Lawmakers unanimously approve Tennessee Information Protection Act
On April 21, 2023, Tennessee lawmakers unanimously approved the Tennessee Information Protection Act (TIPA), joining four other states in 2023 in passing broader consumer data privacy protection legislation. TIPA was modeled on the Virginia Consumer Data Protection Act (VCDPA) and imposes a number of similar provisions, including the requirement to obtain consent to process sensitive personal data and allowing consumers to opt out of targeted advertising, sale of personal data, and significant profiling decisions.
Specifically, under TIPA, consumers are granted the right to access their personal information (including the right to confirm whether a controller is processing their personal information), the right to delete information provided by or obtained about them, the right to obtain a copy of their personal information in a portable format, the right to correct inaccuracies in their personal information, and the right to appeal any denial of a consumer request relating to these rights.
However, Tennessee diverges from VCDPA in three significant respects, including:
- Constricting the threshold for application to companies that make more than $25 million in revenue and either (a) control or process personal information of 175,000 or more Tennessee residents or (b) control or process data on at least 25,000 consumers and derive more than 50% of gross revenue from the sale of personal information.
- Extending the pseudonymous information carve-out to the consumer right to opt out of targeted advertising, sale of personal data, and significant profiling decisions.
- Establishing a blanket entity-level exemption for licensed insurance companies.
In a departure from other state data privacy laws, TIPA establishes an affirmative defense against enforcement for a business that “creates, maintains, and complies with a written privacy program” that conforms to the federal National Institute of Standards and Technology (NIST) privacy framework. The bill explicitly references NIST, but also recognizes “other documented policies, standards, and procedures designed to safeguard consumer privacy.”
TIPA does not include a private right of action. It may only be enforced by the Tennessee Attorney General following a 60-day cure period for alleged violations. If businesses do not remediate within the cure period, the Attorney General may pursue civil penalties of up to $7,500 per violation.