Scope, applicability, and key definitions

Who does the TIPA apply to?

The TIPA applies to a person that conducts business in Tennessee producing products or services that target residents of Tennessee, exceed $25 million in revenue, and:

• control or process personal information of at least 25,000 consumers and derive more than 50% of gross revenue from the sale of personal information; or
• during a calendar year, control or process personal information of at least 175,000 consumers.

However, the TIPA does not apply to:

• a body, authority, board, bureau, commission, district, or agency of Tennessee or a political subdivision of it;
• a financial institution or an affiliate of a financial institution subject to the Gramm-Leach Bliley Act (GLBA);
• a person or other entity that is licensed in Tennessee under Tennessee Code Title 56 as an insurance company and transacts insurance business;
• a covered entity or business associate governed by the Privacy, Security, and Breach Notification Rules pursuant to the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act;
• a non-profit organization; or
• an institution of higher education.

Are certain data exempted from the application of the TIPA?

The TIPA does not apply to certain types of information, including:

• protected health information under the HIPAA;
• data subject to the GLBA;
• health records under Tennessee Code Title 68;
• patient identifying records for purposes of § 290dd–2 Part D, Subchapter III-A, Chapter 6A, Title 42, U.S. Code, relating to confidential records;
• personal information processed or sold for the purposes of research;
• information and documents created for purposes of the federal Health Care Quality Improvement Act;
• patient safety work product under the federal Patient Safety and Quality Improvement Act; and
• data processed or maintained in the course of an individual applying to, being employed by, or acting as an agent or independent contractor of a controller, processor, or third party, to the extent that the data is collected and used within the context of that role.

In addition, the TIPA does not require a controller, processor, third party, or consumer to disclose trade secrets.

How does the TIPA define 'consumer'?

The TIPA defines 'consumer' as a natural person who is a resident of Tennessee acting only in a personal context. The TIPA expressly excludes from the definition of a consumer a natural person acting in a commercial or employment context.

How does the TIPA define 'consent'?

Under the TIPA, 'consent' means a clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to process personal information relating to them, and may include a written statement, including by electronic means, or an unambiguous affirmative action.

How does the TIPA define a 'controller'?

The TIPA defines 'controller' as a natural or legal person that, alone or jointly with others, determines the purpose and means of processing personal information.

How does the TIPA define a 'processor'?

The TIPA refers to a 'processor' as a natural or legal entity that processes personal information on behalf of a controller.

Determining whether a person is acting as a controller or processor with respect to the specific processing of data is a fact-based determination that depends upon the context in which personal data is to be processed. To this end, a processor that continues to adhere to a controller's instructions with respect to the specific processing of personal data remains a processor.

How does the TIPA define 'personal data'?

The TIPA defines 'personal data' as information linked or reasonably linkable to an identified or identifiable individual, and does not include de-identified data, aggregate data, or publicly available information.

How does the TIPA define 'sensitive data'?

The TIPA specifies that 'sensitive data' is a category of personal data that includes:

• personal information revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;
• the processing of genetic or biometric data for the purpose of uniquely identifying a natural person;
• the personal information collected from a known child; or
• precise geolocation data.

How does the TIPA define 'processing'?

The TIPA defines 'processing' as an operation or set of operations performed, whether by manual or automated means, on personal information or sets of personal information, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal information.

How does the TIPA define 'sale' of personal data?

The TIPA defines the 'sale of personal information' as the exchange of personal information for valuable monetary consideration by the controller to a third party. However, the term does not include:

• the disclosure of personal information to a processor that processes the personal information on behalf of the controller;
• the disclosure of personal information to a third party for purposes of providing a product or service requested by the consumer;
• the disclosure or transfer of personal information to an affiliate of the controller;
• the disclosure of information that the consumer:
  • intentionally made available to the general public via a channel of mass media; and
  • did not restrict to a specific audience; or
• the disclosure or transfer of personal information to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller's assets.

Key provisions and requirements

Does the TIPA provide for consumer rights?

The TIPA provides several consumer rights, including the right to:

• confirm whether or not the controller is processing the consumer's personal data, as well as accessing such personal data;
• correct inaccuracies in the consumer's personal information, taking into account the nature of the personal information and the purposes of the processing of the consumer's personal information;
• delete personal information provided by or obtained about the consumer in certain circumstances;
• obtain a copy or summary of their personal data that they previously provided to the controller, in a portable, to the extent technically practicable, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means; and
• opt out of the processing of personal data for the purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.

Are there obligations in relation to sensitive data?

Controllers are prohibited from processing sensitive data concerning a consumer without obtaining the consumer's consent, or, in the case of the processing of sensitive data concerning a known child, without processing the data in accordance with the Children's Online Privacy Protection Act (COPPA), and its implementing regulations.

Moreover, a controller must conduct and document a data protection assessment (DPAs) when processing sensitive data.

What are the main obligations for data controllers?

