Maryland Law requires that licensed cannabis growers, processors, and dispensaries develop a plan for inventorying, safekeeping, and tracking all medical cannabis from “seed to sale.” All licensed cannabis-touching businesses must participate in a unified security tracking system designed to uniquely identify each cannabis plant from germination of the seed to harvest and then to sale to the end consumer. The tracking system is designed to ensure the quality and purity of the final products, to track the chain of custody throughout the production process, and to avoid the criminal diversion of the legal production of cannabis from the medical market to the black market and vice versa.
Forty-seven states, including the District of Columbia and Puerto Rico, have passed laws either legalizing cannabis for adult and/or medical use, or have simply decriminalized it. The majority of the states that have passed laws to regulate cannabis mandate that any state-licensed cannabis-touching businesses must incorporate product inventory management and tracing. The available track-and-trace systems, often referred to as seed-to-sale tracking systems, have been developed and marketed by third-party companies who license their software and technology to the various states, the District of Columbia, and the U.S. Territories.
So far, the majority of the third-party seed-to-sale software tracking contracts have been awarded to one of five companies: Franwell (based in Florida/Tennessee) markets its track-and-trace system known as METRC (Marijuana Tracking Enforcement Compliance) which operates in thirteen states including Maryland and the District of Columbia; BioTrackTHC (based in Florida) which operates in eight states and Puerto Rico; MJ Freeway (based in Colorado) which operates in three states; Microsoft has partnered with Kind Agrisoft (based in California) operates in one state; and finally BioMauris (based in OR) operates in one state.
These third-party track-and-trace systems record the travels of a cannabis seedling through the growing and harvest process, until it ends in a sale of a product to the final consumer. This security combines a mixture of manually tagging each seedling with a scannable radio-frequency identification tag bearing a barcode, as well as scanning the movement of each plant as it moves through the growing, processing, and dispensing facilities. While this creates valuable data as to the location of the plants, it is easily manipulated because the RFID must be physically placed on each seedling.
After the flowers and any leaves are harvested, they are packaged for transport and again entered into the database. The nicest buds will go to a distributor, from which a testing lab will select samples to check for contaminants such as mold or pesticide residue. Assuming the samples pass, the grower may then sell the remaining product to a processor, where it will be packaged, sent back to a distributor, and transported to a dispensary for sale. Information about each of these transfers, including ID numbers, business names, package weights and quantities, pick-up and delivery times, each get entered into METRC every step of the way. The same thing is true of less-attractive buds and other cannabis parts, such as trimmed leaves, destined to be turned into cannabis oil and ultimately used to infuse edibles, vape cartridges, or other products.
Even crop failures must be documented. If a plant dies at any point in the growing process, it must be destroyed, and the action recorded in the system. Testing companies must destroy all of what remains of their samples. Slight differences in quantity received during a transfer must be documented in METRC. If the difference is too large, the recipient of the cannabis is expected to refuse the transfer.
Each state has its own, unique legal and regulatory regime that guides the growing, processing, and reporting of the data created by the process. Against the backdrop of those mandated reporting requirements, cannabis is still prohibited federally. Consequently, each third-party seed-to-sale software provider must develop and tailor its software to meet the reporting and compliance demands specific to that state where it operates.
The level of regulatory oversight provided by this seed-to-sale technology is impressive by any measure. For example, Franwell’s software solution known as METRC, the track-and-trace system chosen by Maryland, integrates all the functions of the business which includes data collection, communications, record-keeping, inventory control, and every other function needed to run both the front-end and back-end of the business. METRC also reports all that data to the State on time and in the proper form. Failure in the data gathering or reporting features of the software can expose the business or its agents to a simple fine, to a license revocation, to criminal liability.
While seed-to-sale tracking has been adopted by most states as the means for reducing the risks associated with growing, producing, and dispensing cannabis, it has not been all smooth sailing for the industry. For example, in 2018 in Maryland, a software error in the State’s version of METRC began rejecting patients and preventing new sales at dispensaries. In February 2018, the MJ Freeway’s track-and-trace software known as the Leaf Data Systems experienced a security breach yet again. Reports indicate that an “intruder” downloaded a copy of the traceability database associated with four days of marijuana deliveries, as well as other information.
But for the time being, seed-to-sale software is providing the security that the burgeoning cannabis industry needs to expand its reach to new consumers, to provide security to the states that the product is not being illegally diverted or resold, and to track how and when the various products are consumed. Given the broader acceptance of cannabis in the various states, it is safe to assume that seed-to-sale software will continue to dominate any questions regarding security.