Who is excluded from compliance with the Tennessee Information Protection Act? 

The Tennessee Information Protection Act exempts certain types of data and certain entities as follows: 

• a body, authority, board, bureau, commission, district, or agency of this state or of a political subdivision of this state;
• a financial institution, an affiliate of a financial institution, or data subject to Title V of the federal Gramm-Leach-Bliley Act;
• an individual, firm, association, corporation, or other entity that is licensed in this state under title 56 as an insurance company and transacts insurance business;
• a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States department of health and human services, established pursuant to HIPAA, and the federal Health Information Technology for Economic and Clinical Health Act;
• a nonprofit organization;
• an institution of higher education;
• protected health information under HIPAA;
• patient health records;
• patient identifying information; 
• personal information processed for purposes of research conducted, human subjects research conducted in accordance with good clinical practice guidelines issued by The International Council for Harmonization of Technical Requirements for Pharmaceuticals for Human Use, or research conducted in accordance with the protection of human subjects; 
• information and documents created for purposes of the federal Health Care Quality Improvement Act of 1986;
• patient safety work product for purposes of the federal Patient Safety and Quality Improvement Act;
• information derived from healthcare-related information that is de-identified in accordance with the requirements for de-identification pursuant to HIPAA;
• information used only for public health activities and purposes as authorized by HIPAA;
• information related to an consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living;
• personal information collected, processed, sold, or disclosed in compliance with the federal Driver's Privacy Protection Act of 1994, the federal Family Educational Rights and Privacy Act (FERPA), or the federal Farm Credit Act;
• data processed for employment purposes, or for administering employment benefits to a consumer or their dependents; 
• information collected as part of public- or peer-reviewed scientific or statistical research in the public interest. 
  
  

How can I keep my organization compliant with the Tennessee Information Protection Act? 

The following apply to controllers under the Tennessee Privacy Act:

• limit the collection of personal information to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the data is processed, as disclosed to the consumer;
• except as otherwise provided, do not process personal information for purposes that are beyond what is reasonably necessary to and compatible with the disclosed purposes for which the personal information is processed, as disclosed to the consumer, unless you obtain the consumer's consent;
• establish, implement, and maintain reasonable administrative, technical, and physical data security practices, to protect the confidentiality, integrity, and accessibility of personal information. The data security practices must be appropriate to the volume and nature of the personal information at issue;
• you are not required to delete information that you maintain or use as aggregate or de-identified data, provided that such data in your possession is not linked to a specific consumer;
• do not process personal information in violation of state and federal laws that prohibit unlawful discrimination against consumers. 
• you cannot discriminate against a consumer for exercising their consumer rights, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods and services to the consumer. However, you are not required to provide a product or service that requires the personal information of a consumer that you don’t collect or maintain, and you can offer a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the consumer has exercised the right to opt out or the offer is related to a consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program; 
• do not process sensitive data concerning a consumer without obtaining their consent, or, in the case of the processing of sensitive data concerning a known child, without processing the data in accordance with the federal Children's Online Privacy Protection Act;
• provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes:
  • the categories of personal information processed by the controller; 
  • the purpose for processing personal information;
    how consumers may exercise their consumer rights, including how a consumer may appeal a decision you made with regards to their consumer request;
  • the categories of personal information that the controller sells to third parties, and the categories of third parties, if any, to whom you sell personal information;
  • the right to opt out of the sale of personal information to third parties and the ability to request deletion or correction of certain personal information; 
  • at least one of the following: a toll-free telephone number; an email address; a web form; or a clear and conspicuous link on your main internet homepage to an internet webpage that enables a consumer to exercise the rights provided. Regardless of method, you have to ensure the method is capable of authenticating the identity of the consumer making the request and cannot  require a consumer to create a new account in order to exercise their consumer rights but may require a consumer to use an existing account.
• if you sell personal information to third parties or process personal information for targeted advertising, then you have to clearly and conspicuously disclose the processing, as well as the manner in which a consumer may exercise the right to opt out of the processing;
• conduct and document a data protection assessment of each of the following processing activities involving personal information:
  • the processing of personal information for purposes of targeted advertising;
  • the sale of personal information;
  • the processing of personal information for purposes of profiling, where the profiling presents a reasonably foreseeable risk of unfair or deceptive treatment of, or unlawful disparate impact on, consumers; financial, physical, or reputational injury to consumers; a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where the intrusion would be offensive to a reasonable person; or other substantial injury to consumers;
  • the processing of sensitive data; and 
  • processing activities involving personal information that present a heightened risk of harm to consumers.

