What is the Tennessee Information Protection Act?
The Tennessee Information Protection Act (TIPA), or Senate Bill 73, is Tennessee’s privacy law and the eighth comprehensive data privacy law in the United States. It was passed unanimously on May 11, 2023, and becomes effective on July 1, 2024. It bears similarities to the laws of Virginia, Utah, and Iowa, taking a more business-friendly approach.
What is Personal Information and what are other key definitions?
The Tennessee Information Protection Act (TIPA) offers a definition for ‘personal information’ as “information that identifies, relates to, or describes a particular consumer or is reasonably capable of being directly or indirectly associated or linked with, a particular consumer” and includes an exhaustive list of what is considered personal information, namely:
- “Identifiers such as a real name, alias, unique identifier, online identifier, internet protocol address, email address, account name, social security number, driver license number, passport number, or other similar identifiers;
- Information that identifies, relates to, describes, or could be associated with, a particular individual, including, but not limited to, signature, physical characteristics or description, address, telephone number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or other financial, medical, or health insurance information;
- Characteristics of protected classifications under state or federal law;
- Commercial information, including records of personal property, products, or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies;
- Biometric data;
- Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer's interaction with an internet website, application, or advertisement;
- Geolocation data;
- Audio, electronic, visual, thermal, olfactory, or similar information;
- Professional or employment-related information;
- Education information that is not publicly available information, or that is personally identifiable information;
- Inferences drawn from the information identified to create a profile about a consumer reflecting the consumer's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.”
However, personal information does not include information that is publicly available information or de-identified or aggregate consumer information. Just like with other consumer privacy laws across the United States, the Tennessee privacy law also offers a definition for ‘sensitive data’ as “a category of personal information that includes:
- personal information revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;
- the processing of genetic or biometric data for the purpose of uniquely identifying a natural person;
- the personal information collected from a known child; or
- precise geolocation data.”
Along the same lines, ‘biometric data’ is “data generated by automatic measurement of an individual's biological characteristics, such as a fingerprint, voiceprint, eye retina or iris, or other unique biological patterns or characteristics that are used to identify a specific individual,” which excludes “a physical or digital photograph, video recording, or audio recording or data generated from a photograph or video or audio recording; or information collected, used, or stored for healthcare treatment, payment, or operations under HIPAA.”
Under the Tennessee Information Protection Act (TIPA) a ‘child’ is defined as “a natural person younger than thirteen years of age,” and a data subject, or ‘consumer,’ is “a natural person who is a resident of this state acting only in a personal context.” A ‘controller’ is “the natural or legal person that, alone or jointly with others, determines the purpose and means of processing personal information” and a ‘processor’ is “a natural or legal entity that processes personal information on behalf of a controller.”
‘Consent’ has to be “a clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to process personal information relating to the consumer” and it includes “a written statement, including a statement written by electronic means, or an unambiguous affirmative action.” The act of ‘processing’ refers to “an operation or set of operations performed, whether by manual or automated means, on personal information or on sets of personal information, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal information.”
Last but not least, the Tennessee Information Protection Act (TIPA) defines the ‘sale of personal information’ as “the exchange of personal information for monetary or other valuable consideration by the controller to a third party,” which does not include certain types of disclosures as follows:
- “the disclosure of personal information to a processor that processes the personal information on behalf of the controller;
- the disclosure of personal information to a third party for purposes of providing a product or service requested by the consumer;
- the disclosure or transfer of personal information to an affiliate of the controller;
- the disclosure of information that the consumer:
  - intentionally made available to the general public via a channel of mass media; and
  - did not restrict to a specific audience;
- the disclosure or transfer of personal information to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller's assets; or
- the disclosure of personal information to a third party at the direction, and with the consent, of the consumer.”
Who has to comply with the Tennessee Information Protection Act?
The Tennessee Information Protection Act applies to persons that conduct business in Tennessee or produce products or services that are targeted to residents of Tennessee and that:
- during a calendar year, control or process personal information of at least one hundred thousand (100,000) consumers; or
- control or process personal information of at least twenty-five thousand (25,000) consumers and derive more than fifty percent (50%) of gross revenue from the sale of personal information.
Who is excluded from compliance with the Tennessee Information Protection Act?
The Tennessee Information Protection Act exempts certain types of data and certain entities as follows:
- a body, authority, board, bureau, commission, district, or agency of this state or of a political subdivision of this state;
- a financial institution, an affiliate of a financial institution, or data subject to Title V of the federal Gramm-Leach-Bliley Act;
- an individual, firm, association, corporation, or other entity that is licensed in this state under title 56 as an insurance company and transacts insurance business;
- a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States department of health and human services, established pursuant to HIPAA, and the federal Health Information Technology for Economic and Clinical Health Act;
- a nonprofit organization;
- an institution of higher education;
- protected health information under HIPAA;
- patient health records;
- patient identifying information;
- personal information processed for purposes of research conducted, human subjects research conducted in accordance with good clinical practice guidelines issued by The International Council for Harmonization of Technical Requirements for Pharmaceuticals for Human Use, or research conducted in accordance with the protection of human subjects;
- information and documents created for purposes of the federal Health Care Quality Improvement Act of 1986;
- patient safety work product for purposes of the federal Patient Safety and Quality Improvement Act;
- information derived from healthcare-related information that is de-identified in accordance with the requirements for de-identification pursuant to HIPAA;
- information used only for public health activities and purposes as authorized by HIPAA;
- information related to a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living;
- personal information collected, processed, sold, or disclosed in compliance with the federal Driver's Privacy Protection Act of 1994, the federal Family Educational Rights and Privacy Act (FERPA), or the federal Farm Credit Act;
- data processed for employment purposes, or for administering employment benefits to a consumer or their dependents;
- information collected as part of public- or peer-reviewed scientific or statistical research in the public interest.
