On May 11, 2023, Tennessee’s Governor signed Senate Bill 0073, the Tennessee Information Protection Act, making the state the eighth state to pass consumer privacy legislation. Tennessee joins  California, Colorado, Connecticut, Indiana, Iowa, Utah, and Virginia which have previously passed consumer privacy statutes.

Tennessee’s law will take effect July 1, 2024.

When does this law apply?

The law will apply to persons that conduct business in the state of Tennessee or produce products or services that are targeted to Tennessee residents and that:

• During the calendar year, control or process personal information of at least 100,000 consumers; or,
• Control or process the personal information of at least 25,000 consumers and derive more than 50% of gross revenue from the sale of personal information.

Covered persons hereafter are referred to as controllers.

Are there exemptions?

Among the entities not subject to the Act include Tennessee and state agencies, financial institutions, HIPAA-covered entities and business associates, not-for-profit organizations, and institutions of higher education.

There also are several categories of personal information exempted from the Act, including without limitation personal information protected by the Family Educational Rights and Privacy Act (FERPA) and the Driver’s Privacy Protection Act.

Who is protected by the law?

Under the statute, individuals referred to as “consumers” are protected. A consumer is defined as a natural person who is a resident of the state of Tennessee and acts only in a personal context.

What personal information is protected by law?

Under the statute, personal information is protected, which includes:

• Identifiers such as a real name, alias, unique identifier, online identifier, internet protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers
• Information that identifies, relates to, describes, or could be associated with, a particular individual, including, but not limited to, signature, physical characteristics or description, address, telephone number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or other financial, medical, or health insurance information
• Characteristics of protected classifications under state or federal law;
• Commercial information, including records of personal property, products, or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies
• Biometric data;
• Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website, application, or advertisement
• Geolocation data
• Audio, electronic, visual, thermal, olfactory, or similar information
• Professional or employment-related information;
• Education information that is not publicly available information

Personal information also includes “sensitive data” which means:

• Personal information revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;
• The processing of genetic or biometric data for the purpose of uniquely identifying a natural person;
• The personal information collected from a known child; or
• Precise geolocation data.

Personal information does not include information that is:

• Publicly available
• De-identified or aggregate consumer information

What are the rights of consumers?

Under the statute, consumers have the right to:

• Confirm whether a controller is processing the consumer’s personal information and to access the personal information.
• Correct inaccuracies in the consumer’s personal information.
• Delete personal information provided by or obtained about the consumer.
• Obtain a copy of the consumer’s personal information that the consumer previously provided to the controller.
• Request information about personal information the controller sold or disclosed to third parties.
• Opt-out of the controller selling the personal information of the consumer.

What obligations do controllers and processors have?

Under the statute, a controller shall respond to requests from a consumer without undue delay, but no later than 45 days from the date of receipt of the request. If the controller declines to take action upon a consumer’s request, the controller shall inform the consumer without undue delay but no later than 45 days from receipt.

The controller is required to take certain steps to ensure transparency of its processing including:

• Limit the collection of personal information to what is adequate, relevant, and reasonably necessary in relation to the purpose for which the data is processed
• Establish, implement, and maintain reasonable administrative, technical, and physical data security practices.
• Not process “sensitive data” without obtaining the consumer’s consent, provided that in the case of a child, the controller does so in accordance with the federal Children’s Online Privacy Protection Act.  

Controllers shall conduct and document a data protection assessment of each of the following processing activities:

• The processing of personal information for purposes of targeted advertising
• The sale of personal information
• The processing of personal information for purposes of profiling where the profiling presents a foreseeable risk
• The processing of sensitive data
• The processing of personal information presents a heightened risk of harm to consumers.

Upon receipt of an authenticated consumer request, a controller must provide a “reasonably accessible, clear, and meaningful privacy notice” the contents of which are similar to but not as expansive as the California Consumer Privacy Act (CCPA).

With respect to processors, the Act requires they adhere to the instructions of controllers, such as assisting the controller with responding to consumer requests. Contracts between controllers and processors are required and must include certain provisions, such as (i) instructions for processing personal information, (ii) the nature, purpose, and duration of the processing, and (iii) the type of data subject to the processing. Other required provisions include (i) a requirement for processors to make available all information in the processor’s possession to demonstrate the processor’s compliance with the Act, (ii) cooperating with reasonable assessments of compliance by the controller (or arrange for a qualified and independent assessor), and (iii) obligating the processor to push the Act’s required provisions down to the processor’s subcontractors.

How is the law enforced?

The attorney general and reporter have exclusive authority to enforce the statute, which may include bringing an action in a court of competent jurisdiction.

The Act requires controllers or processors to create, maintain, and comply with a written privacy program that reasonably conforms to the National Institute of Standards and Technology (NIST) privacy framework entitled “A Tool for Improving Privacy through Enterprise Risk Management Version 1.0.” Among the requirements for a privacy, program is that it discloses the commercial purposes for which the controller or processor collects, controls, or processes personal information. Maintaining such a program is not only important for compliance purposes, but it also provides an affirmative defense to a cause of action for a violation of the law.