Hospitality & Retail - 2019 -


1. What is your state’s law on the use of CBD oil in products to be sold to the public, i.e. cosmetics, etc.?

Effective as of November 2019, for any product containing cannabidiol (CBD) it must include a label which at a minimum has: (1) The country of origin of the CBD; and (2) Whether the CBD is synthetic or natural. 63 Okl. St. § 1-1431
The addition of derivatives of hemp, including hemp-derived cannabidiol, to cosmetics, personal care products and products intended for human or animal consumption shall be permitted without a license and shall not be considered an adulteration of such products. Nothing in this section shall exempt any individual or entity from compliance with food safety and licensure laws, rules and regulations as set forth under the Oklahoma Public Health Code. 63 Okl. St. § 1-1431
The provision of this section shall not apply to any pharmaceutical product approved by the Food and Drug Administration. 63 Okl. St. § 1-1431

2. Regarding privacy issues, has your state adopted its own version of GDPR or how is your state dealing with GDPR requirements? What other privacy laws has your state adopted recently in response to concerns about the lack of protections for consumers?

No information is available on Oklahoma adopting its own version of a GDPR, however Oklahoma has enacted:
1. Oklahoma Consumer Protection Act, 15 O.S. (OCPA)
2. Security Breach Notification Act, 24 O.S. §§ (SBNA)
3. Unlawful Trade Practices Act, ORS 646.605 (UTPA)

The SBNA took effect in 2008.
The Attorney General (AG) is responsible for enforcing the Acts, and in September 2018 the Oklahoma AG, (along with the AGs from a large number of other states) enforced the OCPA against Uber. State ex rel. Hunter v. Uber Techs., Inc., 2018 Okla. Dist. LEXIS 639, *1-2
In this the AG was able to get injunctive relief from Uber and make sure they are in strict compliance with the OCPA and SBNA, dealing with everything from specific data security safeguards to their incident response and data breach notification plan.
In addition, Uber settled with all states involved in the suit for $148,000,000 and upon compliance with the amount due to Oklahoma, the AG is to release them from any civil claims that could have been brought. State ex rel. Hunter v. Uber Techs., Inc., 2018 Okla. Dist. LEXIS 639, *15-16
Although this is not a recently adopted law, it is an example of Oklahoma law in action bringing protection to consumers from large company data breaches.