Tennessee Information Protection Act

Tennessee has enacted a data privacy bill that could impose certain obligations on your business, and it is essential for you to familiarize yourself with its provisions.

What is the Tennessee Information Protection Act?

The Tennessee Information Protection Act (TIPA) serves as the consumer data privacy law in the state of Tennessee. It aligns with the patterns established by other U.S. states that had previously implemented data protection legislation. TIPA was officially signed into law on May 11, 2023, and its provisions are set to take effect from July 1, 2025.

Does the TIPA apply to your business?

TIPA applies to businesses that meet certain criteria and are either based in Tennessee or target Tennessee consumers. These criteria include:

• Generating more than $25 million in annual revenue.
• Controlling or processing the personal information of either:
  - At least 175,000 Tennessee consumers, or
  - At least 25,000 Tennessee consumers, with more than 50% of their annual revenue coming from the sale of personal information.

It's important to note that TIPA does not apply to all businesses, but only to those that meet these specific thresholds.

Are there exemptions from the TIPA?

Under TIPA, there are certain organizations and types of personal data that are exempt from its requirements. Exempt organizations include:

• Government entities
• Non-profit organizations
• Higher education entities
• Entities covered under the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH)
• Financial institutions subject to the Gramm-Leach-Bliley Act (GLBA)
• Insurance companies

Additionally, there is a long list of exempt types of data, which includes but is not limited to:

• Data protected by industry-specific laws such as HIPAA, GLBA, Fair Credit Reporting Act (FCRA), and others.
• Information collected for research purposes that serve the public interest.
• Employment-related information.

What is personal data under the TIPA?

Any information identifying an individual, directly or indirectly, is personal information under the Tennessee Information Protection Act.

That includes anything from a personal name, Social Security Number, and phone number to IP addresses, browsing history, purchase history, health data from fitness tracker apps, geolocation, and other data that could indirectly point out an individual.

What is sensitive personal data under the TIPA?

Sensitive data under the TIPA includes:

• Data revealing an individual’s racial origin, ethnic origin, sexual orientation, citizenship or immigration status, or health diagnosis
• Child’s data
• Precise geolocation data
• Biometric data to identify a person

Sensitive data has a special regime under the TIPA. It must not be collected without consent and must be subject to a Data Protection Assessment.

What are TIPA controllers and processors and what are their duties?

A controller is the company that decides about processing. The processor is the company that processes data on behalf of the controller.

If you run a SaaS company and have Google Analytics installed on your website, you are the controller. You decide that you want analytics data, and you make the decision to use GA and share the data with Google for processing purposes. Google, in this case, is your data processor.

The controller has the following TIPA duties:

• Implement technical and organizational measures to ensure that the data is safe.
• Conduct and document a data protection assessment for the processing of sensitive data, the sale of data, and other cases where required.
• Collect and process data that is adequate for processing purposes.
• Obtain explicit consent for the processing of sensitive data.
• Have signed contracts with each data processor.
• Honor consumer requests.
• Allow consumers to opt out of the sale of data, of profiling, or from processing for targeted advertising.

The processor, on the other hand, must:

• Comply with processing instructions as set out in the contract with the controller.
• Provide the controller with the information needed for data protection assessments.
• Implement technical and organizational measures for data security.

What Is a Data Processing Agreement, and why do we need it?

The TIPA, like other privacy laws, requires processors to process data only upon written instructions and a contract with the controller. The data processing agreement is the contract between the controller and processor that governs the processing.

It contains at least:

• The identity of both parties
• The nature and purposes of processing
• Categories of personal data to be processed
• The duration of processing
• Rights and duties of both parties
• Confidentiality provisions
• Requirement for deletion of data upon the controller’s request
• Require the processor to prove compliance to the controller, upon request.
• Provisions on hiring subcontractors

What is a TIPA-compliant privacy notice?

The privacy notice, also known as the privacy policy, is compliant with the Tennessee data protection law if it contains at least the following:

• Why do you process data?
• What data do you process?
• The categories of data you sell, if applicable
• The categories of third parties to whom you sell data, if applicable
• Details on consumer rights and how to exercise them

You can always add more information to increase transparency, but it is not required.

Do we need to obtain consent from consumers for data processing?

You must obtain explicit consumer consent for the processing of sensitive personal data.

The consent must be freely given, specific, informed, and unambiguous.

When you collect the information of a known child for processing, you can rely on the parental consent standards set out in COPPA.

Do we need to respect universal opt-out mechanisms?

The TIPA does not mention anything about universal opt-out mechanisms; therefore, you are not obliged to conform to them.

However, you must allow consumers to opt out through your designated methods.

What is Data Protection Assessment?

Data Protection Assessment is a process where the controller assesses the risks of processing for consumers. This exercise will give you an idea of what the risks of your processing activities are and what you need to do to mitigate those risks.

Businesses are required to conduct and document a Data Protection Assessment for:

• Sale of personal data
• Processing of sensitive data
• Processing data for targeted advertising
• Processing of data for profiling
• Any other processing that poses a heightened risk to consumers.

What are TIPA personal data rights and requests?

TIPA grants consumers certain rights related to their own personal data. They can exercise these rights by submitting requests to you, which you must honor to avoid penalties.

TIPA grants the rights to:

• Know about the processing
• Access personal data
• Delete data
• Data portability
• Correct data
• Opt out of:
  - Targeted advertising
  - Profiling
  - Sale of personal information

Consumers can submit requests using any of the methods designated in your privacy notice. Once received, you have 45 days to respond. In more complex cases, the deadline can be prolonged for 45 more days.

Who enforces the TIPA and how much are the fines?

The Tennessee Attorney General is competent to enforce the TIPA.

Consistent with other laws, businesses will get a cure period to remedy the violations before getting a fine. The cure period is 60 days. The fines are up to the usual $7,500 per violation.

It is important to note that the business under investigation has an affirmative defense if it has a written privacy program according to the National Institute of Standards and Technology (NIST) privacy framework entitled "A Tool for Improving Privacy through Enterprise Risk Management Version 1.0" or other documented policies, standards, and procedures designed to safeguard consumer privacy.