Tennessee - Sectoral Privacy Overview

October 2023

1. Right to Privacy/Constitutional Protection

The Constitution of the State of Tennessee does not expressly grant a right to privacy. Section 7 of the Constitution guarantees '[t]hat the people shall be secure in their persons, houses, papers, and possessions, from unreasonable searches and seizures'. This provision closely mirrors the Fourth Amendment of the United States Constitution.

2. Key Privacy Laws 

TIPA

The Tennessee Information Protection Act ('TIPA'), codified at 47-18-3201 et seq., is Tennessee's 2023 implementation of explicit consumer rights with respect to the use of personal information.

Only businesses with $25 million or more in revenue and one of the following are required to comply:

  • control or process personal information of at least 25,000 consumers and derive more than 50% of gross revenue from the sale of personal information; or
  • during a calendar year, control or process personal information of at least 175,000 consumers.

Under the TIPA, Tennessee consumers have rights to access, correct, delete (in limited circumstances), obtain a copy of, or opt out of the sale of, their personal information. Like most of the other state laws, the TIPA prescribes the elements of a public-facing privacy notice with specificity. Consumers also have the right to transparency regarding the use of their data.

The TIPA also mandates privacy by design. Under the TIPA, it is a consumer right:

  • for data collection to be minimized to the particular purpose for which it is being collected;
  • for data to be protected with administrative, technical, and physical safeguards;
  • to not be discriminated against for exercising their rights; and
  • to not have sensitive information about race, religious beliefs, children, or precise geolocation processed without consent.

Notably, the TIPA provides that consumer rights are not waivable by contract.

The TIPA also creates a blanket exception to these rights for pseudonymous data, as long as the controller of the information can demonstrate that 'the information necessary to identify the consumer is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing the information.'

The TIPA also exempts all businesses that are subject to the Health Insurance Portability and Accountability Act of 1996 ('HIPAA') Privacy and Security Rules or other health record regulations, or to the Gramm-Leach-Bliley Act of 1999 ('GLBA'). The TIPA further exempts non-profits and institutions of higher education among others, which is common in similar state laws, and also insurance producers, which is less common.

Much like the California Consumer Protection Act of 2018 ('CCPA') (last amended in 2020 by the California Privacy Rights Act of 2020 ('CPRA')), in Tennessee under the TIPA, controllers of personal information are now required to conduct data protection assessments and to have adequate records of those assessments to respond to an inquiry from the Tennessee Attorney General ('AG') if necessary.

Like most states, the TIPA does not allow for a private right of action. It is the AG's purview to bring enforcement actions, and in line with other states, the initial cap on civil penalties is $7,500 per violation. However, Tennessee's historically strong consumer protection laws allow for the tripling of damages for willful violations.

Finally, and most notably, the TIPA introduces the first 'safe harbor' based on a business's privacy practices. A business may avoid liability under the TIPA by 'reasonably conforming' to the National Institute of Standards and Technology ('NIST') Privacy Framework. (An alarming earlier version of the bill would have made it a deceptive practice to not conform to the NIST Privacy Framework.) The TIPA sets forth a number of factors for determining whether or not a business's privacy framework is appropriate relative to the company's size, complexity, and breadth of data processing.

Common Law

Since 1956, the Tennessee Supreme Court ('the Supreme Court') has recognized a right of privacy as the 'right to be let alone; the right of a person to be free of unwarranted publicity' (Langford v. Vanderbilt University, 287 S.W. 2d 32 (Tenn 1956)). In the case of West v. Gen. Media Svcs., 53 S.W.3d 640 (Tenn 2001), the Supreme Court recognized the claim of 'false light' invasion of privacy and adopted Restatement (Second) of Torts, as many other states have done, to recognize the four possible types of common law invasion of privacy (see West at 643):

"One who invades the right of privacy of another is subject to liability for the resulting harm to the interests of the other.

The right of privacy is invaded by: unreasonable intrusion upon the seclusion of another; unreasonable publicity given to the other's private life; appropriation of the other's name or likeness; and publicity that unreasonably places the other in a false light before the public."

This is the common law on privacy in Tennessee today. The false light cause of action, which is similar to defamation, is based on protecting the interest of the individual from publication of false or misleading information about them.

