United States: Final Tennessee Privacy Act Signed Into Law, Expanding Consumer Rights And Data Controller Flexibility In Developing And Measuring A Written Privacy Program That May Qualify For An Affirmative Defense To Violations Of The Act

This article was originally published on Privacy World on May 4, 2023 and was updated on May 16, 2023.

The Tennessee Information Protection Act ("TIPA"), signed into law on May 11, 2023, is a hodgepodge of the current U.S. state consumer privacy laws, but with a notable twist.

What's the Same

Like the other state privacy laws, TIPA includes role-based processing (controller vs. processor), privacy rights for Tennessee residents acting only in a personal context, privacy notice requirements, transparency, data minimization and security obligations, limits on sensitive data processing and targeted advertising, and data protection assessment requirements. TIPA is enforced by the Attorney General (i.e., no private right of action) subject to a 60-day cure period.

What's Different

Some of the notable differences between TIPA and the other state privacy laws are:

• TIPA's data minimization provision limits use beyond the disclosed purposes without consent, suggesting some kind of pre-collection notice is necessary regardless of authentication. TIPS has a few other references to privacy notices, but they are not helpful in interpreting Section 3204(c).
• Under the TIPA, a controller or processor has an affirmative defense to a cause of action for a violation of TIPA if the controller or processor "creates, maintains, and complies with a written privacy [program] policy that" (1) reasonably conforms to U.S. Department of Commerce's, National Institute of Standards and Practices ("NIST") voluntary privacy framework ("NIST PF") or other documented policies, standards, and procedures designed to safeguard consumer privacy, (2) is updated to reasonably conform with subsequent revisions of NIST PF or comparable privacy framework, and (3) provides a person with the substantive rights required by the TIPA. (47-18-3213).

Although the draft version of the TIPA required a written privacy program that conforms with NIST PF, the published version incorporated an amendment that provides for the application of any comparable privacy framework in order to qualify for the affirmative defense and removes the absolute obligation to use a framework altogether. The amendment was considered in April, but publicly available Tennessee government sources did not clarify the revisions, leaving those tracking the bill in the dark until the signed law was published on May 15, 2023. The published law contains the following amendments:

• The TIPA now provides that businesses are subject to the law if they exceed $25 million in revenue, in addition to meeting one of the thresholds. Businesses must also either (1) control or process the personal information of at least 25,000 consumers and derive over 50% of their revenue from the sale of personal information, or (2) control or process personal data from over 175,000 consumers (up from 100,000 consumers in the original draft bill).
• The published law removes the consumer right to request that a controller disclose the categories of personal information the business sold about the consumer, third parties it was sold to, and categories of personal data that were disclosed.
• The published law adds certain requirements for controllers receiving a deletion request. When personal information about a consumer is obtained from a source other than a consumer, controllers shall retain a record of the deletion request and minimum information necessary to ensure that the consumer's personal information remains deleted. Controllers must also refrain from using retained personal information for prohibited purposes under TIPA or shall opt the consumer out of the processing of such personal information.
• The TIPA grants additional opt-out rights, including the right to opt out of sale, targeted advertising, and profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer. Originally, consumers only had the right to opt out of sale.
• The TIPA no longer requires a consumer to request that the controller provide a privacy notice. A controller must provide a privacy notice regardless of consumer request.
• The published law lowers civil penalties, from up to $15,000 per violation to up to $7,500 per violation. The TIPA also removed the requirements to consider certain listed criteria and considerations in the assessment of civil penalties, and consumers will not be able to get "appropriate relief" when they are affected by a violation.
• Finally, the effective date was changed by one year. TIPA will now go into effect on July 1, 2025, a year later than originally proposed.

Conforming to NIST PF

It is unclear what it would mean to "conform" to NIST PF, which is a set of flexible constructs and tools, not an auditable checklist of requirements or even standards, to aid in the development and operation of an enterprise-wide privacy risk governance and ethical processing program, designed to be adaptable to each organization's needs, risk tolerance, values and circumstances. Here is an entertaining video about NIST PF published by NIST. NIST PF describes itself as "a risk management tool" that "can assist an organization in its efforts to optimize beneficial uses of data and the development of innovative systems, products, and services while minimizing adverse consequences for individuals".

"The Privacy Framework can help organizations answer the fundamental question, 'How are we considering the impacts to individuals as we develop our systems, products, and services?' To account for the unique needs of an organization, use of the Privacy Framework is flexible, although it is designed to complement existing business and system development operations. The decision about how to apply it is left to the implementing organization. For example, an organization may already have robust privacy risk management processes, but may use the Core's five Functions as a streamlined way to analyze and articulate any gaps. Alternatively, an organization seeking to establish a privacy program can use the Core's Categories and Subcategories as a reference. Other organizations may compare Profiles or Tiers to align privacy risk management priorities across different roles in the data processing ecosystem. The variety of ways in which the Privacy Framework can be used by organizations should discourage the notion of 'compliance with the Privacy Framework' as a uniform or externally referenceable concept." [Emphasis added.]

