The Legal Obstacles of Hemp and CBD Retail Sale in Texas

Texas has legalized hemp and cannabidiol oils (CBD) this year by passing House Bill 1325 (Texas Hemp Bill). However, the new legislation is not a blanket legalization of hemp products.  For example, the bill outlaws all hemp products designed for smoking.  The Texas Hemp Bill classifies CBD as a consumable hemp product, making it a food, not a drug or controlled substance.  This designation generally means no special license is required to sell products.  However, retailers of CBD products must still register with the Texas Department of State Health Services (DSHS). 

The new law provides for significant regulation of CBD, but the required regulations are still under development.  For example, the Texas Hemp Bill places extensive labeling and testing requirements on all CBD products.  All consumable hemp products that are sold in Texas must be tested for pesticides, heavy metals, harmful microorganisms, and THC concentration.  Usually, these tests will be the responsibility of the grower or manufacturer, but retailers are responsible for testing any products which are not tested prior to entering their inventory.  A URL linking to each product’s testing information must be on its container along with the name of the manufacturer, a hemp batch identification number, batch date, product name, and certification that the THC concentration is within the legal range.  Further, all this information must be located on each unit intended for individual sale.  CBD products produced out of state are allowed to be sold in Texas if they were produced legally in that state.

Several significant problems exist, however. For example, none of the policy and procedures to get the required testing or enforce the labeling requirements has been implemented by the State.  Until the regulatory framework is in place, there is no practical way for retailers to comply with the requirements or for the state to enforce them.

Among several major enforcement issues, police departments currently lack the equipment to test THC levels in the field.  The current field test deployed by most departments in Texas only report the presence of THC, not its concentration.  Therefore, in order for police to check if a product is over the legal THC level, they would need to confiscate it and send it to a lab.  This could create problems; especially for CBD products coming into Texas from states where marijuana is legal. 

In order to comply with federal law, the Texas Hemp Bill must still be approved by the U.S. Department of Agriculture (USDA).  The USDA has stated they will likely not approve any state legislation relating to hemp or CBD until 2020.  Federal law explicitly grants the Food and Drug Administration (FDA) full authority to regulate all medical claims related to hemp and CBD and the use of CBD in food and drugs.  The FDA is preventing many CBD distributors and producers from making therapeutic claims without an FDA approved study.  Further, the FDA is pressuring state health departments to crack down on the sale of CBD food and drink. 

Because it is so new, most of the necessary procedures and regulations needed to run and enforce the Texas Hemp Bill have not yet been implemented.  Significant equipment upgrades are needed because, prior to the bill, law enforcement treated CBD the same as marijuana in most cases.  DSHS is waiting until the USDA approves the Texas Hemp Bill, to start any implementation.  The reasoning is federal law requires the USDA approval before most of the bill can go into effect, and the USDA may require Texas to makes some changes.  Until the Texas Hemp Bill is approved by the USDA and the infrastructure to implement the bill is set up, CBD will occupy a grey area in the law.

Farrow-Gillespie Heath Witter provides a full range of business and corporate law services to companies from local start-ups to the Fortune 1000. These business law services include LLC formations, copyright and trademarks, corporate governance, general counsel services, and more.  


Stephen Chance is an intern at Farrow-Gillespie Heath Witter, LLP.  Mr. Chance is a law student at SMU Dedman School of Law in Dallas, Texas, where he is a Lead Articles Editor for SMU Law Review and the Treasurer of the Student Bar Association.  Prior to law school, Mr. Chance taught high school world history in Garland, Texas.  He holds a B.A. in Historical Studies from the University of Texas at Dallas.

Data Breach? Your Obligations under the Texas Identity Theft Enforcement and Protection Act

Illustration by attorney Christopher Elam

For any business – big or small – customer confidence is critical for success in today’s competitive marketplace.  But in the event your company’s security is breached and consumer information is stolen, you may have a legal obligation to notify your customers.  Admitting a data breach can be embarrassing, but failure to comply with the law can be devastating to your reputation and your bottom line. 

The Texas Identity Theft Enforcement and Protection Act

The Texas Identity Theft Enforcement and Protection Act (Tex. Bus. Com. Code §§521.001 et seq.) applies to anyone who conducts business in Texas and “owns or licenses computerized data that includes sensitive personal information.”  Texas businesses are required under the Act to protect the sensitive personal information of their staff and customers.   As used in the Act, the term “sensitive personal information” includes unencrypted identifying information, such as an individual’s name in combination with other information, such as a social security number, driver’s license number, or credit card information.  The term also includes an individual’s health care information.

The Act requires you to notify the affected individuals as soon as possible after you discover or reasonably believe that there has been a data breach.  A data breach isn’t just limited to your computer systems being hacked – the Act’s notification requirements could also be triggered if, for example, an unscrupulous employee steals a customer’s credit card information, or if a customer using your website receives another customer’s information as a result of a coding error.  If the data breach affects more than 10,000 individuals, you must also report the incident to consumer reporting agencies.

The Penalties

The penalties for not complying with the notification requirements can be steep.  For each violation, the State of Texas can impose a civil penalty of anywhere between $2,000 and $50,000.  Plus, for every person that should have received notification of the data breach but did not, there’s an additional penalty of up to $100 per person.  If you fail to react appropriately to an extensive data breach, you could be on the hook for up to $250,000 in fines alone.  Although individuals themselves cannot bring a lawsuit to enforce the law, the Texas Attorney General may bring an action to recover the penalties and may even seek an injunction.  The Attorney General is also entitled to recover reasonable expenses, including attorney’s fees, court costs, and investigatory costs.

