Law: The Tennessee Information Protection Act ('TIPA')
Regulator: The Tennessee Attorney General ('AG')
Summary: On 11 May 2023, the Tennessee Governor signed the TIPA into law, which shall enter into force on 1 July 2025. The TIPA sets out obligations for businesses covered by its scope, such as risk assessments, data minimisation requirements, and obtaining opt-in consent for processing sensitive personal information, and establishes consumer rights, including the right to know, access, correction, deletion, and data portability, as well as a right to opt out of the sale of personal information, targeted advertising, and profiling. Moreover, the TIPA provides the AG with exclusive authority to bring actions, while also recognising that a controller or processor that complies with a privacy program that reasonably conforms to the National Institute of Standards of Technology ('NIST') or other documented policies, standards, and procedures designed to safeguard consumer privacy, has an affirmative defence to a cause of action for a violation of the TIPA.
Furthermore, Tennessee has recognised the common law tort of invasions of privacy, and like all US States, it has enacted a data breach notification law under §47-18-2107 of the Tennessee Code, as amended in 2017. Notably, Tennessee was the first State in the US requiring notification of a breach of both encrypted and unencrypted information. In addition, the Tennessee legislature, in 2017, amended the definition of a breach of system security to not include the good faith acquisition of personal information by an employee if the personal information is not used or subject to further unauthorised disclosure. Other Tennessee privacy laws tend to focus on consumer protection, including laws governing the privacy of consumer reports, security freeze requests, identity theft, and the protection of personally identifiable information of consumers of video tape sellers or service providers. In addition, Tennessee has sector-specific laws limiting the disclosure or redisclosure and reuse of non-public personal information by insurers and agents.
In addition, on 28 April 2023, the Tennessee Governor signed into law the Genetic Information Privacy Act, which shall enter into effect on 1 July 2023.
You can track other US State bills through our US State Law Tracker.