To provide some clarity on this new fee for cannabis retailers located in Colorado, we answer some of your commonly asked questions.
As we stated, this new charge impacts tangible property, including cannabis products, that are delivered to a location within the state of Colorado by a vehicle. It is $0.27 per sale (regardless of the number or value of the items delivered).
It does. CDOR defines tangible personal property as “all goods, wares, merchandise, products and commodities, and all tangible or corporeal things and substances that are dealt in and capable of being possessed and exchanged.” While several things are exempt from sales tax, cannabis products are not included — thus, this delivery fee applies to cannabis too.
Whether you use a company-owned vehicle or a third-party organization, every seller must collect this 27-cent fee from its customers. The company facilitating the transport of cannabis products bears no responsibility for the fee.
Yes, wholesale transactions (or other tax-exempt purchases) don’t have to collect the retail delivery fee. This includes wholesale cannabis deliveries, making them exempt from the delivery fee. Sales of exempt tangible personal property (i.e., items for resale) will be exempt from the fee unless one item of tangible personal property subject to sales or use tax is included in the delivery. In that case, the delivery fee would apply.
Both the buyer and the seller, in a way — as the seller of the item(s) being delivered, you must collect the fee. But the customer is responsible for paying the fee once you have charged them — and it must be listed on your invoice as a separate item (shown on the receipt as “retail delivery fees”), so there is full transparency.
Businesses that have a sales tax collection obligation are required to also collect the delivery fee in addition to sales tax. If your business has already registered for sales and use tax, then you will automatically be registered for this additional retail delivery fee (with a Retail Delivery Fee Account). As mentioned above, third-party delivery companies that would not otherwise charge sales tax are not subject to this new fee.
The fee must be reported on its own return called the Retail Delivery Fee Return (DR 1786), which is separate from the state-wide Colorado Sales and Use Tax System (SUTS) return or other local Colorado returns. However, both are due on the same date, or by the 20th day of the month after the reporting period. There are plans to incorporate the return into SUTS, but the feature will not be available until later this year.
No. CDOR has generously decided to provide some leniency, as it received feedback that listing and collecting the fee by the July 1 start date would prove challenging. Informal guidance says if you fail to separately state the fee, you will not incur penalties or interest — given you do the best you can to implement the separate statement requirement.
The buyer will still be required to pay the fee whether you collect it from them or not, and you, the retailer, will still be responsible for remitting the fee for any transactions made on or before July 1, 2022, even if you did not charge it to the buyer.
There is no question this fee, imposed while the country is experiencing record-setting inflation and sky-high fuel prices, has caught consumers and businesses alike by surprise. While you, the seller, do not have to pay the fee, your potential customers do — and this impacts everything they buy that gets delivered (including restaurant delivery). These add-ons will stack up, and with Colorado’s cost of living already rising, consumers may have to start budgeting, indicating this could affect your bottom line in the future.
If you have any questions about the new fee, such as how to file this separate tax return or collect the tax from your customers, contact MGO’s team of Tax professionals.
MGO is positioned as a national leader in both tax advisory and cannabis accounting and financial best practices.
Ilias Savakis is a State & Local Tax Manager at MGO. He has over five years of experience in Sales and Use Tax compliance and consulting. Contact Ilias at ISavakis@mgocpa.com.
It is most likely you have not heard of AMCA. However, if you have had any form of medical test in the past few years, there is a very good chance you know some of their largest clients: LabCorp and Quest Diagnostics, two of the largest medical laboratories in the United States.
AMCA was a third-party debt collector for LabCorp, Quest Diagnostics, and several other medical companies. As a result, AMCA had a deep data-sharing relationship with these firms, which included the exchange of patient health and financial information. At the time of this posting, the initial cause of the breach at AMCA is unknown. Early indicators point to an intrusion on their payments website, but it is unclear how that intrusion actually took place. We’re sure the investigation will turn up more details on the nature of the attack, but it’s already too late for AMCA. The company has filed for Chapter 11 bankruptcy protection due to the astronomical costs of notifying their clients’ patients of the breach, and the termination of client relationships with AMCA. This result doesn’t even begin to cover the costs that LabCorp and Quest could incur due to possible HIPAA violations.
