LineNow logoLineNow
Login
Book a Demo
Regulated RetailOperator playbook

Cannabis State Reporting in 2026: Metrc, CCRS, BioTrack, and the Procurement Layer

Cannabis traceability systems track packages, transfers, lab tests, and compliance reporting. This guide explains where Metrc, CCRS, BioTrack-style systems, and procurement workflows differ.

Line Now LLC/Published /Updated /12 min read

For operators

Use this playbook to tighten the buying loop.

LineNow helps teams move from manual ordering and supplier follow-up to a connected workflow for POs, receiving, inventory, and accounting handoff.

View Compliance ProcurementSee How LineNow Works

Cannabis operators do not buy inside one national system. In 2026, Metrc is the most common state traceability platform, but operators still deal with state-specific rules, legacy systems, transitional reporting programs, and private seed-to-sale tools layered around the state record. The operator's problem is that traceability software was designed first for regulators. It was not designed to be the buyer's procurement system.

This guide is for the multi-state dispensary operator (or the single-state owner thinking about a second license) trying to understand: which state runs which system, what the procurement gap looks like in each, and how a procurement-and-compliance layer sits cleanly on top without replacing checkout or filing.

If your team currently jumps between three tabs every time a delivery arrives — POS, state seed-to-sale, spreadsheet — and the spreadsheet always wins because the other two don’t talk to each other, this is for you.

If the buyer question is "what software fills this gap?", the commercial hub is LineNow's compliance procurement software. This guide is the supporting state-system map.

Quick answer

Cannabis traceability systems track packages, transfers, lab tests, and compliance reporting. They are necessary, but they do not usually answer the procurement questions a buyer, receiver, or AP team needs answered: what should we order, which supplier license is current, which COA belongs to this lot, what changed on the manifest, what actually arrived, and which invoice lines are safe to pay. A procurement-and-compliance layer should sit above the state system. It should preserve the regulator's source of truth while giving operators one receive workflow, lot-level documents, supplier license alerts, FEFO support, variance notes, and upstream reconciliation before accounting sees the payable.

What the state system actually does

Every cannabis seed-to-sale system is built around three primitives:

  1. Packages. Every unit of cannabis in your state exists as a package with a unique tag, an item type, a quantity, and a chain of custody.
  2. Transfers. Movements of packages between licensed entities (cultivator → distributor → dispensary) are filed as manifests with shipped quantities, source license, destination license, vehicle, driver, and route.
  3. Lab tests. Each package is associated with one or more lab test results that determine whether it’s legal to sell.

The state system holds the source of truth for all three. Your job as an operator is to push your physical reality back into that system — when you receive, when you adjust, when you destroy, when you sell. The system is not your buying system, your inventory system, or your POS. It is the regulator’s ledger.

The procurement gap is everything that lives in between: choosing what to reorder, capturing vendor licenses with expiry, storing the COA against the specific lot you sold, picking which lot to deplete first under FEFO, and answering “which units of this recalled batch are still on a shelf and which sold” at audit time.

State-by-state at a glance

Metrc states and markets

Metrc lists 30 regulatory contracts or markets, including Alabama, Alaska, California, Colorado, District of Columbia, Illinois, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Montana, Nevada, New Jersey, New York, Ohio, Oklahoma, Oregon, Rhode Island, South Dakota, U.S. Virgin Islands, Virginia, and West Virginia.

The Metrc API is now on v2 endpoints for transfers, packages, and lab tests. The wire-level conventions that matter for any vendor integration:

  • Every v2 endpoint returns a {Data: [...]} envelope.
  • Transfer and delivery endpoints require licenseNumber as a query param.
  • Lab test results are looked up by packageId on /labtests/v2/results, not by package label.
  • The User Key is per-operator and market. The Vendor Key is per-software-vendor and market, with sandbox and production handled separately.

A procurement-compliance layer wired to Metrc should: persist your license number on the connection at connect time, separate sandbox and production vendor keys, pull incoming transfers, package rows, lab tests, and pricing into one receive workflow, and POST per-package decisions before any local inventory write.

BioTrack, CCRS, and transitional states

BioTrack still matters in operator histories and some private seed-to-sale environments, but state systems move. Washington LCB now describes its Cannabis Central Reporting System (CCRS) as an in-house data-reporting platform used after the state moved off Leaf Data Systems. Illinois published a 2025 transition from BioTrack to Metrc, with Metrc becoming the official inventory tracking system on July 1, 2025. New York OCM also moved licensees into Metrc, with credentialing and inventory-entry deadlines spanning December 2025 and January 2026.

The receive shape is similar in spirit across these systems — packages, manifests, lab tests, adjustments, and audit history — but API conventions and filing rules differ. The operator default should stay the same: reconcile the receive event against the state record before local inventory and accounting drift.

Legacy and transitional systems

A handful of older medical programs still run state-built or vendor-built systems that pre-date the Metrc consolidation. Operators in those states tend to do the most spreadsheet work because the integration ecosystem is thin.

