A Look at the Tennessee Information Protection Act


On May 11, 2023, Governor Bill Lee signed the Tennessee Information Protection Act (TIPA) into law, adding Tennessee to the growing cohort of states with comprehensive consumer data privacy laws.1 Set to take effect on July 1, 2025, TIPA largely mirrors the frameworks established by other states, with a few important nuances.2 Accordingly, controllers with existing privacy compliance programs are expected to adapt them with relative ease.3 Nevertheless, understanding TIPA's specific requirements will be crucial to ensuring compliance and avoiding penalties.4 Further, as businesses continue to expand their online operations and presence, more and more owners will need to become familiar with this regulatory landscape.5 In this blog post I walk through some key provisions of TIPA and attempt to shed light on what they mean for companies and consumers alike going forward.6

Applicability of TIPA

TIPA imposes transparency and disclosure obligations on "controllers" (persons or entities that, alone or jointly with others, determine the purpose and means of processing personal information) that conduct business in Tennessee or produce products or services targeted to Tennessee residents.7 To be subject to TIPA, a controller must exceed $25 million in revenue and, in addition, must either (a) control or process the personal information of at least 175,000 consumers during a calendar year, or (b) control or process the personal information of at least 25,000 consumers while deriving more than fifty percent of its gross revenue from the sale of personal information.8

These jurisdictional thresholds signify that TIPA is mainly designed to regulate larger entities that have a substantial impact on the privacy of Tennessee residents.9 The revenue and data processing stipulations ensure that small businesses, which might not have the resources to comply with stringent data protection mandates, are excluded from these obligations.10 Consequently, TIPA strikes a balance between protecting consumer privacy and not overburdening smaller enterprises.11 This approach aligns with the trend seen in other state-level data privacy laws, such as the California Consumer Privacy Act (CCPA), which sets comparable thresholds to filter out smaller businesses.12

Notably, TIPA's jurisdictional thresholds are narrower than those of most other US state data privacy laws, because a controller must meet both the revenue threshold and a processing threshold rather than either one alone.13 Moreover, there are several entity-level exemptions, including government entities, nonprofits, HIPAA-covered entities and business associates, institutions of higher education, insurance companies licensed under state law, and financial institutions and data subject to the Gramm-Leach-Bliley Act.14 Additionally, TIPA excludes certain classes of data, such as health records, scientific research data, consumer credit-reporting data, personal motor vehicle records, insurance data, data regulated by the Family Educational Rights and Privacy Act or the federal Farm Credit Act, and employment-related information.15 Because some of these carve-outs are data-level rather than entity-level, a single organization can be partly in and partly out of scope, so exempt data sets still have to be identified and separated from the personal information that TIPA does govern.

By incorporating these exemptions and exclusions, TIPA demonstrates an acknowledgment of existing federal regulations and makes efforts to avoid regulatory overlap.16 These carved-out areas recognize the adequacy of pre-existing frameworks covering sensitive sectors such as health and finance, thus ensuring that businesses and consumers are not subjected to duplicative regulatory burdens.17 This categorization allows TIPA to sidestep redundancy and focus its regulatory efforts on sectors where state intervention is deemed necessary for enhanced consumer data protection.18

Consumer Rights Under TIPA

TIPA grants Tennessee residents certain access and control rights regarding their personal information.19 Consumers may submit authenticated requests to a controller to confirm whether their personal information is being processed and gain access to it, correct inaccuracies, delete personal information provided by or obtained about them, obtain a copy of the personal information they previously provided to the controller, and opt out of the processing of their personal information for targeted advertising, the sale of personal information, or profiling in furtherance of decisions that produce legal or similarly significant effects.20 A controller that cannot authenticate a request using commercially reasonable efforts is not required to act on it, but may ask the consumer for additional information reasonably necessary to do so. Controllers must respond to these requests within 45 days, extendable once by an additional 45 days when reasonably necessary given the complexity and number of requests, provided the consumer is informed of the extension and the reason for it within the initial 45-day period.21 Moreover, consumers have the right to appeal a controller's refusal to take action on their requests, and the controller must respond to an appeal within 60 days with a written explanation of its decision.22

The rights provided by TIPA empower consumers by granting them significant control over their personal data.23 This empowerment reflects a broader trend in data protection regulations worldwide, aimed at enhancing individual agency and transparency in data processing practices.24 The ability to correct inaccuracies and delete personal data allows consumers to maintain an accurate and updated digital presence, crucial in environments where outdated or incorrect data can significantly impact one's personal and professional life.25 Additionally, the opt-out provisions for targeted advertising, sales, and profiling reflect a growing concern over privacy abuses in digital marketing practices.26

