Wondering how to keep your CBD brand on the right side of the law? This cbd compliance guide breaks down the federal basics, state-by-state traps, labeling, testing, and claims so you can launch and scale with confidence.

Important: This article provides general information for educational purposes only and is not legal advice. Always consult a qualified attorney or compliance professional for your specific facts and state requirements.

What “CBD Compliance” Means in the U.S.

“CBD” typically refers to hemp-derived cannabidiol. In the U.S., hemp is federally legal if it contains no more than 0.3% delta‑9 THC on a dry weight basis under the 2018 Farm Bill.

But federal legality is only the starting point. The FDA, FTC, USDA, state agriculture departments, and local regulators each play a role. Success means aligning your products, labels, testing, and marketing with all applicable rules—not just one agency’s guidance.

Federal vs. State: Who Regulates What?

Federal snapshot

  • USDA: Oversees hemp cultivation plans and sampling for farmers.
  • FDA: Regulates product categories. CBD cannot be added to foods or sold as a dietary supplement in interstate commerce. Disease claims can trigger “drug” status.
  • FTC: Requires that advertising claims are truthful, not misleading, and substantiated.
  • DEA: Controls marijuana and non‑compliant THC levels; monitors synthetic conversion of cannabinoids.

State snapshot

  • States often require registrations or notifications for “hemp extract” products.
  • Many states use a total THC approach and impose extra rules (age limits, child-resistant packaging, QR codes).
  • Several states restrict intoxicating hemp derivatives (e.g., delta‑8/THC‑O).
  • Label and testing rules vary widely and change often.

The Regulatory Checklist for CBD Brands

Use this regulatory checklist to build a defensible program from day one.

  1. Map your product types. Topical/cosmetic, ingestible (food/beverage), pet, vape/inhalable. Rules differ by category and state.
  2. Verify hemp source and THC status. Get farm and extractor COAs; confirm delta‑9 THC ≤ 0.3% by dry weight, and check whether your target states use total THC formulas.
  3. Choose lawful markets. Avoid states that prohibit your format (e.g., ingestibles or vapes). Don’t ship restricted products into those states.
  4. Engage a qualified lab. Use ISO/IEC 17025–accredited labs for potency and contaminants; vet detection limits and methods.
  5. Implement cGMP and HACCP. Match the standard to your category (e.g., 21 CFR 117 for foods, ISO 22716 for cosmetics). Document SOPs and training.
  6. Design compliant labels. Include identity, net quantity, ingredient list, manufacturer/distributor info, lot/batch, and QR code to the COA when required.
  7. Review all claims. Remove disease or drug-like claims (pain, anxiety, insomnia). Keep claims conservative and substantiated.
  8. Set up age-gating and shipping controls. Verify age for restricted items; follow PACT Act rules for vape/ENDS if applicable.
  9. Adverse event and recall readiness. Create procedures, maintain records, and test your mock recall annually.
  10. Monitor and log changes. Track state updates, label revisions, COAs, and training in a centralized register.

Labeling Laws Every Brand Should Know

Label rules depend on product type and state. Many states require a scannable QR code linking to a batch-specific COA, plus lot number and manufacture date.

  • Identity statement: What the product is (e.g., “Hemp-derived CBD topical cream”).
  • Net quantity of contents: Fluid ounces or grams on the principal display panel.
  • Ingredient listing: In descending order by weight; use INCI names for cosmetics.
  • Company name and address: Responsible party for consumer contact.
  • Batch/lot number: Traceability for recalls and COA linkage.
  • Warnings: “Keep out of reach of children,” pregnancy and medical-use cautions, and state-specific statements.

Avoid medical claims. If you claim to diagnose, treat, or cure disease, your product may be a drug under the FD&C Act. Disclaimers don’t fix unlawful claims.

Testing and Quality Standards

Consistent third-party testing is table stakes. Most states expect potency, residual solvents, heavy metals, pesticides, mycotoxins, and microbials as part of quality standards.

  • Potency: CBD, delta‑9 THC, and often total THC. Check state tolerance limits on label vs. COA.
  • Contaminants: State-driven panels vary. Match your test menu to each market’s rules.
  • Stability: Run shelf-life studies to support expiration dates and storage instructions.
  • Vendor qualification: Audit suppliers; use quality agreements that define testing and specs.

Keep complete COA records and link them to every lot shipped. Many states require a QR code that resolves to a public COA page.