As a processor you are responsible for adhering to the instructions of a controller and you have to assist the controller in meeting its obligations under this law. A contract between a controller and a processor has to govern the processor's data processing activity with respect to processing performed on behalf of the controller, which is binding and must clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties.

One obligation of both controllers and processors that the Tennessee Privacy Act mandates is that both parties have to create, maintain, and comply with a written privacy program that reasonably conforms to the National Institute of Standards and Technology (NIST) privacy framework entitled ‘A Tool for Improving Privacy through Enterprise Risk Management Version 1.0.’ Every time there is a revision to the NIST privacy framework both a controller and a processor has to reasonably conform its privacy program to the revised framework not later than one year after the publication date. The privacy program has to provide consumers with the substantive rights required and its scale and scope is considered appropriate if it is based on all of the following factors:

• the size and complexity of the controller or processor's business; 
• the nature and scope of the activities of the controller or processor; 
• the sensitivity of the personal information processed;
• the cost and availability of tools to improve privacy protections and data governance;
• compliance with a comparable state or federal law.

In addition to this, a controller or processor's privacy program must also disclose the commercial purposes for which the controller or processor collects, controls, or processes personal information. Failure to maintain such a privacy program “that reflects the controller or processor's data privacy practices to a reasonable degree of accuracy is considered an unfair and deceptive act or practice.” Also, alongside a privacy program, controllers or processors have the option of certification “pursuant to the Asia Pacific Economic Cooperation's Cross Border Privacy Rules system” or “the Asia Pacific Economic Cooperation's Privacy Recognition for Processors system.”

What data access rights does Tennessee Information Protection Act grant? 

Under Tennessee privacy law consumers have the following rights: 

• The right to know
• The right to access
• The right to correct
• The right to delete
• The right to data portability
• The right to opt out of the sale of personal information or processing for purposes of targeted advertising. 

How to address data subject access requests under Tennessee Information Protection Act?

You have to respond to a consumer request “without undue delay, but in all cases within 45 days of receipt of a request submitted.” You may extend this with an additional 45 days “when reasonably necessary, taking into account the complexity and number of the consumer's requests,” as long as you inform the consumer of the extension within the initial forty-five-day response period, together with the reason for the extension. 

If you decline to take action on a consumer request you have to inform the consumer “without undue delay, but in all cases and at the latest within 45 days of receipt of the request, of the justification for declining to take action and instructions for how to appeal the decision.” Any information provided in response to a consumer request has to be provided free of charge “up to twice annually per consumer,” however “if requests from a consumer are manifestly unfounded, technically infeasible, excessive, or repetitive,” then you may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request, but you bear the responsibility of demonstrating the manifestly unfounded, technically infeasible, excessive, or repetitive nature of the request.

Consumer requests have to be authenticated and if you are unable to do so “using commercially reasonable efforts,” then you are not required to comply with the request and may ask the consumer to provide additional information reasonably necessary to authenticate them and their  request. For those cases where you refuse to take an action on a consumer request you have to establish a process for a consumer to appeal your refusal within a reasonable period of time after they received your decision.This appeal process has to be made available to consumers in a conspicuous manner, must be available at no cost to them, and must be similar to the process for submitting requests. 

Upon receipt of an appeal to your decision, you have 60 days to inform the consumer in writing of action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If you deny the appeal then you have to  provide the consumer with an online mechanism, if available, or other method through which they can contact the attorney general to submit a complaint.

Enforcement and penalties

The Tennessee Information Protection Act (TIPA) grants enforcement authority to the Attorney General who may investigate complaints. Prior to initiating an action, the Attorney General will allow for a 60 day cure period after which, if the violation is not cured, the Attorney General “may bring an action in a court of competent jurisdiction seeking any of the following relief:

• declaratory judgment that the act or practice violates this chapter;
• injunctive relief, including preliminary and permanent injunctions, to prevent an additional violation of and compel compliance with this part;
• civil penalties;
  reasonable attorney's fees and investigative costs; 
• other relief the court determines appropriate.”

As regards civil penalties these can go up to $15,000 for each violation.

Data Subject Rights - GDPR vs. the Tennessee Information Protection Act 

FAQs about the Tennessee Information Protection Act