On May 11, 2023, Governor Bill Lee signed the Tennessee Information Protection Act (TIPA) into law. Tennessee joins the rapidly growing group of states with their own comprehensive consumer data privacy laws (California, Utah, Colorado, Connecticut, Virginia, Iowa and Indiana; together, "US State Data Privacy Laws"). TIPA takes effect on July 1, 2025. Because TIPA largely tracks the other US State Data Privacy Laws, controllers should have little difficulty adapting their existing data privacy compliance programs to it. As in our other articles on US State Data Privacy Laws, we summarize the key components of TIPA below.
Who does TIPA apply to?
Like the other US State Data Privacy Laws, TIPA imposes transparency and disclosure obligations on a "controller" (a person or entity that determines the purpose and means of processing personal information) that conducts business in Tennessee producing products or services that target residents of Tennessee, and that:
- exceed $25 million in revenue; and
- either (1) control or process personal information of at least 25,000 consumers and derive more than fifty percent (50%) of gross revenue from the sale of personal information, or (2) during a calendar year, control or process personal information of at least 175,000 consumers.
TIPA's jurisdictional thresholds are notably narrower than those of most other US State Data Privacy Laws because both a revenue threshold and a processing threshold must be met. In addition, TIPA does not apply to government entities, nonprofits, HIPAA-covered entities and business associates, institutions of higher education (public or private), insurance companies licensed under state law, or entities and data regulated by the Gramm-Leach-Bliley Act. TIPA also exempts certain classes of data, including health records, scientific research data, consumer credit-reporting data, personal motor vehicle records, insurance data, data regulated by the Family Educational Rights and Privacy Act or the federal Farm Credit Act, and employment-related information.
What rights does TIPA vest in consumers?
TIPA grants Tennessee residents acting in an individual or household context ("consumers") certain access and control rights concerning their personal information. Consumers may submit authenticated requests to a controller to:
- confirm whether the controller is processing their personal information and provide them access to their personal information;
- correct inaccuracies in their personal information;
- delete personal information provided by or obtained about them;
- obtain a copy of the consumer's personal information that the consumer previously provided to the controller (i.e., data portability); and
- opt out of the processing of their personal information for targeted advertising, the sale of their personal information, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
A controller must respond to a consumer request within 45 days; that period may be extended by an additional 45 days where reasonably necessary, taking into account the complexity and number of requests. Notably, TIPA also grants consumers the right to appeal a controller's refusal to take action on a request to exercise their rights, and the controller must respond to the appeal in writing within 60 days.
What obligations does TIPA impose on controllers?
TIPA applies to "personal information." Personal information is defined as "information that is linked or reasonably linkable to an identified or identifiable natural person," and similar to other US State Data Privacy Laws, excludes de-identified or aggregate data or publicly available information.
TIPA requires controllers to:
- limit the collection of personal information to what is adequate, relevant and reasonably necessary in relation to disclosed purposes for which such data is processed;
- adopt and implement reasonable administrative, technical and physical data security practices;
- process consumers' sensitive data only after obtaining the consumer's affirmative consent. Sensitive data includes, among other categories, genetic or biometric data processed to uniquely identify a natural person, personal information collected from a known child, precise geolocation data, and personal information revealing racial or ethnic origin, religious beliefs or health status;
- process consumer data in a non-discriminatory manner, and refrain from discriminating against consumers who exercise the rights granted by the statute;
- provide a clear privacy policy that includes the categories of personal information processed; the purpose for processing personal information; the categories of personal information sold to third parties; the types of third parties; and the consumer's rights and the manner in which consumers may exercise their rights, including to appeal;
- clearly disclose if the controller sells consumers' personal information to third parties or engages in targeted advertising, and provide consumers an opportunity to opt out;
- establish a process for consumers to appeal the refusal to take action on requests to exercise their rights and provide consumers an online mechanism to contact the attorney general should their appeal be denied;
- conduct a data protection impact assessment for the processing of personal information for targeted advertising, the sale of personal information, profiling, the processing of sensitive data, and any other processing activities involving personal information that present a heightened risk of harm to consumers; and
- when in possession of de-identified data, take reasonable measures to ensure that the data cannot be associated with an individual, commit publicly to maintaining data as de-identified data, and obligate any recipients of the data to comply with TIPA.
TIPA imposes additional requirements on "processors" (a person or entity that processes personal information on behalf of a controller). Processors must assist the controller in meeting its obligations under the act, including those relating to consumer rights requests and the security of processing. TIPA also requires that all processing be governed by a contract between the controller and the processor that sets out the consumer privacy provisions required by TIPA.
Key Aspects of TIPA
- Affirmative Defense - NIST privacy framework: TIPA allows controllers and processors to assert an affirmative defense to a cause of action for a violation if they create, maintain and comply with a written privacy program that reasonably conforms to the National Institute of Standards and Technology (NIST) privacy framework, or to other documented policies, standards and procedures designed to safeguard consumer privacy. The program must be updated to reasonably conform to subsequent revisions of the NIST or comparable framework within two years of their publication, and it must provide consumers with the substantive rights required by TIPA.
- The appropriateness of controllers or processors' privacy program is determined based on several factors. These factors include the size and complexity of the business, the nature and scope of their activities, the sensitivity of the personal information processed, the availability and cost of tools to enhance privacy protections and data governance, and compliance with comparable state or federal laws.
- In addition to the factors above, certifications may be considered in assessing a privacy program: a controller's certification under the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules system, or a processor's certification under the APEC Privacy Recognition for Processors system.
- Processing Agreement Required between Controllers and Processors: Like certain other US State Data Privacy Laws, TIPA requires controllers to enter into contracts with processors governing the processor's data processing. A contract under TIPA must set out clear instructions for processing personal information, the nature and purpose of the processing, the type of data subject to processing, the duration of the processing, and the rights and obligations of both parties. The contract must also impose a duty of confidentiality and require the processor's subcontractors to sign contracts with the same requirements. TIPA further requires processors to delete or return personal information at the controller's direction.
- Attorney General Investigations and Enforcement: Like most of the US State Data Privacy Laws, TIPA does not provide for a private right of action. The Tennessee Attorney General may conduct enforcement actions and issue investigative demands. Before initiating an action, the attorney general must provide a written notice to the controller or processor, giving 60 days to cure the noticed violation. The attorney general may bring an action in court seeking various forms of relief, including declaratory judgment, injunctive relief, civil penalties, attorney's fees and investigative costs. A court may impose civil penalties of up to $7,500 for each violation, and if the violation is found to be willful or knowing, treble damages may be awarded.
White & Case's Data, Privacy and Cybersecurity team will continue to provide updates as these laws and regulations emerge. Please reference our US Data Privacy Guide and other client alerts for general steps to take to comply with US data privacy laws.
White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.
This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.
© 2023 White & Case LLP