Tag Archive for: regulations

Hemp and CBD legal obstacles

The Legal Obstacles of Hemp and CBD Retail Sale in Texas

Hemp and CBD legal obstacles

Texas has legalized hemp and cannabidiol oils (CBD) this year by passing House Bill 1325 (Texas Hemp Bill). However, the new legislation is not a blanket legalization of hemp products. For example, the bill outlaws all hemp products designed for smoking. The Texas Hemp Bill classifies CBD as a consumable hemp product, making it a food, not a drug or controlled substance. This designation generally means no special license is required to sell products. However, retailers of CBD products must still register with the Texas Department of State Health Services (DSHS). 

The new law provides for significant regulation of CBD, but the required regulations are still under development. For example, the Texas Hemp Bill places extensive labeling and testing requirements on all CBD products. All consumable hemp products that are sold in Texas must be tested for pesticides, heavy metals, harmful microorganisms, and THC concentration. Usually, these tests will be the responsibility of the grower or manufacturer, but retailers are responsible for testing any products which are not tested prior to entering their inventory. A URL linking to each product’s testing information must be on its container along with the name of the manufacturer, a hemp batch identification number, batch date, product name, and certification that the THC concentration is within the legal range. Further, all this information must be located on each unit intended for individual sale. CBD products produced out of state are allowed to be sold in Texas if they were produced legally in that state.

Several significant problems exist, however. For example, none of the policy and procedures to get the required testing or enforce the labeling requirements has been implemented by the State. Until the regulatory framework is in place, there is no practical way for retailers to comply with the requirements or for the state to enforce them.

Among several major enforcement issues, police departments currently lack the equipment to test THC levels in the field. The current field test deployed by most departments in Texas only report the presence of THC, not its concentration. Therefore, in order for police to check if a product is over the legal THC level, they would need to confiscate it and send it to a lab. This could create problems; especially for CBD products coming into Texas from states where marijuana is legal. 

In order to comply with federal law, the Texas Hemp Bill must still be approved by the U.S. Department of Agriculture (USDA). The USDA has stated they will likely not approve any state legislation relating to hemp or CBD until 2020. Federal law explicitly grants the Food and Drug Administration (FDA) full authority to regulate all medical claims related to hemp and CBD and the use of CBD in food and drugs. The FDA is preventing many CBD distributors and producers from making therapeutic claims without an FDA approved study. Further, the FDA is pressuring state health departments to crack down on the sale of CBD food and drink. 

Because it is so new, most of the necessary procedures and regulations needed to run and enforce the Texas Hemp Bill have not yet been implemented. Significant equipment upgrades are needed because, prior to the bill, law enforcement treated CBD the same as marijuana in most cases. DSHS is waiting until the USDA approves the Texas Hemp Bill, to start any implementation. The reasoning is federal law requires the USDA approval before most of the bill can go into effect, and the USDA may require Texas to makes some changes. Until the Texas Hemp Bill is approved by the USDA and the infrastructure to implement the bill is set up, CBD will occupy a grey area in the law.

Farrow-Gillespie Heath Witter provides a full range of business and corporate law services to companies from local start-ups to the Fortune 1000. These business law services include LLC formations, copyright and trademarks, corporate governance, general counsel services, and more.  

Summer Intern Stephen Chance

Stephen Chance was an intern at Farrow-Gillespie Heath Witter, LLP. Mr. Chance is a law student at SMU Dedman School of Law in Dallas, Texas, where he is a Lead Articles Editor for SMU Law Review and the Treasurer of the Student Bar Association. Prior to law school, Mr. Chance taught high school world history in Garland, Texas. He holds a B.A. in Historical Studies from the University of Texas at Dallas.

Farrow-Gillespie Heath Witter

The CCPA: California’s Follow-up to the GDPR

Farrow-Gillespie Heath Witter

Illustration by legal assistant Charles Jackson

Following the enactment of the European Union’s GDPR, California has passed the California Consumer Privacy Act of 2018 (CCPA) that will go into effect January 1, 2020. The CCPA is intended to protect California residents’ personal information, which is defined as any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. This includes identifiers such as name or email address, commercial information, personal property records or purchase history, biometric information, search history, professional information and educational information. However, the CCPA does not apply to information already regulated under HIPAA, the Graham-Leach Bliley Act, the FCRA, or the Drivers’ Privacy Protection Act.

The CCPA applies to companies that:

  • Conduct business in California
  • Collect the personal information of California residents
  • Satisfy at least one of the following:
    • Produce annual gross revenues in excess of $25,000,000
    • Buy, receive, sell, share, or a combination thereof, the personal information of 50,000 or more consumers, households, or devices for commercial purposes
    • Obtain 50% or more of their annual revenue from selling, releasing, or renting consumer personal information to a third party for monetary consideration

Under the CCPA, California residents will know what information companies are collecting about them, why the data is being collected, and with whom they are sharing the data.  California residents will have the power to demand that their data is deleted and not stored, and that their data cannot be sold or shared with any third parties.  Further, California residents can opt out a company’s terms of service without losing access to its offerings.  The CCPA also restricts companies from selling the data of anyone under the age of 16 without explicit consent.

