On April 21, 2023, the Tennessee State Senate passed the Tennessee Information Protection Act (TIPA). The passing of this privacy bill is the latest in a flurry of privacy legislation enacted in the first half of 2023, and it adds to an increasingly complex privacy landscape in the US.
The TIPA will enter into effect on July 1, 2025, and will introduce several requirements for businesses within its scope, including data protection assessments, data minimization requirements, and obtaining opt-in consent before processing sensitive personal information.
Keep reading to learn more about the key provisions and compliance areas of the latest comprehensive privacy bill to be passed.
Key requirements of the Tennessee Information Protection Act
A good place to start with the TIPA is its scope and the businesses it will cover. The TIPA applies to persons that conduct business in Tennessee or produce products or services targeted to residents of Tennessee. Within that group, the TIPA applies to businesses that exceed $25,000,000 in annual revenue and meet at least one of the following criteria:
- Control or process personal information of at least 175,000 consumers; or
- Control or process personal information of at least 25,000 consumers and derive more than 50% of gross revenue from the sale of personal information.
One unique feature of the TIPA is that businesses can voluntarily “create, maintain, and comply with a written privacy program” that reasonably conforms to the National Institute of Standards and Technology’s (NIST) Privacy Framework; such a program can be raised as an affirmative defense against a cause of action for violations of the law.
There are further requirements that must be built into a TIPA-compliant privacy program, which we look at in more detail below.
Consumer rights
The TIPA introduces a range of consumer rights, referred to as personal information rights, that are similar to those found under other US state privacy laws.
Consumer rights under the TIPA include:
- The right to know
- The right to access
- The right to correction
- The right to deletion
- The right to data portability
- The right to opt out of:
- Sale
- Targeted advertising
- Profiling
Although not listed as a personal information right, consumers also have the right not to be discriminated against for exercising their rights, including by being denied goods or services or charged different prices or rates. Businesses will have 45 days to respond to consumer requests, with the possibility of a single 45-day extension.
Controller responsibilities
The TIPA places several responsibilities on the controller. These requirements are commonplace among US state privacy laws and will form a key part of any TIPA-compliant privacy program.
- Data minimization and purpose limitation – Controllers must limit the collection of personal information to what is adequate, relevant, and reasonably necessary for the disclosed purposes of processing, and must not process personal information for purposes other than those outlined in the controller’s privacy notice unless the consumer's consent is first obtained.
- Security measures – Controllers will be required to “establish, implement, and maintain reasonable administrative, technical, and physical data security practices.”
- Opt-in consent for processing sensitive personal information – Controllers are prohibited from processing sensitive personal information without first obtaining the consumer's consent. Additionally, the personal information of a known child must be processed in accordance with the Children's Online Privacy Protection Act (COPPA).
- Privacy notices – Controllers must provide consumers with “a reasonably accessible, clear, and meaningful privacy notice” that includes:
- The categories of personal information processed
- The purposes for processing
- How consumers may exercise their consumer rights
- The categories of personal information sold to third parties
- The categories of third parties to which personal information is sold
Data protection assessments
The TIPA requires controllers to conduct and document a data protection assessment for certain processing activities. The assessment must identify and weigh the benefits of the processing against its risks to consumers. Activities that require a data protection assessment include:
- The processing of personal information for purposes of targeted advertising
- The sale of personal information
- The processing of personal information for purposes of profiling
- The processing of sensitive data
- Processing activities involving personal information that present a heightened risk of harm to consumers
Similar to the data protection assessment requirements found in Virginia's privacy law, the TIPA allows a single data protection assessment to cover a set of similar processing operations, and an assessment conducted to comply with another law may satisfy the TIPA requirement where it covers comparable processing activities.
Enforcement
The TIPA will be enforced exclusively by the Tennessee Attorney General. Controllers found to be in violation of the law will be granted a 60-day cure period; controllers that do not remediate the violation within those 60 days are liable for civil penalties of up to $7,500 per violation. There is no private right of action.
How businesses can prepare for the TIPA
The TIPA still needs to be signed into law by the Governor of Tennessee before it officially becomes part of the US privacy landscape; however, this looks to be a formality. OneTrust DataGuidance Research can help you keep up to date with the status of the law, as well as further amendments and developments to privacy laws right across the US.
For businesses that want a head start on TIPA compliance, OneTrust Data Mapping Automation can help you create a central view of your organization's data so you can understand what you have, where it is stored, and which rules will apply once the TIPA comes into effect.
Request a demo to see how the OneTrust Privacy & Data Governance Cloud can help you prepare for the new era of US privacy laws, or stay up to date on all the latest developments with the OneTrust DataGuidance Research US Privacy Law tracker.