How Tennessee Privacy Law Nuances Could Affect Compliance

Law360

This article was originally published on Law360.com.

On May 11, Gov. Bill Lee signed the Tennessee Information Protection Act into law, making Tennessee the eighth state in the U.S. to enact a comprehensive privacy law.1

The momentum of this wave of state privacy laws continues to rise quickly, with Iowa and Indiana having enacted similar laws within the past few weeks and bills in other states awaiting signature from their respective governors. TIPA will take effect on July 1, 2025.2

While TIPA is similar to other state comprehensive privacy laws, it also contains its own nuances, as described more herein, which could change how a business needs to comply.

Does TIPA Apply to Your Business?

TIPA will apply to persons conducting business in Tennessee or producing products or services that are targeted to residents of Tennessee, that exceed $25 million in revenue, and either:

  • During a calendar year, control or process personal information of at least 175,000 consumers, defined below; or
  • Control or process personal information of at least 25,000 consumers and derive over 50% of their gross revenue from the sale of personal information.3

The applicability thresholds under TIPA are most similar to those under Utah's privacy law, but TIPA raises the threshold of consumers from 100,000 to 175,000.4

The 175,000 consumer threshold is higher than the threshold for the number of consumers under any of the other state privacy laws, which may indicate that TIPA is intended for larger businesses only.

In the same vein, and similar to California's and Utah's privacy laws, TIPA includes a $25 million revenue threshold as part of its applicability test, contrary to the laws in Colorado, Connecticut, Indiana, Iowa and Virginia, which do not contain a revenue threshold.5

Additionally, like the other state comprehensive privacy laws, TIPA contains exemptions for certain types of entities, such as governmental entities, financial institutions governed by the Gramm-Leach-Bliley Act, covered entities and business associates subject to the Health Insurance Portability and Accountability Act and Health Information Technology for Economic and Clinical Health Act, nonprofit organizations and institutions of higher education.

TIPA also exempts certain types of data, such as protected health information under HIPAA, personal information regulated by the Family Educational Rights and Privacy Act, and data processed or maintained in the course of employment.6

What is TIPA's Scope?

Key Definitions

Similar to the other state comprehensive privacy laws, other than California, TIPA narrowly defines "consumer" to mean an individual who is a Tennessee resident acting only in a personal context and expressly excludes an individual acting in a commercial or employment context.7

As a result, employee personal information and business contact personal information fall outside the scope of TIPA.

With respect to such consumers, TIPA regulates their personal information, as well as a special category of personal information known as sensitive data, which it defines as:

  • Personal information revealing racial or ethnic origin, religious beliefs, a mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;
  • Genetic or biometric data processed for the purpose of uniquely identifying a natural person;
  • Personal information collected from a known child, i.e., an individual under 13; or
  • Precise geolocation data.8

This definition of "sensitive data" is substantially similar to the definitions within the other state comprehensive privacy laws, except for California's law, which encompasses a broader range of information.9

Under TIPA, the sale of personal information means the exchange of personal information for valuable monetary consideration by the controller to a third party.10

This definition essentially mirrors the definitions of "sale" in Virginia's, Utah's, Iowa's and Indiana's laws, although it adds the word "valuable" in front of "monetary consideration," which implies that nominal monetary consideration may not fall within the definition.

TIPA's definition of "sale" is contrary to the broader definition of "sale" in California's, Colorado's and Connecticut's laws, which also consider nonmonetary, yet still valuable, consideration as sufficient to constitute a sale.11

As such, receiving other consideration — like preferable contractual terms — instead of monetary compensation in exchange for additional uses of data would not constitute a sale under certain states' privacy laws, including Tennessee's, while it would constitute a sale under California's, Colorado's and Connecticut's privacy laws.

Although these state comprehensive privacy laws are increasingly looking similar, this is one aspect on which the states continue to be split.

