1. What is your state’s law on the use of CBD oil in products to be sold to the public, i.e. cosmetics, etc.?

Under Hawaii law, the use of CBD oil is legal – as long as it is hemp-derived and is comprised of less than 0.3% of tetrahydrocannabinol (THC). Subsequent to the passing of the 2014 Senate Bill 2175 which approved the use of hemp-derived CBD oil and a two-year pilot research program on such, in 2016, Governor David Ige signed Act 228. Noting the 2014 Farm Bill President Obama signed and the pattern of support for industrial hemp farming at a national level, Act 228 was passed to “establish an industrial hemp pilot program to allow the cultivation of industrial hemp and distribution of its seed in Hawaii . . .” Act 228, Section 1. Thus, while the use of hemp-derived CBD oil is legal in Hawaii and at the federal level, CBD oil containing over 0.3% of THC is designated as cannabis or marijuana in which recreational usage is prohibited by both state and federal law.

2. Regarding privacy issues, has your state adopted its own version of GDPR or how is your state dealing with GDPR requirements? What other privacy laws has your state adopted recently in response to concerns about the lack of protections for consumers?

Hawaii Revised Statute (“HRS”) §487N, specifically HRS §487N-2 addresses the obligations of certain businesses and government agencies to inform consumers (or owners of personal information) that have been affected by a security breach that they have either discovered or have notice of.

Such notice shall include: the incident in general terms; the type of personal information that was subject to the unauthorized access and acquisition; the general acts of the business or government agency to protect the personal information from further unauthorized access; a telephone number that the person may call for further information and assistance, if one exists; and advice that directs the person to remain vigilant by reviewing account statements and monitoring free credit reports.
HRS §487N-2 also provides a variety of methods in which notice can be provided in compliance with the statute. HRS §487N-2 also includes language that prevents any waiver of its notice requirements. Penalties for non-compliance typically include monetary fines and damages.

During the 2019 Legislative Session, a bill (“SB 418”) was also introduced to address the specific issues covered by the General Data Protection Regulation (“GDPR”). However, SB 418 never made it out of the committees that it was referred to. SB 418 was modeled after both the GDPR and the California Consumer Privacy Act (“CCPA”).

Specific highlights of SB 418’s provisions included: disclosure of the categories and specific pieces of identifying information collected about a consumer; disclose the identity of third parties to which a business has sold or transferred identifying information; to publicly disclose the categories of identifying information that businesses collect from consumers and the purposes for collection; and to delete identifying information collected from a consumer upon verifiable request from the consumer.

SB 418 did not include a private right of action or penalties for violation. Another concern about SB 418, the bill did not include a definition for the term ‘business’ which could have resulted in an unintended expansion of applicability.