On May 11, 2023, the governor of Tennessee signed the Tennessee Information Protection Act (“TIPA”), assigned Public Chapter Number 408, into law. TIPA takes effect on July 1, 2025. In this article, we highlight five key points of the new law.

Five Key Points

1. TIPA applies to certain entities conducting business in Tennessee.

TIPA applies to a person who (1) conducts business in Tennessee producing products or services that target Tennessee residents; (2) earns over $25 million in revenue; and (3) controls or processes at least 25,000 consumers’ personal information, with at least fifty percent of gross revenue derived from the sale of personal information (as defined by TIPA), or controls or processes at least 175,000 consumers’ personal information during a calendar year. Certain types of information, e.g., protected health information under HIPAA, and certain entities, e.g., institutions of higher education, are exempt from compliance with TIPA.

2. Controllers and processors have certain obligations to protect consumer personal information.

Controllers and processors (as those terms are defined by TIPA) are subject to various obligations under TIPA to protect personal information. For example, controllers may collect personal information only to the extent that it “is adequate, relevant, and reasonably necessary” for the controller’s disclosed processing purposes. And they must maintain “reasonable administrative, technical, and physical data security practices” for protecting personal information. Notably, TIPA points to reasonable conformance to the National Institute of Standards and Technology’s (“NIST”) Privacy Framework or a comparable privacy framework as satisfying the requirement for reasonable administrative, technical, and physical data security practices. The practical meaning of such “reasonable conformance” remains to be seen, however, as no definition is provided, and the appropriate scale and scope of a privacy program is determined by a variety of factors, including the controller’s or processor’s business and activities and the sensitivity of the processed personal information.

Other requirements for controllers include that consumer consent is required for processing sensitive data such as biometric data or precise geolocation data. Controllers must also provide privacy notices including information such as the categories of processed personal information and the purpose for such processing. Controllers are also required to conduct and document data protection assessments for certain processing and other activities involving personal information and performed on or after July 1, 2024, including with respect to targeted advertising and the sale of personal information. Data protection assessments prepared to comply with other laws and that are reasonably comparable in scope and effect to the assessments required under TIPA are acceptable substitutes. Meanwhile, processors are required to follow controllers’ instructions.

3. Conformance to the NIST Privacy Framework is an affirmative defense to TIPA violations.

Among the ten enacted US comprehensive state privacy laws, TIPA is unique in that controllers and processors may assert, as an affirmative defense against allegations of TIPA violations, that they have created, maintained, and complied with a written privacy policy that “reasonably conforms” to NIST’s Privacy Framework or a comparable privacy framework, as updated from time to time, and that provides the substantive rights established by TIPA. As discussed above, the appropriate scale and scope for such a privacy program depends on various factors.

4. Consumers have certain rights to their collected personal information.

Similar to other enacted comprehensive state privacy laws, under TIPA, consumers are afforded certain rights, including the rights to: (1) know or confirm that a company is processing the consumer’s data; (2) access such data; (3) correct inaccuracies in the data; (4) request deletion of the data; (5) obtain a copy of the data; and (6) opt out of the processing of the data. A company must respond within forty-five days to a consumer’s request to exercise these rights. Contractual waivers of these rights are void and unenforceable. Note that aggregated or de-identified data is excluded from the scope of personal information, and companies cannot be required to delete such aggregated or de-identified data as long as it is not linked to a specific consumer.

5. No private right of action under TIPA.

Only Tennessee’s attorney general may enforce TIPA; there is no private right of action. Upon receipt of written notice of the attorney general’s allegations that a controller or processor has violated TIPA, the controller or processor has sixty days to cure the violation and promise not to commit future violations. Otherwise, the attorney general may initiate an action for an uncured violation. Each TIPA violation may be subject to a civil penalty of $7,500, and a court may award treble damages for a willful or knowing violation.

Conclusion

Tennessee’s adoption of TIPA is one more development in a year already notable for a myriad of state privacy laws being adopted or coming into force, including in Arkansas, Indiana, Iowa, Montana, Texas, Virginia, and Washington. While TIPA is not effective until July 2025, we encourage companies and individuals who sell products or services in Tennessee to begin considering their obligations under TIPA. Please contact any of the Baker McKenzie attorneys listed below with questions or for assistance.

Author

Brian provides advice on global data privacy, data protection, cybersecurity, digital media, direct marketing information management, and other legal and regulatory issues. He is Chair of Baker McKenzie's Global Data Privacy and Security group.

Author

Rachel Ehlers is a partner in Baker McKenzie's Intellectual Property and Technology Practice Group, based in the Firm's Houston office. Rachel's practice focuses on technology transactions, data privacy and cybersecurity. She has extensive experience advising clients on data incidents and breach response, cross-border transfers, and data privacy and cybersecurity issues related to mergers and acquisitions.

Author

Alex advises clients on issues involving data privacy, digital transformation, IP, and cutting-edge technologies such as artificial intelligence. He represents clients in drafting agreements for data, IP, and technology transactions.

Author

Avi Toltzis is a Knowledge Lawyer in Baker McKenzie's Chicago office.