Definitions

The TIPA contains definitions for new terms, including 'covered entity,' 'personal data,' 'sensitive data,' 'biometric data,' 'consent,' 'processing,' 'profiling,' and 'sale of personal data.' Among the notable definitions are those of 'controller,' which means a person that, alone or jointly with others, determines the purpose and means of processing personal data, and 'processor,' which means a person that processes personal data on behalf of a controller.

The TIPA also defines 'personal data' as information linked or reasonably linkable to an identified or identifiable individual, and does not include de-identified data, aggregate data, or publicly available information. Deidentified data, on the other hand, refers to data that cannot reasonably be linked to an identified or identifiable natural person, or a device linked to that individual (see the section on deidentified data below).

Further to the above, the TIPA defines 'consumer' as a natural person who is a resident of Tennessee acting only in a personal context and does not include a natural person acting in a commercial or employment context. Moreover, 'consent' is defined as a clear affirmative act that signifies a consumer's freely given, specific, informed, and unambiguous agreement to process personal information relating to the consumer, which may include a written statement, including one written by electronic means, or any other unambiguous affirmative action.

With regard to 'sensitive data,' the TIPA specifies that this will include:

• personal information revealing racial or ethnic origin, religious beliefs, a mental or physical health diagnosis made by a healthcare provider, sexual orientation, citizenship, or immigration status;
• the processing of genetic or biometric data that is processed for the purpose of uniquely identifying a specific individual;
• personal data collected from a known child; and
• precise geolocation data.

Scope

The TIPA is applicable to a person that conducts business in Tennessee or produces products or services that are targeted to residents of Tennessee and exceed $25,000,000 in revenue, and that:

• control or process personal information of at least 25,000 consumers and derive more than 50% of gross revenue from the sale of personal information; or
• during a calendar year, control or process personal information of at least 175,000 consumers.

However, the TIPA clarifies that it does not apply to a body, authority, board, bureau, commission, district, or political subdivisions of the state, as well as financial institutions, affiliates of financial institutions, or data subject to the Gramm-Leach Bliley Act (GLBA), and an individual, firm, association, corporation, or other entity that is licensed in Tennessee under Tennessee Code Title 56 as an insurance company and transacts insurance business.

Covered entities or business associates governed by the privacy, security, and breach notification rules under the Health Insurance Portability and Accountability Act (HIPAA) are exempt from the TIPA. This exemption extends to covered entities and business associates under the HIPAA Privacy and Security Rules, as well as the federal Health Information Technology for Economic and Clinical Health Act (HITECH Act).

The TIPA will also not apply to, among others:

• non-profit organizations;
• institutions of higher education;
• protected health information under HIPAA;
• health records for the purposes of Tennessee Code Title 68; and
• patient identifying information for purposes of §§290dd-2 of Title 42 of the U.S. Code (U.S.C).

The TIPA also provides exemptions for personal information:

• processed for purposes of:
  • research conducted in accordance with the federal policy for the protection of human subjects under Title 45 Code of Federal Regulations (C.F.R), Part 46;
  • human subjects research conducted in accordance with good clinical practice guidelines issued by the International Council for Harmonization of Technical Requirements for Pharmaceuticals for Human Use; or
  • research conducted in accordance with the protection of human subjects under Title 21 CFR, Parts 6, 50, and 56; or
• processed or sold in connection with research conducted in accordance with the requirements set forth in this part, or other research conducted in accordance with applicable law.

Information and documents created for purposes of the federal Health Care Quality Improvement Act and patient safety work product under the federal Patient Safety and Quality Improvement Act are exempt from the provisions of the TIPA.

Derived information from healthcare-related information that has been de-identified in accordance with the requirements of HIPAA, as well as information included in limited data sets as described in Title 45 CFR §164.514(e) to the extent that the information is used, disclosed, and maintained in the manner specified in Title 45 CFR §164.514(e), are exempt from the TIPA.

