Hospitality & Retail - 2019 -


1. What is your state’s law on the use of CBD oil in products to be sold to the
public, i.e. cosmetics, etc.?

CBD products produced from marijuana are not to be regulated as marihuana if
the THC content is below 0.3%. Edible marijuana products containing CBD made by
licensed processors may only be produced using CBD obtained from regulated sources.
Currently, these regulated sources include the State of Michigan licensed growers or
processors under the State Medical Marijuana Facility Licensing statute. Any product
derived from industrial hemp with a THC concentration above 0.3% is classified as
marijuana and regulated under the laws that apply to those products through the
Michigan Department of Licensing and Regulatory Affairs. Products derived from
industrial hemp, including CBD oil, fall under several different categories. Any
substance that will be added to food or drink or marketed as dietary supplements must
first be approved by the U.S. Food and Drug Administration for that intended use. At
this time, the FDA has not approved CBD for use in food or drink or dietary supplements.
Therefore, the State of Michigan takes the position that it is currently illegal to add CBD
into food products or drinks or sell it as dietary supplements. GRAS (Generally
Regarded As Safe) is a list of substances that the FDA considers safe to add to food.
Hulled hemp seeds, hemp seed protein, and hemp seed oil are considered GRAS, as of
December 20, 2018. CBD is currently not considered GRAS as of March 29, 2019. In
Michigan, any food production falls under the Michigan Food Law and the licensing
requirements within the law.

2. Regarding privacy issues, has your state adopted its own version of GDPR or how

is your state dealing with GDPR requirements? What other privacy laws has your
state adopted recently in response to concerns about the lack of protection for

Michigan does not have anything akin to the GDPR. However, a couple of related statutes should be noted: 1) Identity Theft Protection Act – general data breach notification statute (M.C.L. § 445.63, et seq.) / Third-Party Custodians are also covered by this act (see, M.C.L. § 445.72(2)); and 2) The legislature recently passed House Bill 6491 (to be implemented at MCL § 500.550, et seq.) regarding data security, but this act will not take effect until January 20, 2021. This act imposes higher standards on insurance companies that handle private consumer information, increases consumer protection requirements, and establishes new reporting requirements if a breach of consumer data occurs. Licensees are required to implement Section 555 by January 20, 2022 and Section 555(6) by January 20, 2023.