Tennessee has passed its own data privacy laws, joining a growing list of U.S. states with similar legislation. While based closely on Virginia’s privacy law, the Tennessee Information Protection Act (TIPA) is not completely identical to any of its counterparts.
Here’s a quick rundown on the most important aspects of the Tennessee privacy law.
When Does It Go Into Effect?
Tennessee’s privacy law will go into effect on July 1, 2024.
What Businesses Must Comply?
For-profit businesses must comply with the TIPA if they do business in Tennessee (or produce products/services that are targeted to Tennessee residents), and meet at least one of the following conditions:
- Control or process the personal data of at least 100,000 Tennessee residents per year, OR
- Control or process the personal data of at least 25,000 Tennessee residents AND derive more than 50% of gross revenue from the sale of personal data
Important Info for Businesses
Violations of the Tennessee Information Protection Act are punishable by fines of up to $15,000 per violation, per consumer, which is double the amount allowed by other laws.
What Rights Do Consumers Have Under the Tennessee Law?
Tennessee consumers now have the following privacy rights:
- Right to Know - Consumers have the right to confirm whether a business is processing their personal data and, if so, to access that data.
- Right to Correct - Consumers can request that a business correct any inaccurate personal information it holds about a consumer.
- Right to Delete - Upon request, businesses must delete personal data provided by or obtained about the consumer.
- Right to Portability - Upon request, businesses must provide a copy of the consumer’s personal data in a readily portable format so that it can be transmitted to another controller.
- Right to Opt Out - Consumers can opt out of:
-
- The sale of their personal data
- Targeted advertising (Potentially. The law is ambiguous as to whether businesses must offer an opt-out for targeted advertising)
- Right to Request Privacy Notice - In a somewhat bizarre deviation from every other privacy law, businesses are only required to provide a privacy notice to consumers upon receiving an authenticated request. Given that privacy notices are already required by other states to be readily available and providing one only upon request would add to a business’s compliance burden, it’s difficult to imagine any organization choosing to go with this arrangement.
What Is “Personal Data”?
Tennessee’s definition of personal information closely resembles that of the CCPA, and is defined as “information that identifies, relates to, or describes a particular consumer or is reasonably capable of being directly or indirectly associated or linked with, a particular consumer.”
It’s a broad definition that covers everything from IP addresses to shopping habits. However, personal data does not include de-identified data, aggregate data, or publicly available information.
Are Data Protection Impact Assessments Required?
As is the case with several other states, the Tennessee Information Protection Act requires businesses to perform data protection impact assessments for certain types of processing activities. A DPIA is required for:
- Targeted advertising
- Sale of personal data
- Profiling of consumers, where it presents a foreseeable risk of harm
- Processing of sensitive personal data
- Any other processing activity presents a heightened risk of harm to consumers
Can Businesses Be Sued by Consumers?
The TIPA does not grant a private right of action to consumers, meaning they cannot sue a business over alleged violations.
Cross-Country Privacy Compliance
The pace of state privacy legislation is picking up, with many states likely to pass their own laws in the near future. With each new law, compliance becomes a little more complicated to manage, especially for businesses without in-house privacy experts.
TrueVault US helps businesses of all sizes get compliant with privacy laws from across the country with one streamlined platform. Designed by attorneys, TrueVault US is a software solution that guides you at every step of the way, from onboarding vendors to responding to consumer privacy requests.
To learn more about how TrueVault US can help your business, contact our team today.
