Tennessee Passes the Tennessee Information Protection Act (TIPA)

Saul Ewing LLP

On May 11, 2023, Tennessee became the eighth state to join the most recent trend in state legislation when Governor Lee signed the Tennessee Information Protection Act (TIPA) into law. TIPA takes effect on July 1, 2025. Tennessee joins other states that have enacted comprehensive privacy legislation: California (whose Privacy Rights Act, the CPRA, took effect on January 1, 2023), Colorado, Connecticut, Utah, Virginia, Iowa, Indiana, and Montana. This flurry of legislation is the result of lawmakers establishing individual state data privacy laws in the absence of a comprehensive data privacy law at the federal level.

What You Need to Know:

  • The Tennessee Information Protection Act (TIPA) was signed into law on May 11th targeting companies that do business in Tennessee.
  • The TIPA defines "personal information" broadly to cover any information that identifies, relates to, or describes a particular consumer.
  • The TIPA establishes individual rights for consumers, including the right for a consumer to access their personal information and to confirm whether a controller is processing the consumer's personal information.

Scope of TIPA

TIPA applies to companies ("controllers") that do business in Tennessee or target products or services to Tennessee consumers and that (1) have more than $25 million in "revenue" and either (2) control or process personal information of 175,000 or more Tennessee consumers, or (3) control or process personal information of 25,000 or more Tennessee consumers and derive over 50 percent of gross revenue from the sale of that data. The law defines "personal information" broadly to include any "information that identifies, relates to, or describes a particular consumer or is reasonably capable of being directly or indirectly associated or linked with, a particular consumer." Such information includes identifiers; education, employment, financial, and medical information; biometric data; internet or other electronic network activity; and inferences drawn from personal information that are used to create a profile of a consumer.

Consumer Rights

Under the TIPA, consumers have the following rights:

  • The right to confirm whether a controller is processing their personal information.
  • The right to access their personal information.
  • The right to correct inaccuracies in their personal information, limited to data the consumer previously provided.
  • The right to have their personal information deleted.
  • The right to receive a copy of the personal information held about them in a portable and usable form (data portability).
  • The right to opt out of the sale of their personal information, of targeted advertising, and of profiling in furtherance of solely automated decisions that produce legal or similarly significant effects.
  • The right to appeal any denial of a consumer request relating to the above rights.

Controller Duties

Controllers under the TIPA will be required to limit the collection of personal information to what is adequate, relevant, and reasonably necessary for the purposes of the processing activity and must not process personal information for purposes other than those outlined in the controller's privacy notice unless further consent is obtained.

Controllers will be required to establish, implement, and maintain reasonable administrative, technical, and physical data security practices.

Controllers are prohibited from processing sensitive data without first obtaining the consumer's consent. Additionally, processing the personal information of a known child should be done in line with the federal Children's Online Privacy Protection Act (COPPA).

Controllers must present the consumer with a privacy notice that is reasonably accessible, clear, and meaningful and that includes:

  • The categories of personal information processed.
  • The purposes for processing.
  • How consumers may exercise their consumer rights.
  • The categories of personal information sold to third parties.
  • The categories of third parties to whom personal information is sold.

Controllers shall conduct and document a data protection assessment for certain processing activities that identifies and balances the benefits and risks of the processing activity. Activities that require a data protection assessment include:

  • The processing of personal information for purposes of targeted advertising.
  • The sale of personal information.
  • The processing of personal information for purposes of profiling.
  • The processing of sensitive data.
  • Processing activities involving personal information that present a heightened risk of harm to consumers.

The controller must give the consumer the ability to opt out of the following:

  • Profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
  • Targeted advertising.
  • The sale of personal information.

In addition, the TIPA requires a contract between a controller and a processor that governs the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract is binding and must clearly set forth the instructions for processing data, the nature and purpose of the processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties, and it must include specific requirements the processor must follow in handling personal information.

Enforcement

TIPA will be enforced by the Tennessee Attorney General, and controllers found to be in violation of the law will be granted a 60-day cure period. Controllers that do not remediate violations within 60 days are liable for civil penalties of up to $7,500 per violation. In addition, a court may award treble damages for willful or knowing violations. There is no private right of action.

Affirmative Defense

In the event of an alleged violation of the TIPA, a controller or processor has an affirmative defense if it creates, maintains, and complies with a written privacy program that reasonably conforms to the National Institute of Standards and Technology (NIST) privacy framework entitled "A Tool for Improving Privacy through Enterprise Risk Management Version 1.0" or to other documented policies, standards, and procedures designed to safeguard consumer privacy.

Pertinent Definitions

  • Consumer: A natural person who is a resident of Tennessee acting in a personal context. This means that employees and B2B contacts are expressly excluded from the definition of consumer.
  • Controller: An entity that conducts business in Tennessee or produces products or services that are targeted to residents of Tennessee, and that determines the purpose and means of processing personal information.
  • Personal information: Information that is linked or reasonably linkable to an identified or identifiable individual. It excludes, however, deidentified data, aggregate data and publicly available data.
  • Processor: A vendor that processes personal information for or on behalf of a controller.
  • Pseudonymous data: Personal information that cannot be attributed to a specific natural person without the use of additional information.
  • Sale: The exchange of personal information for monetary or other valuable consideration, which aligns with California's broad approach to "sale" that reaches more than data brokers.
  • Sensitive data: Personal information that includes information such as racial/ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric information used to uniquely identify an individual, personal information collected from a known child (under the age of 13) and precise geolocation (location within a radius of 1,750 feet).

Exemptions

The TIPA does not apply to government entities, nonprofit organizations, higher education institutions, or licensed insurance companies.

The TIPA expressly states that if any of the data is "pseudonymous" data (i.e., data in which any identifiers are kept separately and are subject to controls to prevent the controller from accessing those identifiers) or de-identified data (i.e., data that cannot be attributed to a specific natural person or device linked to a person), then opt-out rights do not apply. The TIPA's carveout for pseudonymized information extends to the consumer right to opt-out of data sales, targeted advertising, and significant profiling decisions. Depending on how the definition of "pseudonymous data" is interpreted and enforced, this approach could significantly narrow the impact of consumers' opt-out rights.

Further Tennessee Privacy Initiatives

House Bill 1310, as substituted by its companion Senate Bill 1295, was signed into law by the Tennessee Governor on April 28, 2023, enacting the Genetic Information Privacy Act. The Genetic Information Privacy Act takes effect on July 1, 2023.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Saul Ewing LLP | Attorney Advertising
