Hospitality & Retail - 2019 -

Idaho

1. What is your state’s law on the use of CBD oil in products to be sold to the public, i.e. cosmetics, etc.?

In Idaho, CBD oil is legal only in narrow circumstances. Idaho law does not distinguish between marijuana-derived or hemp-derived CBD oil. Counsel for the State: CBD and Hemp in Idaho, IDAHO OFFICE FOR THE ATTORNEY GENERAL (June 11, 2019), https://www.ag.idaho.gov/office-resources/counsel-for-the-state/. There is expanded access to pharmaceutical grade CBD for children with a certain medical condition.

There is a two-part test to determine whether CBD oil is legal under Idaho law. Id. The CBD oil must (1) contain zero THC, and (2) be manufactured from one of the five parts of the plant that is not considered “marijuana” under Idaho criminal law. Cannabidiol (CBD), IDAHO OFFICE OF DRUG POLICY (last visited June 25, 2019), https://odp.idaho.gov/cannibidiol/. Generally, the five non-marijuana parts of the plant all consist of the mature stalks of the plant, id., which are mainly used to make hemp, Counsel for the State: CBD and Hemp in Idaho.

There is one very narrow exception for medical purposes. The Expanded Access Program (EAP) is an Executive Order enacted by Idaho Governor C.L. Otter in April 2015. Id. The EAP grants access to FDA-approved pharmaceutical grade CBD, Epidiolex, for children with treatment-resistant epilepsy. Id. Epidiolex is covered by most insurance and is also available for prescription. Id.

Idaho has not enacted special protections for hemp-based CBD. Although the 2018 Federal Farm Bill removed hemp products with less than 0.3% THC concentration from the Schedule One list of controlled substances, the bill did not legalize CBD oil generally. Cannabidiol (CBD), IDAHO OFFICE OF DRUG POLICY; 7 U.S.C. § 5940(a)(2). Instead, states are responsible for regulating the use of hemp covered under the bill, and Idaho has not enacted legislation in response to the Federal Farm Bill. Cannabidiol (CBD), IDAHO OFFICE OF DRUG POLICY.

2. Regarding privacy issues, has your state adopted its own version of GDPR or how is your state dealing with GDPR requirements? What other privacy laws has your state adopted recently in response to concerns about the lack of protections for consumers?

Idaho has not adopted any data privacy laws following the General Data Protection Regulation (GDPR). Idaho’s privacy laws have not been amended since enactment in 2006. See IDAHO CODE §§ 28-51-104-107 (2006). And currently, there is no pending data breach legislation in Idaho. The Definitive Guide to U.S. State Data Breach Laws, DIGITAL GUARDIAN (last accessed June 26, 2019); see 2019 Security Breach Legislation, NATIONAL CONFERENCE OF STATE LEGISLATURES (June 13, 2019).

Idaho’s current data breach notification laws apply to Idaho agencies, individuals, and commercial entities. IDAHO CODE § 28-51-105. A “commercial entity” is a “corporation, business trust, estate, trust, partnership, limited partnership, limited liability partnership, limited liability company, association, organization, joint venture, and any other legal entity, whether for profit or not-for-profit.” IDAHO CODE § 28-51-104(3). To be covered by the law, the entity must conduct business in Idaho and own, license, or maintain computerized data that includes an Idaho resident’s personal information. IDAHO CODE § 28-51-105. “Personal information” is an Idaho resident’s first name or first initial and last name, along with a social security number, a state identification number, or information that allows access to the resident’s financial accounts. IDAHO CODE § 28-51-104(5)(a)-(c). The statute only applies to unencrypted personal information. IDAHO CODE § 28-51-104(2).

A “data breach” occurs when (1) computerized data has been illegally acquired, and (2) the acquisition “materially compromises the security, confidentiality, or integrity” of an Idaho resident’s personal information. Id. Once a breach occurs, and if it is determined that the personal information has been or is reasonably likely to be misused, the agency or commercial entity that owns or licenses the data must provide the affected resident with notice. IDAHO CODE § 28-51-105(1). Notice may be given by written notice, telephonic notice, electronic notice, or substitute notice. IDAHO CODE § 28-51-104(4). Substitute notice is allowed only if the cost of notice exceeds $25,000, more than 50,000 Idaho residents are affected, or if the owner of the personal information “does not have sufficient contact information to provide notice.” IDAHO CODE § 28-51-104(d). Substitute notice includes email notice, a conspicuous notice posted on the entity’s website, or notice through major statewide media. IDAHO CODE § 28-51-104(4)(d)(i)-(iii).

Idaho law does not enumerate a specific deadline for when notice must be provided. See id. Rather, notice must be given “in the most expedient time possible and without reasonable delay.” Id. Additionally, if a state agency becomes aware of a breach, the agency must also notify the Idaho Attorney General within twenty-four hours of discovering the breach. Id. Notice to affected residents may be delayed if the notice could “impede a criminal investigation.” IDAHO CODE § 28-51-105(3). An agency, individual, or commercial entity that “intentionally fails to give notice” to an affected Idaho resident is subject to a maximum fine of $25,000 per breach. IDAHO CODE § 28-51-107.