Your dispensary chatbot sounds helpful. It answers questions, builds relationships, maybe even remembers customer preferences. But if it's talking to minors, you're now liable under California law. And the FTC is watching.
In September 2025, the FTC launched a formal inquiry into AI chatbots acting as "companions." In October, California Governor Gavin Newsom signed SB 243 into law, the world's first state-level regulation of AI companion chatbots. The law becomes enforceable January 1, 2026. By April 2026, updated COPPA rules add more teeth. And it's just the beginning.
For cannabis brands, this is a colliding liability. Dispensaries are deploying chatbots to handle customer service, build loyalty, even simulate friendship. But cannabis is age-restricted. If your chatbot engages a minor, even unknowingly, you're breaking state law, inviting FTC enforcement, and risking fines of 43K per violation, multiplied across states.
This isn't theoretical. The FTC has already signaled intent. In January 2026, it announced a settlement requiring a company to pay 5M for failing to disclose how its chatbot collected children's data.
Similar cases are pending. State AGs are looking too. New York, Illinois, and Colorado have passed or are considering chatbot regulations that specifically mention age verification and data handling.
The math gets worse for cannabis. Unlike tech startups, cannabis brands operate under state licensing agreements.
A single FTC enforcement action or AG investigation can trigger a compliance audit by your state regulator. Audit findings can lead to license suspension, mandatory compliance training (50K-200K), and operational shutdown during investigation (revenue loss: 150K-500K per month for a mid-size retailer).
What Changed: The Regulatory Convergence
Until 2025, chatbots lived in a gray zone. States regulated social media. The FTC regulated data collection. But no one specifically governed AI companions. That's over.
California SB 243, signed October 2025, is the template. It requires companion chatbot operators to disclose the chatbot is AI, not human, implement safeguards against parasocial relationships, prevent minors from using it without consent, limit how they use user data, and document compliance with standards.
The bill defines "companion chatbot" narrowly, systems designed to form intimate relationships, simulate emotional support, or provide personal companionship. Most dispensary chatbots fall outside this definition.
But the door is open. If your chatbot remembers preferences, greets returning customers by name, or engages in casual conversation beyond transactions, regulators will argue it's designed for relationship-building.
*The 2026 chatbot compliance stack: age verification, consent tracking, data retention limits, audit trails. Most dispensaries today have none of these.*
New York's S-3008C goes further. It requires chatbots interacting with minors to have parental consent mechanisms and to immediately cease interaction if they detect a user might be under 13. Illinois is considering similar language. Colorado passed a law requiring chatbots to clearly identify themselves and disclose data practices.
The FTC's 2026 COPPA amendments, effective April 22, 2026, layer on more. Any online service with actual knowledge that a minor is using it must obtain parental consent before collecting data. For under-13 users, data must be deleted within 30 days. For 13-17 users, deletion window is 90 days.
Enforcement has already begun. In January 2026, the FTC settled with a major AI company for failing to disclose that its chatbot was collecting children's data. The settlement included a 5M penalty, mandatory age verification going forward, third-party audits for 5 years, and public disclosure of all data breaches within 72 hours.
More settlements are coming. The FTC's inquiry into companion chatbots will spawn enforcement actions in Q2-Q3 2026.
Why Cannabis Is Uniquely Exposed
Cannabis is heavily regulated by state law. That's protection in normal times, licensing creates barriers to entry, brand loyalty, competitive moat. But it's a liability when federal regulators (FTC) and state regulators (AGs, cannabis commissions) intersect.
Here's how it cascades: FTC finds your chatbot engaged minors without proper age-gating, or finds you collected data on 100K minors over 18 months. Investigation launched. Settlement or enforcement action goes public. FTC press release names your brand, describes failures in detail.
Your state's cannabis regulator sees the press release. They're required to investigate, most state licensing agreements include "licensee must comply with all applicable federal and state law" clauses. They request documents, chatbot code, training data, user data, audit logs.
Their audit reveals age-gating failures, data retention violations, no parental consent mechanisms. They open a formal compliance investigation. Investigation findings trigger one of three outcomes: Cease and desist (30-90 day deadline to fix), Conditional license (mandatory compliance training, monthly audits), or License suspension (full operational shutdown until cleared).
A license suspension in cannabis is catastrophic. You can't sell. You can't take orders. You can't even promote. Revenue goes to zero immediately. Layoffs follow. Competitors pick up market share. Even if you get reinstated, you've lost customers, credibility, and momentum.
A single FTC enforcement action against a major cannabis brand would likely trigger copycat investigations by AGs in California, Colorado, New York, Illinois, Massachusetts, anywhere with licensed cannabis sales and state-level oversight.