Two of these remedies - 'appropriation of the other's name or likeness' and 'publicity that unreasonably places the other in a false light before the public' - have been used mainly when the likeness was obtained without invading someone's privacy but are not limited to those situations. In fact, these two remedies need not involve private matters at all. The appropriation remedy allows for recovery against a person who appropriates to their own use or benefit the name or likeness of another. Tennessee law defines 'unreasonable intrusion upon seclusion' as intentionally intruding, physically or otherwise, upon the solitude or seclusion of another or their private affairs or concerns, and liability occurs if the intrusion would be highly offensive to a reasonable person. Unlike the other remedies, this remedy does not require that the private material has been made public. It does, however, require 'a reasonable expectation of privacy', a phrase that is not defined in any Tennessee civil case.

The ID Law

Tennessee's Identity Theft Deterrence Act of 1999 ('the ID Law'), under §47-18-2101 et seq. of Part 21 of Chapter 18 of Title 47 of the Tennessee Code ('Tenn. Code') (see the Tennessee General Assembly), provides in part that it is unlawful to obtain, possess, or use a person's personal identification documents (including credit card numbers, driver's license and passport numbers, and licensure numbers, for example), for unlawful economic benefit.

The ID Law also addresses a company's obligation in the event of a data breach. All 50 states have enacted laws about how a business must respond to a breach of security that involves the unauthorized disclosure of personal information. Tennessee has updated its data breach notification statute three times in the last ten years. Currently, Tenn. Code §47-18-2107(a)(1) provides that 'breach of system security' means unauthorized acquisition of unencrypted computerized data that materially compromises the security, confidentiality, or integrity of personal information maintained by the information holder. 'Personal Information' is defined as a first name or first initial and last name in combination with a social security number, driver's license or financial account information that would allow access to a financial account. This definition is common among many state data breach statutes. Good faith acquisition of personal information by an employee or agent of the information holder for the purposes of the information holder is not a breach of the security of the system, provided, that the personal information is not used or subject to further unauthorized disclosure.

Many states, including Tennessee, have limited the obligation of an 'information holder' to notify affected persons to cases where the data that was subject to the breach is unencrypted. Tennessee also requires that for notification to be necessary, the breach must 'materially compromise the security, confidentiality, or integrity' of the business's systems. Under Tenn. Code §47-18-2107(d), the business must notify affected Tennessee residents 'in the most expedient time possible', although notification may be delayed for purposes of a law enforcement investigation.

Unlike many other states, Tennessee does allow for a private right of action for violations of the ID Law. A violation of this act is subject to the Tennessee Consumer Protection Act of 1977 (under §47-18-101 et seq. of Part 1 of Chapter 18 of Title 47 of the Tenn. Code), which allows for a plaintiff to recover triple damages and attorneys' fees (Tenn. Code §47-18-2102), if the plaintiff can prove actual damages stemming from the violation.

Personal Privacy Protection Act

The Personal Privacy Protection Act is found under §39-13-612 of Part 6 of Chapter 13 of Title 39 of the Tenn. Code. The title of this law suggests a broad application, but the Act is quite narrow in purpose and effect. It prohibits state agencies that collect information about donors or volunteers to non-profit organizations from releasing that information to anyone. It protects personal information only to the extent it relates to a person's involvement in a charitable or political organization.

Criminal Invasion of Privacy

Tennessee criminal statutes prohibit invasion of privacy by wiretap, unauthorized photography, electronic tracking of vehicles, or spying, found under §39-13-601 et seq. of Part 6 of Chapter 13 of Title 39 of the Tenn. Code.

Tennessee is a 'one-party state' for purposes of wiretapping laws – it is not a violation of the statute for a party to the communication to record or intercept a wire, oral, or electronic communication without authorization of the other party. Also, communications that are generally available to the public are not subject to the criminal statutes.

Tenn. Code §§39-13-605 and 608 prohibit unauthorized photography or spying that would embarrass the victim or that is performed for the sexual gratification of the defendant.

Tenn. Code §39-13-606 prohibits placing electronic tracking devices on vehicles without the consent of all owners. Parents and guardians are exempted from prosecution under this law if they are tracking vehicles driven by a child under the age of 18.

Violation of any of the provisions above is a felony, resulting in imprisonment and loss of voting rights.