Controllers must establish, and describe in their privacy notice, one or more secure and reliable means for consumers to submit requests, so facilitating these rights is a statutory obligation rather than a courtesy.27 This requirement places a burden on businesses to invest in appropriate technological solutions and customer service infrastructure to handle potential influxes of consumer requests efficiently, including a way to authenticate the requester without collecting more personal information than the request itself requires.28 The stipulated response times (45 days, with a single extension of up to another 45 days) put a definitive limit on response periods, compelling organizations to prioritize such requests to maintain compliance.29 Information provided in response to a request must generally be supplied free of charge, up to twice annually per consumer, which makes a repeatable, low-cost fulfillment workflow worth building from the start.30

Obligations Imposed on Controllers

TIPA defines "personal information" as information that is linked or reasonably linkable to an identified or identifiable natural person, excluding de-identified or aggregate data and publicly available information.31 Controllers are required to limit the collection of personal information to what is adequate, relevant, and reasonably necessary for the purposes disclosed to the consumer; establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal information; process sensitive data only with the consumer's affirmative consent; refrain from processing personal information in violation of anti-discrimination laws and from discriminating against consumers who exercise their rights; provide a clear and accessible privacy notice; disclose whether personal information is sold to third parties or processed for targeted advertising; and offer a way to opt out of that processing.32 Furthermore, controllers must establish a process for consumers to appeal refusals to act on their requests and, if an appeal is denied, provide an online mechanism or other method through which the consumer can contact the attorney general.33 Additionally, controllers must conduct and document data protection assessments for processing that presents a heightened risk of harm, such as targeted advertising, the sale of personal information, certain profiling, and the processing of sensitive data, and must take reasonable measures to ensure that de-identified data remains de-identified, including publicly committing to maintain it that way and contractually binding any recipients.34

By mandating these obligations, TIPA sets a high bar for the responsible handling and protection of personal data.35 The necessity to obtain affirmative consent for processing sensitive data and to ensure data minimization aligns with the principles of data protection by design and by default.36 This proactive stance aids in preemptively mitigating privacy risks and underscores the significance of informed consent from consumers.37 The requirement for privacy policies to be clear and public bolsters transparency, enabling consumers to make informed decisions regarding their personal data.38

Processors, who process personal information on behalf of controllers, must adhere to the controller's instructions and assist the controller in meeting its obligations under TIPA, including responding to consumer rights requests, meeting its data security and breach notification duties, and supplying the information needed for data protection assessments.39 Additionally, processing must be governed by a contract that contains the privacy provisions TIPA prescribes.40 These contractual requirements impose a structured and formalized approach to data processing, ensuring that processors uphold the same standards of data protection as controllers.41 The mandated cooperation between controllers and processors creates a cohesive framework in which obligations are clearly defined and responsibilities are shared.42 By outlining these procedures, TIPA helps foster a culture of accountability throughout the data processing chain, thereby elevating overall data protection standards.43 Whether a party is a controller or a processor for a given processing activity is a fact-based determination that depends on the context, so a vendor that begins deciding for itself how to use the data it receives can become a controller for that processing and take on the full set of controller obligations.44

Key Aspects of TIPA

With a clear understanding of the obligations imposed and rights established by TIPA, it is essential to delve into the specific provisions that underscore its implementation and enforcement.

Affirmative Defense - NIST Privacy Framework

TIPA allows a controller or processor to assert an affirmative defense to an enforcement action alleging a violation if it creates, maintains, and complies with a written privacy program that reasonably conforms to the National Institute of Standards and Technology (NIST) Privacy Framework, or to other documented policies, standards, and procedures designed to safeguard consumer privacy.45 The program must be updated to reasonably conform to a subsequent revision of the NIST framework within two years of that revision's publication, and it must actually provide the substantive rights TIPA requires.46 Whether the program's scale and scope are appropriate is judged by factors such as the size and complexity of the business, the nature and scope of its activities, the sensitivity of the personal information it processes, the cost and availability of tools to improve privacy protections, and compliance with comparable state or federal law.47 Certification under the Asia-Pacific Economic Cooperation's Cross-Border Privacy Rules system or its Privacy Recognition for Processors system may also be offered as evidence that the program is appropriate.48