Compliance

Many of the compliance obligations found in TIPA are substantially similar to those found in the other state comprehensive privacy laws, such as requiring controllers to provide a compliant privacy notice to consumers and to enter into contracts with processors that process personal information for the controller.12

Further, like the privacy laws in Colorado, Connecticut, Virginia and Indiana, TIPA requires controllers to undertake data protection impact assessments of any processing activities that involve personal information used in targeted advertising, the sale of personal information, profiling — in certain instances — sensitive data, and data that presents a heightened risk of harm to consumers.13

This is unlike the laws in California, Utah and Iowa, which do not currently require data protection impact assessments. However, unique to TIPA, controllers and processors are given an affirmative defense for TIPA violations.

If a controller or processor voluntarily creates, maintains and complies with a written privacy program that reasonably conforms to the National Institute of Standards and Technology's privacy framework or a comparable privacy framework, then it has an affirmative defense to a cause of action for a TIPA violation.14

When a subsequent revision of the NIST privacy framework or a comparable privacy framework is published, controllers and processors must update their privacy program to conform to the revised framework within two years.15

How courts or enforcement authorities will determine if a controller or processor has a privacy program that reasonably conforms remains unknown.

However, TIPA does provide a set of factors for controllers and processors to determine whether the scale and scope of their privacy program are appropriate, namely:

  • The size and complexity of the controller's or processor's business;
  • The nature and scope of the activities of the controller or processor;
  • The sensitivity of the personal information processed;
  • The cost and availability of tools to improve privacy protections and data governance; and
  • Compliance with a comparable state or federal law.16

Consumer Rights and Requests

Like the other state comprehensive privacy laws, TIPA grants rights to individuals regarding their own personal information.

Specifically, TIPA grants consumers the right to make requests to:

  • Know and access their personal information;
  • Correct inaccuracies in their personal information;
  • Delete their personal information; and
  • Obtain a copy of their personal information.17

Additionally, consumers have the right to opt out of the processing of their personal information for purposes of selling their personal information, targeted advertising, or profiling — i.e., solely automated decision making that produces legal or similarly significant effects concerning a consumer's economic situation, interests, health, etc.18

Additionally, TIPA requires controllers to obtain consent prior to the processing of sensitive data.19

Under TIPA, a controller has 45 days to respond to a consumer request, which may be extended once by an additional 45 days when reasonably necessary upon considering the complexity and number of the consumer's requests.20 Controllers under TIPA are required to provide the requested information to consumers free of charge up to twice per year.21

The controller may charge consumers the administrative costs of complying with or denying the request if the controller deems the consumers' request to be unfounded, technically infeasible, excessive or repetitive.22

Though not expressly stated, presumably, if the consumer makes a request beyond twice a year, the controller may be able to charge the consumer administrative costs to comply with such requests. Importantly, a controller is not required to respond to a request it cannot authenticate using commercially reasonable efforts.23

As under the comprehensive privacy laws in Colorado, Connecticut, Virginia, Iowa and Indiana, TIPA requires a controller to provide consumers with an appeals process if it denies a consumer's request, and a controller has 60 days to respond to an appeal.24 There is no right to appeal in California or Utah.

In both the consumer request process and the appeals process, if a controller declines to take action on an authenticated request, the controller must notify the consumer that no action is being taken.25

This response must come within the applicable timeframe: 45 days for consumer requests and 60 days for appeals.26

Who Will Enforce TIPA?

There is no private right of action under TIPA.

TIPA grants enforcement rights exclusively to the Tennessee attorney general, who can seek civil penalties of up to $7,500 for each violation of the law, a financial penalty that mirrors those under the laws in Iowa, Virginia and Utah.27

Further, TIPA permits a court to award treble damages for willful or knowing violations, which could significantly increase penalties.28

Violators, however, are granted an automatic opportunity to cure violations within 60 days of receiving notice of a violation from the attorney general before such penalties are assessed.29

What's Next?

At this point, the U.S. state privacy law movement is burgeoning and many of these laws are passing votes of state legislatures with little opposition.

Even since the passage of TIPA, other states have inched closer to enacting their own privacy laws.

As states continue to enact similar laws at this rate, there may be a stronger push for a federal law, but it remains uncertain whether Congress will act. Meanwhile, the benefits of a universal approach to privacy compliance, especially for medium to large businesses, continue to be important.

