The Tennessee Data Privacy Law: An Overview
On May 11, 2023, Tennessee became the eighth state in the U.S. to enact comprehensive data privacy legislation when Tennessee Governor Bill Lee signed amended House Bill No. 1181 (the Tennessee Information Protection Act or TIPA). The TIPA comes into effect on July 1, 2025. The TIPA joins other U.S. state data privacy laws that are either in effect or will soon come into force (together with the TIPA, the State Data Privacy Laws). This article summarizes key provisions of the TIPA.
Scope and Applicability
The TIPA applies to a person that conducts business in Tennessee by producing products or services that target Tennessee residents, and that (i) exceeds $25,000,000 in revenue and (ii) (A) controls or processes personal information of at least 25,000 Tennessee residents and derives over fifty percent (50%) of gross revenue from the "sale" of any personal information or (B) during a calendar year, controls or processes personal information of at least 175,000 consumers.
The TIPA is similar to most other State Data Privacy Laws with respect to certain exclusions and exemptions. For example, the TIPA only applies to personal information collected from "a natural person who is a resident of [the] state" and, like most State Data Privacy Laws other than the California Consumer Privacy Act and California Privacy Rights Act, expressly excludes personal information collected or processed from a natural person in an employment or commercial context (e.g., business-to-business activities). The TIPA also includes typical exemptions in line with most other State Data Privacy Laws, such as for state political subdivisions or entities, nonprofit organizations, institutions of higher education, and any information or data regulated by certain other privacy laws, including the Health Insurance Portability and Accountability Act and the Gramm-Leach-Bliley Act.
Controller and Processor Regime
The TIPA, like certain other State Data Privacy Laws, adopts the regulatory framework of the European Union's General Data Protection Regulation, which distinguishes the roles and responsibilities of controllers and processors. The TIPA defines a "controller" as a natural or legal person that, alone or jointly with others, determines the purpose and means of processing personal information, and a "processor" as a natural or legal person that processes personal information on behalf of a controller.
The TIPA requires controllers to provide consumers with a reasonably accessible, clear, and meaningful privacy notice, which, among other things, discloses:
- the categories of personal information processed by the controller and the purpose of such processing
- the categories of personal information the controller sells and the categories of third parties to whom it sells that information
- how consumers may exercise their privacy rights, including the appeals process.
Controllers may only process personal information to the extent such processing is "reasonably necessary and proportionate" and "adequate, relevant, and limited to what is necessary" for certain specified purposes. Controllers are also required to establish, implement, and maintain administrative, technical, and physical data security practices (see NIST Affirmative Defense section below) to protect the confidentiality, integrity, and accessibility of personal information, which are appropriate to the volume and nature of personal information at issue, and to reduce reasonably foreseeable risks of harm to consumers.
Similar to certain other State Data Privacy Laws, the TIPA requires that controllers conduct and document data protection assessments in connection with certain processing activities, such as processing personal information for targeted advertising or certain profiling purposes, selling personal information, processing sensitive data, or any other processing activity that presents a heightened risk of harm to consumers. A data protection assessment must identify and weigh the benefits of the processing activity against the potential risks to consumers (as mitigated by the safeguards the controller employs to address such risks). Data protection assessment obligations under the TIPA apply to activities created or generated on or after July 1, 2024, and are not retroactive. Controllers may also use data protection assessments created pursuant to other laws with similar requirements, including other relevant State Data Privacy Laws, for TIPA compliance purposes.
Like most other State Data Privacy Laws, the TIPA requires controllers and processors to enter into a written contract that governs the data processing the processor performs on behalf of the controller. The TIPA requires contractual provisions that clearly set out instructions for the processing of the applicable data, describe the type of data subject to processing and the duration, nature, and purpose of such processing, and specify the rights and obligations of each party. Processors must be subject to a duty of confidentiality with respect to the applicable data and must enter into subcontracts with sub-processors to ensure similar protections. Processors are also generally required to adhere to the controller's instructions and must assist the controller in meeting its applicable obligations under the TIPA (e.g., responding to consumer rights requests and completing data protection assessments).
Consumer Rights and Requests
The TIPA provides a variety of individual consumer rights that align with most other State Data Privacy Laws. These include the right to access, obtain a copy of, delete, and correct personal information, and the right to opt out of the sale of personal information and/or the sharing of personal information for targeted advertising.
The TIPA permits parents and guardians to exercise rights on behalf of their children (defined as individuals under the age of thirteen (13)). Children's data must be processed in accordance with the Children's Online Privacy Protection Act, 15 U.S.C. § 6501 et seq. (COPPA), which requires consent from parents or guardians.
The TIPA also grants consumers certain rights with respect to other "sensitive data." The TIPA's definition of "sensitive data" is similar to definitions seen in most other State Data Privacy Laws, which encompass a consumer's racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric data, children's data, and precise geolocation data. In contrast to certain other State Data Privacy Laws, like the Virginia Consumer Data Protection Act, the TIPA provides an "opt-in" regime with respect to the processing of sensitive data where controllers may not process a consumer's sensitive data "without obtaining the consumer's consent" (or in accordance with COPPA if the "sensitive data" is children's data).