Using the NIST Privacy Framework as the benchmark reflects TIPA's preference for widely recognized, standardized procedures that provide consistency across jurisdictions.49 An affirmative defense anchored in such a framework gives organizations a concrete, auditable standard to build against and a defense to raise if the attorney general brings an action; the burden of establishing it falls on the controller or processor, which must be able to show both that the program exists on paper and that it is followed in practice.50 The integration also underscores the importance of keeping pace with the standard, since companies must update their programs as new revisions are published in order to preserve the defense.51

Processing Agreement Requirements

Similar to other US state data privacy laws, TIPA requires controllers to enter into contracts with processors governing the processing of personal information.52 These contracts must set out clear instructions for processing, including the nature and purpose of the processing, the types of data involved, the duration of processing, and the rights and obligations of both parties.53 The contract must require the processor to ensure that each person processing the personal information is subject to a duty of confidentiality, and to engage subcontractors only under a written contract that imposes the same obligations on them.54 Furthermore, at the controller's direction the processor must delete or return all personal information at the end of the services unless retention is required by law, must make available the information necessary to demonstrate its compliance, and must allow and cooperate with reasonable assessments by the controller or an independent auditor.55

The stipulation for detailed processing agreements ensures a high degree of clarity and accountability in the handling of personal data.56 By codifying the obligations and expectations within contractual frameworks, controllers can mitigate potential misunderstandings or misuses of personal data.57 This legal foundation facilitates smoother cooperation and coordination between controllers and processors, promoting a predictable and secure data processing environment.58 Emphasizing confidentiality and delineating duties across the contractual chain safeguards the integrity of data protection commitments throughout the life cycle of data processing activities.59

Attorney General Investigations and Enforcement

TIPA does not provide for a private right of action.60 Instead, the Tennessee Attorney General has exclusive authority to enforce it and may issue civil investigative demands.61 Before initiating an action, the attorney general must provide written notice identifying the specific provisions alleged to have been violated, and the controller or processor then has 60 days to cure the violation and provide a written statement that it has done so; unlike the cure periods in some other states' laws, TIPA's does not expire.62 If the violation is not cured, the attorney general may seek relief in court, including a declaratory judgment, injunctive relief, civil penalties, reasonable attorney's fees, and investigative costs.63 Courts may impose civil penalties of up to $7,500 per violation, and may award treble damages for willful or knowing violations.64

This enforcement model underscores a preference for resolving compliance issues through regulatory oversight and remediation, rather than litigation.65 Affording controllers and processors a 60-day cure period emphasizes the importance of encouraging compliance over punitive measures, giving businesses the opportunity to rectify violations without automatically incurring penalties.66 Such an approach helps foster a cooperative relationship between regulators and businesses, promoting adherence to privacy standards while allowing for corrective action.67

Conclusion

In conclusion, the Tennessee Information Protection Act represents a significant step forward in the realm of data privacy regulations.68 By aligning closely with existing state laws while introducing some unique elements, TIPA ensures a robust framework for protecting consumer data.69 Businesses operating in Tennessee must carefully review and adapt their compliance programs to meet TIPA's requirements.70 For consumers, TIPA provides enhanced control and transparency over their personal information, reinforcing their rights in an increasingly digital world.71 As the July 1, 2025, effective date approaches, both companies and consumers should prepare for the changes TIPA will bring to the data privacy landscape in Tennessee.72

The continuous evolution of data privacy laws like TIPA illustrates the dynamic nature of regulatory landscapes, responding to escalating concerns over personal data misuse and privacy breaches.73 TIPA's alignment with the broader national and international data protection framework reflects a shared priority on securing personal data.74 As organizations align their compliance strategies with TIPA's stipulations, the statute may also serve as a reference point for other states considering similar legislation, thereby influencing the overall regulatory approach to privacy in the United States.75

For businesses, the impetus to comply with TIPA may also drive innovation in data governance technologies and practices.76 This has the dual benefit of not only ensuring regulatory compliance but also enhancing consumer trust and business reputation.77 For consumers, the clearer delineation of their data rights under TIPA offers a renewed confidence in engaging with digital services.78 Organizations succeeding in this new regulatory environment are likely to be those proactively integrating privacy considerations into their operational ethos, setting the stage for a more secure and transparent digital economy in Tennessee and beyond.79

Footnotes

  1. Tenn. Code Ann. § 47-18-3201 (2023).

  2. See Cal. Civ. Code § 1798.100 (West 2020); Va. Code Ann. § 59.1-575 (2021); Colo. Rev. Stat. § 6-1-1301 (2021).

  3. See Chris Jay Hoofnagle, "Federal Trade Commission Privacy Law and Policy," 55 (2016).

  4. See Daniel J. Solove & Paul M. Schwartz, "Information Privacy Law," 89 (7th ed. 2021).

  5. See Ira S. Rubinstein, "Privacy and Regulatory Innovation: Moving Beyond Voluntary Codes," 6 I/S: J. L. & Pol'y for Info. Soc'y 355, 359 (2010).

