Tennessee - Sectoral Privacy Overview
November 2022
1. RIGHT TO PRIVACY/CONSTITUTIONAL PROTECTION
The Constitution of the State of Tennessee does not expressly grant a right of privacy. Section 7 of the Constitution guarantees '[t]hat the people shall be secure in their persons, houses, papers and possessions, from unreasonable searches and seizures'. This provision closely mirrors the Fourth Amendment of the United States Constitution.
2. KEY PRIVACY LAWS
Unlike several other states in the US, Tennessee has not attempted to enact a comprehensive privacy and data protection statute. Instead, in a piecemeal fashion, Tennessee law addresses some of the issues surrounding both personal privacy and the obligations of businesses to protect data. The following Guidance Note will provide an overview of the ways in which Tennessee law addresses these issues.
Common Law
Since 1956, the Tennessee Supreme Court ('the Supreme Court') has recognised a right of privacy as the 'right to be let alone; the right of a person to be free of unwarranted publicity' (Langford v. Vanderbilt University, 287 S.W. 2d 32 (Tenn 1956)). In the case of West v. Gen. Media Svcs., 53 S.W.3d 640 (Tenn 2001), the Supreme Court recognised the claim of 'false light' invasion of privacy and adopted Restatement (Second) of Torts, as many other states have done, to recognise the four possible types of common law invasion of privacy (see West at 643):
"One who invades the right of privacy of another is subject to liability for the resulting harm to the interests of the other.
The right of privacy is invaded by: unreasonable intrusion upon the seclusion of another; unreasonable publicity given to the other's private life; appropriation of the other's name or likeness; and publicity that unreasonably places the other in a false light before the public."
This is the common law on privacy in Tennessee today. The false light cause of action, which is similar to defamation, is based on protecting the interest of the individual from publication of false or misleading information about them.
Two of these remedies - 'appropriation of the other's name or likeness' and 'publicity that unreasonably places the other in a false light before the public' - have been used mainly when the likeness was obtained without invading someone's privacy but are not limited to those situations. In fact, these two remedies need not involve private matters at all. The appropriation remedy allows for recovery against a person who appropriates to their own use or benefit the name or likeness of another. Tennessee law defines 'unreasonable intrusion upon seclusion' as intentionally intruding, physically or otherwise, upon the solitude or seclusion of another or their private affairs or concerns, and liability occurs if the intrusion would be highly offensive to a reasonable person. Unlike the other remedies, this remedy does not require that the private material have been made public. It does, however, require 'a reasonable expectation of privacy', a phrase that is not defined in any Tennessee civil case.
The ID Law
Tennessee's Identity Theft Deterrence Act of 1999 ('the ID Law'), under §47-18-2101 et seq. of Part 21 of Chapter 18 of Title 47 of the Tennessee Code ('Tenn. Code') (see the Tennessee General Assembly), is Tennessee's primary data protection law, which provides in part that it is unlawful to obtain, possess, or use a person's personal identification documents (including credit card numbers, driver's licence and passport numbers, and licensure numbers, for example), for unlawful economic benefit.
The ID Law also addresses a company's obligation in the event of a data breach. All 50 states have enacted laws about how a business must respond to a breach of security that involves the unauthorised disclosure of personal information. Tennessee has updated its data breach notification statute three times in the last ten years. Currently, Tenn. Code §47-18-2107(a)(1) provides that 'breach of system security' means unauthorised acquisition of unencrypted computerized data that materially compromises the security, confidentiality, or integrity of personal information maintained by the information holder. 'Personal Information' is defined as a first name or first initial and last name in combination with a social security number, driver's license or financial account information that would allow access to a financial account. This definition is common among many state data breach statutes. Good faith acquisition of personal information by an employee or agent of the information holder for the purposes of the information holder is not a breach of the security of the system, provided that the personal information is not used or subject to further unauthorised disclosure.
Many states, including Tennessee, have limited the obligation of an 'information holder' to notify affected persons to cases where the data that was subject to the breach is unencrypted. Tennessee also requires that, for notification to be necessary, the breach must 'materially compromise the security, confidentiality, or integrity' of the business's systems. Under Tenn. Code §47-18-2107(d), the business must notify affected Tennessee residents 'in the most expedient time possible', although notification may be delayed for purposes of a law enforcement investigation.
Unlike many other states, Tennessee does allow for a private right of action for violations of the ID Law. A violation of this act is subject to the Tennessee Consumer Protection Act of 1977 (under §47-18-101 et seq. of Part 1 of Chapter 18 of Title 47 of the Tenn. Code), which allows for a plaintiff to recover triple damages and attorneys' fees (Tenn. Code §47-18-2102), if the plaintiff can prove actual damages stemming from the violation.
Personal Privacy Protection Act
The Personal Privacy Protection Act, under §39-13-612 of Part 6 of Chapter 13 of Title 39 of the Tenn. Code, was recently enacted through House Bill 159. The title of this law suggests a broad application, but the Act is quite narrow in purpose and effect. It prohibits state agencies that collect information about donors or volunteers to non-profit organisations from releasing that information to anyone. It protects personal information only to the extent it relates to a person's involvement in a charitable or political organisation.
Criminal Invasion of Privacy
Tennessee criminal statutes prohibit invasion of privacy by wiretap, unauthorised photography, electronic tracking of vehicles, or spying, found under §39-13-601 et seq. of Part 6 of Chapter 13 of Title 39 of the Tenn. Code.