To hold companies accountable for consumer data, California residents will be able to sue companies subject to the CCPA for up to $750 for each data breach violation. In addition, the California attorney general can sue for $7,500 for each intentional violation of privacy.

The CCPA also requires the expansion of privacy disclosures that companies provide when collecting or using consumers’ personal information.  The disclosures must include a description of the rights California residents have about their personal information, how they can exercise such rights, as well as information on how the companies will collect, use, and share their data.  In addition, the company must provide a link to a “Do Not Sell My Personal Information” page that allow consumers to opt-out and is accessible on all relevant platforms.

For companies that are subject to CCPA, more requirements may be coming, as the law gives the California Attorney General the authority to implement new regulations.  If you believe you are subject to the CCPA, consult an attorney familiar with data privacy to ensure compliance.

For full documentation of the CCPA, please visit the website of the California legislature.


Tahlia Grassie | Farrow-Gillespie & Heath LLP | Dallas, TXTahlia Clement is a clerk at FGHW. Ms. Clement is a 2019 candidate for a Juris Doctor at SMU Dedman School of Law, where she is the Editor-in-Chief for SMU’s Science and Technology Law Review. She holds a B.A. in journalism and mass communications from Arizona State University.

How the EU’s New Privacy Law Affects You

The General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) is the European Union’s (EU) new privacy law set to go into effect on May 25, 2018. For the EU’s single market countries, the GDPR establishes protection for the privacy and security of an individuals’ personal data. However, because of extraterritorial jurisdiction, United States (US) organizations accessing and using EU citizen information could be subjected to the GDPR.

Controller vs. Processor

The GDPR has direct extraterritorial reach of a “controller” or “processor” organization located outside the European Union if the organization offers goods or services, even for free, to individuals in the EU. As defined by the GDPR, a “controller” is an organization that determines the purpose and means of processing information. A “processor” organization processes personal data on behalf of the controller under the controller’s instruction. For example, a bank (controller) collects the data of its clients when they open an account, but it is another organization (processor) that stores, digitizes, and catalogs all the information produced by the bank.

GDPR Website Regulations

An organization using a website to offer goods and services to EU individuals also falls under GDPR regulations. These websites can be identified by their use of language, the ability to order goods and services in the currency of one or more EU member states, and the acknowledgment of consumers who live in the EU. Therefore, an English-language website marketed to US consumers or US business-to-business transactions in terms of American dollars only would not be subjected to the GDPR.

A website can circumvent the GDPR by avoiding the collection of “identifiable” personal information of EU citizens. Identifiable information is information that can be used to identify any individual, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier, or two one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual. Therefore, a website needs to have access to more than an individual’s email address. Websites often collect identifiable information through the use of cookies and/or sign-up forms. If an organization’s website uses cookies to collect information from an EU citizen, even if the organization is not doing anything with the information, the organization will be subject to the GDPR.

There are still many questions on how the EU will enforce actions against US organizations that do not follow the GDPR requirements, but it is important that you review by May 25th all aspects of your organization’s physical and digital data processing if you are accessing EU citizen information.

Scott Chase | Farrow-Gillespie & Heath LLP | Health LawAuthor Scott Chase is a health law and corporate attorney at Farrow-Gillespie & Heath.  Scott has been named to the lists of Best Lawyers in America, Texas Super Lawyers, and Best Lawyers in Dallas in every year for more than a decade.


Tahlia Grassie | Farrow-Gillespie & Heath LLP | Dallas, TXCo-author Tahlia Clement is an intern at Farrow-Gillespie & Heath LLP.  A second-year law student, she currently serves as Editor in Chief of the SMU Dedman School of Law’s Science and Technology Law Review.

Zoning Law | Farrow-Gillespie & Heath LLP | Dallas, TX

Dallas Zoning 101

What is zoning?  Zoning is the division of land into districts. These districts have zoning regulations and limitations on land use, building height, setbacks, lot size, population density, coverage, and floor-area ratio.  The purpose of zoning is to facilitate the organization of the city and its neighborhoods, and to promote good urban planning.

Before a person or company may build on land, the intended use must not contradict the zoning that land currently has.  If the lot is not properly zoned for the type of proposed development, the builder must obtain the proper zoning by filing an application for a zoning change. The process takes approximately 12 weeks and includes two public hearings.  If the re-zoning is opposed, the process may take longer, or the re-zoning may be denied.

There are three types of zoning changes: a general zoning change, a planned development district (PDD), and a specific use permit (SUP). Each has a different process and requirements.