Hospitality & Retail - 2019 -


1. What is your state’s law on the use of CBD oil in products to be sold to the public, i.e. cosmetics, etc.?

The use and sale of cannabidiol (CBD) products that can be smoked, vaped, worn as a patch or applied as a lotion is legal in Maine, subject to certain labeling and packaging requirements. See, 28-B M.R.S.A. §701.
However, the sale of CBD “edibles” (including all foods, tinctures and capsules) is presently not permitted due to the fact that hemp-derived products are not FDA approved to be used as food additives.

2. Regarding privacy issues, has your state adopted its own version of GDPR or how is your state dealing with GDPR requirements? What other privacy laws has your state adopted recently in response to concerns about the lack of protections for consumers?

Maine has not adopted its own version of the GDPR. However, the following relevant laws are in effect.

On June 6, 2019, Maine Governor Janet Mills signed into law new data privacy protections for Maine residents. The law, entitled “An Act To Protect the Privacy of Online Customer Information,” places new restrictions on Internet service providers (ISPs), effective July 1, 2020. The law prohibits the use or sale of customer information without those customers opting in to having their data shared. Under the law, ISPs may not use, sell, or disclose “customer personal information,” including web browsing history, application usage history, precise geolocation information, financial information, and health information, without customer consent. In addition, an ISP is prohibited from refusing to serve a customer based on their refusal to consent to the data usage terms. Finally, ISPs will also be required to take “reasonable measures” to protect customer personal information from “unauthorized use, disclosure, sale or access”. The law applies to ISPs operating in Maine that provide Internet access to customers physically located and billed for services received in Maine.
See, 35-A M.R.S.A. §9301, et seq.

Maine law on electronic data breaches requires people who maintain computerized personal data (such as social security numbers, driver’s license or state ID numbers, account, credit and debit card numbers, and account passwords) who become aware of a security breach to “conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal information has been or will be misused.” Maine law also imposes certain notification requirements:

A. Any business maintaining personal information must notify residents whose personal data has been misused or where it is reasonably possible that the data may be misused;

B. If a breach requires notice to more than 1,000 people, the business has an obligation to notify the credit bureaus;

C. If the business whose data was breached is regulated by an agency within Maine’s Department of Professional and Financial Regulation (DPFR), then the responsible regulatory agency must be notified;

D. If the business whose data was breached is not regulated by an agency in the DPFR, then the business must notify the Maine Attorney General.

Notifications must be made “as expediently as possible and without unreasonable delay.”

See, Maine Notice of Risk to Personal Data Act, 10 M.R.S.A. §1346, et seq.

Maine law also recognizes the tort of invasion of privacy. There are four types of interests, the invasion of which may give rise to a claim for invasion of a person’s right to privacy:

A. Unreasonable intrusion upon the seclusion of another;

B. Public disclosure of private facts;

C. Publicity that unreasonably places one in a false light in the public eye; and

D. Appropriation of one’s name or likeness.

See, e.g., Nelson v. Maine Times, 373 A.2d 1221 (Me. 1977).