Learn what Tennessee’s new data privacy law means for consumers and for businesses.
This year, Tennessee joined 13 other US states with data privacy laws by taking an important step towards safeguarding digital rights. The Tennessee Information Protection Act, passed in May 2023, enshrines consumer data privacy rights into state law and places new responsibilities on data controllers. Like the other US states that have passed data privacy laws recently, Tennessee’s legislation can be seen as a response to the lack of a comprehensive federal data protection regulation.
In this blog post, we’ll cover the key provisions of the Tennessee Information Protection Act, its implications for individuals and businesses, and its timeline and enforcement. We’ll also explore how the law stacks up against other state data privacy laws, and we’ll offer some suggestions for organizations to strengthen their data privacy measures.
What are the main elements of the Tennessee Information Protection Act?
As the eighth US state data privacy law, the Tennessee Information Protection Act (TIPA) is in good company. It was passed within two months of three other state privacy laws, the Iowa Act Relating to Consumer Data Protection (ICDPA), the Indiana Data Privacy Law (IDPL), and the Montana Consumer Data Privacy Act (MTCDPA). We’ll discuss the exact provisions of the Tennessee legislation below.
Consumer rights under the TIPA
The Tennessee Information Protection Act establishes a number of consumer rights to give individuals more control over how their personal data is collected, processed, and stored. These rights include:
- The right to access personal information.
- The right to confirm and/or correct inaccuracies in personal data.
- The right to request deletion of personal information.
- The right to obtain a copy of data being processed in a usable and portable format (portability).
- The right to opt out of data processing for the purposes of sale, profiling, or targeted advertising.
Like most other states with data privacy laws, Tennessee specifically defines categories of sensitive data in its legislation. For the TIPA, sensitive data includes information regarding a person’s:
- Mental or physical health diagnoses
- Identifiable genetic and biometric data
- Racial or ethnic origins
- Religious beliefs
- Sexual orientation
- Citizenship and immigration status
- Precise geolocation data
The TIPA also considers information about a known child to be sensitive data, and that data must be processed in accordance with the Children’s Online Privacy Protection Act (COPPA).
Data controller obligations under the TIPA
The good news first: many businesses that have built data privacy programs to comply with laws in other states will likely find that those programs are also sufficient in Tennessee. Regardless, every organization subject to the TIPA will need to have a comprehensive understanding of their new obligations toward data subjects.
Tennessee defines data controllers as entities determining the purpose and means of processing personal data, and data processors as entities that actually process the data on behalf of a controller. The TIPA requires both data processors and controllers to:
- Obtain consumer consent through a “clear affirmative act” before processing sensitive data.
- Limit the collection of personal data to what is relevant and reasonably necessary.
- Implement reasonable organizational and technical security measures to safeguard personal data.
- Provide clear privacy notices that explain the categories of personal information being processed, the purpose for processing that information, and the consumer’s rights in relation to that personal information.
- Process consumers’ personal information in a non-discriminatory manner.
- Respond to consumer requests within 45 days and establish an appeals process for requests that are denied.
- Allow consumers to opt out of the use of their personal information for targeted advertising and for sale to third parties.
- Practice data minimization.
Notably, the TIPA also requires that data controllers conduct well-documented data protection assessments for certain types of processing, including the processing of personal information for purposes of targeted advertising or profiling, the sale of personal information, and the processing of sensitive data.
Timeline and enforcement of the TIPA
The Tennessee Information Protection Act, formerly SB 73, was passed by the Tennessee State Senate in April 2023 and signed into law by Tennessee Governor Bill Lee in May 2023. It won’t go into effect until July 2025, giving businesses over two years to prepare for compliance.
Once the TIPA does go into effect, it will be enforced by the Tennessee Attorney General. In the case of alleged violations, data processors and controllers will have a 60-day cure period to rectify the issue. After that cure period, businesses that remain in violation of the law will be liable for civil penalties of up to $7,500 per violation.
The TIPA does not contain a private right of action, meaning that individual consumers cannot sue businesses for violating their rights under the law. However, the attorney general’s office may assign treble damages, a.k.a. triple the penalties, in the case of willful violations.
Who must comply with the TIPA, and who is exempt?
The TIPA generally applies to large organizations that conduct business in Tennessee or produce products or services targeted to residents of Tennessee. The threshold for applicability is fairly high, with businesses needing to make more than $25 million in annual revenue and either a) control/process the personal information of 175,000+ consumers, or b) control/process the personal information of 25,000+ consumers and derive more than 50% of their gross revenue from the sale of that information.
