1. What is your state’s law on the use of CBD oil in products to be sold to the public, i.e. cosmetics, etc.?

On June 6, 2019, Louisiana Act No. 164 (House Bill 491) was signed into law which permits the growing, processing, handing and transportation of industrial hemp along with the sale of certain hemp-derived cannabidiol products. Specifically, La. R.S. §§ 3:1461 through 3:1471 authorize the cultivation, processing, handling and transportation of industrial hemp in Louisiana. Under La. R.S. § 3:1462(10), “[i]ndustrial hemp” is defined as “the plant Cannabis sativa L. and any part of that plant, including the seeds thereof and all derivatives, extracts, cannabinoids, isomers, acids, salts, and salts of isomers, whether growing or not, with a delta-9 tetrahydrocannabinol (THC) concentration of not more 0.3 percent on a dry weight basis.” A “[p]rocessor” is defined as any individual or business that that receives industrial hemp for storage or processing into commodities, products or industrial hemp seed. La. R.S. § 3:1462(13). The Louisiana Commissioner of Agriculture and Forestry is required to adopt rules and regulations to implement these provisions relating to the growing, processing, handling and transportation of industrial hemp and to enforce the law. See La. R.S. § 3:1464.

All industrial hemp producers, growers, processors and carriers of industrial hemp are subject to annual licensing requirements issued by the Louisiana Department of Agriculture. See La. R.S. § 3:1465. Licenses issued to processors of industrial hemp allow the licensee to handle, process (i.e. convert industrial hemp to a marketable form) and transport industrial hemp in Louisiana. See La. R.S. § 3:1461(12); see also La. R.S. § 3:1465(A)(3). Applicants for any license are subject to criminal background checks and no person is eligible to receive a license who has (1) been convicted of a felony in the last ten years or (2) been convicted of a drug-related misdemeanor in the last two years. See La. R.S. § 3:1465(D)(2). Any facility processing industrial hemp products for consumption is subject to inspection by the Louisiana Department of Health. See La. R.S. § 3:1468(C). Any person who grows, transports, processes, handles or otherwise violates the provisions of La. R.S. §§ 3:1461 through 3:1471 (or the regulations to be adopted pursuant thereto) are subject to civil fines, license suspension or revocation and/or criminal penalties, including imprisonment at hard labor for not less than one year nor more than criminal fines not to exceed $50,000. See La. R.S. §§ 3:1470-1471.

Louisiana Act No. 164 (House Bill 491) also enacted La. R.S. §§ 3:1481 through 3:1484 relating to the manufacture, distribution, importation and sale of cannabidiol products (“CBD”). Under the law, no person may process or sell: (1) any part of hemp for inhalation; (2) any alcoholic beverage containing CBD; or (3) any food product or beverage containing CBD unless the U.S. FDA approves CBD as an additive. See La. R.S. § 3:1482(A); see also La. R.S. § 40:4.9(F). Any CBD product manufactured, distributed, imported, or sold in Louisiana must be: (1) produced from hemp grown by a licensee authorized to grow hemp by the U.S. Department of Agriculture or under an approved state plan pursuant to the Farm Act or an authorized state pilot program pursuant to the Agriculture Act of 2014; (2) be registered with the Louisiana Department of Health and labeled in accordance with the Louisiana State Food, Drug, and Cosmetic Law (La. R.S. 40:601, et seq.); and (3) not be marked as a dietary supplement. See La. R.S. § 1482(B). The law only permits CBD products derived from hemp. See La. R.S. § 1482(G). Further, all labels must: (1) state “This product has not been evaluated by the Food and Drug Administration and is not intended to diagnose, treat, cure, or prevent any disease”; (2) contain no medical claims; and (3) have a scannable bar code, QR code or web address linked to a document or website that contains a certificate of analysis. See La. R.S. § 1482(C). The application for registration must include a certificate of analysis performed by an independent laboratory containing: (1) the batch identification number, date received, date of completion, and method of analysis; and (2) test results identifying the cannabinoid profile by percentage of dry weight, solvents, pesticides, microbials, and heavy metals. See La. R.S. § 1482(D)-(E).

Any person who sells or is about to sell any industrial hemp-derived CBD product must first obtain a permit from Louisiana’s Office of Alcohol and Tobacco Control for each place of business where any such product is sold. See La. R.S. § 1483(A). The annual permit fee is not to exceed $175. See La. R.S. § 1483(B). Criminal penalties for violations of La. R.S. §§ 3:1481 through 3:1484 include a fine not to exceed $300 for a first offense, $1,000 for a second offense and $5,000 for a third offense. See La. R.S. § 3:1484. Additionally, a third or subsequent offense requires imprisonment, with or without hard labor, for not more than two years. See La. R.S. § 3:1484(A)(3).

