On May 11, 2023, Tennessee Governor Bill Lee signed the Tennessee Information Protection Act (the “TIPA”) into law. Tennessee is now the eighth state to enact a comprehensive privacy law, joining California, Colorado, Connecticut, Indiana, Iowa, Utah, and Virginia. The TIPA is set to go into effect on July 1, 2025.
Who Must Comply?
The TIPA applies to businesses that conduct business in Tennessee and produce products or services targeted to Tennessee residents and that:
- Exceed twenty-five (25) million dollars in revenue; and
- control or process personal information of at least twenty-five thousand (25,000) consumers and derive more than fifty percent (50%) of their gross revenue from the sale of personal information; or
- during a calendar year, control or process personal information of at least one hundred seventy-five thousand (175,000) consumers.
Like the other enacted privacy laws, the TIPA provides exemptions for certain entities and information governed by certain laws. The entities and information exempted include, but are not limited to:
- the state or any political subdivisions of the state;
- entities licensed under Tennessee law as insurance companies;
- financial institutions subject to the Gramm-Leach-Bliley Act;
- covered entities, business associates, and protected health information that is governed by the Health Insurance Portability and Accountability Act (HIPAA) and/or the Health Information Technology for Economic and Clinical Health Act (HITECH);
- institutions of higher education;
- personal or education information governed by the Family Educational Rights and Privacy Act; and
- entities that are governed by and comply with the Children’s Online Privacy Protection Act.
The TIPA provides consumers with rights regarding their personal data. These rights include the right to:
- confirm the processing of their personal information and access their personal information;
- correct inaccuracies of their personal information;
- delete personal information;
- obtain a copy of their personal information; and
- opt-out of the processing of their personal information for purposes of:
- sale of personal information;
- targeted advertising; or
Businesses must respond to consumer requests without undue delay, and in any event within 45 days of receiving the request. When reasonably necessary, businesses may extend the response period by one additional 45-day period.
Data Controller Responsibilities:
Under the TIPA, controllers have responsibilities which include, but are not limited to:
- limiting the collection of personal information to only what is adequate, relevant, and reasonably necessary for the purposes of processing that is disclosed to the consumer;
- establishing, implementing, and maintaining reasonable administrative, technical, and physical data security practices;
- not discriminating against consumers exercising their consumer rights;
- not processing sensitive data without obtaining consent;
- providing an accessible, clear, and meaningful privacy notice that includes:
- categories of personal information processed;
- purposes of processing personal information;
- how consumers can exercise their rights;
- categories of personal information sold to third parties, if any; and
- categories of third parties to which personal information is sold; and
- clearly and conspicuously disclosing if it sells personal information to third parties or processes personal information for targeted advertising and providing the manner in which consumers may exercise their right to opt out of such processing.
Processors (entities that process personal information on behalf of controllers) must adhere to the controllers’ instructions. Controllers and processors must have a binding contract governing the processor’s data processing procedures. This contract must set clear instructions on processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. Additionally, the contract must include requirements that the processor:
- ensure all those processing personal information are subject to a duty of confidentiality;
- delete or return all personal information to the controller, as requested;
- make all information available to the controller, as requested;
- cooperate with assessments by the controller; and
- engage in written contracts regarding processor obligations with any subcontractors.
Data Protection Assessments:
Controllers must create and document data protection assessments when personal information is involved in the following processing activities:
- processing of personal information for targeted advertising;
- selling personal information;
- processing personal information for profiling;
- processing of sensitive data; and
- processing activities involving personal information that present a heightened risk of harm to consumers.
The Tennessee attorney general has exclusive enforcement authority, and there is no private right of action. Before any enforcement action, alleged violators are given a 60-day period of notice and opportunity to cure the alleged violation. If alleged violations are not cured, the attorney general may file an action for declaratory judgment, injunctive relief, civil penalties of up to $7,500 for each violation, reasonable attorneys’ fees and investigative fees, and treble damages for willful and knowing violations.
The enactment of another state privacy law means that it remains imperative for businesses to develop, implement, and maintain strong processes and systems for data privacy and security. As the legal landscape continues to evolve, Taft’s Privacy and Data Security Practice is ready to assist. For more information on data privacy and security regulations and other data privacy questions, please visit Taft’s Privacy & Data Security Insights blog and the Taft Privacy and Data Security mobile application.