The procurement gap is similar across regulated states

Different APIs, same operator pain:

1. Licenses live in inboxes. Traceability systems are not usually where operators manage supplier license expiry, jurisdiction, and renewal follow-up. Two months after the manager who owned the supplier file leaves, the renewal trail can disappear.

2. COAs are not always tied cleanly to the operator's lot workflow. State systems may hold lab-test references at the package level, but many POS and inventory workflows still store documents against a vendor record, an item record, or a shared folder. That loses the lot specificity recall response actually needs.

3. Receiving accepts what you tell it to. Standard POS receive screens are “enter quantity, click save.” They don’t enforce that a regulated item requires a COA, a vendor license, and a manifest before the receive can complete.

4. Variance reconciliation runs weekly, not at receipt. Most operators receive in their POS first, file with the state later, and reconcile drift in a weekly review. By the time drift is found, the reason for it is lost.

5. Lot-level expiry often fails to become an operating workflow. Traceability data alone does not make a receiver pick FEFO, alert on expiring lots, or stop a stale package from being received into saleable stock. Without expiry on the inventory layer, write-offs accumulate week after week.

A procurement-and-compliance layer can address all five at the receive screen, before they become end-of-cycle reconciliation work.

What the procurement layer should do (state-system-agnostic)

The right shape, regardless of which state system you file with:

  1. One receive form. Lot rows on the form, with Shipped + Adjustment + Net received per row. Variance note attaches to the lot. Per-package Accept / Accept + Adjust / Reject. The state-pull for the manifest pre-fills the lot rows.

  2. Vendor license capture and expiry alerts. Every supplier’s license number, type, jurisdiction, issue date, and expiry date. Renewal alerts fire 30 days before lapse so you can chase the new copy before a receipt is blocked.

  3. COA on the lot, not the vendor. When the lab test is pulled from the state system, it saves against the package label (the lot). Future “show me the COA for what we sold on date X” queries become one click.

  4. Per-item document requirements. Catalog setting per SKU — COA required, manifest required, vendor license required. Receive is blocked until the documents are attached and verified by a manager.

  5. Strict ack against the state system. Per-package decisions POST to the state before the local inventory write commits. If the state rejects, the local receive aborts.

  6. Audit trail in the compliance document. Every state outcome, every reject reason, every adjust note appends to the manifest doc’s structured fields. The inventory_layers row stays clean; the audit lives in the doc.

That shape should work above Metrc, CCRS, BioTrack-style systems, MJ Platform-style systems, or future state-built systems. The state-specific code is the API client; the operator UX should stay consistent.

What this looks like in LineNow

LineNow's compliance procurement software currently ships native Metrc integration (v2). The pieces:

  • Compliance Reporting card on the buyer home page — connect with your User Key + state, license number persisted on the connection at connect time, sandbox / production environments wired separately.
  • One-paste manifest State Pull in the Compliance dialog. Packages, shipped quantities, vendor licenses, COA references, and pricing pulled in one call.
  • Symmetric Shipped + Adjustment + Net received UX on every regulated lot — buyer-managed and state-pulled lots both render the same shape.
  • Per-package decisions (Accept / Accept + Adjust / Reject) POSTed to Metrc before the local commit. The IL_IB_0003 Transfers Best Practices bulletin baked into the UI — no partial-receive shortcut.
  • COA State Pull by package ID on Metrc’s /labtests/v2/results endpoint. Lab test results saved against the package label.
  • Compliance document audit. Manifest outcomes append to extractedFields; non-Metrc regulated receipts write standalone other documents with variance notes.

For non-Metrc states (BioTrack, MJ Platform, legacy systems), the same Receive UX runs minus the state POST. Vendor license tracking, COA-on-the-lot, FEFO picking, document-blocked receive, and audit history all work without a state connection. Operators in those states get the procurement-and-compliance loop today and pick up state filing automation when the integration ships for their system.

Multi-state operator math

If you run dispensaries across two or three states, you’re running two or three state systems (often Metrc + Metrc + BioTrack, or Metrc + MJ Platform). The procurement layer should normalize the operator experience above the state-system difference: the buyer in Oregon and the buyer in Washington should see the same Receive screen, the same vendor license expiry dashboard, the same FEFO picking, the same audit-ready receipt history. State-system specifics live below the line where the operator doesn’t care.

That normalization is one of the multi-state operator's biggest levers for training, audit consistency, and SOPs. A single Receive flow across states is easier to train and audit than five disconnected state-specific workflows.

A 60-second state-reporting diagnostic

Three questions:

  1. When the state inspector asks for “every package received from supplier X with a failed heavy-metal test in the last 12 months,” can your team answer in one query — or does it require pulling the report from the state system, the COA folder from Drive, and matching by lot? Multi-source = your compliance archive is open.
  2. When you Adjust a package quantity, does the variance reason flow from the receive form into the state Adjust call through the integration — or does someone retype it in the state portal? Retype = the reason will drift.
  3. When a supplier’s license is 30 days from expiry, does someone get an alert — or do you discover it at the next receive that gets blocked? Discover at block = your renewal queue is open.

If any of those is wrong, the state-reporting loop is open. The work you do in those gaps is the work the procurement-and-compliance layer eliminates.

Sources checked

Related