On May 11, 2023, Governor Bill Lee signed the Tennessee Information Protection Act (the "TIPA") into law, making Tennessee the eighth state to enact a comprehensive privacy law. Tennessee joins Indiana and Iowa in enacting such laws within the last six weeks (see our prior alerts here and here), as the momentum for these laws continues to move quickly. The TIPA will take effect on July 1, 2024, which is sooner than the laws in Indiana and Iowa. While the TIPA is similar to other state comprehensive privacy laws, it also contains its own nuances, as described below.

Applicability

The TIPA will apply to persons conducting business in Tennessee or producing products or services that are targeted to residents of Tennessee and that either:

  1. during a calendar year, control or process personal information of at least 100,000 consumers (defined below); or
  2. control or process personal information of at least 25,000 consumers and derive over 50% of their gross revenue from the sale of personal information.

The applicability thresholds under the TIPA replicate those under the privacy laws in Virginia, Iowa, and Indiana. As now appears to be the trend, there is no monetary threshold for businesses as part of applicability under the TIPA, which is unlike California's and Utah's privacy laws.

Additionally, like the other state comprehensive privacy laws, the TIPA contains exemptions for certain types of entities, such as governmental entities, financial institutions governed by the Gramm-Leach-Bliley Act, covered entities and business associates subject to HIPAA and HITECH, non-profit organizations, and institutions of higher education. The TIPA also exempts certain types of data, such as protected health information under HIPAA, personal information regulated by the Family Educational Rights and Privacy Act, and data processed or maintained in the course of employment.

Key Definitions

Similar to the state comprehensive privacy laws, other than California, the TIPA narrowly defines "consumer" to mean an individual who is a Tennessee resident acting only in a personal context (i.e., it excludes an individual acting in a commercial or employment context). As a result, employee personal information and business contact personal information fall outside the scope of the TIPA.

With respect to such consumers, the TIPA regulates their "personal information" as well as a special category of personal information known as "sensitive data," which it defines as (i) personal information revealing racial or ethnic origin, religious beliefs, a mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; (ii) genetic or biometric data processed for the purpose of uniquely identifying a natural person; (iii) personal information collected from a known child (i.e., an individual under thirteen); or (iv) precise geolocation data. This definition of "sensitive data" is substantially similar to the definitions within the other state comprehensive privacy laws, except for California's law, which encompasses a broader range of information.

Under the TIPA, the "sale of personal information" means the exchange of personal information for monetary consideration or other valuable consideration by the controller to a third party. This definition mirrors the definitions of "sale" in California's, Colorado's, and Connecticut's laws and is contrary to the narrower definitions of "sale" in Virginia's, Utah's, Iowa's and Indiana's laws, which only consider monetary consideration as sufficient to constitute a "sale." This is one aspect of these laws on which the states continue to be split.

Compliance

Some of the compliance obligations found in the TIPA are substantially similar to those found in the other state comprehensive privacy laws, such as requiring controllers to provide a compliant privacy notice to consumers and to enter into contracts with processors that process personal information for the controller. Further, like the privacy laws in Colorado, Connecticut, Virginia, and Indiana, the TIPA requires controllers to undertake data protection impact assessments of any processing activities that involve personal information used in targeted advertising, the sale of personal information, profiling (in certain instances), sensitive data, and data that presents a heightened risk of harm to consumers. This is unlike the laws in California, Utah, and Iowa, which do not currently require data protection impact assessments.

Other compliance obligations are unique to the TIPA. For example, it requires controllers and processors to create, maintain, and comply with a written privacy program and creates a safe harbor for businesses whose privacy program "reasonably conforms" with the National Institute of Standards and Technology (NIST) privacy framework. When a subsequent revision of the NIST privacy framework is published, businesses have one year to update their privacy program to conform to the revised framework. The TIPA is the first comprehensive privacy law in the US to dictate a privacy framework that all businesses must follow.

Consumer Rights and Requests

Like the other state comprehensive privacy laws, the TIPA grants rights to individuals regarding their own personal information. Specifically, the TIPA grants consumers the right to make requests to (1) know and access their personal information; (2) correct inaccuracies in their personal information; (3) delete their personal information; (4) obtain a copy of their personal information; and (5) opt out of the sale of personal information. Notably, the opt-out rights under the TIPA do not expressly include the right to opt out from the use of personal information for targeted advertising. Additionally, the TIPA requires controllers to obtain consent prior to the processing of sensitive data.

Under the TIPA, a controller has 45 days to respond to a consumer request, which may be extended once by an additional 45 days when reasonably necessary upon considering the complexity and number of the consumer's requests. As under the comprehensive privacy laws in Colorado, Connecticut, Virginia, Iowa, and Indiana, the TIPA requires a controller to provide consumers with an appeals process if it denies a consumer's request, and a controller has 60 days to respond to an appeal. There is no right to appeal in California or Utah.

Enforcement

There is no private right of action under the TIPA. The TIPA grants enforcement rights exclusively to the Tennessee Attorney General, who can seek civil penalties of up to $15,000 for each violation of the law, a higher penalty amount than most other state privacy laws. Further, the TIPA clarifies that each provision of the TIPA violated is a separate violation and each consumer affected is a separate violation, meaning that penalties could accumulate quickly. On top of that, the TIPA permits a court to award treble damages for willful or knowing violations. Violators, however, are granted an opportunity to cure violations within 60 days of receiving notice of a violation from the Attorney General before such penalties are assessed.

Conclusion

At this point, the US state privacy law movement is burgeoning. As states continue to enact similar laws at this rate, there may be a stronger push for a federal law, but it remains uncertain whether Congress will act. Meanwhile, the benefits of a universal approach to privacy compliance, especially for medium to large businesses, continue to be important. Although the TIPA will not take effect until July 1, 2024, impacted businesses may want to consider integrating compliance for the TIPA sooner rather than later, especially if they do not already adhere to the NIST privacy framework.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.