3. Health Data

Tennessee has a limited law that protects health information from being used by solicitors of legal services to patients. §47-18-3001 et seq. of Part 30 of Chapter 18 of Title 47 of the Tenn. Code prohibits the use of protected health information to offer legal services to the subject of that information without the subject's authorization. A willful violation of this Section may result in a Class A misdemeanor or a Class C felony, punishable by fines and imprisonment, under Tenn. Code §47-18-3003.

4. Financial Data

The Insurance Data Security Law, under §56-2-1001 et seq. of Part 10 Chapter 2 of Title 56 of the Tenn. Code, requires insurance carriers to take steps to protect consumers' financial information, as well as their medical and personal information. Under the law, insurance carriers must:

  • identify internal or external threats that could result in unauthorized access, transmission, disclosure, misuse, or destruction of consumers' private information;
  • develop, implement, and maintain an information security program based on its individual risk assessment with a designated employee in charge of the information security program; and
  • investigate any cybersecurity breach and notify the Insurance Commissioner of the Department of Commerce and Insurance of a cybersecurity event if the licensee is a domiciled insurer or if more than 250 Tennesseans are impacted.

Banks in Tennessee are subject to the GLBA and other federal regulations regarding the confidentiality of banking information.

5. Employment Data

Currently, there is no law in Tennessee that requires employers to keep employee data private. The Americans with Disabilities Act of 1990 and other federal statutes impose certain obligations on employers, but there are no state-specific obligations.

6. Online Privacy

Currently, there is no law in Tennessee that relates to online privacy or data protection or regulates online advertising. The Children's Online Privacy Protection Act of 1998 ('COPPA') requires certain websites and online service providers to obtain verifiable parental consent before collecting, using, or disclosing personal information from minors under the age of 13, but no law currently protects the information of those over 13 in Tennessee.

7. Unsolicited Commercial Communications

Tennessee law prohibits the use of automatic dialing devices to telemarket to Tennessee residents, as per §47-18-1501 et seq. of Part 15 of Chapter 18 of Title 47 of the Tenn. Code. A violation of this law can result in a Class A misdemeanor charge, which carries fines, or civil penalties of up to $1,000 per call made in violation of the law. It further prohibits sending advertising emails to Tennessee residents that do not include an email and telephone number which the receiver can use to opt out of further communication.

§47-18-2501 et seq. of Part 25 of Chapter 18 of Title 47 of the Tenn. Code also requires certain characters to be included in every advertising email, and notes in §47-18-2501(d) that if an email consists of unsolicited advertising material for the lease, sale, rental, gift offer, or other disposition of any realty, goods, services or extension of credit, the subject line of each and every message must include 'ADV:' as the first four characters. If these messages contain information that consists of unsolicited advertising material for the lease, sale, rental, gift offer, or other disposition of any realty, goods, services, or extension of credit, that may only be viewed, purchased, rented, leased, or held in possession by an individual 18 years of age or older, the subject line of each and every message must include 'ADV: ADLT' as the first eight characters.

A violation of any provision of this law can result in damages to the receiver of the email of $10 per email or $5,000 per day. Electronic service providers who merely transmit emails are not held liable under this law.

8. Privacy Policies

Currently, no Tennessee law addresses requirements for privacy policies for businesses operating in the state. Tennessee businesses are subject to the Federal Trade Commission ('FTC') prohibitions against unfair or deceptive practices in security or privacy notices, but there are no additional obligations imposed by Tennessee law.

9. Data Disposal/Cybersecurity/Data Security

Tennessee law, at §47-18-2901 of Part 29 of Chapter 18 of Title 47 of the Tenn. Code, requires state, county, and municipal agencies to 'create safeguards and procedures' to secure information about Tennessee citizens stored on laptops used by their employees. A Tennessee citizen will have a private right of action and claim of damages against the state if he or she proves 'by clear and convincing evidence' that the state's failure to safeguard the information resulted in the citizen being a victim of identity theft.

10. Other Specific Jurisdictional Requirements

Video Consumer Privacy

Although consumer video rental stores are more and more difficult to find in Tennessee every year, Tennessee still has a law in effect protecting any information as to whether a consumer rented or requested 'specific videos or services' from unauthorized disclosure (see §47-18-2201 et seq. of Part 22 of Chapter 18 of Title 47 of Tenn. Code).