How can I keep my organization compliant with the Tennessee Information Protection Act?
The following apply to controllers under the Tennessee Privacy Act:
- limit the collection of personal information to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the data is processed, as disclosed to the consumer;
- except as otherwise provided, do not process personal information for purposes that are beyond what is reasonably necessary to and compatible with the disclosed purposes for which the personal information is processed, as disclosed to the consumer, unless you obtain the consumer's consent;
- establish, implement, and maintain reasonable administrative, technical, and physical data security practices, to protect the confidentiality, integrity, and accessibility of personal information. The data security practices must be appropriate to the volume and nature of the personal information at issue;
- you are not required to delete information that you maintain or use as aggregate or de-identified data, provided that such data in your possession is not linked to a specific consumer;
- do not process personal information in violation of state and federal laws that prohibit unlawful discrimination against consumers;
- you cannot discriminate against a consumer for exercising their consumer rights, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods and services to the consumer. However, you are not required to provide a product or service that requires the personal information of a consumer that you don’t collect or maintain, and you can offer a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the consumer has exercised the right to opt out or the offer is related to a consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program;
- do not process sensitive data concerning a consumer without obtaining their consent, or, in the case of the processing of sensitive data concerning a known child, without processing the data in accordance with the federal Children's Online Privacy Protection Act;
- provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes:
  - the categories of personal information processed by the controller;
  - the purpose for processing personal information;
  - how consumers may exercise their consumer rights, including how a consumer may appeal a decision you made with regard to their consumer request;
  - the categories of personal information that the controller sells to third parties, and the categories of third parties, if any, to whom you sell personal information;
  - the right to opt out of the sale of personal information to third parties and the ability to request deletion or correction of certain personal information;
  - at least one of the following: a toll-free telephone number; an email address; a web form; or a clear and conspicuous link on your main internet homepage to an internet webpage that enables a consumer to exercise the rights provided. Regardless of method, you have to ensure the method is capable of authenticating the identity of the consumer making the request; you cannot require a consumer to create a new account in order to exercise their consumer rights, but you may require a consumer to use an existing account;
- if you sell personal information to third parties or process personal information for targeted advertising, then you have to clearly and conspicuously disclose the processing, as well as the manner in which a consumer may exercise the right to opt out of the processing;
- conduct and document a data protection assessment of each of the following processing activities involving personal information:
  - the processing of personal information for purposes of targeted advertising;
  - the sale of personal information;
  - the processing of personal information for purposes of profiling, where the profiling presents a reasonably foreseeable risk of unfair or deceptive treatment of, or unlawful disparate impact on, consumers; financial, physical, or reputational injury to consumers; a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where the intrusion would be offensive to a reasonable person; or other substantial injury to consumers;
  - the processing of sensitive data; and
  - processing activities involving personal information that present a heightened risk of harm to consumers.
As a processor you are responsible for adhering to the instructions of a controller and you have to assist the controller in meeting its obligations under this law. A contract between a controller and a processor has to govern the processor's data processing activity with respect to processing performed on behalf of the controller, which is binding and must clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties.
One obligation that the Tennessee Privacy Act places on both controllers and processors is that each has to create, maintain, and comply with a written privacy program that reasonably conforms to the National Institute of Standards and Technology (NIST) privacy framework entitled ‘A Tool for Improving Privacy through Enterprise Risk Management Version 1.0.’ Every time the NIST privacy framework is revised, both controllers and processors have to reasonably conform their privacy programs to the revised framework not later than one year after its publication date. The privacy program has to provide consumers with the substantive rights required, and its scale and scope are considered appropriate if they are based on all of the following factors:
- the size and complexity of the controller or processor's business;
- the nature and scope of the activities of the controller or processor;
- the sensitivity of the personal information processed;
- the cost and availability of tools to improve privacy protections and data governance;
- compliance with a comparable state or federal law.
In addition to this, a controller or processor's privacy program must also disclose the commercial purposes for which the controller or processor collects, controls, or processes personal information. Failure to maintain such a privacy program “that reflects the controller or processor's data privacy practices to a reasonable degree of accuracy is considered an unfair and deceptive act or practice.” Also, alongside a privacy program, controllers or processors have the option of certification “pursuant to the Asia Pacific Economic Cooperation's Cross Border Privacy Rules system” or “the Asia Pacific Economic Cooperation's Privacy Recognition for Processors system.”