Although TIPA will not take effect until July 1, 2025,30 affected businesses may want to consider integrating compliance for TIPA sooner rather than later, especially if they plan to take advantage of the affirmative defense for NIST-compliant privacy programs.


1. Tenn. Code Ann. § 47-18-3201, et seq.

2. Amendment No. 1 to HB1181, H.A.0348, 112th Cong. § 6 (Tenn. 2023).

3. Tenn. Code Ann. § 47-18-3202.

4. Utah Code Ann. §13-61-102 (1).

5. Tenn. Code Ann. § 47-18-3202; Cal. Civ. Code §1798.140(d)(1); Utah Code Ann. §13-61-102 (1); C.R.S.A. §6-1-1304(1); Pub. Act No. 22-15, Gen. Assemb., Reg. Sess. §2 (Conn. 2022); Ind. Code Ann. § 24-15-1-1(a); S.F. 262, 90th Gen. Assemb., Reg. Sess. §§ 715D.2 (1) (Iowa 2023); Va. Code Ann. §59.1-576(A).

6. Tenn. Code Ann. § 47-18-3210(a).

7. Id. at § 47-18-3201(7); Cal. Civ. Code §1798.140(i).

8. Tenn. Code Ann. § 47-18-3201(26).

9. Cal. Civ. Code §1798.140(ae).

10. Tenn. Code Ann. § 47-18-3201(25).

11. Va. Code Ann. §59.1-575; Utah Code Ann. §13-61-101(31); S.F. 262, 90th Gen. Assemb., Reg. Sess. §§ 715D.1(25) (Iowa 2023); Ind. Code Ann. § 24-15-3.A-2(27); Cal. Civ. Code §1798.140 (ad); C.R.S.A. §6-1-1303 (23); Pub. Act No. 22-15, Gen. Assemb., Reg. Sess. § 1(26) (Conn. 2022).

12. Tenn. Code Ann. §§ 47-18-3204(c), 3205(b).

13. Id. at § 47-18-3206; C.R.S.A. §6-1-1309; Pub. Act No. 22-15, Gen. Assemb., Reg. Sess. § 8 (Conn. 2022); Va. Code Ann. §59.1-580; Ind. Code Ann. § 24-15-6-1.

14. Tenn. Code Ann. § 47-18-3213(a); U.S. Department of Commerce, National Institute of Standards and Technology, NIST Privacy Framework: A Tool For Improving Privacy Through Enterprise Risk Management, Version 1.0 (January 2023), https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.01162020.pdf.

15. Tenn. Code Ann. § 47-18-3213(a)(1)(B).

16. Id. at § 47-18-3213(b).

17. Id. at § 47-18-3203(a)(2).

18. Id. at § 47-18-3203(a)(2)(D).

19. Id. at § 47-18-3204(a)(6).

20. Id. at § 47-18-3203(b)(1).

21. Tenn. Code Ann. § 47-18-3203(b)(3).

22. Id. at § 47-18-3203(b)(3).

23. Id. at § 47-18-3203(b)(4).

24. Id. at § 47-18-3203(c); C.R.S.A. §6-1-1306 (2)(b); Pub. Act No. 22-15, Gen. Assemb., Reg. Sess. § 4(d) (Conn. 2022); Va. Code Ann. §59.1-577(C); S.B. 262, 90th Gen. Assemb., Reg. Sess. §§ 715D.3 (3) (Iowa 2023); Ind. Code Ann. § 24-15-3-1(d).

25. Tenn. Code Ann. § 47-18-3203(b-c).

26. Id. at § 47-18-3203(b-c).

27. Id. at § 47-18-3212(d)(1); S.F. 262, 90th Gen. Assemb., Reg. Sess. §§ 715D.8 (3) (Iowa 2023); Va. Code Ann. §59.1-584(C); Utah Code Ann. §13-61-402(3)(d)(ii).

28. Tenn. Code Ann. § 47-18-3212(d)(2).

29. Id. at § 47-18-3212(b).

30. Amendment No. 1 to HB1181, H.A.0348, 112th Cong. § 6 (Tenn. 2023).