Security Researcher, Engineer, Tech Columnist | https://hey.ax/
With recreational and medical marijuana legalisation efforts comes great business opportunity, and unsolved problems. As of today, recreational and medical marijuana legalisation efforts have succeeded in multiple jurisdictions across the world, and counting. On the list is Luxembourg to become the first European country to join the ranks of Canada and U.S. in relaxing weed laws.
In the UK, despite weed being 'illegal' for ages, police forces turn a 'blind eye' to enforcing the law, in the favour of community, in my opinion. Any warnings issued by the police to a personal user of marijuana would not show up on their criminal background or DBS checks.
While this creates diverse income streams and new markets, here are key challenges your tech startup needs to be aware of, before you can start selling weed, legally.
With a heavily regulated industry like cannabis, it’s always your fault.
There is a lot of cash to be held upfront for licensing and regulatory fees — sometimes exceeding six figures for some jurisdictions; though Canada has a "minimum security deposit" requirement of a mere $5,000. Also, be prepared to account for any unprecedented events arising, such as lawsuits should your startup inadvertently fail to adhere to the strictest standards.
It must be ensured there's enough "cushion" in your capital funding to implement changes that may arise on the fly. Until it has become "mainstream" and established, weed legalisation is likely to be implemented in steps, and constantly evolve through different iterations and public 'pilots'. All of this means, you better have a solid legal counsel who are proactively monitoring evolving weed laws in your area.
For a tech startup leveraging e-commerce, strong cybersecurity efforts are an inevitable prerequisite given the potential liability that may arise from the trade.
While multiple stakeholders exist in the online identity verification game, not a single one can reliably verify identity online. If that sounds like a far-fetched claim, look at what happened to the £212 million GOV.UK Verify system. Despite being backed by the British government and having multiple, reliable identity provider partners, it failed massively.
Online identity verification products, as they exist today, provide enough "indication" of whether a person behind the computer are likely to be who they say they are, but do not absolutely guarantee it. This applies to both Knowledge Based Authentication (KBA) workflows used by major credit bureaus, as well as AI-powered ID document verification products. The latter can indicate when an ID appears to be 'forged' but can't ever, fully rule out that it isn't, unless a public-facing authoritative database exists to verify the document by its issuer.
For an e-commerce startup planning to distribute marijuana completely online, stringent checks need to be in place to reliably verify your customer's age and identity to ensure that the person receiving the order is legally entitled to it.
The process of ID verification is further complicated in jurisdictions where only medical use for cannabis is legal for the time being, and recreational isn't. That's when an additional step is imposed on your startup to handle and verify prescriptions.
Will prescriptions be electronically dispatched from a patient's doctor to your pharmacy? Are the doctor's registered in your system? Or would you rather 'partner' with an existing pharmacy and merely act as a provider?
There is a lot of medical terminology and policies here to be aware of. What about the electronic platform that will handle this workflow? Will it comply with patient confidentiality and privacy laws, such as HIPAA (in the U.S.) and GDPR?
Internet as we know is a giant virtual bubble. A person in a particular area can easily pretend to be based in a completely different country, hiding behind a VPN. Granted, technologies exist today, as used by video streaming websites, to detect and 'blacklist' VPNs, they do not always work. VPN IPs can be 'dynamic' and the providers frequently update their global server lists, thereby introducing fresh IPs in the pool.
For your marijuana business this means, a person or an ID thief based in a U.S. state which forbids marijuana at every level, could instead order from a state or a jurisdiction where recreational use and online sales are widely permissible, while, if applicable, using forged identity document 'scans' and somebody else's information to pass the security checks.
Even if your online pharmacy only delivers in certain areas, the loopholes around the postal delivery system could be exploited to bypass the geographical restrictions altogether.
I'm not talking about merely dispatching certified, signed and tracked deliveries, but having enough verification in your workflow so that somebody does not take advantage of a "forwarding address" or post office redirection policies. This one is intuitively harder to implement.
Building on the previous point, a person could provide their "shipping address" as that of a mail forwarding company based in an area where ordering marijuana online is legal. The forwarding company then 'blindly' redirects the package further to the person in another state. Alternatively, post office based 'redirection' can be used to bypass any secure delivery workflows your company may be relying on. If all else fails, there is always the good ol' pal receiving packages on one's behalf.
In conclusion, the idea behind starting an online marijuana startup is a thrilling one which brings in great traction from different communities and a tremendous business opportunity. But to step into this relatively untested territory without addressing some of these challenges wouldn't be a smart idea.
Previously published at https://medium.com/@AkshaySharmaUS/5-challenges-your-cannabis-tech-startup-needs-to-solve-in-2020-dd9616998175