1. What is your state’s law on the use of CBD oil in products to be sold to the public, i.e. cosmetics, etc.?

In Washington, CBD products are not regulated by the state Liquor and Cannabis Board (LCB) unless they are added to an already-regulated marijuana product, which state law defines as any product containing more than 0.3 percent tetrahydrocannabinol (“THC”), the compound in marijuana responsible for psychoactive effects (CBD, on the other hand, is non-psychoactive). Washington law specifically defines “marijuana” to exclude industrial hemp.

There are some additional requirements and restrictions with regards to CBD derived from sources outside of Washington’s framework. The addition of CBD to useable marijuana flower is prohibited. That means CBD additives are limited to edibles, oils, tinctures, and other products that are derived from marijuana. Licensees will have to enter CBD products into the LCB’s traceability system, keep the records up-to-date, and the additives labeled. And licensees must also keep CBD additives quarantined from other marijuana until the CBD additives have gone through lab testing.

Note however that state-level enforcement of the 2018 Farm Bill in practice is dictated by the Washington Department of Health and county health officials. Some counties (including King County), previously issued cease and desist letters regarding the sale of CBD-infused food and beverage.

2. Regarding privacy issues, has your state adopted its own version of GDPR or how is your state dealing with GDPR requirements? What other privacy laws has your state adopted recently in response to concerns about the lack of protections for consumers?

Sharing of Information Relevant to Identity Theft: If a business has information relating to identity theft and may have done business with the thief, the business must provide, upon the request of the victim, copies of all relevant information. Before providing the requested information, businesses may require the victim to verify his or her identity. Businesses may require proof of identity and charge reasonable fees for providing the information. A business that shares information with others for the purpose of aiding identity theft victims or assisting law enforcement will not be subject to civil or criminal liability if done in good faith.
A business may decline to provide the information when, in good faith and reasonable judgment, it determines that the law does not require the disclosure of the information.
A business that fails to disclose information may be in violation of the Consumer Protection Act. A consumer harmed by such a violation may be awarded actual damages, or, in the case of willful violations, punitive damages of up to $1,000, costs and reasonable attorney’s fees.
Reporting Data Breaches: Washington has a data breach notification laws applicable to individuals and businesses: RCW 19.255.010. The law requires individuals and businesses to notify Washington residents who are at risk of harm because of a security breach that includes personal information. In general, notification must be made “in the most expedient time possible” and not more than 45 days after the breach was discovered. If a security breach affects more than 500 Washington residents, notification must also be provided to the Attorney General’s Office.
Future Enhanced Protections: Note: In the Spring of 2019, Washington attempted to pass the Washington Privacy Act (WPA), a European style consumer-data privacy law which would allow citizens to know information data companies are gathering on them. The bill passed the Senate, but failed in the House. Similar proposals are expected to be presented in the future.