Tennessee is the eighth state to enact a comprehensive consumer data privacy law
The Tennessee Information Protection Act (TIPA) passed unanimously through both houses of the Tennessee legislature and was signed by Governor Bill Lee on May 11, 2023. Tennessee joins seven states in enacting a comprehensive consumer data privacy law: California, Virginia, Colorado, Connecticut, Utah, Iowa, and Indiana. TIPA is similar to the Virginia, Utah, and Iowa state privacy laws in that it takes a more "business-friendly" approach by, for instance, narrowly defining the kinds of disclosures of personal data ("sales") requiring opt-in consent and providing a mandatory right to cure. Businesses that have implemented procedures to comply with existing state privacy laws will be well positioned to comply with TIPA.
Although signed this month, TIPA does not go into effect until July 1, 2025. We highlight key provisions of the new law below.
TIPA applies to companies that conduct business in Tennessee or produce products or services that target Tennessee residents and that:
- Exceed $25 million in annual revenue, and
- Either (1) control or process personal information of at least 25,000 consumers and derive more than fifty percent (50%) of gross revenue from the sale of personal information or (2) during a calendar year, control or process personal information of at least 175,000 consumers.
TIPA defines "consumer" as a natural person who resides in Tennessee "acting only in a personal context." Like all state privacy laws other than California, TIPA does not apply to the personal data of individuals acting in a commercial or employment context.
The application thresholds described above are significantly narrower than those in most other state privacy laws. The Virginia law, for example, applies to businesses that control or process personal data of 25,000 Virginia residents and derive over 50 percent of gross annual revenue from the sale of personal data, or that control or process the personal data of 100,000 Virginia residents in a calendar year. TIPA increases the second threshold to 175,000 residents and, following the Utah privacy law, adds that a business must have at least $25 million in annual revenue to be covered.
Privacy Program: Compliance with the NIST Privacy Framework
TIPA provides a first-of-its-kind safe harbor by allowing controllers and processors to assert an affirmative defense to claims for violations if they create, maintain, and comply with a written privacy program that "reasonably conforms" to the current and updated National Institute of Standards and Technology ("NIST") privacy framework ("NIST Privacy Framework") or "other documented policies, standards, and procedures designed to safeguard consumer privacy." The NIST Privacy Framework provides guidance on how to improve risk management for data processing, organized around the following functions:
- Identify – understanding and managing privacy risk.
- Govern – developing and implementing organizational governance with respect to privacy risk.
- Control – developing and implementing policies, processes, and procedures to manage data and privacy risk.
- Communicate – conveying policies, processes, and procedures to ensure awareness of proper data-processing practices and privacy risks.
- Protect – implementing appropriate data-processing safeguards.
Consistent with most other state data privacy laws, TIPA contains both entity-level exemptions and data-specific exemptions. TIPA's entity-level exemptions include:
- Government entities, which includes any authority, board, body, bureau, commission, district, or agency of the state or of a political subdivision of the state;
- Insurance companies licensed under state law (TIPA is unique among state privacy laws in exempting licensed insurance companies entirely);
- Nonprofit organizations;
- Financial institutions subject to Title V of the Gramm-Leach-Bliley Act (GLBA);
- Covered entities and business associates governed by the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH); and
- Institutions of higher education.
TIPA's data-specific exemptions include:
- Information governed by the Fair Credit Reporting Act (FCRA);
- Information subject to Title V of the GLBA;
- Protected health information under HIPAA;
- Information and documents created for purposes of the Health Care Quality Improvement Act (HCQIA);
- Patient safety work product for purposes of the Patient Safety and Quality Improvement Act (PSQIA);
- Controllers and processors in compliance with provisions of the Children's Online Privacy Protection Act (COPPA);
- Information governed by the Family Educational Rights and Privacy Act (FERPA);
- Personal information collected, processed, sold or disclosed in compliance with the Driver's Privacy Protection Act;
- Personal information collected, processed, sold, or disclosed in compliance with the Farm Credit Act;
- Personal information maintained or used for purposes of compliance with the regulation of listed chemicals under the Controlled Substances Act;
- Information collected as part of public- or peer-reviewed scientific or statistical research in the public interest;
- Information relating to applicants and employees "to the extent that the data is collected and used within the context of that role," including emergency contact information and benefits.
Like most of the other state privacy laws, TIPA distinguishes a "controller"—an entity that "determines the purpose and means of processing personal information"—from a "processor"—an entity that "processes personal information on behalf of a controller." A processor must adhere to the processing instructions of a controller as set forth in a written contract between the controller and processor. That contract also must require the processor to keep personal information confidential, to return or delete personal information at the end of the services provided by the processor (except where required by law), make available to the controller information needed to demonstrate the processor's compliance with TIPA, allow and cooperate with reasonable assessments by the controller or its agent, and engage any subprocessor with written contracts requiring the subprocessor to meet the same obligations as the processor regarding the personal information.
As with other state privacy laws, TIPA establishes individual rights for consumers, including the right for a consumer to access their personal information and to confirm whether a controller is processing the consumer's personal information. In addition, TIPA provides the right for a consumer to request that a controller correct inaccuracies in the consumer's personal information, the right to delete personal data provided by the consumer or obtained by a controller regarding the consumer, and the right to obtain a copy of the data in a portable and readily usable format.
