Tennessee Information Protection Act: What Businesses Need to Know

August 8, 2023

Reading Time : 10+ min

On May 11, 2023, Tennessee joined the rapidly growing ranks of U.S. states to enact a comprehensive data privacy law as Gov. Bill Lee (R-TN) signed the Tennessee Information Protection Act (TIPA) into law. Taking effect July 1, 2025, TIPA is more similar to the Virginia Consumer Data Protection Act (VCDPA) and the more “business-friendly” family of state privacy laws such as the Utah Consumer Privacy Act (UCPA) and the Iowa Act Relating to Consumer Data Protection (ICDPA). While TIPA extends important privacy protections to consumers, several key provisions signal that it is less consumer friendly than the California Consumer Privacy Act (CCPA) and its amending California Privacy Rights Act (CPRA), the Indiana Consumer Data Protection Act (INCDPA) or the Colorado Privacy Act (CPA). In this article, we highlight key provisions of TIPA and dive into the important compliance requirements that businesses need to know.

Key Provisions

  • Applicability – The law only applies to businesses exceeding $25 million in annual revenue that either control or process the personal information of 175,000 or more Tennessee consumers, or control or process the data of 25,000 consumers while deriving more than 50% of gross revenue from the sale of personal information.
  • Safe Harbor – Controllers and processors are allowed to assert an affirmative defense to violations if they maintain a written privacy program that “reasonably conforms” to the current privacy framework set by the National Institute of Standards and Technology (NIST), among other requirements.
  • Insurance Companies Exempt – There is an entity-level carve out for state-licensed insurance companies, a first among state data privacy laws.
  • High Civil Penalties and Treble Damages – Courts may impose civil penalties of up to $7,500 per violation, and treble damages may be awarded for willful or knowing violations.1
  • 60-Day Cure Period – TIPA’s 60-day cure period is one of the longest of all of the enacted state privacy laws. Only Iowa’s 90-day cure period is longer. Importantly for businesses, unlike under the CCPA, for example, TIPA’s cure period does not currently have a sunset date.
  • Two Years to Prepare – Businesses have more than two years to come into compliance with TIPA, providing a generous ramp-up period as compared to the roughly one-year period provided by Connecticut, Montana, Texas and Utah.

What Information Is Covered?

TIPA defines “personal information” as information that is linked or reasonably linkable to an identified or identifiable natural person.2 Similar to other state privacy laws, TIPA establishes a category of “sensitive data” as personal information that includes: (1) personal information revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; (2) the processing of genetic or biometric data for the purpose of uniquely identifying a natural person; (3) the personal information collected from a known child (e.g., a natural person under 13 years of age); or (4) precise geolocation data (e.g., information derived from technology, including, but not limited to, global positioning system level latitude and longitude coordinates or other mechanisms, that directly identifies the specific location of a natural person with precision and accuracy within a radius of 1,750 ft.)3

Who Must Comply with TIPA?

Like other state data privacy laws and the European General Data Protection Regulation (GDPR), the Tennessee law governs the activities of “controllers”—those determining the purpose and means of processing personal data—and “processors”—those who process the personal data on the controller’s behalf.4 To be applicable, TIPA requires a $25 million annual revenue threshold akin to that of the UCPA.

Unless the business is deriving more than 50% of its gross annual revenue from the sale of personal information and controls or processes the information of at least 25,000 Tennessee consumers, TIPA only applies if the business controls or processes the personal information of 175,000 Tennessee consumers—the highest state resident threshold of any enacted state privacy law to date.

What Are the Notable Exemptions?

Just like the other state data privacy laws, TIPA features exemptions for both entities and types of data.

