Hospitality & Retail - 2019 -

New Mexico

1. What is your state’s law on the use of CBD oil in products to be sold to the public, i.e. cosmetics, etc.?

Cannabis-Derived CBD Oil Products:

The Lynn and Erin Compassionate Use Act (“the Act”) allows the beneficial use of medical cannabis to alleviate symptoms caused by debilitating medical conditions and their medical treatments. Lynn and Erin Compassionate Use Act, N.M. Stat. Ann. § 26-2B-1 (2007). The New Mexico Department of Health established the New Mexico Medical Cannabis Program (“NMMCP”) pursuant to the Act to issue licenses to cannabis and cannabis-derived product manufacturers, distributors and dispensers. The program also issues medical marijuana cards to approved New Mexican residents for the purpose of buying and using cannabis for medical purposes only. While there is no mention of Cannabidiol (CBD) products in the Act, the MCP has interpreted the definition of “adequate supply” to include cannabis-derived CBD products. Department of Health, Letter dated June 7, 2018. On June 7, 2018, the MCP issued a letter instructing approved producers and businesses that selling and distributing CBD or hemp products from out of state sources is a violation of the Act and therefore an illegal practice. Id. The NMMCP directed that all cannabis and cannabis derived products that do not originate from a plant that has been approved and grown in New Mexico by the program must be pulled from inventory. Id. Thus currently in New Mexico, the use of cannabis-derived CBD oil containing THC in products is restricted to medical uses and in-state producers and plants approved by the Medical Cannabis Program.

In April 2019, the House considered legislation to legalize funding and development of recreational cannabis and cannabis-derived products. H.B. 356, 54th Leg., Reg. Sess. (N.M. 2019). However, the bill died before the House or Senate could vote on such legislation. Id. Thus, use of cannabis-derived CBD oil products remains restricted to medical purposes and approval by the Medical Cannabis Program.

Industrial Hemp-Derived CBD Oil Products:

There is no current law in place restricting the sale or use of industrial hemp-derived CBD oil products in New Mexico. The Lynn and Erin Compassionate Use Act applies specifically to cannabis-derived CBD or hemp products that contain THC. There seems to be no restriction on the sale and purchase of CBD oil products not containing THC. In 2017, the state legislature amended the Controlled Substances Act to clarify that industrial hemp was not considered a Schedule 1 Substance unlike marijuana, THC and their chemical derivatives (i.e. CBD). N.M. Stat. Ann. § 30-31-6 (2018). Additionally, the Agricultural Improvement Act of 2018 (“Farm Bill”) further changed federal policy regarding industrial hemp, also exempting industrial hemp from Schedule 1 of the Controlled Substances Act and classifying hemp has as an agricultural product. See 7 U.S.C.A. § 5940 (West). The Farm Bill explicitly allows the transport of hemp-derived products across state lines for commercial and other purposes, and puts no restrictions on the sale or possession of hemp-derived products. Id. Since its passage, consumers have been able to buy hemp-derived CBD oil products online freely. While the bill does provided that States may have more restrictive legislation, New Mexico has yet to pass a law addressing the sale of industrial hemp products via online distributors.

2. Regarding privacy issues, has your state adopted its own version of GDPR or how is your state dealing with GDPR requirements? What other privacy laws has your state adopted recently in response to concerns about the lack of protections for consumers?

New Mexico has yet to enact a law that mirrors or adheres to European Union’s General Data Protection Regulation (“GDPR”) requirements. In 2019, Senator Michael Padilla introduced Senate Bill 176, the Consumer Information Privacy Act, which placed restrictions on the use and sale of personal information, prohibited businesses from discriminating against a consumer for exercising any of the consumer’s rights, and required businesses to train their employees on privacy practices. S.B. 176, 54th Leg., Reg. Sess. (N.M. 2019). However, the bill did not make it to committee and died at the end of the 2019 legislative session.

New Mexico has recently passed the following laws that address data protection and privacy:

Data Breach Notification Act (2017)
The Data Breach Notification Act requires notification of persons affected by a security breach involving personal identifying information. Data Breach Notification Act, N.M. Stat. Ann. § 57-12C-1-12. It also requires notification to consumer reporting agencies, Office of the Attorney General and the card possessors. Id. The law provides civil penalties for security breaches for failure to notify person within 45 calendar days following discovery of the breach. In contrast, the GDPR requires notification of breach to be within 72 hours of discovery. The law has a narrower description of “security breach” than other states’ breach notification laws. It defines “security breach” as the acquisition of computerized data. Id. In contrast, other U.S. states have defined “breach” in similar laws broadly to include the access and acquisition of computerized and physical (i.e. paper) data or records.

Additionally, the law requires any individuals and entities that own or license Personal Identifying Information (“PII”) of a New Mexico resident to “implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the PII from unauthorized access, destruction, use, medication or disclosure.” Id. However, the law does not define what constitutes reasonable security practices and procedures. Id. The law further requires entities to properly dispose of records containing PII. The GDPR has similar requirements of implementation of security procedures; however unlike the New Mexico law, the EU regulation further requires entities to designate a data protection officer to ensure compliance with the GDPR. General Data Protection Regulation 2016/679, art. 37, 2016 O.J. (L 119) 1, (EU). Failure to comply will result in penalties, such as block an entity’s website, or fines. The New Mexico law incorporates civil penalties as well for the failure to notify, including injunctions and damages. See N.M. Stat. Ann. § 57-12C-1-12.

Electronic Communications Privacy Act (passed in 2019)
The Election Communications Privacy Act limits the warrantless use of the cell site simulators (“Stingrays”) that allow law enforcement to gather communications and locate or track a person via their phone or other electronic device. 2019 N.M. Laws Ch. 39, § 3. Police must obtain a warrant or order prior to using such a device, unless given permission by authorized possessor of the device, or if the device is stolen or lost. Id. Police must destroy any information received outside a warrant or order within 3 days of obtaining such information. Id. The law bars law enforcement from compelling service providers or any other person other than the owner without a warrant or order to provide personal communications, including phone conversations, text messages, email, location information, and other metadata (i.e. IP addresses). Id. The law limits the sharing of legally obtained data as well. Id.