Tennessee Enacts Comprehensive Consumer Data Privacy Law
Tennessee recently enacted a comprehensive state data privacy law, the Tennessee Information Protection Act (“TIPA”), following other states like Virginia, California, Colorado, Utah, Connecticut, Iowa, and Indiana. TIPA becomes effective on January 1, 2025.
TIPA applies to persons doing business in the state and producing products or services targeted to Tennessee residents that have annual revenue exceeding $25,000,000 and either (i) control or process the personal information of 25,000 or more consumers and derive more than 50% of their gross revenue from the sale of that information, or (ii) control or process the personal information of 175,000 or more consumers during a calendar year. “Personal information” is defined as “information that is linked or reasonably linkable to an identified or identifiable natural person,” but excludes de-identified or aggregate information and publicly available information. TIPA also addresses how de-identified data may be processed and the limits of the law’s reach.
Certain entities are exempt from TIPA, including, but not limited to, (i) financial institutions, their affiliates, and data subject to Title V of the Gramm-Leach-Bliley Act, (ii) entities and persons governed by the Health Insurance Portability and Accountability Act (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”) rules, 45 CFR Parts 160 and 164, (iii) Tennessee-licensed insurance businesses or individuals, (iv) government entities, including any agency of the state or of a political subdivision of the state, (v) institutions of higher education, and (vi) non-profit organizations. Certain information is also exempt, such as protected health information under HIPAA.
TIPA differentiates a “controller,” which is an entity that determines the purpose and means of processing personal information, from a “processor,” which is the person or entity that processes personal information on behalf of the controller. The processor must adhere to the controller’s processing instructions as set forth in a written contract, and that contract must require the processor to keep personal information confidential, return or delete personal information at the end of the services it provides, and make available the information needed to demonstrate its compliance with TIPA.
TIPA grants Tennessee consumers certain rights with respect to their personal information. Consumers may request (i) confirmation of whether the controller is processing the consumer’s personal information and access to that information, (ii) correction of inaccuracies, (iii) deletion of personal information provided by or obtained about the consumer (though the controller may retain and use the data if it is aggregate or de-identified, under certain circumstances, and TIPA sets out how to comply with a deletion request for personal information that was not obtained directly from the consumer), (iv) a copy of that information in a portable and usable format so the consumer can transmit it to another controller, and (v) the ability to opt out of any sale of personal information, targeted advertising, or certain types of profiling.
A controller must respond to a consumer’s request within 45 days of receipt, but may extend that period once by an additional 45 days if reasonably necessary, provided the consumer is informed of the extension within the original 45-day period. A controller must respond free of charge to up to two requests per consumer per year, with some exceptions. If the controller cannot authenticate the consumer’s request, it is not required to comply with it. A controller may decline to act on a request, but must inform the consumer within 45 days of receiving it, explain why no action was taken, and provide instructions for how to appeal. The appeal process must be free, conspicuous, and similar to the original request process, and TIPA imposes additional requirements on it.
Notice Requirements and Other Obligations
Among other duties, the controller must provide a privacy notice that includes certain information, including, but not limited to, the categories of personal information that it processes, the purposes for which it processes personal information, and any categories of personal information that are shared with third parties. Additionally, TIPA requires that controllers conduct and document data protection assessments for certain processing activities, such as targeted advertising and the sale of personal information.
Penalties and Enforcement
There is no private right of action. The Tennessee attorney general has exclusive enforcement authority and must give a controller or processor written notice and a 60-day period to cure an alleged violation before bringing an action. A controller or processor that creates, maintains, and complies with a written privacy program that reasonably conforms to the National Institute of Standards and Technology (NIST) Privacy Framework may assert that program as an affirmative defense to a cause of action for a violation of TIPA.