Industry Solution
"Click if you're 21+" is not compliant. Regulators are cracking down on self-attestation age gates across the cannabis industry — and fines can reach tens of thousands of dollars per violation. XY Zinc provides real, privacy-first age verification using government ID with biometric face matching — confirming exact date of birth for 21+ compliance — without storing your customers' personal data.
Most cannabis websites — dispensaries, hemp THC retailers, CBD ecommerce stores — still rely on a simple pop-up modal asking visitors to confirm they're 21 or older. A checkbox. A date-of-birth dropdown. Maybe a button that says "Yes, I'm 21+." That's it.
The problem? Regulators no longer consider self-attestation to be age verification. Anyone can click "Yes." A 15-year-old can type any date of birth they want. These gates verify nothing — and state regulators, attorneys general, and payment processors increasingly treat them as evidence of non-compliance, not compliance.
The Cannabis Regulators Association (CANNRA) 2025 model policy explicitly calls for "enhanced third-party digital age verification (not self-attestation)" for cannabis ecommerce, and encourages biometric ID checks or government-database crosschecks.
Multiple states — including Florida, Texas, Virginia, Colorado, and New Jersey — have introduced or enacted legislation in 2025–2026 requiring robust, auditable age verification for online sales of cannabis and hemp-derived THC products.
Enforcement is real: Massachusetts requires double age verification at dispensaries (entry and point-of-sale), with penalties ranging from $10,000 to $100,000+. Colorado dispensaries caught skipping identity checks face fines up to $100,000 and loss of license.
The regulatory direction is clear: checkbox age gates are being replaced by real verification, and businesses that haven't upgraded are increasingly exposed — not just to fines, but to license revocation, payment processor shutdowns, and loss of platform access.
Online menus, pre-order systems, and ecommerce storefronts all need to gate access to age-restricted products. If customers can browse or order without real verification, you're exposed.
Delta-8, delta-10, THCA, and THC-infused beverages and edibles sold online are the primary targets of new state enforcement campaigns. The 2018 Farm Bill loophole is closing fast.
If you sell products containing any amount of THC, many states now require age-gated access. Even "CBD-only" stores may need verification depending on product formulations and state-specific rules.
Brand websites with product information, loyalty programs, and direct-to-consumer delivery platforms all fall under the same age-gating requirements. Delivery services face additional verification obligations at the point of drop-off.
XY Zinc replaces your checkbox age gate with real, ID-backed age verification — the kind regulators are asking for — while going further on privacy than any competitor. Because cannabis requires 21+ verification, our system uses government ID to confirm exact date of birth, with biometric liveness detection to prevent fraud — then immediately deletes all images and personal data.
Why cannabis is different: Our biometric face scan (Tier 1) estimates the probability that someone is 18 or older. For industries with an 18+ age threshold, Tier 1 alone is often sufficient. But cannabis regulations in most U.S. states require verification to 21+ — and a face scan can't reliably distinguish a 19-year-old from a 22-year-old. That's why cannabis customers use our full Tier 2 verification with government ID, which confirms exact date of birth.
Tier 1 — Biometric Face Scan (Preliminary Screen): A quick face scan using the customer's phone camera confirms they are a real person (liveness detection) and screens for obviously underage users. This step catches minors who are clearly under 18 and weeds out bots, AI-generated images, and spoofed photos — before any ID is needed.
Tier 2 — Government ID + Face Match (21+ Verification): The customer photographs a government-issued ID (driver's license, state ID, or passport). Our system extracts the date of birth, calculates the customer's exact age, and matches the face on the document to the live face scan from Tier 1. This is the step that definitively confirms 21+ status. The ID image and all extracted data are immediately discarded after verification — we never store the document.
This is where XY Zinc is fundamentally different from traditional age verification providers. We don't just promise privacy — it's architecturally enforced:
Images exist only in server memory (RAM) during the verification process and are automatically deleted within 15 minutes — or immediately upon completion. Nothing is ever written to disk. We can't sell, share, or leak data we never had.
