On May 11, 2023, Tennessee’s governor signed the Tennessee Information Privacy Act (“TIPA”), the eighth U.S. state comprehensive privacy law. TIPA is very similar to the privacy laws of Virginia, Connecticut, and Indiana, which in turn drew inspiration from the California Consumer Privacy Act (“CCPA”), so compliance programs modeled on current state privacy laws will likely go a long way toward satisfying TIPA.
Scope
TIPA applies to a person that conducts business in Tennessee or produces products or services targeted at the state’s residents (“consumers”) and that, during a calendar year, either:
- Exceeds $25 million in revenue; and
- (a) Controls or processes the personal information of at least 25,000 consumers and derives 50% or more of its gross revenue from the sale of personal information; or
(b) Controls or processes the personal information of at least 175,000 consumers.
Like most other state privacy laws, TIPA exempts employee and B2B data (individuals acting in an employment or commercial context are not “consumers”), nonprofits, and data and entities covered by various federal privacy laws such as HIPAA and GLBA.
Obligations
TIPA imposes familiar obligations, requiring a controller to:
- State in its privacy policy the categories of personal information it processes and the processing purposes, the categories of personal information it “sells,” the categories of entities to which it sells personal information, and how to exercise consumer rights under TIPA;
- Clearly and conspicuously disclose that it “sells” personal information or processes personal information for targeted advertising (if true) and explain how to opt out;
- Only collect personal information that is adequate, relevant, and reasonably necessary for the processing purposes as disclosed to consumers;
- Maintain reasonable security;
- Obtain consent to process sensitive data and to process personal information in ways that are not reasonably necessary to and compatible with the disclosed processing purposes; and
- Conduct a data protection impact assessment (“DPIA”) for personal information “sales,” processing for targeted advertising, processing sensitive data, certain profiling activities, or processing with a heightened risk of harm to consumers.
Controllers and processors must enter into contracts that contain provisions required by most other state privacy laws (e.g., the processor must follow the controller’s instructions and ensure that anyone who processes personal data is subject to a duty of confidentiality).
Consumer Rights
Consumers have access, correction, and deletion rights, and the right to opt out of sales of personal information, processing for targeted advertising purposes, and profiling that produces certain legal or similarly significant effects. Access rights include the right to know certain information (including the categories of personal information sold and the categories of third parties to which it was sold). Controllers must respond to requests in 45 days (with the possibility of a 45-day extension), and consumers have the right to appeal denials of their requests.
Enforcement and Effective Date
TIPA takes effect July 1, 2025. It provides no private right of action and is enforceable only by the state Attorney General (“AG”). The AG must notify a business of alleged violations sixty days before bringing an enforcement action, providing a cure period. The AG may recover up to $7,500 per violation of TIPA, as well as reasonable attorney’s fees and injunctive relief. Courts may impose treble damages for willful or knowing violations.
Businesses have an affirmative defense under TIPA if they have a privacy program that reasonably conforms to Version 1.0 of the NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management, tracks any updates to this framework, and provides consumers with the rights conferred by TIPA.