Right to Appeal
Under the TIPA, a controller must respond to a consumer's request to exercise a right within forty-five (45) days of receipt of such request. A controller can extend the response period by an additional forty-five (45) days when reasonably necessary and in consideration of the complexity and number of consumer requests within the initial forty-five (45) day period by providing notice and an explanation to the consumer. Like most other State Data Privacy Laws, if the controller denies a consumer's request, the controller must explain the justification for the denial and include instructions for appeal that are conspicuously available and similar to the process for submitting consumer rights requests. Within sixty (60) days of receipt of an appeal request, a controller must inform the consumer of any action taken or not taken in response to the appeal. If the appeal is denied, the controller must provide the consumer with an online mechanism or other method through which the consumer may contact the Tennessee Attorney General to submit a complaint.
Selling Personal Information
The TIPA defines the "sale of personal information" as "the exchange of personal information for valuable monetary consideration by the controller to a third party." The TIPA also provides exceptions to the "sale of personal information" in line with a number of other State Data Privacy Laws, including a controller's disclosure of personal information:
- to a processor that processes personal information on behalf of the controller
- to a third party for purposes of providing a product or service requested by the consumer
- to the controller's affiliates
- that the consumer intentionally made available to the general public and did not restrict to a specific audience
- to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction.
As noted above, controllers must provide consumers with the ability to opt-out of the selling of their personal information, but the TIPA does not provide any additional guidance on how controllers must offer and process such consumer opt-out requests from a technical perspective.
Targeted Advertising
The TIPA defines "targeted advertising" as "displaying to a consumer an advertisement that is selected based on personal information obtained from that consumer's activities over time and across nonaffiliated websites or online applications to predict such consumer's preferences or interests." Like most other State Data Privacy Laws, the TIPA expressly excludes certain activities as "targeted advertising," such as advertisements based on:
- activities within a controller's own websites or online applications
- the context of a consumer's current search query, visit to a website, or online application
- the consumer's request for information or feedback
- measuring or reporting the performance, reach, or frequency of an advertisement.
The TIPA also imposes the same opt-out requirements on controllers in connection with targeted advertising as it does with respect to the sale of personal information.
De-identified and Pseudonymous Data
The TIPA defines "de-identified data" as data that cannot reasonably be linked to an identified or identifiable individual, and such data is expressly excluded from the definition of "personal information." Similar to certain other State Data Privacy Laws, the TIPA requires that controllers in possession of de-identified data take reasonable measures to ensure that such data cannot be associated with a natural person and contractually obligate any recipients of de-identified data to comply with all applicable provisions of the TIPA. Additionally, like some other State Data Privacy Laws, such as the Virginia Consumer Data Protection Act, Utah Consumer Privacy Act, and Connecticut Data Privacy Act, the TIPA requires controllers to "publicly commit" not to re-identify de-identified data.
The TIPA defines "pseudonymous data" as personal information that cannot be attributed to a specific individual without the use of additional information. Certain consumer rights (e.g., right to access, delete, opt-out, etc.) under the TIPA do not apply to pseudonymous data if the controller demonstrates that any additional information necessary to identify the consumer is kept separately and subject to effective technical and organizational measures to prevent the controller from accessing such information.
The TIPA requires controllers that disclose de-identified data and/or pseudonymous data to exercise reasonable oversight to monitor compliance with any contractual commitments with third parties related to such de-identified data (including avoiding attempts to re-identify such data) and/or pseudonymous data and to take appropriate actions to address any breaches of such contractual commitments.
Enforcement and Penalties
In contrast to the California Consumer Privacy Act and California Privacy Rights Act, the TIPA does not provide consumers with a private right of action and is not enforced by a dedicated privacy agency. Rather, the TIPA is enforced by the Tennessee Attorney General. Under the TIPA, the Tennessee Attorney General, prior to initiating an action, will provide a controller and/or processor with sixty (60) days' written notice that identifies the specific provision(s) alleged to be violated. The controller and/or processor may cure such alleged violations within the sixty (60) day period. If uncured, the Tennessee Attorney General may initiate an action against the controller and/or processor and recover up to $7,500 in civil penalties per violation.
NIST Affirmative Defense
Perhaps the most notable aspect of the TIPA when compared to other State Data Privacy Laws is that it is the first comprehensive state data privacy law that provides controllers and processors with an affirmative defense. Under the TIPA, a controller or processor has an affirmative defense if it "creates, maintains, and complies with a written privacy policy" that (i) "reasonably conforms" to the National Institute of Standards and Technology (NIST) privacy framework entitled "A Tool for Improving Privacy through Enterprise Risk Management Version 1.0" or to other policies designed to safeguard consumer privacy, and (ii) is updated to conform with subsequent NIST or comparable privacy frameworks within two (2) years of publication of the most recent version. However, the TIPA also provides that such an affirmative defense will be determined on a case-by-case basis. For purposes of asserting this affirmative defense, privacy programs will be assessed based on a variety of factors, including:
- the size and complexity of the business
- the nature and scope of the controller's or processor's activities
- the sensitivity of the personal information that is processed
- the cost and availability of tools to improve privacy protection and data governance
- compliance with comparable state or federal laws.