Hospitality & Retail - 2019

Arkansas

1. What is your state’s law on the use of CBD oil in products to be sold to the public, i.e. cosmetics, etc.?

Arkansas has recently descheduled CBD (cannabidiol) products that contain less than .3% THC and are not approved by the FDA for marketing as a medication. 2019 Ark. Acts 504. The act removes CBD products that fit within those parameters from the definition of marijuana and from classification as a Schedule VI drug. Id. Therefore, as long as the CBD oil contains less than .3% THC it is legal for sale in Arkansas. Notably, the state has not updated the Food, Drug and Cosmetics Act to specifically address CBD as a food and cosmetic additive, but it has legalized the cultivation, processing and sale of CBD under the state’s industrial hemp pilot program.

2. Regarding privacy issues, has your state adopted its own version of GDPR or how is your state dealing with GDPR requirements? What other privacy laws has your state adopted recently in response to concerns about the lack of protections for consumers?

Arkansas has recently amended the Personal Information Protection Act to include additional information in the definition of personal information. 2019 Ark. Acts 1030. The definition of personal information was expanded by the legislation to include biometric data such as fingerprints, DNA, and retinal scans. Id. The additions to the act also require that, should a security breach occur to a “person or business that maintains computerized data that includes personal information” not owned by the business, the breached entity must notify the owner of the information if the breached entity reasonably believes personal information was obtained by an unauthorized party. Id. The act goes on to require the breached entity to inform the Attorney General at the time of disclosure to the affected individuals or within 45 days if the breach may harm more than 1,000 individuals. Id. Finally, the act requires that the breaching entity maintain records of the written determination of the security breach and any documents that support the determination of breach for five years following the conclusion that a breach has occurred. Id.