This week Tennessee joined seven states in enacting a comprehensive consumer data privacy law. Let us remind you that before that such laws were created by California, Virginia, Colorado, Connecticut, Utah, Iowa, and Indiana.
General information
The Tennessee Information Protection Act (TIPA) passed unanimously through both houses of the Tennessee legislature and was signed by Governor Bill Lee on May 11, 2023. TIPA is using “business-friendly" approach. TIPA cones into effect on July 1, 2025.
Key rules:
Scope of application:
TIPA applies to companies that conduct business in Tennessee or produce products or services that target Tennessee residents and that:
Exceed $25 million in annual revenue, and
Either (1) control or process personal information of at least 25,000 consumers and derive more than fifty percent (50%) of gross revenue from the sale of personal information or (2) during a calendar year, control or process personal information of at least 175,000 consumers.
Exemptions
Consistent with most other state data privacy laws, TIPA contains both entity-level exemptions and data-specific exemptions. TIPA's entity-level exemptions include:
Government entities, which includes any authority, board, body, bureau, commission, district, or agency of the state or of a political subdivision of the state;
Insurance companies licensed under state law (TIPA is unique among state privacy laws in exempting licensed insurance companies entirely);
Nonprofit organizations;
Financial institutions subject to Title V of the Gramm-Leach-Bliley Act (GLBA);
Covered entities and business associates governed by the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH); and
Institutions of higher education.
TIPA's data-specific exemptions include:
Information governed by the Fair Credit Reporting Act (FCRA);
Information subject to Title V of the GLBA;
Protected health information under HIPAA;
Information and documents created for purposes of the Health Care Quality Improvement Act (HCQIA);
Patient safety work product for purposes of the Patient Safety and Quality Improvement Act (PSQIA);
Controllers and processors in compliance with provisions of the Children's Online Privacy Protection Act (COPPA);
Information governed by the Family Educational Rights and Privacy Act (FERPA);
Personal information collected, processed, sold or disclosed in compliance with the Driver's Privacy Protection Act;
Personal information collected, processed, sold, or disclosed in compliance with the Farm Credit Act;
Personal information maintained or used for purposes of compliance with the regulation of listed chemicals under the Controlled Substances Act;
Information collected as part of public- or peer-reviewed scientific or statistical research in the public interest;
Information relating to applicants and employees "to the extent that the data is collected and used within the context of that role," including emergency contact information and benefits.
TIPA includes standard limitations under state privacy laws. This includes: the law does not restrict a controller or processor from collecting, using, or retaining personal data to:
Conduct internal research to develop, improve, or repair products, services or technology;
Effectuate a product recall;
Identify and repair technical errors that impair existing or intended functionality; or
Perform internal operations" that are reasonable based on consumer expectations or the consumer relationship.
Definitions
“consumer" a natural person who resides in Tennessee "acting only in a personal context." TIPA does not apply to the personal data of individuals acting in a commercial or employment context.
"Sensitive data" is quite close to GDPR understanding, however has the “precise geolocation” and known children’s data added. Precise geolocation data (location within a radius of 1,750 feet). Personal data collected from a known child (i.e., someone under the age of 13).
The rights of data subjects and time limit for data subject requests
The rights of data subjects: Right to erasure, right to data portability, consumer to access their personal information and to confirm whether a controller is processing the consumer's personal information, Request that a controller that sold personal information about the consumer, or disclosed the information for a business purpose, to disclose to the consumer.
Nuances about the right to erasure “A business is not required to delete information that it maintains or uses as aggregate or de-identified data, provided that such data in the possession of the business is not linked to a specific consumer”
Nuance about Request that a controller that sold personal information about the consumer:
The categories of personal information about the consumer the business sold;
(ii) The categories of third parties to which the personal information about the consumer was sold by category of personal information for each category of third parties to which the personal information was sold;
(iii) The categories of personal information about the
consumer that the business disclosed for a business purpose; and
DSAR time limits: A controller shall respond to the consumer without undue delay, but in all cases within forty-five (45) days of receipt of a request submitted pursuant to subsection (The period may be extended once by forty-five (45) additional days when reasonably necessary, taking into account the complexity and number of the consumer's requests, so long as the controller informs the consumer of the extension within the initial forty-five-day response period, together with the reason for the extension
Information provided in response to a consumer request must be provided by a controller free of charge, up to twice annually per consumer. If requests from a consumer are manifestly unfounded, technically infeasible, excessive, or repetitive, then the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The controller bears the burden of demonstrating the manifestly unfounded, technically infeasible, excessive, or repetitive nature of the request
Transparency obligation of controller
Upon receipt of an authenticated consumer request, a controller shall provide the consumer with a reasonably accessible, clear, and meaningful privacy notice that includes:
Purpose of processing personal information;
Categories of personal information processed by the controller;
Categories of personal information the controller sells to third parties, if any;
How consumers may exercise their rights, including how a consumer may appeal a controller's decision with regard to the consumer's request; and
The right to opt out of the sale of personal information to third parties and the ability to request deletion or correction of certain personal information.
Compliance with the NIST Privacy Framework
TIPA provides a first-of-its-kind safe harbor by allowing controllers and processors to assert an affirmative defense to claims for violations if they create, maintain, and comply with a written privacy program that "reasonably conforms" to the current and updated National Institute of Standards and Practices ("NIST") privacy framework ("NIST Privacy Framework") or "other documented policies, standards, and procedures designed to safeguard consumer privacy." The NIST Privacy Framework provides a guidance on how to improve risk management for data processing focusing on the following principles:
Identify the privacy risk.
Govern = developing and implementing organizational governance with respect to privacy risk.
Control =developing and implementing policies, processes, to manage privacy risk.
Communicate =raise and ensure awareness of proper data-processing practices.
Protect = implementing appropriate safeguards.
DPIA requirement activities
Processing for targeted marketing;
Sale of personal information;
Processing of personal information for profiling if the profiling presents a reasonably foreseeable risk of legal, deceptive, discriminatory, financial, reputational or physical harms;
Processing sensitive data; and
A catch-all category of any processing activities involving personal information "that present a heightened risk of harm to consumers."
No Private Right of Action
There is no private right of action, including "a class action lawsuit," afforded to consumers for violations of TIPA under this or "any other law."
Commentaires