Laws relating to the sale of cannabinoids are generally made at state level, rather than by the European authorities.
This page currently only applies to online retailers of cannabinoids serving customers located in the United Kingdom.
There is currently no legal age-restriction on the sale of cannabinoids.
However, as this nascent market emerges, there are discussions amongst those representing the sector about the potential benefits of imposing age restrictions voluntarily.
To enforce such policies, age verification is going to be required. (It should be noted that even insisting on a credit card being used does not guarantee that the customer making the purchase is over 18.)
Age Appropriate Design Code (in force today, but grace period in operation in the UK until 2 September 2021)
This requires sites to consider if they could risk the moral, physical or mental well-being of children under 18. And if so, to put in proportional measures to safeguard children and young people.
There is potentially a physical – and potentially mental – risk arising from providing cannabinoids to children – if only because they may ingest them at dosage levels that exceed safe recommendations. So in effect, the code may create an age-restriction for online sales by limiting access to the websites of the retailers.
Our opinion is that online cannabinoids retailers require age verification to be in place to keep children from acquiring cannabinoids. The rigor required is a matter for the judgement of the sites concerned – giving consideration to the nature of the content on the site, the number of users under 18 found to be using it, etc. But given the reputational risk if a child is harmed by cannabinoids acquired from your online store, we recommend at least a standard level of assurance. See our page on levels of assurance for an explanation of the methods of age verification that achieve this degree of confidence in an age check.
GDPR (in force today)
If your customers open accounts on your website, you should be sure that your users are at least old enough to give consent for their personal data to be processed, if you rely on consent under Article 8 of GDPR, as a basis for processing some or all personal data you obtain from your users. (Remember, personal data even includes just an IP address.) In the UK, this “age of digital consent” is 13 but it varies between EU member states so if you have users in the EU, you will need to also determine their location and apply the relevant age as part of this check.
Online Safety Bill (only draft legislation, not yet passed by Parliament)
Online retailers do not generally allow users to interact and share content such as photographs, so they are not likely to be in scope for the Online Safety legislation. But if you do allow for online communities to discuss their conditions etc., then the site may fall within scope.
Online cannabinoids retailers’ sites may be “likely to be used by Children” so if they are in scope because they offer user-to-user services then further duties applicable. (But remember, children are defined as under 18-years-old.) It is recommended that sites monitor the age of their customers to check they have not become a site where:
- there are a significant number of children who are users of the service or of that part of it, or
- the service, or that part of it, is of a kind likely to attract a significant number of users who are children – where a “significant” number includes a reference to a number which is significant in proportion to the total number of UK users of a service or (as the case may be) a part of a service. (This test is based on evidence about who actually uses a service, rather than who the intended users of the service are.)
Please read our briefing on the Online Safety Bill for further explanation of these new duties.