1. What is your state’s law on the use of CBD oil in products to be sold to the public, i.e. cosmetics, etc.?

Nevada law allows for the sale of edible marijuana products and marijuana-infused products with certain restrictions. See NRS 453A et. seq. and 453D et. seq. Products containing CBD oil qualify as either edible marijuana products or marijuana-infused products depending on whether they are intended for oral ingestion or use other than inhalation or oral ingestion. See NRS 453A.112 and NRS 453A.101. These products containing CBD oil are subject to various restrictions and requirements imposed by statute.

Labeling Requirements

All marijuana products, including those with CBD oil, must be clearly labeled with the words “THIS IS A MARIJUANA PRODUCT.” NRS 453D.310(1)(a)(1). Products containing CBD oil must have a label that includes the following information:

• The name and registration number of the facility that produced the products
• Identification of the lot number for all marijuana used to extract the CBD oil
• The name of the dispensary
• The date the product was manufactured
• The date the product was packaged
• If the product is perishable, a suggested use-by date
• A cannabinoid and terpenoid profile of the product
• A list of all ingredients and major food allergens
• The net weight of the product
• The following warning: “Caution: When eaten or swallowed, the intoxicating effects of this drug may be delayed by 2 or more hours.”
• The extraction process, and any solvent, gas, or other chemical used to extract the CBD oil
• The following warning: “This product may have intoxicating effects and may be habit forming.”
• The following statement: “This product may be unlawful outside of the State of Nevada.”

See NRS 453A.512(1). A sample label for such products is provided in NRS 453A.512(2). Additionally, material disclosing any pesticides that were used on the marijuana plants must also be disclosed, along with further warnings. NRS 453A.512(3).

Packaging Requirements

Products containing CBD oil must be packaged in a way to allow for tracking by some kind of inventory control system. NRS 453D.310(1)(d). Additionally, products with CBD oil must be sold in single packages, and a single package is restricted by the amount of THC present in the product. See NRS 453D.310(2).

Limitations on Production

Any facility that produces edible CBD products or CBD-infused products is subject to the following restrictions regarding the production of those products. The product cannot be, or appear to be, a lollipop. NRS 453A.360(2)(a). The product cannot bear the likeness or characteristics, including cartoon or artistic renderings, of any real or fictional person, animal, or fruit. NRS 453A.360(2)(b). Additionally, the product cannot be modeled after any brand of products that is primarily marketed to, or consumed by, children. NRS 453A.360(2)(c). Finally, the product cannot be made by applying CBD oil to a commercially available candy or snack, other than dried fruit, nuts, or granola. NRS 453A.360(2)(d). The CBD oil in products offered to the public may also be derived from industrial hemp. See NRS 453A.352(12).

Additional Regulations

All products containing CBD oil that are to be sold in the state of Nevada must also undergo independent testing. See NRS 453A.368. Such testing facilities are required to determine the concentration of both THC and CBD in products that will be sold to the public. See NRS 453A.368(2)(a)(1). Finally, the Department of Taxation is authorized to adopt further regulations related to edible CBD products and CBD-infused products. See NRS 453A.370; NRS 453A.075.

2. Regarding privacy issues, has your state adopted its own version of GDPR or how is your state dealing with GDPR requirements? What other privacy laws has your state adopted recently in response to concerns about the lack of protections for consumers?

Chapter 603A of the Nevada Revised Statutes outlines Nevada’s primary laws regarding the security and privacy of personal information. See NRS 603A.010 et. seq. These privacy statutes were originally passed in 2005, and were subsequently amended in 2017. See id. On May 29, 2019, Nevada’s governor signed Senate Bill 220 into law, amending and updating Nevada’s privacy laws in the wake of growing privacy concerns and actions by other states and countries to provide greater protection for personal information. See 2019 Nevada Laws Ch. 211 (S.B.220). The new amendments will go into effect on October 1, 2019. Id.

Perhaps the most interesting requirement of the new amendments to Nevada’s privacy laws is the right for consumers to “opt out” of the sale of their personal information. See id. at § 2. Under the new amendments, the operators of Internet websites that are subject to the statute are required to establish a dedicated request address through which consumers may request that their personal information not be sold. Id. While this is an important step in protecting consumers’ personal information, the scope of the law is actually limited by the way the legislature defined operators and sale.

An operator is anyone who owns or operates a website for commercial purposes, collects and maintains personal information from Nevada residents, and purposefully directs activities toward Nevada. NRS 603A.330. However, the notice provisions of Nevada’s privacy laws do not apply to websites that have fewer than 20,000 unique visitors per year, are located in Nevada, and whose primary revenue source is not obtained through the goods and services offered on their website. NRS 630A.340(3). Additionally, there are several exceptions that limit what constitutes a “sale” in the context of the “sale” of personal information by an operator. See S.B. 220, at § 1.6(2).

Nevada law also contains certain notice requirements that covered operators must adhere to. See NRS 603A.340. This section requires operators to notify consumers of what personal information is being collected, whether third parties have access to that information, and describes how a consumer can review and change any of their personal information that is collected by the website. NRS 603A.340(1).

If an operator violates any of these provisions, the Nevada Attorney General is authorized by bring an action to enforce these privacy laws. NRS 603A.360. Specifically, the Attorney General is authorized to issue injunctions and impose a civil penalty of up to $5,000 for each violation of these provisions. Id. While the Attorney General is authorized to enforce these provisions, the statute expressly states that these provisions do not create a private right of action against any operators. Id.

Nevada’s privacy laws also mandate that a business that collects personal information must take reasonable measures to destroy that data when it decides it will no longer maintain those records. NRS 603A.200. Moreover, anytime a business accepts any type of payment card in connection with their goods or services, they must ensure that they do not transmit that information unless they have adequately encrypted the data. NRS 603A.215. Finally, any business that collects or owns personal information stored on computers is required to disclose to any resident of Nevada any breach of security in which that person’s unencrypted personal information is, or is reasonably believed to have been, acquired by an unauthorized person. NRS 603A.220.