Entity-based Exemptions

TIPA exempts government entities, nonprofits, financial institutions subject to Title V of the Gramm-Leach-Bliley Act (GLBA), institutions of higher education, and covered entities and business associates under the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH).5 TIPA is also the first state privacy law to feature an entity-level carve-out for insurance companies, entirely exempting all insurance companies licensed under Tennessee law (though insurance companies are often using the GLBA exemption of the other comprehensive state privacy laws to achieve similar exemptions).6

Data-Based Exemptions

Much like Utah, Virginia and Iowa, Tennessee’s TIPA does not apply to personal information processed or maintained in the course of employment, including information provided by an individual applying to, or acting as, an employee, agent or independent contractor of a controller, processor or third party, as well as emergency contact information and data used to administer benefits.7 The law’s definition of “consumer” also explicitly excludes natural persons acting in a commercial or employment context.8 Data that is publicly available, aggregated or de-identified is also excluded from the definition of “personal information.”9 Information subject to Title V of the GLBA is exempt, along with information governed by the Fair Credit Reporting Act (FCRA) and information governed by the Family Educational Rights and Privacy Act (FERPA), among others.10 The statute further deems companies that meet the verifiable parental consent requirements of the federal Children’s Online Privacy Protection Act (COPPA) (15 U.S.C. § 6501 et seq.) compliant with TIPA’s parental consent requirements regarding the collection and processing of the personal information of children under age 13.11

TIPA also has a variety of exemptions specific to health data, including an exemption for protected health information under HIPAA, and information and documents created for the Health Care Quality Improvement Act (HCQIA). Patient safety work product created for the Patient Safety and Quality Improvement Act (PSQIA) is exempt, along with information used only for public health activities and purposes as authorized by HIPAA. There are also a number of carve-outs specifically related to personal information collected, processed or sold in connection with certain types of research, such as human subject research and public or peer-reviewed scientific or statistical research in the public interest.12

What Rights Do Tennessee Consumers Have?

Consumers under TIPA enjoy a similar assortment of rights as under other state data privacy laws. For instance, Tennessee consumers have the right to: (1) know whether a controller is processing the consumer’s data and the right to access that data; (2) request that a controller correct inaccuracies in the consumer’s personal data; (3) delete personal data provided by, or obtained about, the consumer; (4) obtain a copy of their personal data in a portable and readily usable format; and (5) opt out of processing for the sale of personal data, targeted advertising or profiling.13 The consumer rights afforded under TIPA most closely align with those under the VCDPA, which includes similar rights to correct inaccuracies and to delete both personal data provided by the consumer and personal data obtained about the consumer, both of which are absent from the UCPA. Similar to the Iowa, Virginia, Colorado and Connecticut laws, Tennessee’s TIPA requires that controllers establish a process for consumers to appeal the refusal to take action on requests to exercise their rights.

However, TIPA contains an expansive carve-out for pseudonymous data. While the law excludes “de-identified data”—data that cannot reasonably be linked to an identified or identifiable natural person—it also does not apply consumer rights to pseudonymous data if the controller demonstrates that consumer identifying information is kept separate with effective technical and organizational controls preventing the controller’s access.14 In the case that controllers disclose either de-identified or pseudonymous data to third parties, controllers must exercise oversight and monitor compliance with contractual commitments concerning that data.15 Additionally, similar to the laws of Utah, Virginia and Iowa, Tennessee’s TIPA does not appear to explicitly require organizations to recognize universal opt-out mechanisms.

What Obligations Do Controllers and Processors Have?

As seen in other state data privacy laws and the GDPR, TIPA divides responsibilities between data controllers and processors.

Controller Requirements:

  • Data Minimization: Controllers must limit personal data collection to what is adequate, relevant and reasonably necessary for the disclosed purpose for which the data is processed.16
  • Avoid Secondary Use: Controllers must have the consumer’s consent before processing personal data for purposes beyond those reasonably necessary for and compatible with the disclosed purpose for which the data is processed.17
  • Data Security: Controllers are required to establish, implement and maintain reasonable administrative, technical and physical practices for data security, appropriate to the volume and nature of the data.18
  • Nondiscrimination: Controllers must not process personal data in violation of state or federal laws prohibiting unlawful discrimination against consumers, and may not discriminate against consumers who exercise their rights under TIPA. This does not preclude controllers from offering different prices or goods to consumers exercising the right to opt out as part of a loyalty or rewards program.19
  • Processor Agreements: Similar to other state laws, controllers are required to enter into binding contracts with processors that, among other things, detail the nature and purpose of the processing, instructions for the processing, and the rights and obligations of both parties. Processors under this contract have a number of requirements, such as establishing a duty of confidentiality for personal data, deleting or returning all personal data to the controller upon the controller’s request at the end of the provision of services, making personal data available upon controller request, arranging for cooperation with the controller’s assessor or independent assessor; and mandating conditions for subcontractor engagement.20
  • Sensitive Data: Much like in Virginia, Colorado and Connecticut, Tennessee’s TIPA requires controllers to obtain a consumer’s opt-in consent prior to processing that consumer’s sensitive data.21 In the event the consumer is a child, the controller must process the child’s sensitive data in accordance with COPPA.
  • Transparency and Purpose Specification: Controllers must provide a clear and reasonably accessible privacy notice and disclose: (1) the categories of data processed; (2) the purpose of the processing; (3) how the consumer may exercise their rights; (4) the categories of data the controller sells to third parties; (5) the categories of third parties, if any, to whom the data is sold; and (6) a reliable means for consumers to submit a request, without requiring the consumer to create a new account. In the event a controller is selling personal information or using it for targeted advertising, the controller must clearly and conspicuously disclose the processing as well as how the consumer may opt out.22
  • Data Protection Assessments: Like many other state laws, including the Virginia, Colorado and Connecticut laws, Tennessee’s TIPA requires controllers to perform a data protection assessment before engaging in certain processing activities. These include: (1) processing for targeted advertising; (2) selling personal data; (3) processing personal data for profiling, in the event the profiling presents a reasonably foreseeable risk of certain legal, financial, physical, reputational or deceptive harms; (4) processing sensitive data; and (5) other processing presenting a heightened risk of harm to consumers.23 TIPA allows the use of assessments conducted for other state laws, provided they have a reasonably comparable scope and effect. Assessments must be conducted for processing generated on or after July 1, 2024.24 However, there is no requirement to conduct assessments prior to TIPA’s effective date of January 1, 2025.

Controllers under TIPA have 45 days to respond to consumer requests, consistent with the timelines of other state privacy laws. TIPA also grants companies the option for a 45-day extension provided they issue proper notice to the consumer.25

Processor Requirements:

TIPA requires processors to adhere to controller instructions and assist controllers with their obligations, which includes entering into a binding contract, responding to consumer requests and providing necessary information for the controller to conduct data protection assessments.

NIST Safe Harbor

Tennessee is the first state to provide an explicit affirmative defense provision within its comprehensive privacy law, giving controllers and processors a safe harbor in the event they are sued for a violation of TIPA.26 TIPA provides this never-before-seen affirmative defense to violations of the law if the controller or processor creates, maintains and complies with a written privacy policy that “reasonably conforms” to the NIST Privacy Framework or “other documented policies, standards, and procedures designed to safeguard consumer privacy.”27 The NIST Privacy Framework is a set of voluntary guidelines for privacy programs, based on five core functions:

  1. Identify: Developing organizational understanding to manage privacy risk to individuals from processing personal data.
  2. Govern: Implementing governance structure to enable ongoing understanding of risk management priorities.
  3. Control: Implementing appropriate activities to allow individuals or organizations to manage data to effectively manage privacy risk.
  4. Communicate: Developing appropriate activities to allow individuals and organizations to understand privacy risks associated with data processing.
  5. Protect: Implementing appropriate data processing safeguards to prevent cybersecurity-related privacy events.28

The scale and scope of this reasonably conforming privacy framework must also be based on: (1) the size and complexity of the controller or processor’s business; (2) the nature and scope of the activities of the controller or processor; (3) the sensitivity of the personal data; (4) the cost and availability of tools to improve privacy protections and data governance; and (5) compliance with a comparable state or federal law.29

Because the NIST Privacy Framework is a set of voluntary guidelines developed to give businesses flexibility in risk management, and there are currently no Tennessee Rules & Regulations interpreting TIPA, it is unclear how privacy programs will be evaluated to determine if they “reasonably conform” to the NIST framework. Likewise, it remains to be seen how successful controllers and processors will be in invoking this affirmative defense in enforcement actions.

Who Enforces TIPA?