So while the NIST PF was designed as a voluntary framework to help enterprises better develop and manage a program for managing privacy risks, and not a blueprint for the minimum requirements of a program, controllers and processors under the TIPA can create a written privacy governance document that could take any number of reasonable forms and approaches, but based on the NIST PF, at least in part, to articulate and measure program elements, goals, controls, performance measurement, and processes, including data management, risk and impact assessments, transparency, accountability and training.

TIPA Section 3213(a) provides for a defense to violation of any of the TIPA, though what the elements of establishing the defense are remains uncertain. It seems that if you can establish a NIST-consistent written privacy program (or consistency with a comparable framework), that enshrines TIPA's statutory rights and obligations, you can potentially avoid enforcement remedies for various TIPA violations, even if you do not cure within the 60-day cure period the Act otherwise provides. Section 3213(b) explains that the scale and scope of a privacy program that qualifies for the affirmative defense under subsection (a) is to be determined based on (1) the size and complexity of the business, (2) the nature and scope of the activities of the controller or processor, (3) the sensitivity of the personal information processed, (4) the cost and availability of tools to improve privacy protections and data governance, and (5) compliance with a comparable state or federal law. Although not explicitly stated, it would seem that an appropriate determination under subsection (b) is necessary to qualify for the affirmative defense under subsection (a). Further, subsection (c) provides that, in addition to the factors in subsection (b), certifications under the Asia Pacific Economic Cooperation's Cross Border Privacy Rules System, and the Asia Pacific Economic Cooperation's Privacy Recognition for Processors system may be considered. Thus, the APEC Privacy Framework appears to be intended as a measure of program appropriateness. Section 3213 was substantially broadened by the amendment to allow more flexibility in choice of framework and measure of appropriateness for judging a written privacy program.

So, practically, what does that really mean? The NIST framework is a paradigm that calls for using its unique nomenclature and methods of analysis to help a business manage personal data and privacy risk, and uses specific tools:

• Core: A set of 5 primary privacy protection functional activities (Identify, Govern, Control, and Protect), which are subdivided into 18 categories and 100 subcategories of discrete outcomes. The idea is that senior management will select specific categories and subcategories as priority activities and outcomes, enterprise-wide, based on the business's particular circumstances and values, and the minimum standards of applicable law.
• Profiles: Sets of current state activities and goals for improvement built off of the selected Core categories and subcategories. This creates a way to measure performance and improvement.
• Implementation Tiers: (Partial, Risk Informed, Repeatable, and Adaptive): Points of reference to measure the maturity of risk management, which tie to 4 designated, key components of the privacy program (Privacy Risk Management Process, Integration of the Risk Management Program, Data Processing Ecosystems Relationships and Workforce Management) and reflect the multi-stakeholder, cross-departmental philosophy underpinning the framework. The tiers are thought to help drive enterprise-wide budgeting, staffing, and training to help a business achieve its program goals, which may differ from business to business.

As noted above, under the TPIA, the "scale and scope" of the privacy program is to be "based on all of the following factors: (1) [t]he size and complexity of the controller or processor's business; (2) [t]he nature and scope of the activities of the controller or processor; (3) [t]he sensitivity of the personal information processed; (4) [t]he cost and availability of tools to improve privacy protections and data governance; and (5) [c]ompliance with comparable state or federal law." So, aside from operationalizing the rights and obligations mandated by applicable law, the robustness of a program, and of the level of privacy protection, will vary from business to business.

In short, NIST creates a language and process for discussing and measuring privacy risk management and information governance. At its core, it is a self-assessment and improvement tool. Further, the NIST framework calls for ethical decision-making around data practice decisions, but concedes that "there is no objective standard for ethical decision-making." As mentioned, it also takes the approach that privacy is inherently a cross-disciplinary exercise that necessitates the participation by all internal data stakeholders. It is thought, by NIST's creators, that the framework's standard terminology and analytical models and tools will foster collaboration between Legal, HR, Product, IT, InfoSec, Marketing and Management and help a business stay on track with achieving both compliance with applicable law and its own privacy goals.

Other cybersecurity laws, such as ones in Connecticut and Ohio, require a cybersecurity program with "reasonable" controls. These laws do not define what is reasonable, but make available an affirmative defense to a tort claim that a business' failure to "implement reasonable cybersecurity controls" results in a data breach. The affirmative defense is available when the defendant business can demonstrate that it conformed to one of the enumerated "industry recognized" cybersecurity frameworks, including NIST special publications 800-171 or 800-53 and 800-53a.

Complying with an industry data protection framework like NIST PF is clearly beneficial but, depending on the volume and sensitivity of a business' information processing and available resources, the time and money needed to meaningfully adhere may prove overwhelming. And, whether TIPA's specific reliance on the NIST PF will catch on – whether in other state privacy laws or as predominant means for privacy risk management– remains to be seen. What is clear, however, is that businesses subject to the TIPA can benefit from an affirmative defense if they develop a written privacy program that uses NIST, or a comparable framework, for developing and operating a formal privacy program. For those companies the NIST privacy framework can inform how they discuss and manage enterprise-wide data privacy risk and information governance.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.