While consumers in the US are still waiting patiently for a federal data protection law, we are seeing more and more states introduce their own comprehensive laws, giving consumers a greater say in how businesses collect and use their personal data.
With its Tennessee Information Protection Act, Tennessee is one of the latest states to join this positive trend. Here is everything you need to know about TIPA to ensure compliance for your company. Let’s get into it.
Key Takeaways
- The Tennessee Information Protection Act was signed on 11th May 2023 and becomes effective on 1st July 2025.
- The law applies to Tennessee for-profit businesses offering Tennessee residents goods and services.
- The Tennessee Attorney General & Reporter enforces the law, with civil penalties of up to $7,500 per violation.
Tennessee Information Protection Act (TIPA) Overview
The Tennessee Information Protection Act (TIPA) is a consumer data protection and privacy law that regulates data processing by businesses in this state and empowers Tennessee residents to safeguard their personal data.
Previously known as House Bill No. 1181, the Tennessee IPA was signed into law by Governor Bill Lee on 11th May 2023 and becomes effective on 1st July 2025.
Important Definitions Under TIPA
Similar to other laws, like the Texas Data Privacy and Security Act (TDPSA), the Tennessee Information Protection Act also defines some key terms, such as:
- Consent: A clear and affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal information relating to the consumer.
The law further states this may include a written statement (via electronic means) and affirmative action.
- Consumer: A natural person who resides in this state acting only in a personal context.
Under TIPA, a consumer cannot be someone acting in a commercial or employment context.
- Controller: Natural or legal person that, alone or jointly with others, determines the purpose and means of processing personal information.
- Personal information: Information that is linked or linkable to an identified or identifiable natural person.
Personal information does not include publicly available and de-identified information.
- Processor: Natural or legal entity that processes personal information on behalf of a controller.
- Sensitive data: A category of personal information that includes personal information revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; the processing of genetic or biometric data to uniquely identify a natural person; the personal information collected from a known child; and precise geolocation data.
Scope of Tennessee Information Protection Act
The Tennessee Information Protection Act applies to businesses that operate in this state, offer products and services that target Tennessee residents, and meet both of the following conditions:
- Their revenue is above $25,000,000; and
- They either a) control or process the personal information of at least 25,000 consumers and derive over 50% of their gross revenue from the sale of personal data, or b) control or process the personal information of at least 175,000 consumers during one calendar year.
The “sale of personal information” includes any exchange of PI for a monetary consideration by the controller to a third party (i.e., anyone other than the consumer, controller, processor, or affiliate).
Certain businesses and organizations are exempt from compliance with the Tennessee Information Protection Act. This includes:
- An agency, authority, body, board, bureau, commission, or district of Tennessee or its political subdivision.
- A financial institution, or an affiliate of one, that is subject to the Gramm-Leach-Bliley Act (GLBA).
- A covered entity or business associate under the Health Insurance Portability and Accountability Act (HIPAA) or the Health Information Technology for Economic and Clinical Health Act (HITECH).
- An insurance company licensed in Tennessee.
- Nonprofit organizations.
- Institutions of higher education.
The following types of data are also exempt, and TIPA does not apply to them:
- Personal data used or shared for research purposes.
- Medical data and patient records covered by any federal or state law.
- Employment data.
- Data covered by federal laws such as the Fair Credit Reporting Act (FCRA), Driver’s Privacy Protection Act (DPPA), Family Educational Rights and Privacy Act (FERPA), Farm Credit Act (FCA), etc.
Consumer Data Rights Under Tennessee IPA
Under the Tennessee Information Protection Act, consumers may exercise certain data rights by submitting a request to the controller, either on their own behalf or, as parents or legal guardians, on behalf of a known child.
The controller must comply with an authenticated consumer request and respond within 45 days of receiving it.
The TIPA consumer data rights include:
- Right to access personal information: The consumer has the right to confirm whether the controller is processing their personal information and to access that information.
