

Because banking access is limited, dispensaries hold and move far more cash than a comparable retailer, and that changes the threat model. Researchers at the Wharton School have estimated that a thief leaving a cannabis robbery or burglary takes roughly $20,000 to $50,000 per incident, a haul that draws organized, repeat attempts rather than opportunistic shoplifting.

Designing for that reality means cameras positioned for prosecutable identification at the register and the safe, alarmed and access-controlled cash rooms, and surveillance that someone is actually watching or that triggers a real-time response, not footage reviewed after the money is gone. Compliance is the floor here. The cash exposure is the reason to build above it.

Build it before you open, not after

Timing matters as much as the spec. A cannabis security system is something you need in place to pass inspection and open, which means the work belongs in the pre-opening buildout, alongside the lease and the license. Operators who treat surveillance as a later upgrade discover that a non-compliant system delays the opening they have already spent heavily to reach. The window to get it right is the stretch between license issuance and opening day, when the buildout is already underway and the security plan can be designed into the space rather than bolted on.

Most single-location operators do not have in-house IT or security staff to navigate this, and they should not have to. Reading the regulation, mapping coverage, specifying compliant hardware, wiring it into alarms and access control, and producing the documentation an inspector wants is exactly the kind of end-to-end work an integrator handles, so the operator can focus on opening. That is the role Tec-Tel plays for licensed dispensaries.

What compliance actually asks of the system

The same questions recur in every state's rule book. What do the cameras capture? Where do they point? How long is footage kept, and how securely? Who can access restricted areas, and is that access logged? And does the system drive a timely response? Meeting that standard is a system-design problem, not a hardware-purchase problem. The hardware is the easy part. Designing coverage, retention, access, and documentation into one program that passes inspection and holds up after an incident is the work.

A note on scope

This is general guidance, not legal advice. Cannabis security obligations vary by state, by license type, and by how your operation is structured, and the regulations change. Confirm the rules that apply to you with the relevant state agency and qualified counsel before you design or sign off on a system. When you are ready to translate those obligations into a real design, the Tec-Tel team scopes coverage, retention, access controls, and response against the standard your license is held to.