In addition to the aforementioned requirements in relation to the processing of personal data, the TIPA requires data controllers to adhere to the following requirements:

• limit the collection of personal information to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the data is processed, as disclosed to the consumer;
• except as otherwise provided, not process personal information for purposes that are beyond what is reasonably necessary to and compatible with the disclosed purposes for which the personal information is processed, as disclosed to the consumer unless the controller obtains the consumer's consent;
• establish, implement, and maintain reasonable administrative, technical, and physical data security practices, appropriate to the volume and nature of the personal information at issue, to protect the confidentiality, integrity, and accessibility of personal information;
• not be required to delete information that it maintains or uses as aggregate or de-identified data, provided that such data in the possession of the business is not linked to a specific consumer;
• not process personal information in violation of state and federal laws that prohibit unlawful discrimination against consumers. A controller shall not discriminate against a consumer for exercising consumer rights, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods and services to the consumer; and
• not process sensitive data concerning a consumer without obtaining the consumer's consent, or, in the case of the processing of sensitive data concerning a known child, without processing the data in accordance with COPPA and its implementing regulations.

Data controllers must also provide a reasonably accessible, clear, and meaningful privacy notice. With regard to the sale of data to third parties by the controller or the use of a consumer's personal data for targeted advertising, the controller must clearly and conspicuously disclose such processing, as well as the manner in which a consumer may exercise the right to opt out of such processing.

What are the main obligations for data processors?

Under the TIPA, processors must adhere to the instructions of the controller and must assist a controller in meeting their obligations, including:

• taking into account the nature of processing and the information available to the processor, by appropriate technical and organizational measures, insofar as this is reasonably practicable, to fulfill the controller's obligation to respond to consumer rights requests; and
• providing necessary information to enable the controller to conduct and document DPAs.

Are vendor privacy relationships regulated under the TIPA?

The TIPA provides that controller/processor relationships must be governed by a binding contract that must clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract under the TIPA must also include certain requirements for data processors, such as to make available to the controller, upon request, all information in the processor's possession necessary to demonstrate the processor's compliance with the obligations in the TIPA.

Are Data Protection Impact Assessments regulated under the TIPA?

Notably, controllers must conduct and document DPAs for the following processing activities involving personal data:

• the processing of personal data for targeted advertising;
• the sale of personal data;
• the processing of personal data for purposes of profiling, if such profiling presents a reasonably foreseeable risk of:
  • unfair or deceptive treatment of, or unlawful disparate impact on, consumers;
  • financial, physical, or reputational injury to consumers;
  • a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, if such intrusion would be offensive to a reasonable person; or
  • other substantial injury to consumers;
• the processing of sensitive data; and
• processing activities involving personal data that present a heightened risk of harm to consumers.

The TIPA specifies that the obligation to conduct a DPA applies to processing activities created or generated on or after July 1, 2024, and are not retroactive. Moreover, DPAs conducted by a data controller for the purpose of compliance with other laws, rules, or regulations may comply with the TIPA if the assessments have a reasonably comparable scope and effect.

Who is empowered to enforce violations of the TIPA?

The Attorney General (AG) and the reporter have exclusive authority to enforce the TIPA and they may initiate an investigation if they have reasonable cause to believe that a data controller or data processor has violated the TIPA, which can be based on their own inquiry or complaints from consumers or the public.

However, before taking action under the TIPA, the AG and reporter must provide a controller or processor 60 days' written notice identifying the specific provisions of the TIPA that the AG and reporter allege have been or are being violated. The notice will specify the particular provisions of the TIPA that have been or are being violated. If within the 60-day period, the data controller or data processor cures the noticed violation and provides the AG and reporter with an express written statement that the alleged violations have been cured and that no such further violations shall occur, then the AG and reporter shall not initiate an action against them.

However, if a controller or processor continues to violate the TIPA following the cure period or breaches an express written statement provided to the AG and reporter, then the AG and reporter may bring an action in a court of competent jurisdiction seeking any of the following relief:

• declaratory judgment that the act or practice violates the TIPA;
• injunctive relief, including preliminary and permanent injunctions, to prevent an additional violation of, and compel compliance with, the TIPA;
• civil penalties as described in the TIPA (please see the section below);
• reasonable attorney's fees and investigative costs; or
• other relief the court determines appropriate.

Unlike other US State privacy laws, the TIPA allows a data controller or processor charged with a violation to raise an affirmative defense through voluntary privacy program adherence, such as conformity with the National Institute of Standards and Technology (NIST) privacy framework titled 'A Tool for Improving Privacy through Enterprise Risk Management Version 1.0.' or other documented policies, standards, and procedures designed to safeguard consumer privacy. However, the TIPA takes into consideration whether the aforementioned privacy program is appropriate based on, among other things:

• the size and complexity of the controller or processor's business;
• the nature and scope of the activities of the controller or processor;
• the sensitivity of the personal information processed;
• the cost and availability of tools to improve privacy protections and data governance; and
• compliance with a comparable state or federal law.

What penalties are controllers and processors facing under the TIPA?

If the AG and reporter bring an action to court, then the court may impose a civil penalty of up to $7,500 for each violation of the TIPA. If the court finds that the data controller or data processor willfully or knowingly violated the TIPA, then the court may, at its discretion, award treble damages.

Moreover, the TIPA provides that a violation of the TIPA shall not serve as the basis for, or be subject to, a private right of action, including a class action lawsuit. Furthermore, the AG and reporter may recover reasonable expenses incurred in investigating and preparing a case, including attorney fees, in an action initiated under the TIPA.

Next stages

What is the legislative status of the TIPA?

The TIPA was signed by the Tennessee Governor on May 11, 2023.

When will the TIPA come into force?

The TIPA will go into effect on July 1, 2025.

Anna Baldin Senior Privacy Analyst
[email protected]