In addition, the TIPA does not require a controller, processor, third party, or consumer to disclose trade secrets.

Furthermore, the TIPA clarifies that it does not impose an obligation on controllers and processors that adversely affects the rights or freedoms of a person, such as exercising the right of free speech pursuant to the First Amendment to the U.S. Constitution or applies to the processing of personal information by a person in the course of a purely personal activity.

Data subject rights

The TIPA establishes consumer rights that may be invoked at any time by submitting a request to the controller. These rights can also be invoked by a known child's parent or legal guardian on behalf of the known child regarding the processing of data belonging to the child. Subsequently, a controller must comply with an authenticated consumer request to exercise any such rights.

Pursuant to the above, the consumer rights provided for under the TIPA include the right to:

• confirm whether or not the controller is processing the consumer's personal data, as well as accessing such personal data;
• correct inaccuracies in the consumer's personal information, taking into account the nature of the personal information and the purposes of the processing of the consumer's personal information;
• delete personal information provided by or obtained about the consumer in certain circumstances;
• obtain a copy or summary of their personal data that they previously provided to the controller, in a portable, to the extent technically practicable, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means; and
• opt out of the processing of personal data for the purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.

Further, on the right to data deletion, a controller is not required to delete information that it maintains or uses as aggregate or de-identified data provided that such data in the possession of the controller is not linked to a specific consumer. In addition, a controller complies with a consumer's request to delete information obtained by a third party where the controller:

• retains a record of the consumer's request for deletion and the minimum data necessary to ensure that the consumer's personal data remains deleted from the controller's records, and does not use the data retained above for any other purpose; and
• provides an option for the consumer to opt out of the processing of such personal data for any purpose, except those exempted under the TIPA.

Timelines

The TIPA establishes provisions for complying with consumer rights requests, providing that controllers must respond to consumers without undue delay, and in any case no later than 45 days after receipt of a request. The timeframe for a response may be extended once by an additional 45 days when reasonably necessary, considering the complexity and number of consumer requests. However, in such cases, the consumer must be informed of such an extension within the original 45-day timeframe, together with the reason for the extension. Equally, the TIPA stipulates that controllers must inform data subjects without undue delay when declining to take action within the same timeframe, along with the reason for declining to take action, and instructions on how to appeal the decision.

Under the TIPA, information provided to consumers in response to requests must be provided free of charge up to twice annually per consumer. However, a controller may charge a reasonable fee to cover the administrative costs of complying a request that is manifestly unfounded, technically infeasible, excessive, or repetitive, with the request, or decline to act on the request. Importantly, the controller bears the burden of demonstrating the above. Additionally, the controller will not be required to comply with a request where it is unable to authenticate the request using commercially reasonable efforts and may request the consumer to provide additional information to authenticate the consumer and their request.

In addition, a controller must establish a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable period of time after the consumer's receipt of the decision. The appeal process must be:

• made available to the consumer in a conspicuous manner;
• available at no cost to the consumer; and
• similar to the process for submitting requests to initiate action.

Within 60 days of receipt of an appeal, a controller must inform the consumer in writing of the action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, then the controller must also provide the consumer with an online mechanism, if available, or other methods through which the consumer may contact the Attorney General (AG) and reporter to submit a complaint.

Additionally, the TIPA notes that any contractual provision that purports to waive or limit consumers' rights under the TIPA is contrary to public policy, void, and unenforceable.

Controller obligations

Purpose limitation

The TIPA stipulates that controllers must limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer. The TIPA further notes that controllers must not process personal data for purposes that are neither reasonably necessary for, nor compatible with, the disclosed purposes for which the personal data is processed, unless the controller obtains the consumer's consent.

Privacy notices

The TIPA further notes that controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes:

• the categories of personal data processed by the controller;
• the purpose for processing personal data;
• how consumers may exercise their consumer rights under the TIPA, including how a consumer may appeal a controller's decision with regard to the consumer's request;
• the categories of personal data that the controller sells to third parties, if any; and
• the categories of third parties, if any, to whom the controller sells personal data.