What data access rights does the Tennessee Information Protection Act grant?
Under Tennessee privacy law consumers have the following rights:
- The right to know
- The right to access
- The right to correct
- The right to delete
- The right to data portability
- The right to opt out of the sale of personal information or processing for purposes of targeted advertising.
How to address data subject access requests under the Tennessee Information Protection Act?
You have to respond to a consumer request “without undue delay, but in all cases within 45 days of receipt of a request submitted.” You may extend this with an additional 45 days “when reasonably necessary, taking into account the complexity and number of the consumer's requests,” as long as you inform the consumer of the extension within the initial forty-five-day response period, together with the reason for the extension.
If you decline to take action on a consumer request you have to inform the consumer “without undue delay, but in all cases and at the latest within 45 days of receipt of the request, of the justification for declining to take action and instructions for how to appeal the decision.” Any information provided in response to a consumer request has to be provided free of charge “up to twice annually per consumer,” however “if requests from a consumer are manifestly unfounded, technically infeasible, excessive, or repetitive,” then you may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request, but you bear the responsibility of demonstrating the manifestly unfounded, technically infeasible, excessive, or repetitive nature of the request.
Consumer requests have to be authenticated, and if you are unable to do so “using commercially reasonable efforts,” then you are not required to comply with the request and may ask the consumer to provide additional information reasonably necessary to authenticate them and their request. For those cases where you refuse to take action on a consumer request, you have to establish a process for a consumer to appeal your refusal within a reasonable period of time after they receive your decision. This appeal process has to be made available to consumers in a conspicuous manner, must be available at no cost to them, and must be similar to the process for submitting requests.
Upon receipt of an appeal to your decision, you have 60 days to inform the consumer in writing of action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If you deny the appeal then you have to provide the consumer with an online mechanism, if available, or other method through which they can contact the attorney general to submit a complaint.
Enforcement and penalties
The Tennessee Information Protection Act (TIPA) grants enforcement authority to the Attorney General, who may investigate complaints. Prior to initiating an action, the Attorney General will allow for a 60-day cure period, after which, if the violation is not cured, the Attorney General “may bring an action in a court of competent jurisdiction seeking any of the following relief:
- declaratory judgment that the act or practice violates this chapter;
- injunctive relief, including preliminary and permanent injunctions, to prevent an additional violation of and compel compliance with this part;
- civil penalties;
- reasonable attorney's fees and investigative costs;
- other relief the court determines appropriate.”
Civil penalties can go up to $15,000 for each violation.
Data Subject Rights - GDPR vs. the Tennessee Information Protection Act
GDPR
- Right to access data
- Right to correct inaccurate data
- Right to the portability of data
- Right to delete personal information
- Right to information about how entities are sharing your data
- Right to restrict processing
- Right to object to processing
- Right to object to automated processing
Tennessee Information Protection Act
- Right to know
- Right to access
- Right to correct
- Right to delete
- Right to data portability
- Right to opt out of personal data processing for the purposes of targeted advertising
How can Clym help?
Clym believes in striking a balance between digital compliance and your business needs, which is why we offer businesses the following:
- All-in-one platform: One interface combining Privacy and Accessibility compliance with global regulations, at an affordable price;
- Seamless integration into your website;
- Adaptability to your users’ location and applicable regulation;
- Customizable branding;
- Ready Compliance: Covering 30+ data privacy regulations;
- Six preconfigured accessibility profiles, as well as 25+ display adjustments that allow visitors to customise their individual experience.
FAQs about the Tennessee Information Protection Act
What does the Tennessee Information Protection Act apply to?
The Tennessee Information Protection Act applies to persons that conduct business in Tennessee or produce products or services that are targeted to residents of Tennessee and that during a calendar year, control or process personal information of at least 100,000 consumers; or control or process personal information of at least 25,000 consumers and derive more than 50% of gross revenue from the sale of personal information.
What does the Tennessee Information Protection Act exempt?
The Tennessee Information Protection Act exempts certain types of data and certain entities such as, for example, a body, authority, board, bureau, commission, district, or agency of this state or of a political subdivision of Tennessee; financial institutions and their affiliates; nonprofits; higher education institutions; protected health information under HIPAA; patient health records; patient identifying information; etc.
What privacy rights does the Tennessee Information Protection Act provide to Tennessee residents?
Under the Tennessee Information Protection Act (TIPA) consumers have the following rights:
- The right to know
- The right to access
- The right to correct
- The right to delete
- The right to data portability
- The right to opt out of the sale of personal information or processing for purposes of targeted advertising
Who enforces the Tennessee Information Protection Act?
The Tennessee Information Protection Act (TIPA) grants enforcement authority to the Attorney General, who may investigate complaints. Prior to initiating an action, the Attorney General will allow for a 60-day cure period.
What are the penalties for violations of the Tennessee Information Protection Act?
Penalties under the Tennessee Information Protection Act consist of a civil penalty of up to $15,000 for each violation.