2. Regarding privacy issues, has your state adopted its own version of GDPR or how is your state dealing with GDPR requirements? What other privacy laws has your state adopted recently in response to concerns about the lack of protections for consumers?

La. R.S. §§ 51:3071 through 51:3077 are known as Louisiana’s “Database Security Breach Notification Law.” The law aims to protect “personal information” of Louisiana residents defined as follows:

“Personal information” means the first name or first initial and last name of an individual resident of this state in combination with any one or more of the following data elements, when the name or the data element is not encrypted or redacted:

(i) Social security number.
(ii) Driver’s license number or state identification card number.
(iii) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
(iv) Passport number.
(v) Biometric data. “Biometric data” means data generated by automatic measurements of an individual’s biological characteristics, such as fingerprints, voice print, eye retina or iris, or other unique biological characteristic that is used by the owner or licensee to uniquely authenticate an individual’s identity when the individual accesses a system or account.

La. R.S. § 51:3073(4)(a). However, “personal information” does not include “publicly available information that is lawfully made available to the general public from federal, state, or local government records.” La. R.S. § 51:3073(4)(b).

La. R.S. § 51:3073(2).

Under the law, any person or business entity that conducts business in Louisiana or that owns or licenses computerized data that includes personal information (including any government agency of the state or political subdivision thereof including any officer, agency, board, commission, department or similar body) must “maintain reasonable security procedures and practices appropriate to the nature of the information to protect personal information from unauthorized access, destruction, use, modification, or disclosure.” La. R.S. § 51:3074(A); see also La. R.S. § 51:3073(A). Furthermore, those same persons and entities, including agencies, must take “all reasonable steps to destroy or arrange for the destruction of the records within its custody or control containing personal information that is no longer to be retained by the person or business by shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable or undecipherable through any means.” La. R.S. § 51:3074(B).

“Breach of the security system” is defined as:

“Breach of the security of the system” means the compromise of the security, confidentiality, or integrity of computerized data that results in, or there is a reasonable likelihood to result in, the unauthorized acquisition of and access to personal information maintained by an agency or person. Good faith acquisition of personal information by an employee or agent of an agency or person for the purposes of the agency or person is not a breach of the security of the system, provided that the personal information is not used for, or is subject to, unauthorized disclosure.

Following discovery of a breach of a security system, any person, entity or agency that owns or licenses computerized data that includes personal information must notify any resident of the state whose personal information was or reasonably believed to have been acquired by an unauthorized person. See La. R.S. § 51:3074(C). In the event a person, business or agency maintains computerized data that includes personal information, but does not own such data, it must notify the owner or licensee of any similar breach which it knows of or reasonably believes has occurred. La. R.S. § 51:3074(D). The notification required under the preceding subsections must be made “in the most expedient time possible and without unreasonable delay but not later than sixty days from the discovery of the breach” consistent with the legitimate needs of law enforcement as outlined in the law or any measures necessary to determine the scope of the breach, prevent further disclosures, and restore the reasonable integrity of the data system. See La. R.S. § 51:3074(E)-(F). However, the Louisiana Attorney General is required to grant a reasonable extension of time for providing notice if the notifying party submits a written request within 60 days outlining the need for additional time based on the notifying party’s determination that measures are necessary to determine the scope of the breach, prevent further disclosures, and restore the reasonable integrity of the data system. See La. R.S. § 51:3074(E).

The required notification must be provided in (1) writing or (2) electronically consistent with the provisions regarding electronic records and signatures pursuant to 15 U.S.C. 7001. See La. R.S. § 51:3074(G)(1)-(2). Substitute notification may be provided via email, website posting, or to major statewide media if (1) the cost of providing notice would exceed $100,000; (2) the class of persons to be notified exceeds 100,000; or (3) the notifying party does not have sufficient contact information. See La. R.S. § 51:3074(G)(3). However, a notifying party that maintains a notification procedure as part of its security policy for protection of personal information which is consistent with the timing requirements of the law may issue notification to necessary persons consistent with its policy and procedure in the event of a breach. See La. R.S. 51:3074(H). Furthermore, notification is not required if the person, business or agency determines there is no “reasonable likelihood of harm” to Louisiana residents after “reasonable investigation.” La. R.S. § 51:3074(I). Written notice of a breach must also be provided to the Louisiana Attorney General so that it is received within 10 days of distribution of notice to Louisiana residents. See La. Admin. Code, tit. 16, pt. III, § 701.

Lastly, violations of the Database Security Breach Notification Law constitute unfair trade practices under Louisiana law. See La. R.S. § 51:3074(J). Failure to provide timely notice as required under the law can result in fines not to exceed $5,000 per violation, and each day notice is not received by the Louisiana Attorney General constitutes a separate violation. See id. Additionally, a private right of action is granted under La. R.S. § 51:3075 to recover actual damages for failure to provide timely notice in the event of a breach of a person’s personal information as required under the law.