Specifically, on consumer rights, controllers must establish and describe in a privacy notice one or more secure and reliable means for consumers to submit a request to exercise their rights. Such means must take into account:

• the ways in which consumers normally interact with the controller;
• the need for the secure and reliable communication of such requests; and
• the ability of the controller to authenticate the identity of the consumer making the request.

Importantly, a controller may not require a consumer to create a new account in order to exercise the consumer's rights under the TIPA, but may require a consumer to use an existing account.

Sale of data to third parties

Moreover, the TIPA provides that with regard to the sale of data to third parties by the controller, or uses of a consumer's personal data for targeted advertising, the controller must clearly and conspicuously disclose such processing, as well as the manner in which a consumer may exercise the right to opt out of such processing.

Data security

Importantly, the TIPA also provides that controllers are required to establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal information. In this regard, the data security practices must be appropriate to the volume and nature of the personal data at issue.

DPIAs

Notably, controllers must conduct and document Data Protection Assessments (DPAs) for the following processing activities involving personal data:

• the processing of personal data for targeted advertising;
• the sale of personal data;
• the processing of personal data for purposes of profiling, if such profiling presents a reasonably foreseeable risk of:
  • unfair or deceptive treatment of, or unlawful disparate impact on, consumers;
  • financial, physical, or reputational injury to consumers;
  • a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, if such intrusion would be offensive to a reasonable person; or
  • other substantial injury to consumers;
• the processing of sensitive data; and
• processing activities involving personal data that present a heightened risk of harm to consumers.

The TIPA specifies that this requirement is applicable to processing activities created or generated on or after July 1, 2024, and are not retroactive. Importantly, DPAs conducted by a controller for the purpose of compliance with other laws, rules, or regulations may comply with the TIPA if the assessments have a reasonably comparable scope and effect.

A single DPA may address a comparable set of processing operations that include similar activities. With regard to the manner in which DPAs must be conducted, the TIPA outlines that DPAs must identify and weigh the direct and indirect benefits of the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that can be employed by the controller to reduce such risks. In this regard, the use of de-identified data, the reasonable expectations of consumers, the context of the processing, and the relationship between the controller and the consumer must be factored into such an assessment.

The AG and reporter may request a controller to disclose a DPA that is relevant to an investigation it is conducting. Upon receipt of such a request, the controller must make the DPA available to the AG and reporter. The AG and reporter may also evaluate the DPA for a controller's compliance with the responsibilities set forth in the TIPA. Nevertheless, the TIPA confirms that DPAs are confidential and exempt from public inspection and copying.

Prohibition against discrimination

The TIPA provides that controllers must not process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers. In continuation of this requirement, the TIPA specifies that controllers must not discriminate against a consumer for exercising any of the consumer rights in the TIPA, including by way of denying goods or services to consumers, charging different prices or rates for goods and services, or providing a different level or quality of goods or services to the consumer.

Use of de-identified or pseudonymous data

The TIPA specifies that a controller processing de-identified or pseudonymous data must:

• take reasonable measures to ensure the data cannot be associated with an individual;
• publicly commit to maintaining and using de-identified data without attempting to re-identify the data; and
• contractually obligate recipients of the de-identified data to comply with all provisions of the TIPA.

However, the TIPA clarifies that that it does not require a controller or processor to:

• re-identify de-identified or pseudonymous data;
• maintain data in identifiable form, or collect, obtain, retain, or access data or technology, in order to be capable of associating an authenticated consumer request with personal information; or
• comply with an authenticated consumer rights request, pursuant to §47-18-3203, if:
  • the controller is not reasonably capable of associating the request with the personal information or it would be unreasonably burdensome for the controller to associate the request with the personal information;
  • the controller does not use the personal information to recognize or respond to the specific consumer who is the subject of the personal information, or associate the personal information with other personal information about the same specific consumer; and
  • the controller does not sell the personal information to a third party or otherwise voluntarily disclose the personal information to a third party other than a processor, except as otherwise permitted in the TIPA.