- Right to correct inaccuracies: Consumers can also request that the controller correct inaccurate personal information.
- Right to delete personal information: Also, the consumer can request that the controller delete their personal information. However, the controller does not have to delete de-identified data or personal information it uses or maintains as aggregate data.
- Right to data portability: The right to data portability grants the consumer the right to request a copy of their personal information in a portable and readily usable format, allowing them to transmit the data to another controller.
- Right to opt out of the processing of personal data: The consumer can opt out of the processing of their personal data for the following purposes:
  - Selling personal information about the consumer
  - Targeted advertising
  - Profiling
“Targeted advertising” includes showing ads based on personal information obtained over time from monitoring the consumer’s online activities. On the other hand, “profiling” consists of the automated processing of personal data to build a detailed consumer profile based on their behaviors, characteristics, or preferences.
Data Controller and Processor Responsibilities
Under the Tennessee Information Protection Act, the data controller and processor have established responsibilities, which include:
Data Controller Responsibilities
The controller is responsible for:
- Limiting the collection of consumer personal information to what is adequate, relevant, and reasonably necessary for the data processing purposes disclosed to the consumer;
- Not processing any personal information for purposes that are not reasonably necessary for, or compatible with, the disclosed purposes unless the consumer gives their consent;
- Using appropriate data security practices, including administrative, physical, and technical safeguards, to protect the integrity and confidentiality of personal information;
- Not processing any personal information in violation of federal or state laws that prohibit unlawful discrimination against consumers;
- Not processing sensitive data without obtaining explicit consent from the consumer or, in the case of a known child, from their parent or legal guardian;
- Providing a clear and readily accessible privacy notice that includes:
  - Categories of personal data being processed;
  - Purpose of processing personal information;
  - How consumers can exercise their rights;
  - Categories of personal information the controller sells or shares with third parties (if any);
  - Categories of third parties to whom the controller sells or shares personal information (if any).
Data Processor Responsibilities
The responsibilities of the data processor include:
- Following the controller’s instructions and assisting the controller in meeting its obligations (e.g., providing the information needed to fulfill consumer requests regarding their data rights and the information the controller needs to conduct a Data Processing Assessment);
- Ensuring that any person processing data is bound by a duty of confidentiality concerning the data they are processing;
- Deleting or returning all personal data to the controller at its request at the end of the service, unless retention is required by law;
- Allowing and cooperating with reasonable assessments by the controller or its designated assessor. The law also allows processors to arrange an independent assessor.
Data Processing Assessment (DPA)
The controller must also conduct a Data Processing Assessment (DPA) for the following processing activities:
- Processing for targeted advertising
- Sale of personal information
- Processing for profiling, where it presents a financial, physical, or reputational risk to the consumer or treats the consumer unfairly or deceptively
- Processing of sensitive data
- Processing of personal information that poses an increased risk of harm to the consumer
Checklist for Compliance With the Tennessee Information Protection Act
Here’s a checklist you can follow to ensure you are compliant with TIPA if you are running a business and selling products and services targeting Tennessee residents:
Understand the Tennessee Information Protection Act Scope and Definitions
- Verify that TIPA applies to your business (operating a business in Tennessee with revenue above $25,000,000, and either processing the personal information of 25,000+ consumers while deriving over 50% of revenue from the sale of personal data, or processing the personal information of 175,000+ consumers in a calendar year)
- Get familiar with the definitions provided by the law (personal data, consumer, consent, controller, etc.)
Data Processing and Consumer Rights
- Understand the rights consumers have under this law (right to access information, right to correct, right to delete, right to portability, right to opt out)
- Build clear procedures for consumers to exercise these rights
- Introduce and implement transparent authentication processes for consumer requests regarding their rights (DSARs, do not sell my data, deletion requests, etc.)
- Ensure you obtain explicit consumer consent before processing sensitive data, per the TIPA provisions.
Data Security and Privacy Practices
- Ensure your privacy policy meets the TIPA requirements and update it if necessary.
