And Another One: Tennessee Becomes 8th State to Enact Comprehensive Privacy Law

This alert has been updated to reflect amendments to the Tennessee Information Protection Act.

On May 11, 2023, Governor Bill Lee signed the Tennessee Information Protection Act (the “TIPA”) into law, making Tennessee the eighth state to enact a comprehensive privacy law. Tennessee joins Indiana and Iowa in enacting such laws within the last six weeks (see our prior alerts here and here), as the momentum for these laws continues to move quickly. The TIPA will take effect on July 1, 2025, which is sooner than the recently enacted law in Indiana. While the TIPA is similar to other state comprehensive privacy laws, it also contains its own nuances, as described more herein.

Applicability

The TIPA will apply to persons conducting business in Tennessee or producing products or services that are targeted to residents of Tennessee, that exceed $25,000,000 in revenue, and either:

  1. during a calendar year, control or process personal information of at least 175,000 consumers (defined below); or
  2. control or process personal information of at least 25,000 consumers and derive over 50% of their gross revenue from the sale of personal information.

The applicability thresholds under the TIPA are most similar to those under Utah’s privacy law, but the TIPA raises the threshold of consumers from 100,000 to 175,000, which is higher than the other state privacy laws. Similar to California’s and Utah’s privacy laws, there is also a monetary threshold for businesses as part of applicability under the TIPA, contrary to Virginia’s, Colorado’s, Connecticut’s, Indiana’s and Iowa’s laws.

Additionally, like the other state comprehensive privacy laws, the TIPA contains exemptions for certain types of entities, such as governmental entities, financial institutions governed by the Gramm-Leach-Bliley Act, covered entities and business associates subject to HIPAA and HITECH, non-profit organizations, and institutions of higher education. The TIPA also exempts certain types of data, such as protected health information under HIPAA, personal information regulated by the Family Educational Rights and Privacy Act, and data processed or maintained in the course of employment.

Key Definitions

Similar to the state comprehensive privacy laws, other than California, the TIPA narrowly defines “consumer” to mean an individual who is a Tennessee resident acting only in a personal context (i.e., it excludes an individual acting in a commercial or employment context). As a result, employee personal information and business contact personal information fall outside the scope of the TIPA.

With respect to such consumers, the TIPA regulates their “personal information” as well as a special category of personal information known as “sensitive data,” which it defines as (i) personal information revealing racial or ethnic origin, religious beliefs, a mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; (ii) genetic or biometric data processed for the purpose of uniquely identifying a natural person; (iii) personal information collected from a known child (i.e., an individual under thirteen); or (iv) precise geolocation data. This definition of “sensitive data” is substantially similar to the definitions within the other state comprehensive privacy laws, except for California’s law, which encompasses a broader range of information.

Under the TIPA, the “sale of personal information” means the exchange of personal information for valuable monetary consideration by the controller to a third party. This definition essentially mirrors the definitions of “sale” in Virginia’s, Utah’s, Iowa’s and Indiana’s laws and is contrary to the broader definition of “sale” in California’s, Colorado’s, and Connecticut’s laws, which also considers non-monetary, valuable consideration. This is one aspect of these laws on which the states continue to be split.

Compliance

Some of the compliance obligations found in the TIPA are substantially similar to those found in the other state comprehensive privacy laws, such as requiring controllers to provide a compliant privacy notice to consumers and to enter into contracts with processors that process personal information for the controller. Further, like the privacy laws in Colorado, Connecticut, Virginia, and Indiana, the TIPA requires controllers to undertake data protection impact assessments of any processing activities that involve personal information used in targeting advertising, the sale of personal information, profiling (in certain instances), sensitive data, and data that presents a heightened risk of harm to consumers. This is unlike the laws in California, Utah, and Iowa, which do not currently require data protection impact assessments.

Other compliance obligations are unique to the TIPA. For example, it grants controllers and processors who voluntarily create, maintain, and comply with a written privacy program that “reasonably conforms” to the National Institution of Standards and Technology (NIST)’s privacy framework or a comparable privacy framework an affirmative defensive to a cause of action for a TIPA violation. When a subsequent revision of the NIST privacy framework is published, controllers and processors have two years to update their privacy program to conform to the revised framework. The TIPA is the first comprehensive privacy law in the US to provide this type of affirmative defense.

Consumer Rights and Requests

Like the other state comprehensive privacy laws, the TIPA grants rights to individuals regarding their own personal information. Specifically, the TIPA grants consumers the right to make requests to (1) know and access their personal information; (2) correct inaccuracies in their personal information; (3) delete their personal information; (4) obtain a copy of their personal information; and (5) opt out of the processing of their personal information for purposes of (i) selling their personal information; (ii) targeted advertising; and (ii) certain profiling. Additionally, the TIPA requires controllers to obtain consent prior to the processing of sensitive data.

Under the TIPA, a controller has 45 days to respond to a consumer request, which may be extended once by an additional 45 days when reasonably necessary upon considering the complexity and number of the consumer’s requests. Like under the comprehensive privacy laws in Colorado, Connecticut, Virginia, Iowa, and Indiana, the TIPA requires a controller to provide consumers with an appeals process if it denies a consumer’s request, and a controller has 60 days to respond to an appeal. There is no right to appeal in California or Utah.

Enforcement

There is no private right of action under the TIPA. The TIPA grants enforcement rights exclusively to the Tennessee Attorney General, who can seek civil penalties of up to $7,500 for each violation of the law, a financial penalty that mirrors the laws in Iowa, Virginia and Utah. Further, the TIPA permits a court to award treble damages for willful or knowing violations. Violators, however, are granted an opportunity to cure violations within 60 days of receiving notice of a violation from the Attorney General before such penalties are assessed.

Conclusion

At this point, the US state privacy law movement is burgeoning. As states continue to enact similar laws at this rate, there may be a stronger push for a federal law, but it remains uncertain whether Congress will act. Meanwhile, the benefits of a universal approach to privacy compliance, especially for medium to large businesses, continues to be important. Although the TIPA will not take effect until July 1, 2025, impacted businesses may want to consider integrating compliance for the TIPA sooner rather than later, especially if they plan to take advantage of the affirmative defense for NIST-compliant privacy programs.

If you would like assistance with, or have any questions about, complying with the TIPA or other data privacy laws, or need assistance reviewing your data privacy practices, please contact one of our Cybersecurity & Data Privacy attorneys. Check out our U.S. Privacy Laws page for more information.