No matter what industry you work in, it is likely that your company uses a third-party vendor, even in a limited capacity, for day-to-day operations. Are you sharing critical, sensitive or proprietary information with your vendor? If so, do you know the nature of the data-sharing relationship between your company and theirs? If the answer is along the lines of ‘probably not’, then you have some work to do.
Though the rules of every industry are different, on the whole, you are still responsible for your customer data no matter who you may turn it over to. If there is a breach, it doesn’t matter if it was caused by something that was out of your company’s control; your customers are going to come to you first for explanations and redress. As such, you need to work to mitigate as much outside risk as possible, and short of cutting off all third-party vendor contact and taking all operations internal, the best way to do this is with a standardized and transparent Third Party Risk Management Program (TPRMP).
TPRMPs are going to look different for every company across every industry, but on the whole they should include these three parts:
An introspective review – Before signing on the dotted line with your potential vendor, you need to have discussions with your business owners and IT and cybersecurity experts to assess your company and determine what information and data needs protecting and why. It’s too easy to say ‘everything’ so your company really needs to dive down and understand what assets, intangible or otherwise, are most important.
Once you make that determination, when you share this data with your trusted vendors, you will be in a position to explain what is important and why. It is incumbent on you to inform your vendor about the criticality of the data you are sharing and ensure they have the proper level of protection. Once you complete the internal assessment and determine what information and data is critical to your company, you need to create and embrace a third party risk management program. One tool within this program is a questionnaire that you can share with your vendor so they can perform a self-assessment on their cyber and IT controls to ensure your data remains secure.
Risk Assessment – With the questionnaire in hand, your company needs to explain to the vendor that the information you are sharing is critical and why. You will ask them to complete the questionnaire so you can gain an understanding of their control environment. In some circumstances, you may go beyond the self-assessment questionnaire and perform an onsite assessment to validate that what they have in place is accurate. Once you have gathered the information on the vendor you will need to have a qualified professional, either internal to your company or a trusted partner, review the responses and determine if the control environment at the vendor is adequate to protect your data.
One major area to consider is how your own company will be exchanging information and resources with the vendor. Remember that not all data is shared via email or electronically; people sometimes forget that physical items such as prototypes are sensitive and critical. You also must remember that the kind of data you share may change over time, along with the mechanisms for sharing. Your relationship with the vendor is ongoing, and the risk assessments that you perform on your vendor should evolve and align over time. Once a qualified person has made a final determination of the risk of engaging with a vendor, you are then able to make an informed business decision.
Continuous Updating – TPRMPs are not one and done once you sign on the dotted line. Threats evolve every day and your TPRMP needs to evolve with them. Before you engage with your vendor, you should have asked them not only what their plans are to continuously improve their security, but how they will inform you about it. Beyond the initial questionnaire or assessment, a carefully written contract with your vendor regarding the responsibilities of each party in maintaining the confidentiality, integrity, and availability of the entrusted data is critical to a successful and secure relationship and partnership. Clear communication to the vendor and continuous attention to the control environment will help ensure that the data entrusted will remain secure and private and that the “B” word, bankrupt, does not happen to your company.
It is possible, and likely, that Quest and LabCorp had a TPRMP in place with AMCA when they engaged them as a vendor. However, something went wrong, and now a large corporation is going under and millions of people are exposed to fraud. The cause of this major security and data breach will come out over time, and lessons learned will hopefully strengthen other TPRMPs to help ensure similar breaches are not experienced. All good cybersecurity programs, including TPRMPs, must evolve and get stronger with time and the lessons learned from various breaches.