- Establish and carry out reasonable data security measures to protect consumers’ data
- Limit data processing to what is needed for the specific purpose
- Do not process personal data in a way that discriminates against consumers exercising their rights
Third-Party Management
- Enforce third-party management, ensure your third-party vendors and suppliers comply with TIPA, and update their contracts if necessary.
- Ensure they are only processing data for the purposes specified under the contract.
Employee Data Security Training
- Conduct regular data privacy and compliance training to help employees understand why both matter.
- Monitor employee data processing activities and ensure they follow the best data protection practices.
Security Incident Reports and Notification
- Introduce and implement a response plan to address security incidents and data breaches.
- Follow the TIPA requirements regarding data breach privacy notices to affected consumers and relevant authorities.
Documentation
- Maintain detailed records of your data processing activities, consumer requests, and the steps you’ve taken to respond to them.
- Record any efforts to comply with TIPA (security measures, privacy notices, etc.)
Staying Up to Date
- Consult with data protection and compliance experts to better understand your obligations under TIPA.
- Stay informed and up-to-date on the Tennessee Information Protection Act changes and relevant laws that affect your data processing activities.
Enforcement and Penalties
The Tennessee Information Protection Act is enforced by the Tennessee Attorney General & Reporter (AGR), who can issue a civil investigative demand regarding a controller’s or processor’s alleged violation of the law, based on the AGR’s own inquiry or on public or consumer complaints.
Before taking any action, the Attorney General must give the controller 60 days’ notice specifying which TIPA provisions have been violated.
The controller then has 60 days from receiving the notice to cure the alleged violation. If it does, and no further violations occur, no action will be taken against the controller or processor.
If the controller does not cure the violations within 60 days, the AGR may bring an action against the controller in court and seek one of the following:
- A declaratory judgment that the act or practice violates the Act
- Civil penalties of up to $7,500 per violation
- Preliminary and permanent injunctions and other injunctive relief
- Attorney fees
- Investigative costs
- Other relief ordered by the court
One of the unique provisions of the Tennessee IPA is the affirmative defense.
The controller or processor has an affirmative defense against a claimed violation of a TIPA provision if it creates, maintains, and complies with a privacy policy that conforms to the National Institute of Standards and Technology (NIST) privacy framework titled “A Tool for Improving Privacy Through Enterprise Risk Management Version 1.0” or to another documented policy, standard, or procedure created to protect consumer privacy.
Frequently Asked Questions (FAQs)
What is the TN Protection Act?
The Tennessee Information Protection Act was signed on 11th May 2023 and becomes effective on 1st July 2025 for businesses that operate in Tennessee, offer products and services to Tennessee residents, and process their personal information.
What is the Tennessee Patient Privacy Protection Act?
The Tennessee Patient’s Privacy Protection Act is part of the Tennessee Code under Title 68 (Health, Safety and Environmental Protection), Chapter 11 (Health Facilities and Resources), Part 15 (Patient’s Privacy Protection Act). It states that:
Every patient entering and receiving care at a health care facility licensed by the board for licensing health care facilities has the expectation of and right to privacy for care received at such facility.
What is the Consumer Protection Act in Tennessee?
The Consumer Protection Act, or the Tennessee Information Protection Act, is a state regulation that empowers Tennessee residents to safeguard their personal data that is being processed by businesses.
The Tennessee Information Protection Act applies to businesses that operate in this state, offer products and services that target Tennessee residents, and meet both of the following conditions:
- Their revenue is above $25,000,000; and
- They either control or process the personal information of at least 25,000 consumers and derive over 50% of their gross revenue from the sale of personal data, or control or process the personal information of at least 175,000 consumers during one calendar year.
How Can Captain Compliance Be Your Ally in Navigating TIPA?
If you run a business in Tennessee, time is running out to ready your company for compliance with the new Tennessee Information Protection Act before it takes effect on 1st July next year.
Ensure you are TIPA-compliant and safeguard your consumers’ data with the help of Captain Compliance.