Tennessee is a 'one-party state' for purposes of wiretapping laws – it is not a violation of the statute for a party to the communication to record or intercept a wire, oral, or electronic communication without authorisation of the other party. Also, communications that are generally available to the public are not subject to the criminal statutes.
Tenn. Code §§39-13-605 and 608 prohibit unauthorised photography or spying that is for purposes that would embarrass the victim or that is performed for the sexual gratification of the defendant.
Tenn. Code §39-13-606 prohibits placing electronic tracking devices on vehicles without the consent of all owners. Parents and guardians are exempted from prosecution under this law if they are tracking vehicles driven by a child under the age of 18.
Violation of any of the provisions above is a felony, resulting in imprisonment and loss of voting rights.
3. HEALTH DATA
Tennessee has a limited law that protects health information from being used by solicitors of legal services to patients. §47-18-3001 et seq. of Part 30 of Chapter 18 of Title 47 of the Tenn. Code prohibits the use of protected health information to offer legal services to the subject of that information without the subject's authorisation. A wilful violation of this Section may result in a Class A misdemeanour or a Class C felony, punishable by fines and imprisonment, under Tenn. Code §47-18-3003.
4. FINANCIAL DATA
Tennessee recently passed an Insurance Data Security Act, under §56-2-1001 et seq. of Part 10 of Chapter 2 of Title 56 of the Tenn. Code, that requires insurance carriers to take steps to protect consumers' financial information, as well as their medical and personal information. Under the new law, insurance carriers must:
- identify internal or external threats that could result in unauthorised access, transmission, disclosure, misuse, or destruction of consumers' private information;
- develop, implement, and maintain an information security program based on its individual risk assessment with a designated employee in charge of the information security program; and
- investigate any cybersecurity breach and notify the Insurance Commissioner of the Department of Commerce and Insurance of a cybersecurity event if the licensee is a domiciled insurer or if more than 250 Tennesseans are impacted.
Currently, this is the only state law that expressly protects financial information, and it applies only to insurance carriers. Banks in Tennessee are subject to the Gramm-Leach-Bliley Act of 1999 and other federal regulations regarding the confidentiality of banking information.
5. EMPLOYMENT DATA
Currently there is no law in Tennessee that requires employers to keep employee data private. The Americans with Disabilities Act of 1990 and other federal statutes impose certain obligations on employers, but there are no state-specific obligations.
6. ONLINE PRIVACY
Currently there is no law in Tennessee that relates to online privacy or data protection or regulates online advertising. The Children's Online Privacy Protection Act of 1998 requires certain website and online service providers to obtain verifiable parental consent before collecting, using, or disclosing personal information from minors under the age of 13, but no law currently protects the information of those over 13 in Tennessee.
7. UNSOLICITED COMMERCIAL COMMUNICATIONS
Tennessee law prohibits the use of automatic dialling devices to telemarket to Tennessee residents, as per §47-18-1501 et seq. of Part 15 of Chapter 18 of Title 47 of the Tenn. Code. A violation of this law can result in a Class A misdemeanour charge, which carries fines, or civil penalties of up to $1,000 per call made in violation of the law. It further prohibits sending advertising emails to Tennessee residents that do not include an email and telephone number which the receiver can use to opt out of further communication.
§47-18-2501 et seq. of Part 25 of Chapter 18 of Title 47 of the Tenn. Code also requires certain characters to be included in every advertising email, and notes in §47-18-2501(d) that if an email consists of unsolicited advertising material for the lease, sale, rental, gift offer or other disposition of any realty, goods, services or extension of credit, the subject line of each and every message must include 'ADV:' as the first four characters. If these messages contain information that consists of unsolicited advertising material for the lease, sale, rental, gift offer, or other disposition of any realty, goods, services, or extension of credit, that may only be viewed, purchased, rented, leased, or held in possession by an individual 18 years of age or older, the subject line of each and every message must include 'ADV:ADLT' as the first eight characters.
A violation of any provision of this law can result in damages to the receiver of the email of $10 per email or $5,000 per day. Electronic service providers who merely transmit emails are not held liable under this law.
8. PRIVACY POLICIES
Currently, no Tennessee law addresses requirements for privacy policies for businesses operating in the state. Tennessee businesses are subject to the Federal Trade Commission prohibitions against unfair or deceptive practices in security or privacy notices, but there are no additional obligations imposed by Tennessee law.
9. DATA DISPOSAL/CYBERSECURITY/DATA SECURITY
Tennessee law, at §47-18-2901 of Part 29 of Chapter 18 of Title 47 of the Tenn. Code, requires state, county and municipal agencies to 'create safeguards and procedures' to secure information about Tennessee citizens stored on laptops used by their employees. A Tennessee citizen will have a private right of action and claim of damages against the state if he or she proves 'by clear and convincing evidence' that the state's failure to safeguard the information resulted in the citizen being a victim of identity theft.
10. OTHER SPECIFIC JURISDICTIONAL REQUIREMENTS
Video Consumer Privacy
Although consumer video rental stores are more and more difficult to find in Tennessee every year, Tennessee still has a law in effect protecting any information as to whether a consumer rented or requested 'specific videos or services' from unauthorised disclosure (see §47-18-2201 et seq. of Part 22 of Chapter 18 of Title 47 of the Tenn. Code).