We said it earlier this month: With many state legislative sessions coming to an end, we were likely to see a push by states to finish up debates and votes on consumer privacy laws, and now you can count Tennessee (and Montana) among those states doing just that. The Tennessee Information Protection Act (TIPA) has passed both houses of the Tennessee legislature and heads to Governor Bill Lee’s desk. We anticipate that he will sign the bill into law. The TIPA closely tracks the laws in Connecticut and Virginia, which is good news for many companies that are already subject to those laws; however, there are some wrinkles, as we discuss below. The TIPA will go into effect on January 1, 2025.
Below we provide an overview of some of the key aspects of Tennessee’s new consumer privacy law.
To Whom Does the TIPA Apply?
The TIPA takes a Utah-like approach to applicability, including both a revenue threshold and a processing volume threshold. Specifically, the TIPA applies to companies that do business in Tennessee or target products or services to Tennessee consumers and:
- Have more than $25 million in “revenue;” and
- Control or process personal information of 175,000 or more Tennessee consumers; or
- Control or process personal information of 25,000 or more Tennessee consumers and derive over 50% of gross revenue from the sale of that data.
The TIPA does not define “revenue” but, as in California and Utah, we believe the term will be interpreted as annual gross revenue on a worldwide basis.
Who Is a “Consumer”?
In the TIPA, a “consumer” is a natural person who is a resident of Tennessee acting in a personal context. This means that employees and B2B contacts are expressly excluded from the definition of “consumer.”
What Is “Personal Information”?
“Personal information” in the TIPA is “information that is linked or reasonably linkable to an identified or identifiable individual.” It excludes, however, deidentified data, aggregate data and publicly available data. The limitations for deidentified data and publicly available data closely track those of Virginia (e.g., deidentification requires a public commitment to keep data deidentified, and public data includes both data from government files and data that is generally available through mass media sources).
Although not expressly excluded from the definition of “personal information,” just as in Virginia, companies do not need to include pseudonymous data (under certain circumstances) when responding to consumer requests under the TIPA.
Who Can Enforce?
The Tennessee Attorney General has exclusive enforcement authority, and there is an express provision disclaiming any private right of action. Before initiating any enforcement proceeding, the Attorney General must give the controller 60 days’ written notice and an opportunity to cure. If an enforcement action follows, penalties for violations of the TIPA are up to $7,500 per violation.
The TIPA does, however, also allow for an “affirmative defense” for companies that adopt privacy programs that (1) “reasonably conform” to the NIST privacy framework; (2) are updated regularly; and (3) afford Tennessee consumers the rights afforded under the TIPA.
Who Is Exempt?
The exemptions to the TIPA closely mimic those of other state privacy laws. For example, the TIPA exempts personal information that is covered by laws such as the Health Insurance Portability and Accountability Act (HIPAA), the Children’s Online Privacy Protection Act (COPPA), the Gramm-Leach-Bliley Act, the Family Educational Rights and Privacy Act, and a litany of other federal laws.
In addition, the TIPA does not apply to government entities, nonprofit organizations or higher education institutions.
The TIPA also exempts the use of personal information for certain specific purposes, such as compliance with law, preventing fraud or injury to others and defending legal claims, just as in Virginia.
What Obligations Are Imposed?
Under the TIPA, controllers must:
- Limit the purpose of processing personal information to that which is reasonably necessary and proportional;
- Take steps to implement reasonable safeguards for the personal information within their control;
- Refrain from discriminating against consumers for exercising their rights and from processing personal information in violation of federal laws that prohibit discrimination;
- Be transparent in their reasonably accessible, clear and meaningful privacy notice; and
- Ensure contracts control relationships with their processors (note: the law itself details the minimum necessary provisions of these contracts).
What Consumer Rights Are Created by the TIPA?
Controllers must provide a now-standard set of consumer rights to Tennessee consumers:
- Opt-out rights related to the sale of personal information, targeted marketing and profiling (automated decision-making that could have significant legal effects such as related to housing, drinking water, credit, etc.);
- Deletion rights (with respect to the data provided by or about the consumer);
- Access rights, including a right to confirm whether the controller is processing any data at all;
- Correction rights, but limited to data the consumer previously provided;
- Appeal rights; and
- Data portability rights, but limited to data the consumer previously provided.
Sensitive Personal Information
Under the TIPA, “sensitive data” is personal information that includes racial/ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric information used to uniquely identify an individual, personal information collected from a known child (under the age of 13) and precise geolocation (location within a radius of 1,750 feet). Under the TIPA, a controller may not process (including collection) sensitive data without obtaining the consumer’s consent or, in the case of a child, complying with COPPA.
Response to Consumer Inquiries
As has become something of a standard in state consumer privacy laws, controllers must respond to a consumer personal information request within forty-five (45) days of receipt of the request, with a forty-five (45) day extension available. If a consumer appeals a decision of the controller to deny a consumer request, the appeal response must be delivered within sixty (60) days. As in Virginia, if the appeal is denied, controllers must provide the consumer with a method for contacting the attorney general.
Data Protection Impact Assessments
Just as under the laws on which the TIPA is modeled, controllers will need to document impact assessments before they engage in a number of different processing activities, including: (i) processing for targeted marketing; (ii) sale of personal information; (iii) processing of personal information for profiling if the profiling presents a reasonably foreseeable risk of legal, deceptive, discriminatory, financial, reputational or physical harms; (iv) processing sensitive data; and (v) a catch-all category of any processing activities involving personal information “that present a heightened risk of harm to consumers.”
As in Virginia, Colorado, Connecticut and elsewhere, these impact assessments must analyze the benefits of the processing to the company, consumer and public, while weighing the harms and potential mitigants. Thankfully, the TIPA allows for the use of impact assessments done under other state laws to count towards the requirements of the TIPA and does not require retroactive impact assessments for processing activities occurring prior to the effective date of the law. However, the TIPA does expressly specify that assessments must be created or generated on or after July 1, 2024, and are not retroactive.
When Does the TIPA Take Effect?
The TIPA comes into effect on July 1, 2025.
Creating a successful and effective, comprehensive privacy program for your organization requires a thorough understanding of both the relevant legal obligations and the personal information subject to compliance. Setting up a program that is prepared to respond to various state privacy laws as they come into effect will save organizations time in the long run, especially as many of these laws reflect one another.
If you have questions or need assistance in readiness work for the new state consumer laws, please contact your regular McDermott lawyer or reach out to David Saunders.