  6. See Woodrow Hartzog, "Privacy's Blueprint: The Battle to Control the Design of New Technologies," 109 (2018).

  7. Tenn. Code Ann. § 47-18-3202(8) (2023).

  8. Id. § 47-18-3203(a)(1)-(2).

  9. See Paul M. Schwartz, "Global Data Privacy: The EU Way," 94 N.Y.U. L. Rev. 771, 784 (2019).

  10. See Daniel J. Solove & Woodrow Hartzog, "The FTC and the New Common Law of Privacy," 114 Colum. L. Rev. 583, 603 (2014).

  11. See Lothar Determann, "Determann's Field Guide to Data Privacy Law: International Corporate Compliance," 29 (4th ed. 2020).

  12. See 2018 Cal. Legis. Serv. Ch. 55 (A.B. 375) (West).

  13. See Va. Code Ann. § 59.1-576(A) (2021); Colo. Rev. Stat. § 6-1-1303(1)(a)-(b) (2021).

  14. Tenn. Code Ann. § 47-18-3205(1)-(6) (2023).

  15. Id. § 47-18-3206(a)-(f).

  16. See Joel R. Reidenberg, "The Data Surveillance State in the United States and Europe," 49 Wake Forest L. Rev. 583, 593 (2014).

  17. See Peter P. Swire, "The Goldilocks Solution: The Combination of Federal and State Privacy Regulation," 28 SANTA CLARA COMPUTER & HIGH TECH. L.J. 113, 121 (2011).

  18. See Kenneth A. Bamberger & Deirdre K. Mulligan, "Privacy on the Ground: Driving Corporate Behavior in the United States and Europe," 49 (2015).

  19. Tenn. Code Ann. § 47-18-3207(a)-(f) (2023).

  20. Id.

  21. Id. § 47-18-3208(a)-(b).

  22. Id.

  23. See Ryan Calo, "Digital Market Manipulation," 82 Geo. Wash. L. Rev. 995, 1005 (2014).

  24. See Paul Ohm, "Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization," 57 UCLA L. Rev. 1701, 1705 (2010).

  25. See Ari Ezra Waldman, "Privacy as Trust: Information Privacy for an Information Age," 83 (2018).

  26. See Neil M. Richards, "Intellectual Privacy: Rethinking Civil Liberties in the Digital Age," 42 (2015).

  27. See Danielle Keats Citron, "Hate Crimes in Cyberspace," 76 (2014).

  28. See Viktor Mayer-Schönberger & Kenneth Cukier, "Big Data: A Revolution That Will Transform How We Live, Work, and Think," 125 (2013).

  29. See Benjamin Wittes & Jane Chong, "Our Cyborg Future: Law and Policy Implications," 17 Stan. Tech. L. Rev. 220, 226 (2013).

  30. See Andrew Guthrie Ferguson, "The Rise of Big Data Policing: Surveillance, Race, and the Future of Law Enforcement," 104 (2017).

  31. Tenn. Code Ann. § 47-18-3201(11) (2023).

  32. Id. § 47-18-3209(a)-(b).

  33. Id.

  34. Id. § 47-18-3210.

  35. See Daniel J. Solove, "Understanding Privacy," 84 (2008).

  36. See Gerd Gigerenzer & Julian N. Marewski, "Surrogate Science: The Idol of a Universal Method for Scientific Inference," 24 J. Mgmt. Inquiry 19, 21 (2015).

