Tennessee has become the latest state in the United States of America (US) to have enacted a comprehensive data privacy regulation. The Tennessee Information Protection Act (TIPA) contains several provisions that have become a staple of state data privacy laws within the US.
However, TIPA stands apart from some of its sister data privacy regulations in one respect: it offers an affirmative defense to organizations that demonstrate a commitment to strict data privacy measures by adopting the National Institute of Standards and Technology (NIST) privacy framework.
It shares various other provisions with the state data privacy regulations recently passed in Virginia and Indiana, while being stricter in some respects, such as giving Tennessee courts the right to award treble damages for willful or knowing violations.
The legislation received unanimous support in both houses of the State General Assembly, with Governor Bill Lee signing it into law on May 11, 2023.
The Tennessee Information Protection Act (TIPA) will come into effect on July 1, 2024.
The law applies to persons that conduct business in Tennessee or produce products or services that are targeted to residents of Tennessee and that:
The TIPA exempts the following entities from its application:
The law also does not have any application to the following types of data:
Biometric data means data generated by automatic measurement of an individual's biological characteristics, such as a fingerprint, voiceprint, eye retina or iris, or other unique biological patterns or characteristics that are used to identify a specific individual; but does not include a physical or digital photograph, video recording, or audio recording or data generated from a photograph or video or audio recording; or information collected, used, or stored for healthcare treatment, payment, or operations under HIPAA.
Consent means a clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to process personal information relating to the consumer; and includes a written statement, including a statement written by electronic means, or an unambiguous affirmative action.
Consumer means a natural person who is a resident of this state, acting only in a personal context.
Controller means the natural or legal person that, alone or jointly with others, determines the purpose and means of processing personal information.
Personal information means information that identifies, relates to, or describes a particular consumer or is reasonably capable of being directly or indirectly associated or linked with, a particular consumer, including the following:
Personal information does not include information that is publicly available or de-identified or aggregate consumer information.
Processing means an operation or set of operations performed, whether by manual or automated means, on personal information or on sets of personal information, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal information.
A processor is a natural or legal entity that processes personal information on behalf of a controller.
Sensitive data means a category of personal information that includes:
Under TIPA, a controller must limit the collection of personal information to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the data is processed. Further, the controller must not process personal information for purposes that are beyond what is reasonably necessary to and compatible with the disclosed purposes, unless the controller obtains the consumer's consent.
TIPA requires the controllers to establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal information. The data security practices must be appropriate to the volume and nature of the personal information at issue.
A controller is barred from discriminating against consumers for exercising their rights under TIPA, and from processing their personal data in violation of state and federal laws that prohibit unlawful discrimination. However, the law allows controllers to offer different prices, rates, levels, quality, or selection of goods or services to a consumer if the consumer has exercised his/her right to opt out of the sale of personal data, or if the offer is based on the consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program.
Under the provisions of TIPA, a controller must not process sensitive data concerning a consumer without obtaining the consumer's consent. In the case of the processing of sensitive data concerning a known child, the controller must process the data in accordance with the federal Children's Online Privacy Protection Act.
Further, a controller must seek the consumer’s express consent for processing the personal data for a purpose that is not reasonably necessary or compatible with the purposes for which the data was originally collected.
Upon receipt of an authenticated consumer request, a controller must provide the consumer with a reasonably accessible, clear, and meaningful privacy notice that includes:
If a controller sells personal information to third parties or processes personal information for targeted advertising, the controller must clearly and conspicuously disclose the processing, as well as the manner in which a consumer may exercise the right to opt out of the processing.
A controller must provide and describe in the privacy notice, at least one of the following methods for consumers to submit a request to exercise consumer rights under this part:
Regardless of the method, the controller must ensure the method is capable of authenticating the identity of the consumer making the request. The controller must not require a consumer to create a new account in order to exercise consumer rights under TIPA, but may require a consumer to use an existing account.
A controller must conduct and document a data protection assessment (DPA) of each of the following processing activities involving personal information:
A DPA must identify the benefits resulting, directly and indirectly, from the processing activities to the data controller, the consumer, and other stakeholders such as the public. It must also identify the relevant risks to the rights of consumers under TIPA and how those risks may be reduced by the safeguards the controller employs. While conducting a DPA, the controller must also take into account the use of de-identified data, the expectations of consumers, and the context of the data processing activities.
The Attorney General and Reporter may request that any data controller disclose a DPA that is relevant to an investigation, and may use a DPA to evaluate a controller's compliance with its responsibilities under TIPA.
Furthermore, a controller may conduct a single DPA to address a comparable set of processing operations that include similar activities. A DPA carried out by the controller to comply with another regulation may also be used for the purposes of TIPA if it has a reasonably comparable scope and effect to a DPA conducted under TIPA.
Requirements for DPAs are not retroactive and are only applicable to processing operations created or generated on or after July 1, 2024.
A controller in possession of de-identified data must:
Under the provisions of TIPA, a controller or processor must create, maintain, and comply with a written privacy program that reasonably conforms to the National Institute of Standards and Technology (NIST) privacy framework entitled "A Tool for Improving Privacy through Enterprise Risk Management Version 1.0."
If the NIST privacy framework is subsequently revised, a controller or processor must reasonably conform its privacy program to the revised framework not later than one (1) year after the publication date stated in the most recent revision.
The scale and scope of a controller or processor's privacy program is appropriate if it is based on all of the following factors:
In addition to a privacy program, a controller may be certified pursuant to the Asia Pacific Economic Cooperation's Cross Border Privacy Rules system. A processor may be certified pursuant to the Asia Pacific Economic Cooperation's Privacy Recognition for Processors system.
