1. What is your state’s law on the use of CBD oil in products to be sold to the public, i.e. cosmetics, etc.?

I. What is CBD Oil?

Cannabidiol (CBD) oil is an extract of cannabis taken from both hemp and marijuana plants. Although it can be derived from marijuana plants, CBD oil generally contains trace amounts of tetrahydrocannabinol (THC), the psychoactive component of cannabis, and thus does not produce a “high” or intoxication. Rather, it is used primarily for pain treatment through cosmetic products such as lotions and soaps, or edible products such as cookies, brownies and gummies.

II. Legality in Massachusetts

A. Overview

Regulation of CBD oil on a national scale has become increasingly difficult given the vast differences in marijuana’s legality from state to state. Under Massachusetts law, both variants of CBD oil are legal, given the state’s 2016 legalization of recreational marijuana for people 21 years of age and older, and can be used in products commercially sold to consumers within the state.
Given that CBD can be produced through both marijuana and hemp plants, regulation in Massachusetts differs between these two types. If a product made from CBD oil contains more than 0.3 percent THC, it would be considered “cannabis” and the product would be regulated by the state’s Cannabis Control Commission (CCC). If the CBD product contains less than 0.3% THC, while it would subject to the Interim Policy for Industrial Hemp under M.G.L. c. 128, Sections 116 – 123 (discussed below in Section C), the products are not regulated.
In practice, however, regulation of CBD oil products is increasingly difficult, leading to a number of issues for the consumers. The regulation of hemp products in Massachusetts (discussed further below) can be a lengthy process given the need to apply for and obtain a license at each step of the process (growing, extracting, and manufacturing hemp). This has led to a large portion of CBD oil products being sold in Massachusetts from out of state sources online. While legal in Massachusetts, this has become difficult for the state to regulate the CBD concentration and overall cannabinoid profile within the products. Not only have these products not been tested, approved or regulated by the Massachusetts Department of Agricultural Resource (MDAR), there is an increased risk of discrepancies in the product’s label and its actual cannabinoid profile. A 2017 study, “Labeling Accuracy of Cannabidiol Extracts Sold Online”, led by Marcel O. Bonn-Miller, found that close to 7 out of 10 CBD products did not contain the amount of marijuana extract stated on the label. While approximately 43 percent of the products contained too little CBD, around 26 percent contained too much. Notably, about 1 in 5 CBD products contained THC, which is the intoxicating component of marijuana. Currently, Massachusetts does not have any laws in place to regulate CBD products sold online.
Hemp was legalized nationwide and in Massachusetts in 2016; however, Massachusetts’ agricultural law regarding Industrial Hemp (below) was not introduced as quickly as others. According to Massachusetts farmer Ted Dobson, the CBD market in Massachusetts “has been largely monopolized by out-of-state businesses with products from out-of-state farms.” Despite the difficulties in regulating CBD products between state lines, however, Massachusetts has taken steps to regulate both hemp-based and marijuana-based CBD products within the Commonwealth.

B. Hemp-Based CBD Oil Products

Massachusetts General Laws (M.G.L.) c. 128, Sections 116 – 123, an Interim Policy entitled “Commercial Industrial Hemp Program”, was created after Massachusetts Governor Charlie Baker signed H. 3818, An Act to Ensure Safe Access to Marijuana. This Act clarified the legal distinction between marijuana and hemp, and provided regulations for growing, extracting, and manufacturing hemp. Although “manufacturer,” for purposes of this Act, means the processor that creates the end product for consumers, and would most closely relate to regulation of CBD oil products, growers, extractors and manufacturers are all intricately related and regulated under the Act, and play a role in how CBD oil products are sold to the public under Massachusetts law.