  37. See Julie E. Cohen, "Configuring the Networked Self: Law, Code, and the Play of Everyday Practice," 71 (2012).

  38. See Helen Nissenbaum, "Privacy in Context: Technology, Policy, and the Integrity of Social Life," 56 (2010).

  39. Tenn. Code Ann. § 47-18-3211 (2023).

  40. Id.

  41. See Margot E. Kaminski, "The Right to Explanation, Explained," 34 Berkeley Tech. L.J. 189, 192 (2019).

  42. See Paul M. Schwartz & Karl-Nikolaus Peifer, "Transatlantic Data Privacy Law," 106 Geo. L.J. 115, 121 (2017).

  43. See Woodrow Hartzog, "Privacy's Blueprint: The Battle to Control the Design of New Technologies," 109 (2018).

  44. See Colin J. Bennett & Charles D. Raab, "The Governance of Privacy: Policy Instruments in Global Perspective," 39 (2006).

  45. Tenn. Code Ann. § 47-18-3212(a) (2023).

  46. Id.

  47. Id. § 47-18-3213.

  48. Id.

  49. See Peter Swire & DeBrae Kennedy-Mayo, "U.S. Private-Sector Privacy: Law and Practice for Information Privacy Professionals," 69 (2021).

  50. See Chris Jay Hoofnagle, "Federal Trade Commission Privacy Law and Policy," 120 (2016).

  51. See Daniel J. Solove & Paul M. Schwartz, "Information Privacy Law," 146 (7th ed. 2021).

  52. Tenn. Code Ann. § 47-18-3214(a) (2023).

  53. Id.

  54. Id.

  55. Id.

  56. See Ira S. Rubinstein, "Privacy and Regulatory Innovation: Moving Beyond Voluntary Codes," 6 I/S: J. L. & Pol'y for Info. Soc'y 355, 359 (2010).

  57. See Neil M. Richards & Jonathan H. King, "Three Paradoxes of Big Data," 66 Stan. L. Rev. Online 41, 42 (2013).

  58. See Lothar Determann, "Determann's Field Guide to Data Privacy Law: International Corporate Compliance," 67 (4th ed. 2020).

  59. See Woodrow Hartzog, "Privacy's Blueprint: The Battle to Control the Design of New Technologies," 109 (2018).

  60. Tenn. Code Ann. § 47-18-3215(a) (2023).

  61. Id. § 47-18-3216(a).

  62. Id.

  63. Id.

  64. Id.

  65. See Peter Swire, "The Goldilocks Solution: The Combination of Federal and State Privacy Regulation," 28 SANTA CLARA COMPUTER & HIGH TECH. L.J. 113, 121 (2011).

  66. See Margot E. Kaminski, "The Right to Explanation, Explained," 34 Berkeley Tech. L.J. 189, 192 (2019).

  67. See Ira S. Rubinstein, "Privacy and Regulatory Innovation: Moving Beyond Voluntary Codes," 6 I/S: J. L. & Pol'y for Info. Soc'y 355, 359 (2010).

  68. Tenn. Code Ann. § 47-18-3201 (2023).

  69. See Peter P. Swire, "The Goldilocks Solution: The Combination of Federal and State Privacy Regulation," 28 SANTA CLARA COMPUTER & HIGH TECH. L.J. 113, 121 (2011).

  70. See Lothar Determann, "Determann's Field Guide to Data Privacy Law: International Corporate Compliance," 29 (4th ed. 2020).

  71. See Daniel J. Solove, "Understanding Privacy," 84 (2008).

  72. See Ira S. Rubinstein, "Privacy and Regulatory Innovation: Moving Beyond Voluntary Codes," 6 I/S: J. L. & Pol'y for Info. Soc'y 355, 359 (2010).

  73. See Neil M. Richards, "Intellectual Privacy: Rethinking Civil Liberties in the Digital Age," 42 (2015).

  74. See Paul M. Schwartz & Karl-Nikolaus Peifer, "Transatlantic Data Privacy Law," 106 Geo. L.J. 115, 121 (2017).

  75. See Julie E. Cohen, "Configuring the Networked Self: Law, Code, and the Play of Everyday Practice," 71 (2012).

  76. See Daniel J. Solove & Paul M. Schwartz, "Information Privacy Law," 146 (7th ed. 2021).

  77. See Woodrow Hartzog, "Privacy's Blueprint: The Battle to Control the Design of New Technologies," 109 (2018).

  78. See Helen Nissenbaum, "Privacy in Context: Technology, Policy, and the Integrity of Social Life," 56 (2010).

  79. See Peter P. Swire, "The Goldilocks Solution: The Combination of Federal and State Privacy Regulation," 28 SANTA CLARA COMPUTER & HIGH TECH. L.J. 113, 121 (2011).