Hospitality & Retail - 2019 -


1. What is your state’s law on the use of CBD oil in products to be sold to the public, i.e., cosmetics, etc.?

CBD oil use is legal, subject to the requirements of the Arizona Medical Marijuana Act (“AMMA”), A.R.S. § 36-2801 et seq. An individual permitted to use medical marijuana in Arizona may possess up to 2 ½ ounces of marijuana in multiple forms, including extracts such as CBD. See State v. Jones, 245 Arizona 46 (App. 2018).

The Act provides for the qualification of individuals, or “patients”, to use medical marijuana. The Act also specifies requirements for operation and oversight of nonprofit medical marijuana dispensaries. The Act further permits use of medical marijuana by qualified patients in nursing, hospitals, assisted living, or other residential care facilities, though the facility itself shall not store or maintain the substance.

The “allowable amount of marijuana” a qualifying individual may possess is 2 ½ ounces of usable marijuana. A.R.S. § 36-2801(1). “Marijuana” is defined as all parts of the marijuana plant. A.R.S. § 36-2801(8). “Usable marijuana” means the dried flowers of the plant, and any mixture or preparation thereof, but it does not include seeds, stalks, and roots, or the weight of any non-marijuana ingredients combined with marijuana and prepared for consumption as food or drink. A.R.S. § 36-2801(15). The only restriction on the form of consumption of medical marijuana is a prohibition on smoking in residential care facilities. A.R.S. § 36-2805(a)(3).

In addition, as of August 4, 2019, Arizona allows the production of “industrial hemp”, from which CBD oil may be manufactured. A.R.S. § 3-311 et seq.

2. Regarding privacy issues, has your state adopted its own version of GDPR or how is your state dealing with GDPR requirements? What other privacy laws has your state adopted recently in response to concerns about the lack of protections for consumers?

Arizona has not specifically addressed the GDPR requirements. However, perhaps in acknowledgment of them but more likely in response to large domestic data breaches, it has updated its privacy laws and enacted additional consumer protection laws.

Arizona’s privacy law was updated in 2018 to expand its definition of personal information and to tighten notification timelines in the event of a data breach. A.R.S. §§ 18-551 and 18-552 require any “person”, loosely defined to include individuals, corporations or practically any non-corporate organizational entity, and government agencies, to report any “breach” to affected individuals within 45 days of discovery.

“Breach” is defined as “an unauthorized acquisition of and unauthorized access that materially compromises the security or confidentiality of unencrypted and unredacted computerized personal information maintained as part of a database of personal information regarding multiple individuals”. However, a good faith acquisition of personal information by an employee or agent for purposes unrelated to the person is not considered a “breach”. A.R.S. § 18-551(1).

“Personal information” is defined to include an individual’s first name or initial and last name, combined with ‘specified data elements’, and an individual’s username or email address, combined with password or security question. A.R.S. §18-551(7).

The “specified data elements”, in addition to an individual’s first name or initial and last name, include a Social Security number, driver’s license number, private key to authenticate or sign an electronic record, financial account or credit account or card number in combination with security code or password, health insurance identification number, personal healthcare information, passport number, taxpayer identification number, or unique biometric data. A.R.S. § 18-551(11).

A.R.S. §18-552 requires that upon discovery of a security incident, an investigation shall be conducted to promptly determine whether a breach has occurred. If a breach is discovered, within 45 days after the determination, the individuals affected shall be notified with the approximate date of the breach, a brief description of personal information included, toll-free numbers and addresses for the three largest nationwide consumer reporting agencies, and similar information for the Federal Trade Commission or any other federal agency assisting consumers with identity theft matters. Alternate means of notification are delineated in the statute, as well as exceptions where they apply.

Other consumer-focused privacy laws in Arizona include A.R.S. §§ 18-501-504, which prohibit the deceptive or manipulative transmittal of software that interferes with computer default settings or bookmarks, or that otherwise takes control of a computer. A.R.S. §§ 18-541-544 prohibit a person from using email or the internet to solicit personal information, with intent to commit fraud or theft, by representing that the person is an online business without the authority or approval of that online business.