?On May 11, Gov. Bill Lee signed the Tennessee Information Protection Act (TIPA) into law, making Tennessee the eighth state to enact a comprehensive privacy law.
Tennessee joins Indiana and Iowa in enacting such laws within the last six weeks, as the momentum for these laws continues to move quickly. The TIPA will take effect July 1, 2024, which is sooner than the laws in Indiana and Iowa.
The TIPA will apply to people conducting business in Tennessee or producing products or services that are targeted to residents of Tennessee and that either:
- Control or process personal information of at least 100,000 consumers during a calendar year; or
- Control or process personal information of at least 25,000 consumers and derive more than 50 percent of their gross revenue from the sale of personal information.
These applicability thresholds under the TIPA replicate those under the privacy laws in Virginia, Iowa, and Indiana.
Like the other state privacy laws, the TIPA contains exemptions for governmental entities, financial institutions governed by the Gramm-Leach-Bliley Act, businesses subject to the federal Health Insurance Portability and Privacy Act (HIPAA), nonprofit organizations, and institutions of higher education. The TIPA also exempts certain types of data, such as protected health information under HIPAA, personal information regulated by the Family Educational Rights and Privacy Act, and data processed or maintained in the course of employment.
Key Definitions
Similar to some of the statewide comprehensive privacy laws, other than California, the TIPA narrowly defines “consumer” to mean an individual who is a Tennessee resident acting only in a personal context. It excludes an individual acting in a commercial or employment context. As a result, employee personal information and business contact information fall outside the scope of the TIPA.
With respect to consumers, the TIPA regulates their personal information, as well as sensitive data, which includes:
- Personal information revealing a mental or physical health diagnosis, racial or ethnic origin, religious beliefs, sexual orientation, citizenship or immigration status.
- Genetic or biometric data.
- Personal information collected from person under age 13.
- Precise geolocation data.
Under the TIPA, the “sale of personal information” means the exchange of personal information for monetary consideration or other valuable consideration by the controller to a third party. This definition mirrors the definitions of “sale” in California’s, Colorado’s, and Connecticut’s laws and is contrary to the narrower definitions of “sale” in Virginia’s, Utah’s, Iowa’s and Indiana’s laws, which only consider monetary consideration as sufficient to constitute a “sale.” This is one aspect of these laws on which the states continue to be split.
Compliance
Some of the compliance obligations found in the TIPA are substantially similar to those found in the other state privacy laws, such as requiring controllers to provide a compliant privacy notice to consumers and to enter into contracts with processors that process personal information for the controller.
The TIPA requires controllers to undertake data protection impact assessments of any processing activities that involve personal information used in targeting advertising, the sale of personal information, profiling, sensitive data, and data that presents a heightened risk of harm to consumers.
The TIPA also requires controllers and processors to create, maintain, and comply with a written privacy program and creates a safe harbor for businesses whose privacy program reasonably conforms with the National Institute of Standards and Technology (NIST) privacy framework. When a subsequent revision of the NIST privacy framework is published, businesses have one year to update their privacy program to conform to the revised framework. The TIPA is the first comprehensive privacy law in the country to dictate a privacy framework that all businesses must follow.
Consumer Rights and Requests
Like the other statewide privacy laws, the TIPA grants rights to individuals regarding their own personal information. Specifically, the TIPA allows consumers to make requests correct inaccuracies in their personal information, delete their personal information, obtain a copy of their personal information, and opt out of the sale of personal information. Notably, the opt-out rights under the TIPA do not expressly include the right to opt out from the use of personal information for targeted advertising. Additionally, the TIPA requires controllers to obtain consent prior to the processing of sensitive data.
Under the TIPA, a controller has 45 days to respond to a consumer request, which may be extended once by an additional 45 days when reasonably necessary upon considering the complexity and number of the consumer’s requests. Like under the comprehensive privacy laws in Colorado, Connecticut, Virginia, Iowa, and Indiana, the TIPA requires a controller to provide consumers with an appeals process if it denies a consumer’s request, and a controller has 60 days to respond to an appeal. There is no right to appeal in California or Utah.
There is no private right of action under the TIPA. The law grants enforcement rights exclusively to the Tennessee Attorney General, who can seek civil penalties of up to $15,000 for each violation of the law, a higher penalty amount than most other state privacy laws.
The TIPA clarifies that each provision of the law violated is a separate violation, and each consumer affected is a separate violation, meaning that penalties could accumulate quickly. The TIPA permits a court to award treble damages for willful or knowing violations. Violators, however, are granted an opportunity to cure violations within 60 days of receiving notice of a violation from the Attorney General before such penalties are assessed.
Conclusion
The state privacy law movement is burgeoning. As more states continue to enact similar laws, there may be a stronger push for a federal law, but it remains uncertain whether Congress will act. Meanwhile, the benefits of a universal approach to privacy compliance, especially for medium to large businesses, continues to be important. Although the TIPA will not take effect until July 1, 2024, impacted businesses may want to consider integrating compliance for the TIPA sooner rather than later, especially if they do not already adhere to the NIST privacy framework.
Billee Elliott McAuliffe and Melissa G. Powers are attorneys with Lewis Rice in St. Louis. © 2023. Lewis Rice. All rights reserved. Reprinted with permission via Lexology.