As with all other similar state laws except the CCPA, there is no private right of action under TIPA. Rather, the Tennessee Attorney General and Reporter (AG) retains exclusive enforcement authority for TIPA violations. Before initiating any action against an offending controller or processor, the AG must provide 60 days’ written notice and an opportunity to cure.30 The AG may not initiate an enforcement action against the business if, within the cure period, the business submits a written confirmation that the violation has been cured and no further violations of the kind will occur.31 If the alleged violations are not cured, the AG may file an action and seek declaratory, injunctive and monetary relief, including a $7,500 maximum civil penalty per violation, along with reasonable attorney’s fees and investigative costs. However, in the event of willful or knowing violations, treble damages may be awarded at the court’s discretion.32

Companies will have until July 1, 2025 when TIPA goes into effect to ensure they are compliant, and those that have already taken steps to comply with earlier state privacy laws should be well positioned for compliance with TIPA. As additional comprehensive state privacy laws are on the way, along with forthcoming international data protection laws, it is more important than ever for companies to adopt a robust privacy program framework that can adapt to new regulatory requirements.

Learn about the other State Laws in Akin’s State Data Privacy Law Series, as well as our CCPA Report:

  1. Virginia Consumer Data Protection Act: What Businesses Need to Know | Akin (akingump.com)
  2. Colorado Privacy Act: What Businesses Need to Know | Akin (akingump.com)
  3. Connecticut Data Privacy Act: What Businesses Need to Know | Akin (akingump.com); Businesses and Consumers Prepare as the CTDPA Takes Effect on July 1 | Akin Gump Strauss Hauer & Feld LLP
  4. Utah Consumer Privacy Act: What Businesses Need to Know | Akin (akingump.com)
  5. Iowa Data Protection Act: What Businesses Need to Know | Akin Gump Strauss Hauer & Feld LLP
  6. Key Takeaways from Akin’s CCPA Litigation and Enforcement Report | Akin (akingump.com)

1 Further, the law explicitly provides that each provision violated and each consumer affected are considered separate violations.

2 Public Chapter No. 408 §§ 47-18-3201(18) (Tennessee 2023), available at https://publications.tnsosfiles.com/acts/113/pub/pc0408.pdf, hereinafter “TIPA.”

3 Id. §3201(5), (18) and (26).

4 Id. §3201(8), (20).

5 Id. § 3210(a)(1-6).

6 Id. § 3210(a)(3).

7 Id. § 3210(a)(20).

8 Id. § 3201(7)(B).

9 Id. § 3201(17)(B).

10 Id. § 3210(a).

11 Id. § 3210(b).

12 Id. § 3210(a)(10), (21).

13 Id. § 3203(a)(2)(A-E), § 3201(21). “Profiling” here refers to “a form of solely automated processing performed on personal information to evaluate, analyze, or predict personal aspect related to an identified or identifiable natural person’s economic situation, health, personal preferences, interests, reliability, behavior, location or movements.”

14 Id. § 3207(c).

15 Id. § 3207(d).

16 Id. § 3204(a)(1).

17 Id. § 3204(a)(2).

18 Id. § 3204(a)(3).

19 Id. § 3204(a)(5).

20 Id. § 3205(b).

21 Id. § 3204(a)(6), § 3201(26).

22 Id. § 3204(c-d).

23 Id. § 3206(a).

24 Id. § 3206(f).

25 Id. § 3203(b)(1).

26 Other states such as Utah, Connecticut and Ohio have included safe harbors for those companies that follow various cybersecurity frameworks, including the NIST Cybersecurity Framework. Tennessee’s is the first law adopting a safe harbor for those following the NIST Privacy Framework.

27 Id. § 3213(a).

28 Dep’t of Com., NIST, The NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management Version 1.0 (January 16, 2020), available at https://www.nist.gov/privacy-framework/privacy-framework.

29 TIPA at § 3213(b).

30 Id. § 3212(b).

31 Id.

32 Id. § 3212(d)(1-2).

© 2024 Akin Gump Strauss Hauer & Feld LLP. All rights reserved. Attorney advertising. This document is distributed for informational use only; it does not constitute legal advice and should not be used as such. Prior results do not guarantee a similar outcome. Akin is the practicing name of Akin Gump LLP, a New York limited liability partnership authorized and regulated by the Solicitors Regulation Authority under number 267321. A list of the partners is available for inspection at Eighth Floor, Ten Bishops Square, London E1 6EG. For more information about Akin Gump LLP, Akin Gump Strauss Hauer & Feld LLP and other associated entities under which the Akin Gump network operates worldwide, please see our Legal Notices page.