Tennessee Information Protection Act (TIPA): What You Need to Know

I. Introduction

Tennessee has become the latest state in the United States of America (US) to have enacted a comprehensive data privacy regulation. The Tennessee Information Protection Act (TIPA) contains several provisions that have become a staple of state data privacy laws within the US.

However, there are instances where TIPA stands apart from some of its sister data privacy regulations owing to its emphasis on ensuring an affirmative defense for organizations that demonstrate a willingness to inculcate strict data privacy measures via the National Institute of Standards and Technology (NIST) privacy framework.

It shares various other provisions with other state data privacy regulations passed recently in Virginia and Indiana while being stricter in other instances, such as giving Tennessee courts the right to award treble damages for willful or knowing violations.

The legislation received unanimous support in both houses of the State General Assembly, with Governor Bill Lee signing it into law on May 11, 2023.

The Tennessee Information Protection Act (TIPA) will come into effect on July 1, 2024.

II. Who Needs to Comply with the Law

A. Material Scope

The law applies to persons that conduct business in Tennessee or produce products or services that are targeted to residents of Tennessee and that:

1. Control or process the personal information of at least one hundred thousand (100,000) consumers during a calendar year;
2. Control or process personal information of at least twenty-five thousand (25,000) consumers and derive more than fifty percent (50%) of gross revenue from the sale of personal information.

 B.Exemptions

The TIPA exempts the following entities from its application:

• A body, authority, board, bureau, commission, district, or agency of Tennessee or of a political subdivision of Tennessee;
• A financial institution, an affiliate of a financial institution subject to Title V of the federal Gramm-Leach-Bliley Act;
• An individual, firm, association, corporation, or other entity that is licensed in Tennessee as an insurance company and transacts insurance business;
• A covered entity or business associate governed by the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the federal Health Information Technology for Economic and Clinical Health Act (HITECH);
• A non-profit organization; and
• An institution of higher education.

The law also does not have any application to the following types of data:

• Medical data covered under any medical laws:
  Many forms of health information, records, data, and documents protected and covered under HIPAA or other federal or state medical/healthcare laws;
• Personal data used for research:
  Identifiable private information collected, used, or shared in research conducted in accordance with applicable laws;
• FCRA-covered data:
  Any personal information of consumers collected or used for consumer credit scoring and reporting to the extent the activity is authorized and regulated by the federal Fair Credit Report Act (FCRA);
• GLBA data:
  Financial data subject to Title V of the federal Gramm-Leach-Bliley Act;
• Driver data:
  Personal data collected, processed, sold, or disclosed in compliance with the federal Driver's Privacy Protection Act of 1994;
• FERPA data:
  Personal data regulated by the federal Family Educational Rights and Privacy Act (FERPA);
• FCA data:
  Personal data collected, processed, sold, or disclosed in compliance with the federal Farm Credit Act (FCA);
• Employment data:
  Personal data maintained for employment records.

III. Definition of Key Terms

a) Biometric Data

Biometric data means data generated by automatic measurement of an individual's biological characteristics, such as a fingerprint, voiceprint, eye retina or iris, or other unique biological patterns or characteristics that are used to identify a specific individual; but does not include a physical or digital photograph, video recording, or audio recording or data generated from a photograph or video or audio recording; or information collected, used, or stored for healthcare treatment, payment, or operations under HIPAA.

b) Consent

Consent means a clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to process personal information relating to the consumer; and includes a written statement, including a statement written by electronic means, or an unambiguous affirmative action.

c) Consumer

Consumer means a natural person who is a resident of this state, acting only in a personal context.

d) Controller

Controller means the natural or legal person that, alone or jointly with others, determines the purpose and means of processing personal information.

e) Personal Information

Personal information means information that identifies, relates to, or describes a particular consumer or is reasonably capable of being directly or indirectly associated or linked with, a particular consumer, including the following:

1. Identifiers such as a real name, alias, unique identifier, online identifier, internet protocol address, email address, account name, social security number, driver's license number, passport number, or other similar identifiers;
2. Information that identifies, relates to, describes, or could be associated with, a particular individual, including, but not limited to, signature, physical characteristics or description, address, telephone number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or other financial, medical, or health insurance information;
3. Characteristics of protected classifications under state or federal law;
4. Commercial information, including records of personal property, products, or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies;
5. Biometric data;
6. Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer's interaction with an internet website, application, or advertisement;
7. Geolocation data;
8. Audio, electronic, visual, thermal, olfactory, or similar information;
9. Professional or employment-related information;
10. Education information that is not publicly available information; and
11. Inferences drawn from the information identified in (i) to (x) above to create a profile about a consumer reflecting the consumer's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

Personal information does not include information that is publicly available or de-identified or aggregate consumer information.

f) Processing

Processing means an operation or set of operations performed, whether by manual or automated means, on personal information or on sets of personal information, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal information.

g) Processor

A processor is a natural or legal entity that processes personal information on behalf of a controller.

h) Sensitive Data

Sensitive data means a category of personal information that includes:

• Personal information revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;
• The processing of genetic or biometric data for the purpose of uniquely identifying a natural person;
• The personal information collected from a known child; or
• Precise geolocation data.