If your business collects or maintains the sensitive personal information of its customers such as credit card information or healthcare information, you need to take extra precautions to collect, store, and secure that data properly.  If you have experienced a data breach, or even if you suspect one has occurred, we strongly recommend seeking the advice of an experienced attorney to help you avoid the perils of an inadequate response.


Christopher Elam | Farrow-Gillespie & Heath LLP | Dallas, TX

Christopher Elam is a senior associate attorney at Farrow-Gillespie Heath Witter LLP. Mr. Elam has experience in business transactions, corporate governance, trademarks and real estate transactions, as well as mergers and acquisitions. He graduated from SMU Dedman School of Law in 2010.

The IRS’s Trust Fund Recovery Penalty: A Perilous Trap for the Unwary

Under the Internal Revenue Code (the “IRC”), employers must withhold certain taxes from employee pay.  These monies are referred to as “trust fund taxes” because they are held in trust on behalf of the government, and employers must turn these withheld amounts over to the government on a regular basis.

For various reasons, employers sometimes fail to remit these trust fund taxes to the government when they are supposed to.  For example, struggling businesses facing challenging financial decisions as to which creditors will be paid to keep the business afloat, may fail to pay withheld taxes and instead “borrow” from the government to pay other creditors first.  This may be a perilous path not only for the employer but also for individuals within the organization who have decision-making authority. While other creditors may have to rely on veil-piercing concepts to collect the company’s liability from anyone other than the company, the federal government does not.

To allow the IRS to collect, Congress authorized § 6672 of the IRC which allows IRS to collect directly from the personal assets of certain control individuals.  As was stated in Wright v. United States, “[t]he statute is harsh, but the danger against which it is directed—that of failing to pay over money withheld from employees until it is too late, because the company has gone broke—is an acute one against which, perhaps, only harsh remedies are availing.”  809 F.2d 425, 428 (7th Cir. 1987).

In a nutshell, § 6672 provides that any person required to collect, account for, and pay any tax imposed under the IRC who willfully fails to do is liable for a penalty equal to the total amount of the unpaid tax.  Thus, liability under § 6672 attaches if an individual both (i) qualifies as a “responsible person”; and (ii) “willfully” fails to pay over the amount due.

Section 6672 has been interpreted by the courts quite broadly to encourage individuals to stay abreast of their companies’ withholding and employment taxes.  As such, the penalty has ensnared many an unsuspecting charitable board member, officer, bookkeeper, accountant, investor, or other person associated with a taxpaying organization.  Thus, it is important for anyone in such a position to bear in mind that their title carries significant risk.  Even where such a person is completely non-complicit in the discouraged activity, they may still bear the burden of mounting a legal defense against IRS claims.

It is also important to understand that each such responsible person is liable for 100% of the trust fund recovery penalty.  Perhaps the only significant limitation on the IRS’s latitude is that, while it may assess any and all responsible persons until the amount due has been paid, it can collect the tax due only once. Also, IRS claims preempt state law, rendering for example, creditor protections for homestead real property inapplicable.

While the government bears the burden of proving that the taxpayer is a responsible person, taxpayers bear the burden of proving a failure was not willful.  Willfulness has been defined as the “voluntary, conscious, and intentional decision to prefer other creditors over the United States.”  Ruscitto v. United States, 629 Fed. Appx. 429, 430 (3d Cir. 2015).

Illustration by legal assistant Charles Jackson

The willfulness requirement is satisfied when the responsible person makes the deliberate choice to pay the withheld taxes to other creditors, instead of paying the government.  Where the responsible person does not segregate the trust fund taxes but uses them to cover operating expenses (such as employees’ wages and claims of other creditors), each payment may be a voluntary, conscious, and intentional decision to prefer other creditors over the government.  This requirement is satisfied with something as simple as making payroll. Thus, in most business scenarios, negating willfulness can present a significant challenge.  Importantly, § 6672 is a civil, and not a criminal, statute.  Its criminal analogue, § 7202, requires the additional concept of “known legal duty” to comply with due process of law requirements under the Constitution.  However, no such requirement is associated with § 6672, so it is much easier for the government to meet its burden of proof.

To sum up, it is absolutely critical for all control persons within any taxpaying organization (including nonprofits and government entities, which are nonetheless subject to withholding requirements and employment taxes) make themselves aware of applicable deadlines and other procedural requirements.  Failure to do so can result in life-altering penalties being assessed against personal assets including homesteads and other property which is generally considered exempt from creditor claims. Could you write a personal check for 100% of your organization’s employment taxes?

If you have questions regarding the Trust Fund Recovery Penalty or are facing other IRS issues, please reach out to FGHW for a consultation.


Christian Kelso | Farrow-Gillespie & Heath LLP

Christian S. Kelso, Esq. is a Senior Associate at Farrow-Gillespie Heath Witter, LLP.  He draws on both personal and professional experience when counseling clients on issues related to estate planning, wealth preservation and transfer, probate, tax, and transactional corporate law.  He earned a J.D. and LL.M. in taxation from SMU Dedman School of Law.