Furthermore, the TIPA highlights that the consumer rights contained in the TIPA do not apply to pseudonymous data in cases where the controller is able to demonstrate information necessary to identify the consumer is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing that information.

Furthermore, a controller that discloses pseudonymous or de-identified data must exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous or de-identified data is subject and must take appropriate steps to address any breaches of those contractual commitments.

Sensitive data

With regard to sensitive data, controllers must not process sensitive data concerning a consumer without obtaining the consumer's consent, or, in the case of a known child, without processing such data in accordance with the Children's Online Privacy Protection Act (COPPA).

Processor obligations

Under the TIPA, processors must adhere to the instructions of the controller and must assist a controller in meeting their obligations, including:

• taking into account the nature of processing and the information available to the processor, by appropriate technical and organizational measures, insofar as this is reasonably practicable, to fulfill the controller's obligation to respond to consumer rights requests pursuant to §47-18-3203; and
• providing necessary information to enable the controller to conduct and document DPAs pursuant to §47-18-3206.

Notably, the TIPA further provides that a contract between a controller and a processor governs the processor's data processing procedures with respect to processing performed on behalf of the controller. The TIPA highlights that the contract must be binding and must clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract under the TIPA must also include requirements that the processor must:

• ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data;
• at the controller's direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law;
• upon the reasonable request of the controller, make available to the controller all information in the processor's possession necessary to demonstrate the processor's compliance with the obligations in the TIPA;
• allow, and cooperate with, reasonable assessments by the controller or their designated assessor; alternatively, the processor may arrange for a qualified and independent assessor to conduct the assessment of its policies and technical and organizational measures, which must be reported to the controller upon request; and
• engage any subcontractor or agent pursuant to a written contract that requires the subcontractor to meet the duties of the processor with respect to the personal data.

In determining whether a person is acting as a controller or processor with respect to specific processing of data, the TIPA explains that it is a fact-based determination that depends upon the context in which personal data is to be processed. To this end, a processor that continues to adhere to a controller's instructions with respect to the specific processing of personal data remains a processor.

Importantly, the TIPA clarifies that nothing will be construed to relieve a controller or a processor from the liabilities-imposed controller or processor by virtue of its role in the processing relationship.

Limitations

The TIPA outlines a list of items that the obligations imposed on controllers or processors under the TIPA must not restrict, including:

• complying with federal, state, or local laws, rules, or regulations;
• complying with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities;
• cooperating with law enforcement agencies concerning the conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, state, or local laws, rules, or regulations;
• investigating, establishing, exercising, preparing, or defending legal claims;
• providing a product or service specifically requested by a consumer, parent, or guardian of a child, performing a contract to which the consumer, parent, or guardian of a child is a party, including fulfilling the terms of a written warranty, or taking steps at the request of the consumer, parent, or guardian of a child prior to entering into a contract;
• prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity, investigate, report, or prosecute those responsible for any such action, and preserve the integrity or security of systems;
• engage in public- or peer-reviewed scientific or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board, or similar independent oversight entity that determines whether:
  • deletion of the information is likely to provide substantial benefits that do not exclusively accrue to the controller;
  • the expected benefits of the research outweigh the privacy risks; and
  • the controller has implemented reasonable safeguards to mitigate privacy risks associated with research, including risks associated with reidentification; or
• assist another controller, processor, or third party with the obligations under the TIPA.

In addition, the TIPA clarifies that the obligations imposed on a controller or processor will not restrict their ability to collect, use, or retain data to:

• conduct internal research to develop, improve, or repair products, services, or technology;
• effectuate a product recall; or
• perform internal operations that are reasonably aligned with the expectations of the consumer or reasonably anticipated based on the consumer's existing relationship with the controller or are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a consumer or the performance of a contract to which the consumer is a party.