There are a number of exemptions for organizations under the TIPA, including:
- Nonprofit organizations
- Government agencies
- Financial institutions subject to the Gramm-Leach-Bliley Act (GLBA)
- Institutions of higher education
The TIPA also includes several exemptions specific to healthcare data, including an exemption for insurance companies that is the first of its kind. Other health-related exemptions include entities governed by the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH).
Finally, the TIPA excludes categories of data, including publicly available data, aggregated or otherwise de-identified data, and data governed by the Family Educational Rights and Privacy Act (FERPA), the federal Farm Credit Act, and the Fair Credit Reporting Act (FCRA).
How does the TIPA compare to other state-level data privacy laws?
The more state privacy laws there are, the more difficult it becomes to compare and contrast them. While the majority of these laws share a core focus on safeguarding personal data and mandating transparency in data processing activities, the nuances in enforcement, exemptions, and qualifying thresholds vary from state to state. Let’s see where Tennessee fits in.
The NIST Privacy Framework defense. The TIPA allows businesses a unique affirmative defense against legal action if they voluntarily create, maintain, and comply with a written privacy program that follows the National Institute of Standards and Technology’s (NIST) Privacy Framework. Although Utah and Connecticut offer similar NIST-based safe harbors, Tennessee’s is the most explicit.
Relatively business-friendly. With the exception of outliers like the Florida Digital Bill of Rights, most state data privacy laws can be sorted into two camps. There’s the more consumer-friendly bunch, like the California Consumer Privacy Act (CCPA), its amending California Privacy Rights Act (CPRA) and the Colorado Privacy Act (CPA). Then there’s the more business-friendly group, which includes the Virginia Consumer Data Protection Act (VCDPA) and the Utah Consumer Privacy Act (UCPA). Data privacy experts place Tennessee’s law squarely in the latter group.
Opposition from consumer advocates. As one of the more business-friendly state data protection laws, the TIPA has faced resistance from consumer rights organizations. According to these advocates, the legislation has too many loopholes to provide individuals with meaningful control over their data. The TIPA offers no universal opt-out mechanism, meaning that consumers have no easy way to stop data sales and tracking, and no private right of action. And its consumer rights do not extend to pseudonymous information, which the advocacy group Consumer Reports says renders the right to opt out of targeted advertising “largely meaningless.” As a result, privacy advocates have urged the state to pass amendments that strengthen its protections for individuals.
How to prepare for compliance with the Tennessee Information Protection Act
In the absence of a comprehensive federal law for data protection in the United States, compliance can feel like a hodgepodge of competing efforts. Luckily, there are some basic steps that every organization can take to mitigate privacy risks and minimize liability under the TIPA.
Update privacy policies. Businesses will need to create or update a written privacy notice that discloses the categories of personal information processed by the controller, the purpose for processing that information, and how consumers can exercise their TIPA rights. The privacy notice should also include at least one method — email, web form, toll-free telephone number, etc. — for consumers to submit requests about their TIPA rights, and it should describe the process by which consumers can opt out of profiling, targeted advertising, and the sale of their personal information. Additionally, if businesses plan to use the NIST safe harbor, they will need their privacy policies to reasonably conform to the NIST Privacy Framework.
Conduct data processing assessments. Companies should conduct DPAs that weigh the direct and indirect benefits and risks of their data processing for the controller, the consumer, and other stakeholders. These assessments must describe the nature, purpose, and duration of data processing; the categories of personal data to be processed; provisions on confidentiality and on hiring subcontractors; and more. Separate DPAs must be conducted for each category of data processing.
Adopt a data minimization framework. To aid compliance with the TIPA, organizations should implement data minimization and purpose limitation principles. In other words, they should limit the collection and processing of personal information to what is adequate, relevant, and reasonably necessary. True data minimization will require a thorough assessment of how data is collected, stored, and processed as well as how long it’s retained and whether it is safely deleted.
Implement robust data security practices and technologies. Finally, businesses should be sure that they are protecting consumer data from unauthorized access, public breaches, ransomware attacks, and other cyberthreats. This will require implementing both organizational safeguards (e.g. employee training) and technologies (e.g. SaaS solutions for ensuring strong data security and privacy).
Enhance your data privacy with ShardSecure
Adhering to new data protection laws poses compliance challenges for even the most seasoned privacy experts. ShardSecure has a solution.
The ShardSecure platform offers an innovative and agentless form of end-to-end encryption, strengthening data privacy, security, and resilience. Our technology safeguards data against unauthorized third-party access, including by infrastructure administrators and cloud service providers. As an integral component of a comprehensive cybersecurity strategy, ShardSecure’s platform enables businesses to protect not only consumers’ personal information but also any other critical data they wish to secure.