Every verification generates a timestamped, anonymized record proving that real age verification took place. When a regulator asks "how do you verify age on your website?", you have a clear answer backed by documented audit trails — not "we have a pop-up that asks people to click a button."
Cannabis occupies a unique position: it's legal at the state level in many jurisdictions but remains a Schedule I substance under federal law. Your customers have legitimate reasons to be cautious about handing over personal information to buy legal products.
Many traditional age verification providers collect and store names, addresses, ID numbers, and photos indefinitely. For cannabis customers, this creates a documented record of purchasing a federally illegal substance — stored on someone else's servers, potentially subject to subpoena, data breaches, or sale to third parties.
We verify that your customer is old enough. We return a pass/fail result to your site. Then we delete everything — the images, the ID data, all of it. Your customer's privacy is protected by architecture, not policy.
The result: your customers get real verification that protects them from invasive data collection, and you get a defensible compliance record without becoming a custodian of sensitive personal data. Colorado, California, and New Jersey privacy laws all emphasize data minimization — our system is built for exactly that.
XY Zinc is designed to drop into your existing website with minimal development effort. Cannabis dispensaries and retailers typically operate one of two models, and we support both.
Most dispensary websites run on WordPress, often with WooCommerce for online ordering. Our WordPress plugin lets you protect your entire site — or specific pages and product categories — with a single settings page. No code changes required. Customers are redirected to verify, then returned to your site with a verified cookie.
For custom-built sites, headless ecommerce platforms, or mobile apps, our REST API and JavaScript embed provide full control over the verification flow. Create a session, redirect the user, and check the result — all with a few API calls.
For dispensaries with a fixed physical location, integration is even simpler. Since the operator's location determines which law applies (not the visitor's), you hardcode your jurisdiction and skip the geo-detection complexity entirely. A dispensary in Maine always applies Maine's rules — no Cloudflare setup needed.
No opaque enterprise pricing. No annual contracts. You pay per verification attempt. For cannabis (21+ threshold), most verifications will use Tier 2 to confirm exact age via government ID.
Tier 1
$0.05
per verification
Biometric face scan & liveness check. Confirms 18+ and screens out obvious minors. Preliminary step for 21+ workflows.
Tier 2 — Recommended for Cannabis
$0.15
per verification
Government ID scan + face match. Confirms exact date of birth for definitive 21+ verification. Full document verification with immediate data deletion.
Pricing shown is for sites processing approximately 100 verifications per day. No hidden fees. No minimums. Discounts available for higher-volume sites — contact us to discuss your needs.
Cannabis age verification requirements are evolving rapidly across the country. Here's a snapshot of where things stand — and where they're heading.
| State / Body | What's Happening |
|---|---|
| CANNRA (National) | 2025 model policy requires third-party digital age verification (not self-attestation) for ecommerce, with biometric checks encouraged. |
| Massachusetts | Requires double age verification at dispensaries — at entry and again at point of sale. Penalties: $10,000–$100,000+. |
| Colorado | Dispensaries must verify ID on camera. Skipping checks: fines up to $100,000 and license loss. New teen privacy law adds data minimization requirements. |
| Texas | App Store Accountability Act (SB 2420) requires robust age verification for cannabis retail apps by Jan 1, 2026. Multiple bills target online hemp THC sales. |
| New Jersey | Data Privacy Act (NJDPA) effective Jan 2025 adds penalties up to $10,000/violation for cannabis ecommerce. Requires privacy-first age gating. |
| California | AB 8 bans intoxicating hemp from mainstream retail, synchronizing with cannabis compliance. CCPA/CPRA requires data minimization in verification. |
| FL, VA, NY, MD, MN | All have introduced or enacted bills in 2025–2026 requiring online age checks for hemp THC, with language echoing the CANNRA model policy. |
This table is provided for general awareness and does not constitute legal advice. Consult with a cannabis compliance attorney for requirements specific to your jurisdiction.
Get compliant with real age verification — the kind regulators are asking for — without collecting or storing your customers' personal data.