In line with the above, the TIPA also highlights instances in which controller or processor obligations do not apply, namely where it would violate an evidentiary privilege under Tennessee law. However, the TIPA does not prevent a controller or processor from providing personal information concerning a consumer to a person covered by an evidentiary privilege under the laws of this state as part of a privileged communication.

Correspondingly, where a controller or processor discloses personal data to a third-party controller or processor, in compliance with the requirements of the TIPA, it is not in violation of the TIPA if:

• the third-party controller or processor that receives and processes the personal information is in violation of the TIPA; and
• at the time of disclosing the personal information, the disclosing controller or processor did not have actual knowledge that the recipient intended to commit a violation.

A third-party controller or processor receiving personal data from a controller or processor in compliance with the requirements of the TIPA is likewise not liable for the offenses of the controller or processor from which it receives such personal data.

Further to the above, the TIPA provides that personal data processed by a controller pursuant to the TIPA (i.e., the limitations section) can be processed to the extent that such processing is as follows:

• reasonably necessary and proportionate to the purposes listed;
• adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this section;
• personal information collected, used, or retained pursuant to the TIPA shall, where applicable, take into account the nature and purpose or purposes of the collection, use, or retention; and
• the data is subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of the personal information and reduce reasonably foreseeable risks of harm to consumers relating to the collection, use, or retention of personal information.

Importantly, if a controller processes personal data pursuant to an exemption (i.e., the limitations section), then the controller bears the burden of demonstrating that such processing qualifies for the exemption and complies with the TIPA.

Enforcement

The TIPA outlines that the AG and reporter have exclusive authority on enforcing the TIPA. In addition, the AG and reporter can initiate an investigation if they have reasonable cause to believe that a controller or processor has violated the relevant laws, which can be based on their own inquiry or complaints from consumers or the public. However, before taking action under the TIPA, the AG and reporter must provide a controller or processor 60 days' written notice identifying the specific provisions of the TIPA the AG and reporter alleges have been or are being violated. The notice will specify the particular provisions of the law that have been or are being violated. If within the 60-day period, the controller or processor cures the noticed violation and provides the AG and reporter with an express written statement that the alleged violations have been cured and that no such further violations shall occur, then the AG and reporter shall not initiate an action against the controller or processor.

If, however, a controller or processor continues to violate this part following the cure period or breaches an express written statement provided to the AG and reporter, then the AG and reporter may bring an action in a court of competent jurisdiction seeking any of the following relief:

• declaratory judgment that the act or practice violates the TIPA;
• injunctive relief, including preliminary and permanent injunctions, to prevent an additional violation of, and compel compliance with, the TIPA;
• civil penalties as described in the TIPA;
• reasonable attorney's fees and investigative costs; or
• other relief the court determines appropriate.

In addition, a court may impose a civil penalty of up to $7,500 for each violation of the TIPA. If the court finds that the controller or processor willfully or knowingly violated this part, then the court may, in its discretion, award treble damages. Moreover, the TIPA provides that a violation of the TIPA shall not serve as the basis for, or be subject to, a private right of action, including a class action lawsuit, under this part or other law. Furthermore, the AG and reporter may recover reasonable expenses incurred in investigating and preparing a case, including attorney fees, in an action initiated under the TIPA.

Interestingly, the TIPA provides affirmative defense through voluntary privacy program adherence, such as conformity with the National Institute of Standards and Technology (NIST) privacy framework titled 'A Tool for Improving Privacy through Enterprise Risk Management Version 1.0.' or other documented policies, standards, and procedures designed to safeguard consumer privacy. However, the TIPA takes into consideration whether the aforementioned privacy program is appropriate based on, among other things:

• the size and complexity of the controller or processor's business;
• the nature and scope of the activities of the controller or processor;
• the sensitivity of the personal information processed;
• the cost and availability of tools to improve privacy protections and data governance; and
• compliance with a comparable state or federal law.

Bahar Toto Privacy Analyst
[email protected]