Hospitality & Retail - 2019 -


1. What is your state’s law on the use of CBD oil in products to be sold to the public, i.e. cosmetics, etc.?

Texas law concerning hemp and CBD oil is in its infancy. On June 10, 2019, Governor Greg Abbott signed House Bill 1325 into law, to allow for the production, manufacture, retail sale, and inspection of industrial hemp crops and products in Texas. This includes products for human consumption that may contain cannabidiol, also known as CBD, as well as certain other parts of the hemp plant. HB 1325 requires the Texas Department of Agriculture (TDA) to first file a state plan to monitor and regulate the production of hemp in Texas, and have that plan approved by the United States Department of Agriculture (USDA) before an agency can create the rules necessary to implement the rest of HB 1325. The approved bill states that a person may not sell, offer for sale, possess, distribute, or transport a cannabinoid oil, including cannabidiol oil, in Texas if the oil contains any material extracted or derived from the plant Cannabis sativa L., other than from hemp produced in compliance with 7 U.S.C. Chapter 38, Subchapter VII and unless a sample representing the oil has been tested by a laboratory that is accredited by an independent accreditation body in accordance with International Organization for Standardization ISO/IEC 17025 or a comparable or successor standard and found to have a delta-9 tetrahydrocannabinol (THC) concentration of not more than 0.3 percent. Growers and retailers selling consumables will be required to register with the Texas Department of State Health Services (DSHS) and be subject to random testing.

Though the law does not go into effect until September 1, 2019, Section 11 of HB 1325 allows for existing retailers to possess, transport or sell consumable hemp products that become part of the retailers’ inventory prior to the effective date of DSHS rules resulting from HB 1325. Per the DSHS, the retailer must be licensed as currently required by law. Retailers selling consumable hemp products must ensure the product is safe for consumption by being free of heavy metals, pesticides, harmful microorganisms or residual solvents.

2. Regarding privacy issues, has your state adopted its own version of GDPR or how is your state dealing with GDPR requirements? What other privacy laws has your state adopted recently in response to concerns about the lack of protections for consumers?

On Friday, March 8, 2019, two bills addressing consumer privacy were referred to the House Business & Industry Committee, HB 4518 (the Texas Consumer Privacy Act or TCPA) and HB 4390 (the Texas Privacy Protection Act or TPPA). The TCPA would grant a set of rights to consumers over their personal information, including: (1) the right to disclosure of personal information collected by a business; (2) the right to deletion of certain personal information collected by a business; (3) the right to disclosure of certain personal information sold or disclosed by a business; and (4) the right to opt out of the sale of the consumer’s information — inclusive of the requirement that businesses include a “do not sell my information” link on their website. The TCPA would also require businesses subject to the Act to: (1) provide notification to the consumer of each category of personal information collected and how the information would be used; (2) provide online privacy policy/notice; (3) provide methods for submitting verified consumer requests; and (4) disclose certain information in response to a verifiable consumer request. The TCPA would include new definitions on terms including, but not limited to, the following: aggregate consumer information; biometric information; business, business purpose; collect; commercial purpose; consumer; de-identified information; personal information; processing information; service provider; third party; and verifiable consumer request. The TPPA was not as detailed as the TCPA, though it did contain certain definitions. Unlike the TCPA, which regulates “personal information,” the TPPA regulates “personal identifying information,” which the bill defines as “a category of information relating to an identified or identifiable individual.”

Texas did not enact either the TCPA or TPPA in 2019; instead, it took a “wait and see approach” to determine the efficacy of the California legislation and others and instead passed HB 4390, which creates a Texas Privacy Protection Advisory Council to study privacy laws in Texas, other states, and relevant foreign jurisdictions. Composed of members of the Texas House of Representatives, Texas Senate, and relevant industry members appointed by the Governor, the Council will be charged with recommending statutory changes regarding privacy and protection of information to the Legislature. The Council will expire on December 31, 2020. HB 4390 amended the Texas data breach notification statute (which is contained in the Texas Identity Theft Enforcement and Protection Act) to require disclosure of a breach of computerized material “not later than the 60th day after the date on which the person determines the breach occurred.” HB 4390 defines “breach of system security” as the “unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of sensitive personal information maintained by a person, including data that is encrypted if the person accessing the data has the key required to decrypt the data.” It also requires the affected person or entity that owns/licenses the data to notify the Texas Attorney General if the breach involved 250 or more state residents. The Texas Attorney General is vested with the authority to seek monetary sanctions. As of the drafting of this Compendium, Governor Greg Abbott has not yet signed HB4390. If it is signed, it would go into effect September 1, 2020.