Lastly, a controller or processor that creates, maintains, and complies with such a written privacy program has an affirmative defense to a cause of action for a violation of TIPA.
TIPA requires processors to assist controllers by adopting appropriate technical and organizational measures to fulfill the controllers' obligations to respond to data subject requests (DSRs) and to provide the information necessary to conduct DPAs.
The processor must process personal data on behalf of the controller in accordance with the terms of the contract between the controller and the processor. That contract must set out the instructions for processing, the nature and purposes of the processing, the type of data processed, the duration of the processing, and the rights and duties of both parties. The contract must also require the processor to:
The following data rights are afforded to consumers under TIPA:
Consumers have the right to confirm whether a controller is processing their personal information and to access that personal information.
Consumers have the right to correct inaccuracies in their personal information, taking into account the nature of the personal information and the purposes of the processing of the personal information.
Consumers have the right to delete personal information provided by or obtained about them. However, this right does not extend to de-identified data, provided that such data is not linked to a specific consumer.
Consumers have the right to request a copy of the personal data that they previously provided to the controller in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means.
Consumers have the right to request a controller that has sold or shared their personal information with third parties to disclose the following:
Consumers have the right to opt out of the sale of their personal information.
A controller must respond to all DSRs within forty-five (45) days of receiving them. A further extension of forty-five (45) days is possible when reasonably necessary, considering the complexity and number of the consumer's requests, so long as the controller informs the consumer of the extension within the initial forty-five (45) day period.
If the controller declines to take action on a consumer's request, it must inform the consumer of the denial without undue delay and within forty-five (45) days of receiving the request, along with the justification for declining to act and detailed instructions on how the consumer may appeal the decision.
The process for appealing the controller's refusal to take action must be conspicuously available, free of additional cost to the consumer, and similar to the process for submitting other consumer requests. The controller must inform the consumer of any action taken or not taken on the appeal within sixty (60) days of receiving it, along with a written explanation of the reasons for the decision. If the appeal is denied, the controller must provide the consumer with an online mechanism through which they can contact the Attorney General's office to submit a complaint.
Information provided to a consumer in response to a DSR must be provided free of charge up to twice annually per consumer. If a DSR is manifestly unfounded, technically infeasible, excessive, or repetitive, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request, or may decline to act on it. However, the burden of demonstrating that a request is manifestly unfounded, technically infeasible, excessive, or repetitive rests on the controller.
If the controller cannot authenticate a DSR through commercially reasonable efforts, it may decline to take action and may request additional information from the consumer that is reasonably necessary to authenticate the request.
The obligations imposed under TIPA do not restrict a controller’s or a processor's ability to:
Nothing under TIPA may restrict a controller or processor's ability to collect, use, or retain data to:
Similarly, any obligations placed on a controller or a processor under TIPA do not apply:
The Tennessee Attorney General & Reporter (AGR) has the exclusive authority to enforce the provisions of TIPA.
The AGR may develop reasonable cause to believe that a controller or processor is in violation of TIPA, based on the AGR's own inquiry or on consumer or public complaints, and may issue a civil investigative demand. However, before initiating any action, the AGR must give the controller or processor sixty (60) days' written notice identifying the specific provisions of TIPA that the AGR alleges have been violated. If, within that sixty-day period, the controller or processor cures the noticed violation and provides the AGR an express written statement that the alleged violations have been cured and that no further violations will occur, the AGR shall not initiate an action against the controller or processor.
However, if the controller or processor continues the violation after the cure period, or breaches any representation made in the written statement, the AGR may bring an action in court seeking any of the following relief:
A court may impose a civil penalty of up to fifteen thousand dollars ($15,000) for each violation of the provisions of TIPA that must be assessed per the following criteria:
The court must also consider the following when determining the civil penalty:
Similarly, appropriate relief may also be awarded to each affected consumer. Where the court determines that a controller or processor intentionally violated a provision of TIPA, it may award treble damages.
However, a violation of TIPA cannot serve as the basis for, or be subject to, a private right of action, including a class action lawsuit, under TIPA or other law.
Here are some practical steps an organization can take to operationalize compliance with TIPA within their daily operations:
While Tennessee may be the latest US state to enact its own data privacy regulation, several more are likely to follow. Although most of these laws share similar fundamentals, each imposes distinct requirements and obligations on organizations.
Naturally, an organization may have to adapt its data privacy practices depending on the state in which it sells its product or service. Attempting to do this manually would be a colossal strain on resources.
And that is where Securiti can help.
Securiti is a global leader in data privacy, security, compliance, and governance solutions. It enables organizations to streamline their compliance practices, optimize data security, and strengthen governance.
With its AI-driven robotic automation, Securiti helps you automate your data protection impact assessments, real-time data mapping, DSR fulfillment, privacy notice management, breach notification management, and universal consent management from a centralized dashboard, allowing for complete oversight of your real-time compliance with multiple regulations.
Request a demo to see Securiti in action and learn more about how the solution can assist you in meeting compliance with TIPA and any other US state with a data privacy law in effect.
The Tennessee Information Protection Act (TIPA) is a data privacy regulation that applies to persons who conduct business in Tennessee or produce products or services targeted to residents of Tennessee and that either (a) control or process the personal information of at least 100,000 consumers during a calendar year, or (b) control or process the personal information of at least 25,000 consumers and derive more than 50% of gross revenue from the sale of personal data.
Tennessee enacted a comprehensive data privacy regulation - the Tennessee Information Protection Act (TIPA). It will come into effect on July 1, 2024.