The Tennessee Information Protection Act (TIPA) (HB 1181) was signed into law by Governor Bill Lee on May 11, 2023. As of the publication of this Insight article, Tennessee is one of 11 states that have passed 'comprehensive' privacy laws (laws that protect an individual's general right to privacy, instead of only regulating certain data processing contexts), joining California, Colorado, Virginia, Utah, Connecticut, Iowa, Indiana, Montana, Texas, and Oregon.

In this Insight article, Kirk Nahra, Ali Jessani, Genesis Ruano, and Samuel Kane, from Wilmer Cutler Pickering Hale and Dorr LLP, provide a detailed breakdown of TIPA's applicability, exemptions, key definitions, substantive requirements, and enforcement provisions.

Background

TIPA shares many elements frequently found in comprehensive privacy laws, including, for example, data processing obligations applicable to data controllers and data processors, data subject rights for consumers, and certain contracting obligations. Further, like most of the other comprehensive privacy laws, TIPA does not include a private right of action. However, TIPA also contains a unique provision that creates a safe harbor for entities that implement a privacy program that reasonably conforms to the National Institute of Standards and Technology (NIST) Privacy Framework. TIPA will go into effect on July 1, 2025, after which it will be exclusively enforced by the Tennessee Attorney General and Reporter (AG).

Applicability and exemptions

TIPA applies to entities that conduct business in Tennessee, produce products or services that target Tennessee residents, exceed $25 million in revenue, and:

  • control or process the personal information of at least 25,000 consumers and derive more than 50% of gross revenue from the sale of personal information; or
  • control or process the personal information of at least 175,000 consumers during a calendar year.

However, like all of the state comprehensive privacy laws, TIPA includes broad exemptions, including for the following types of entities:

  • state government entities and political subdivisions of the state;
  • financial institutions subject to the Gramm-Leach-Bliley Act (GLBA);
  • any licensed insurance company under Title 56 of the Tennessee Code;
  • covered entities or business associates governed by the Health Insurance Portability and Accountability Act (HIPAA);
  • non-profit organizations; and
  • institutions of higher education.

In addition, entities that comply with the Children's Online Privacy Protection Act (COPPA) parental consent requirements will be deemed compliant with TIPA's parental consent requirements.

Additionally, certain types of information are exempt under TIPA, including:

  • data subject to the GLBA;
  • information governed by HIPAA;
  • information governed by the Fair Credit Reporting Act (FCRA);
  • information governed by the Driver's Privacy Protection Act;
  • personal information or educational information governed by the Family Educational Rights and Privacy Act (FERPA);
  • information governed by the Farm Credit Act; and
  • specified employee-related information, including, for example, any data processed or maintained in the course of an individual applying to, being employed by, or acting as an agent or independent contractor of a controller, processor, or third party, to the extent that the data is collected and used within the context of that role.

These exemptions are consistent with what other states have implemented, although they are broader in some cases. For example, California only exempts information that is regulated by the GLBA and HIPAA, while TIPA technically creates an entity-wide exemption for entities that are covered under these laws.

Key definitions

TIPA applies to 'controllers,' defined as the natural or legal person that, alone or jointly with others, determines the purpose and means of processing personal information, as well as to 'processors,' defined as natural or legal entities that process personal information on behalf of a controller. Additional key definitions in TIPA include the following terms:

  • Consent: TIPA defines 'consent' as a clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to process personal information relating to the consumer. Consent may include a written statement, including one sent by electronic means, as well as an unambiguous affirmative action.
  • Consumer: TIPA defines a 'consumer' as a natural person who is a resident of Tennessee acting only in a personal context. TIPA's definition excludes a natural person acting in a commercial or employment context.
  • Decisions that produce legal or similarly significant effects concerning the consumer: TIPA defines these decisions as decisions made by the controller that result in the provision or denial by the controller of financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunities, healthcare services, or access to basic necessities, such as food and water.
  • Personal information: TIPA defines 'personal information' as information that is linked or reasonably linkable to an identified or identifiable natural person. TIPA excludes publicly available information and de-identified or aggregated consumer information from its definition of 'personal information.'
  • Profiling: TIPA defines 'profiling' as a form of solely automated processing performed on personal information to evaluate, analyze, or predict personal aspects related to an identified or identifiable natural person's economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
  • Sale: TIPA defines a 'sale' of personal information as the exchange of personal information for valuable monetary consideration by the controller to a third party. TIPA excludes specific instances of disclosure of personal information, including:
    • disclosure to a processor that processes information on behalf of the controller;
    • disclosure of personal information to a third party for purposes of providing a product or service requested by the consumer;
    • disclosure or transfer of personal information to an affiliate of the controller;
    • disclosure of information that the consumer has intentionally made publicly available;
    • disclosures in relation to a merger, acquisition, bankruptcy, or other transaction where a third party assumes control of the controller's assets.
  • Sensitive data: TIPA defines 'sensitive data' as a category of personal information that includes:
    • personal information revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship, or immigration status;
    • the processing of genetic or biometric data for the purpose of uniquely identifying a natural person;
    • the personal information collected from a known child; or
    • precise geolocation data.
  • Targeted advertising: TIPA defines 'targeted advertising' as an advertisement that is selected based on personal information obtained from that consumer's activities over time and across nonaffiliated websites or online applications to predict the consumer's preferences or interests. TIPA excludes certain types of advertisements, including:
    • advertisements based on activities within a controller's own websites or online applications;
    • advertisements based on the context of a consumer's current search query, visit to a website, or online application;
    • advertisements directed to a consumer in response to the consumer's request for information or feedback; or
    • personal information processed solely for measuring or reporting advertising performance, reach, or frequency.

Key provisions

Key provisions of TIPA include the following:

Consumer data rights

TIPA creates individual rights for consumers, including:

  • the right to confirm whether the controller is processing the consumer's personal information and to access it;
  • the right to correct inaccuracies in the consumer's personal information;
  • the right to delete personal information provided by the consumer or obtained by the controller about the consumer;
  • the right to obtain a copy of the personal information in a portable and readily usable format; and
  • the right to opt out of the controller's processing of personal information for the purposes of selling personal information about the consumer, targeted advertising, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.

Privacy by Design

TIPA incorporates Privacy by Design principles, such as purpose limitation and reasonable data security practices.

Consent for sensitive data processing

TIPA requires that controllers obtain consumer consent before processing sensitive data. When processing the sensitive data of a known child, the controller must process said data in accordance with COPPA and its implementing regulations.

Privacy notice

TIPA requires that a controller provide an accessible, clear, and meaningful privacy notice that, among other requirements, describes:

  • the categories of personal information processed;
  • the purpose of such processing;
  • how consumers can exercise their data rights;
  • the categories of personal information sold to third parties; and
  • the categories of third parties to which personal information is sold.

Processor duties

TIPA imposes a range of requirements on processors, including requiring that a contract govern a processor's execution of data processing activities on behalf of the controller. That contract must require that the processor:

  • ensures that individuals handling personal information are subject to a duty of confidentiality;
  • deletes personal information or returns personal information to the controller at the conclusion of the processor's provision of services;
  • provides compliance documentation to the controller as requested;
  • cooperates with assessments conducted by the controller (or provides for an independent assessment); and
  • engages any subcontractors only pursuant to a contract compliant with TIPA.

Data protection assessments

TIPA requires that controllers conduct data protection assessments for the following activities:

  • the processing of information for purposes of targeted advertising;
  • the sale of personal information;
  • the processing of data for purposes of profiling if the profiling presents certain reasonably foreseeable risks;
  • the processing of sensitive data; and
  • any processing activities that present a heightened risk of harm to consumers.

Enforcement

TIPA will go into effect on July 1, 2025. TIPA provides that the AG has exclusive authority to enforce TIPA's provisions. TIPA creates a sixty-day cure period that requires the AG to provide written notice of a violation to the controller or processor prior to initiating any action. After the AG provides written notice, if an entity cures the violation and provides the AG with an express written statement that the alleged violations have been cured, no action will be initiated. Should violations persist, TIPA imposes civil penalties of up to $7,500 for each violation (with treble damages available for willful or knowing violations). The AG may also seek declaratory relief, injunctive relief, reasonable attorney's fees and investigative costs, or other relief the court determines appropriate. TIPA does not create a private right of action.

Crucially, TIPA also creates an affirmative defense to a cause of action for a violation if the controller or processor creates, maintains, and complies with a written privacy program that reasonably conforms to the NIST Privacy Framework. Companies that are thinking about compliance should pay close attention to this provision, as conformance with this framework could help to protect them from liability under TIPA.

Originally published by OneTrust Data Guidance.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.