Tennessee consumers also have the right to opt out of a controller's processing of personal information for the purpose of selling personal information about a consumer, targeted advertising, or profiling in furtherance of decisions producing legal or similarly significant effects concerning a consumer.
As with other state privacy laws, controllers in Tennessee are required to respond to a consumer's request for personal information within 45 days of receipt. TIPA provides companies with the option to utilize an additional 45-day extension, with proper notice to the requesting consumer.
If a consumer appeals a decision of the controller to deny a request for personal information, the appeal response must be issued by the controller within 60 days. If the appeal is denied, controllers are obligated to provide the consumer with a method for contacting the attorney general's office.
Upon receipt of an authenticated consumer request, a controller shall provide the consumer with a reasonably accessible, clear, and meaningful privacy notice that includes:
- Purpose of processing personal information;
- Categories of personal information processed by the controller;
- Categories of personal information the controller sells to third parties, if any;
- How consumers may exercise their rights, including how a consumer may appeal a controller's decision with regard to the consumer's request; and
- The right to opt out of the sale of personal information to third parties and the ability to request deletion or correction of certain personal information.
Like the Virginia privacy law and some others, TIPA requires companies to obtain consent, which must be a "clear affirmative act" signifying a consumer's "freely given, specific, informed, and unambiguous agreement," in order to process "sensitive data." TIPA defines "sensitive data" as:
- Personal data revealing:
  - Racial or ethnic origin;
  - Religious beliefs;
  - Mental or physical health diagnosis;
  - Sexual orientation;
  - Citizenship and immigration status;
- Genetic and biometric data that identifies an individual;
- Precise geolocation data (location within a radius of 1,750 feet); and
- Personal data collected from a known child (i.e., someone under the age of 13).
To process data of known children, a company must comply with the requirements of COPPA.
Definition of "Sale"
TIPA defines "sale" as an "exchange of personal information for monetary or other valuable consideration by the controller to a third party" (emphasis added). TIPA follows the laws in Connecticut and Colorado in adopting this relatively broad definition of sale. By comparison, a "sale" under the laws in Virginia (among others) is limited to an exchange of personal information for monetary consideration only.
The definition of a "sale" under TIPA and other state privacy laws is important because the scope of this term determines which disclosures a consumer can opt out of: a consumer may opt out only of a "sale" of their personal data (see below), not of other disclosures.
In practical terms, TIPA's broader definition of "sale" may, among other things, provide consumers with the ability to opt out of third-party marketing and other disclosures of personal information that do not strictly involve monetary consideration. Consistent with all other state privacy laws, TIPA's definition of a "sale" excludes disclosures to an affiliate of the controller or to the controller's processor, disclosures made for the purpose of providing a requested product or service, disclosures made in a merger or acquisition of the controller's business or assets, and disclosures of information that the consumer intentionally made public via mass media.
Data Protection Impact Assessments
TIPA requires controllers to conduct and document data protection impact assessments before engaging in specific processing activities, including:
- Processing for targeted marketing;
- Sale of personal information;
- Processing of personal information for profiling if the profiling presents a reasonably foreseeable risk of legal, deceptive, discriminatory, financial, reputational or physical harms;
- Processing sensitive data; and
- A catch-all category of any processing activities involving personal information "that present a heightened risk of harm to consumers."
Impact assessments conducted in accordance with other state laws will be compliant under TIPA, provided that those assessments "have a reasonably comparable scope and effect." TIPA requires that impact assessments be conducted for applicable processing activities created or generated on or after July 1, 2024, but there is no requirement to conduct an assessment prior to TIPA's effective date of January 1, 2025.
TIPA includes standard limitations under state privacy laws, including that the law does not restrict a controller or processor from collecting, using, or retaining personal data to:
- Conduct internal research to develop, improve, or repair products, services or technology;
- Effectuate a product recall;
- Identify and repair technical errors that impair existing or intended functionality; or
- Perform "internal operations" that are reasonable based on consumer expectations or the consumer relationship.
No Private Right of Action
There is no private right of action, including "a class action lawsuit," afforded to consumers for violations of TIPA under this or "any other law."
Attorney General Authority and Penalties for Non-Compliance
TIPA allows the Tennessee attorney general to investigate anyone who has engaged in "or is about to engage" in a violation and bring an action for declaratory, injunctive and monetary relief, including $7,500 in civil penalties for each violation of the law (in situations where a company fails to remedy the violation within the statutory cure period), as well as attorney's fees and investigative costs. Treble damages may be awarded for willful or knowing violations.
The attorney general's office must provide a covered company with the "opportunity to cure" any alleged violation within 60 days of receiving the notice of violation. This cure period is notably longer than those under other privacy laws, including Virginia, Utah and Indiana (which have 30-day cure periods). If a covered company fails to take remedial measures within 60 days, the attorney general may initiate an action against the company, such as seeking injunctive and monetary relief. Unlike under some other state laws, the right to cure in TIPA does not sunset.
Additional states may enact comprehensive privacy laws as legislative sessions wind down in state houses across the country. On April 21, 2023, the Montana legislature unanimously passed the Montana Consumer Data Privacy Act, which is likely to become the ninth such law across the country. Companies are advised to actively monitor proposed state legislation and assess their privacy compliance programs as new requirements come online.