Hospitality & Retail - 2019 -

North Carolina

1. What is your state’s law on the use of CBD oil in products to be sold to the public, i.e. cosmetics, etc.?

On February 8, 2019, the North Carolina Department of Agriculture and Consumer Services announced that “North Carolina state laws mirror federal laws” when it comes to the sale of “products containing CBD oil.” Regulators notify industry regarding CBD products in the marketplace, Press Release, N.C. Dep’t Agric. & Consumer Servs. (Feb. 8, 2019), available at Accordingly, in North Carolina, “CBD cannot legally be added to any human food or animal feed that is for sale.”

However, per a February 15, 2019, Charlotte Observer article, Joe Reardon, Assistant Commissioner for the North Carolina Department of Agriculture and Consumer Services, clarified that “CBD oils, tinctures and topical products are allowed . . . as long as they’re sold without health claims. The idea is that you can let oils and tinctures dissolve under your tongue instead of swallowing them—so they aren’t officially considered food.” That trendy CBD product in your smoothie? Adding it is illegal, NC officials say, Charlotte Observer (Feb. 15, 2019, 11:56 a.m.), available at

2. Regarding privacy issues, has your state adopted its own version of GDPR or how is your state dealing with GDPR requirements? What other privacy laws has your state adopted recently in response to concerns about the lack of protections for consumers?

In 2005, North Carolina enacted the Identity Theft Protection Act. See generally N.C. Gen. Stat. § 75-60 et seq. For more information regarding this act’s consumer protections, see Security Breach Information, N.C. Dep’t of Justice, available at (last visited June 12, 2019).

On April 16, 2019, House Bill 904 was introduced to significantly amend North Carolina’s Identity Theft Protection Act. “If adopted, their proposed amendments would substantially increase the data security and breach notification obligations for NC businesses holding any personal information and for other businesses holding the personal information of NC residents.” Bill Introduced to Expand NC’s Data Protection Laws, Creating New Cybersecurity Obligations and Liability Risk for NC Businesses, Nat’l Law Review (April 26, 2019), available at

Outside of the healthcare and financial services sectors, many businesses in NC have never had to comply with affirmative legal obligations related to cybersecurity. However, consistent with a growing trend nationwide, HB 904 would fill that gap by creating an affirmative obligation for businesses to have reasonable data security. Specifically, HB 904 would require that businesses “[i]mplement and maintain reasonable security procedures and practices, appropriate to the nature of the personal information and the size, complexity, and capabilities of the business, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.” If adopted, this could become a significant new area of compliance and liability risk for any company doing business in NC or holding the personal information of NC residents.