Hospitality & Retail - 2019 -

South Carolina

1. What is your state’s law on the use of CBD oil in products to be sold to the public, i.e. cosmetics, etc.?

In South Carolina, a recent bill reclassified cannabis as an industrial crop rather than a controlled substance, as long as the substance contains less than 0.3% THC. The South Carolina Department of Agriculture (SCDA) is responsible for promulgating rules and regulations to oversee the authorized production of this substance.

On February 20, 2019, the SCDA released a statement confirming that it follows the FDA guidelines as it relates to the food products containing CBD. The FDA has concluded that under the Federal Food and Cosmetic Act, CBD cannot legally be added to any human or animal food products for public sale. Accordingly, it is prohibited to introduce or deliver for introduction into interstate commerce any food or feeds to which CBD has been added. There is currently no such similar prohibition for other commercial products (including cosmetics, personal care products, cloth, paper, paint, etc.) in South Carolina.

2. Regarding privacy issues, has your state adopted its own version of GDPR or how is your state dealing with GDPR requirements? What other privacy laws has your state adopted recently in response to concerns about the lack of protections for consumers?

South Carolina has not specifically adopted its own version of GDPR but has recently introduced and passed legislation and/or other requirements to expand data breach notification rules. The South Carolina Insurance Data Security Act, which went into effect on January 1, 2019, imposes breach notification and information security requirements on insurers, agents, and other licensed entities authorized to operate under the state’s insurance laws (i.e., “licensees”). Licensees are required to notify the director of the Department of Insurance within 72 hours of determining that a cybersecurity event has taken place if (1) the licensee is domiciled in South Carolina, or (2) the nonpublic information of more than 250 South Carolina residents is involved and notice is required to any other governmental or supervisory body, or the event has a reasonable likelihood of materially harming either a South Carolina consumer or a material part of the licensee’s normal operations. Licensees are also required to develop and/or update their organizational incident response plan and written information security program by July 1, 2019. Finally, Licensees are also required to have established policies and procedures for monitoring the activities of third-party service providers no later than July 1, 2020.