Marketing, Claims, and E‑Commerce

  • Claims: No disease claims (e.g., arthritis, anxiety, insomnia). Avoid drug-like wording (pain relief, anti-inflammatory). “Calm” or “recovery” must still be supported and non‑disease.
  • Substantiation: Have competent and reliable scientific evidence for each express or implied claim.
  • Endorsements: Clearly disclose material connections with influencers per FTC rules.
  • Platforms: Ad policies vary and change. Confirm current allowances before launching paid campaigns.
  • Email/SMS: Follow CAN-SPAM and TCPA; obtain consent and offer opt‑outs.

Product Category Nuances

  • Ingestibles: FDA maintains that CBD cannot be added to conventional foods or marketed as a dietary supplement in interstate commerce. Some states allow intrastate sales under strict rules.
  • Topicals/Cosmetics: Must be safe for intended use and properly labeled. Therapeutic claims can reclassify the product as a drug.
  • Vapes/ENDS: Subject to the PACT Act and carrier restrictions. Expect age verification and shipping limits.
  • Pets: States vary widely; veterinary claims can trigger additional scrutiny.

Real-Life Example: A Brand’s Fast Fix

A midwestern gummy brand (let’s call them “Riverfield”) launched fast and grew online sales. A state inspector flagged them for two issues: labels lacked a batch-specific QR code, and potency varied more than allowed.

Riverfield responded within 30 days. They switched to an ISO 17025 lab with validated methods, tightened blending controls, and added on-label lot numbers and QR codes linking to public COA pages. They also retrained their social team to remove posts implying pain relief.

Result: no recall, reopened retail accounts, and lower customer support tickets thanks to transparent testing links. Their story shows how clear SOPs and documentation can turn a setback into trust.

Build a Repeatable CBD Compliance Program

Core SOPs to implement

  • Supplier qualification and incoming material testing
  • Manufacturing cGMP and sanitation
  • Label control and artwork approval workflow
  • COA management and QR link publishing
  • Ad/claims review checklist and approvals
  • Complaint handling and adverse event reporting
  • Recall/withdrawal and mock recall testing
  • Training and competency records

Documentation that proves diligence

  • Master manufacturing records and batch records
  • Change control logs for labels and formulas
  • COA archive mapped to lot numbers and ship-to states
  • Training logs for marketing and customer service teams

Common Pitfalls (and Quick Fixes)

  • Pitfall: Health claims in blogs and captions. Fix: Pre‑clear all content with a claims checklist.
  • Pitfall: Using one label for all states. Fix: Maintain state variants and a label matrix.
  • Pitfall: Outdated COAs. Fix: Automate COA collection and site updates per lot.
  • Pitfall: No age gating for restricted items. Fix: Add verification at PDP and checkout.
  • Pitfall: Unvetted labs. Fix: Qualify labs annually and compare results across labs when needed.
Pro tip: Keep a single “Regulatory Register” spreadsheet listing every product, target state, applicable rules, required warnings, and label/COA links. It simplifies audits and new market launches.

Conclusion

Tight operations, honest labels, and conservative claims build trust and reduce risk. Treat cbd compliance as an ongoing process—plan your labels and testing by state, document everything, and train your team to stay on message.

Ready to stress-test your program? Download our free 20-point CBD Compliance Audit Checklist or book a 30‑minute consult. We’ll help you confirm labeling laws, testing, and quality standards before your next launch.

CBD Compliance FAQs

Is hemp-derived CBD legal in all 50 states?

Hemp with ≤ 0.3% delta‑9 THC is federally legal, but states control product formats and retail rules. Some restrict ingestibles or vapes, require registrations, or impose age limits. Always verify the rules in each state you sell or ship to.

Can I market CBD as a dietary supplement or add it to food?

The FDA’s current position is no. CBD cannot lawfully be marketed as a dietary supplement or added to conventional foods in interstate commerce. Some states permit intrastate sales with strict conditions. Get legal counsel before pursuing these categories.

What must be on a compliant CBD label?

Include product identity, net contents, ingredient list, responsible party name/address, lot or batch number, and required warnings. Many states also require a QR code linking to a batch-specific COA. Avoid disease or drug-like claims.

Which tests are required for CBD products?

Expect potency (CBD and THC), residual solvents, heavy metals, pesticides, microbials, and mycotoxins. Use an ISO/IEC 17025–accredited third-party lab and match your test panel to each state’s rules and product type.

What marketing claims are allowed?

Claims must be truthful, not misleading, and supported by evidence. Avoid disease claims (e.g., anxiety, arthritis, insomnia) and drug-like promises (pain relief). Disclose influencer relationships. Keep a claims approval process and substantiation files.