The Chatbot Compliance Gap
Most dispensary chatbots today aren't ready for this environment. A typical deployment: Off-the-shelf chatbot platform (Shopify Messenger, Facebook Messenger, custom Dialogflow), trained on FAQ data plus product catalog, integrates with POS to check inventory, remembers user across sessions, no age verification, no data retention limits, collects user data for personalization (name, purchase history, preferences), no parental consent mechanism, no audit trail of who interacted with it.
Under SB 243 and COPPA 2026, this setup violates at least 6 separate requirements.
Testing it out: A typical scenario is a high schooler in California finding a cannabis brand's website, starting a chat with the chatbot, and engaging in conversation. The chatbot doesn't verify age. It remembers the user's name on repeat visits.
It collects data about product interests. Under SB 243, the brand is now liable for operating a companion chatbot without age verification (violation), collecting data on a minor without consent (violation), failing to disclose the chatbot is AI (violation), and lacking safeguards against parasocial relationships (violation).
FTC fine: 43K minimum per violation. That's 172K right there. If the minor engaged 10 times, FTC could argue 10 separate violations (430K). Add state AG enforcement, license investigation, legal fees (50K-200K), and you're looking at 500K-700K in liability.
The Regulatory Playbook
Compliance isn't optional. But it's doable. Here's the roadmap.
First, audit what you're running today. Does your chatbot verify user age before engaging? If so, what method (birthday field, ID check, third-party service)? Does it remember users across sessions?
What data does it collect (name, purchase history, preferences, location)? Do you have parental consent for minors? What's your data retention policy? Do you have audit logs proving age-gating worked?
If you can't answer these with confidence, you're non-compliant.
Second, implement hard age verification. A birthday field doesn't cut it.
Regulators and enforcement actions make clear: you need real verification. Options include SMS OTP (user receives code, confirms they can receive SMS at that number, proxy for age since minors often lack SMS plans), Government ID verification (Socure, IDology, Jumio, real-time verification against state DMV/ID databases), Third-party age verification services (Verifid, Prove, AgeCheck), or Persistent login (age verified once, stored securely, never asked again).
Minimum: SMS OTP or third-party service. Ideal: Government ID match. Cost: 1-10 per verification for volume services.
Third, rebuild the chatbot with compliance at the center. No relationship-building language (no "I remember you," no personalized greetings to unverified users). Clear disclosure: "This is an automated chatbot operated by [brand]. For questions, contact support.
" No data collection on unverified users (only transaction data on verified 18+). Hard data retention limits (under-13, delete after 30 days, 13-17, delete after 90 days, 18+, standard). Escalation to human immediately if age verification fails. Audit trail of every verification attempt (logs prove good-faith effort).
*Real user moment: The age verification checkpoint is your liability firewall. Missing it costs more than building it.*
Fourth, get parent/guardian consent right. If you detect a user might be under 13, chatbot stops and requests parent email. Send parent a message explaining what the chatbot does, what data you collect, and get explicit consent.
For 13-17 minors, same process unless they have parental consent on file already. Document consent in your system (timestamp, email, signature if possible).
Fifth, document everything. When FTC comes calling (and they will), you need policy documents (how age-gating works, data retention procedures), implementation docs (code, architecture, third-party vendor agreements), audit logs (verification attempts, successes, failures, data deletions), and training materials (how staff should handle compliance edge cases).
This evidence can cut an FTC fine by 50-75% if enforcement action occurs. Instead of "you ignored kids," it's "you made good-faith effort, here's how we're fixing it."
The Timeline Is Tight
You have roughly 3 months (until August 2026) before FTC enforcement actions based on 2025 complaints start landing. California's SB 243 is already enforceable. New York's law follows in Q3. COPPA amendments go live April 22, 2026.
A realistic compliance rebuild takes: Audit (1-2 weeks), Design/planning (1 week), Implementation (2-4 weeks), Testing (1 week), Deployment (1 week), Documentation/training (1 week).
Total: 6-10 weeks, depending on chatbot complexity. Cost: 30K-70K for development, 1-3 per verification if using third-party services.
If you wait until Q3 2026 to start, you're likely already investigating. Speed matters.
Move Now or Investigate Later
Chatbots are useful for cannabis brands. They answer basic questions, reduce support burden, build engagement. But they're now regulated the way social media platforms are. That's a different category entirely.
You can keep your chatbot. But you need to rebuild it for compliance. That's time, money, and engineering effort you didn't budget for. The brands that act now, before FTC enforcement accelerates, will save the most. The ones that wait will be investigating the violations of brands that moved too slow.
Start the audit this week. Brief your state regulator next month. Deploy a compliant version by July. You'll be ahead of 90% of the cannabis industry.