1. Manufacturer of CBD Oil Products

Under this Act, a “processor” of hemp-based products includes both the initial extractor and the manufacturer. All activities related to growing and processing hemp will need to apply for and obtain a license in order to comply with this law. This application requires the applicant to provide their intended end use of the hemp, which includes, among other products, CBD oil. If, however, the product is found to contain 0.3% THC or higher, it will be subject to destruction, as this would be considered a cannabis product.
All stages leading up to the manufactured end product, including CBD oil, are regulated under this Act. For instance, a Grower can only obtain hemp seeds from an MDAR approved distributor. All Growers are subject to routine sampling, testing and inspections of the hemp. An Extractor, the person or entity that produces the oil extract from the hemp plant, a component of CBD oil, can only receive hemp crops from a Massachusetts licensed Grower. Likewise, a Manufacturer can only receive the extracted product from a Massachusetts licensed Extractor.
A manufacturer of an end product containing CBD oil must maintain records of both the extracted product received and the end product produced. They must also follow labeling requirements if the end product is to be used for human consumption or absorption.
Records for extracted products must be kept for a minimum of three years and contain the following information:
• Date received;
• Amount received;
• Extractor or Grower’s information (name, license number, contact information);
• Lab results indicating cannabinoid profile, solvents, pesticides, metals; and
• Extractor assigned batch and lot number.
Records for end products must be kept for a minimum of three years and contain the following information:
• Date produced;
• Batch number (including lot number);
• Amount produced; and
• Name of product.
Labeling requirements for an end product intended for human consumption or absorption must include, in clear, legible wording no less than 1/16 inch size on each container:
• Manufacturer name, license number and address;
• Cannabinoid profile (including THC and CBD concentrations);
• Batch number;
• Statement: “This product is derived from Industrial Hemp.”
• Statement: “This product has not been analyzed or approved by the FDA.”
• Statement: “This product derived from Industrial Hemp has not been tested or approved by the Massachusetts Department of Agricultural Resources.”
The MDAR enforces the above requirements by issuing fines, and/or revoking or denying licenses to those Growers, Extractors or Manufacturers found to be in violation of this Act.

C. Marijuana-Based CBD Oil Products
1. M.G.L. c. 94G: Regulation of the Use and Distribution of Marijuana Not Medically Prescribed
According to Section 9, the following people involved in the distribution of marijuana as authorized by this chapter shall not be arrested, prosecuted, penalized, sanctioned or disqualified and shall not be subject to seizure or forfeiture of assets for activities specified for: . . . a marijuana product manufacturer packaging, processing, manufacturing, storing, testing or possessing marijuana or marijuana products, or delivering, selling or otherwise transferring and purchasing marijuana or marijuana products to or from a marijuana establishment.
Section 1 defines “marijuana product” as “products that have been manufactured and contain marijuana or an extract from marijuana, including concentrated forms of marijuana and products composed of marijuana and other ingredients that are intended for use or consumption, including edible products, beverages, topical products, ointments, oils and tinctures.” This would include products with CBD oil containing a THC concentration of 0.3% or higher.
III. Regulation in Massachusetts
Although products containing CBD oil are legal, in either hemp-based or marijuana-based form, regulation continues to be a major issue throughout the state. This poses issues for consumers as many of these products are not tested or approved by the MDAR or CCC, and could contain a different cannabinoid profile than that which is listed on the label. This could mean that a product could contain a higher THC concentration, which is the psychoactive component of marijuana, in a product marketed as hemp-based CBD oil, generally used as a non-intoxicating pain relief product.

2. Regarding privacy issues, has your state adopted its own version of GDPR or how is your state dealing with GDPR requirements? What other privacy laws has your state adopted recently in response to concerns about the lack of protections for consumers?

I. What is the GDPR?

A. Overview

The General Data Protection Regulation (GDPR) took effect within the European Union on May 25, 2018 as a way to help protect the personal data of EU citizens. Despite protections offered under this regulation being limited to EU citizens, compliance extends to any organization doing business within the EU (despite physical presence outside of the EU), which in any way handles the personal data of EU citizens.

Given the global presence of large U.S.-based companies such as FaceBook, Apple, and Google, the GDPR has gained traction in a number of U.S. states to protect the data of their own citizens. This is not only due to it being efficient for global U.S.-based companies to comply with the GDPR by restructuring their policies overall, whether the personal data belongs to an EU citizen or not, but also because of an increased awareness of the danger of massive data breaches and a focus on protecting personal data online.

B. Key Components of the GDPR

1. Consent

Consent to the terms and conditions must be more accessible to the user. Specifically, the consumer must be able to identify and understand what is being asked of them in an intelligible way, with “clear and plain language.” Importantly, if the company is asking the user to consent to using sensitive personal data, the user’s consent must be explicit, meaning the user has to “opt in” and must be made fully aware of the intended use.

Under the GDPR, a user also has the right to withdraw their consent to the use of their personal data, known as “Data Erasure.” Through this process, provided certain conditions are met, the user can have the controller “erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.”

2. Data Breaches

A company is obligated to inform users of a data breach “likely to result in a risk for the rights and freedoms of individuals” with 72 hours of first becoming aware.

3. Right to Access

The user also has a right to access their own personal data, which must be provided to them upon request.

4. Violating the GDPR

The GDPR also imposes significant fines for violations of the regulation. If an organization infringes on the user’s privacy rights by not complying with the GDPR, it can be fined up to 4% of its annual global turnover or up to 20 million Euros (whichever is greater). Fines are allocated on a “tiered approach”, however, given the severity of the infringement.

II. Prior Privacy Laws in Massachusetts

Prior to the implementation of the GDPR, Massachusetts had already enacted legislation designed to protect consumers’ data privacy rights which were applicable to all businesses. As of November 13, 2009, under 201 Code of Massachusetts Regulations (CMR) 17: Standards for the Protection of Personal Information of Residents of the Commonwealth, Massachusetts has required every person or business that handles a consumer’s personal information to “develop, implement and maintain a comprehensive security program.” This included, among other requirements, that business set up a system to detect and prevent security failures and data breaches, encrypt and safely maintain personal information of consumers, and impose disciplinary action for any violations of these requirements.

III. Massachusetts’ Response to the GDPR

In response to the GDPR, Massachusetts has introduced legislation with requirements mirroring many of those in the GDPR.

A. An Act Relative to Consumer Data Privacy

1. Overview

On January 22, 2019, the Massachusetts State Senate introduced “An Act Relative to Consumer Data Privacy”, with which the House concurred. It is modeled after many of the portions of the GDPR outlined above, but is not set to be in effect until January 1, 2023.

Similarly to the GDPR, the Massachusetts Act requires that the consumer must be made fully aware of the use of their personal information, the consumer can withdraw their consent to the use of their information, and the consumer has a right to access their own personal data.

Unlike the GDPR, however, the new Massachusetts legislation outlined below does not seem to impose the liability aspects for businesses that violate these regulations as severely. Specifically, there does not seem to be an equivalent for notifying consumers of data breaches, and the fines imposed are minimal compared to the GDPR (see below). In practice, this may not act as as much of a deterrent as the GDPR’s 4% of global revenue or $20 Million Euros. Further, the GDPR emphasizes the need for “clear and plain language” so that the consumer understands exactly what they are consenting to, while the Massachusetts Act does not seem to provide any similar guidelines.

In response to concerns about the lack of protections for consumers, this Act introduces the following regulations:

2. Notice to Consumers

A business collecting personal information must inform the consumer, at or before collection, of the type of information it is collecting and for what purposes, the third parties with whom the information will be shared and why it will be shared with third parties, and of the consumer’s rights to receive their own information, have their information deleted, and opt-out of third party disclosure.

3. Verifiable Consumer Reports

A consumer may request that the business provide them with information on what information was gathered and from which sources, any third parties provided with this information and the reasons for disclosing it.

4. Right to Delete

A consumer may request that the business delete the personal information collected, unless it is necessary for the business to carry out its obligations to the customer, detect or prevent a security incident, or otherwise comply with a legal obligation.

5. Right to Opt-out of Third Party Disclosure

A consumer may request that their information not be disclosed to any third parties. The Act further specifies that in order to comply a business must include a “clear and conspicuous” link titled “Do Not Share My Personal Information.”

6. Private Right of Action

A consumer may bring a lawsuit against a business that violates this Act. Damages for successful consumer’s shall be in an amount “not greater than seven hundred and fifty ($750) per consumer per incident or actual damages, whichever is greater” or any relief deemed proper by the court.

7. Attorney General Enforcement

The attorney general may seek, in an action in the name of the commonwealth, penalties of not more than $2,500 for each violation or $7,500 for each intentional violation.

B. An Act Relative to Consumer Protection from Security Breaches

In addition to the above Act, Massachusetts has also responded to increased concerns about the lack of consumer protection by introducing other data privacy laws. On January 10, 2019, Governor Charlie Baker enacted legislation to take effect on April 11, 2019 that would provide amendments to existing data breach laws under the “Act relative to consumer protection from security breaches”.

1. Notice

This Act required that notice of a breach must be provided to consumers, including the nature of the breach, the number of residents affected, who was breached, the person responsible for the breach, the information affected by the breach, and any steps taken to handle the breach. Notice must be given “as soon as practicable and without unreasonable delay.”

2. Data Breach

Any business that suffers a breach through which a consumer’s personal information involving their Social Security number, were compromised, must offer “complimentary credit monitoring for a period of not less than 18 months” to the affected consumer.