IV. Obligations for Organizations Under the Tennessee Information Protection Act (TIPA)

A. Purpose Limitation

Under TIPA, a controller must limit the collection of personal information to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the data is processed. Further, the controller must not process personal information for purposes that are beyond what is reasonably necessary to and compatible with the disclosed purposes, unless the controller obtains the consumer's consent.

B. Security Measures

TIPA requires the controllers to establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal information. The data security practices must be appropriate to the volume and nature of the personal information at issue.

C. Non-discrimination

A controller is barred from discriminating against the consumers for exercising their rights under the provisions of TIPA or processing their personal data in violation of state and federal laws that prohibit unlawful discrimination. However, the law allows the controllers to offer different prices, rates, levels, quality, or selection of goods or services to a consumer if the consumer has exercised his/her right to opt-out of the sale of personal data or the offer is based on the consumer’s voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program.

D. Consent Requirements

Under the provisions of TIPA, a controller must not process sensitive data concerning a consumer without obtaining the consumer's consent. In the case of the processing of sensitive data concerning a known child, the controller must process the data in accordance with the federal Children's Online Privacy Protection Act.

Further, a controller must seek the consumer’s express consent for processing the personal data for a purpose that is not reasonably necessary or compatible with the purposes for which the data was originally collected.

E. Privacy Notice Requirements

Upon receipt of an authenticated consumer request, a controller must provide the consumer with a reasonably accessible, clear, and meaningful privacy notice that includes:

• The categories of personal information processed by the controller;
• The purpose for processing personal information;
• How consumers may exercise their consumer rights under TIPA, including how a consumer may appeal a controller's decision with regard to the consumer's request;
• The categories of personal information that the controller sells to third parties, if any;
• The categories of third parties, if any, to whom the controller sells personal information; and
• The right to opt out of the sale of personal information to third parties and the ability to request deletion or correction of certain personal information.

If a controller sells personal information to third parties or processes personal information for targeted advertising, the controller must clearly and conspicuously disclose the processing, as well as the manner in which a consumer may exercise the right to opt out of the processing.

F. Methods for Submission of DSR Requests

A controller must  provide and describe in the privacy notice, at least one of the following methods for consumers to submit a request to exercise consumer rights under this part:

1. A toll-free telephone number;
2. An email address;
3. A web form; or
4. A clear and conspicuous link on the controller's main internet homepage to an internet webpage that enables a consumer to exercise the rights provided under TIPA.

Regardless of the method, the controller must ensure the method is capable of authenticating the identity of the consumer making the request. The controller must not require a consumer to create a new account in order to exercise consumer rights under TIPA, but may require a consumer to use an existing account.

G. Data Protection Assessment

A controller must conduct and document a data protection assessment (DPA) of each of the following processing activities involving personal information:

1. Processing of personal information for purposes of targeted advertising;
2. Sale of personal information;
3. Processing of personal information for purposes of profiling, where the profiling presents a reasonably foreseeable risk of:
   1. Unfair or deceptive treatment of, or unlawful disparate impact on, consumers;
   2. Financial, physical, or reputational injury to consumers;
   3. Physical or other intrusions upon the solitude or seclusion, or the private affairs or concerns, of consumers;
   4. Other substantial injury to consumers;
4. Processing of sensitive data;
5. Processing activities that involve personal information pose a potential risk of harm to consumers.

A DPA must appropriately identify the benefits resulting, directly and indirectly, from the processing activities to the data controller, consumer, and other stakeholders such as the public and should also identify relevant risks that may arise to the rights of consumers provided under TIPA, that may be reduced by the safeguards employed by the controller. While conducting a DPA, the controller must also take into account the use of de-identified data, the expectations of consumers, and the context of the data processing activities.

The Attorney General and Reporter may request any data controller to disclose a DPA that is relevant to an investigation. The Attorney General and Reporter may also use a DPA to evaluate a controller's compliance with their responsibilities under TIPA.

Furthermore, the controllers may conduct a single DPA to address a comparable set of processing operations that include similar activities. Moreover, a DPA carried out by the controller to comply with other regulations may also be used for the purposes of TIPA if the DPA has a reasonably comparable scope and effect to a DPA conducted under the provisions of TIPA.

Requirements for DPAs are not retroactive and are only applicable to processing operations created or generated on or after July 1, 2024.

H. Processing De-identified Data

A controller in possession of de-identified data must:

1. Take reasonable measures to ensure that the data cannot be associated with a natural person;
2. Publicly commit to maintaining and using de-identified data without attempting to re-identify the data; and
3. Contractually obligate recipients of the de-identified data to comply with the requirements (a) and (b) above.

I. Privacy Program

Under the provisions of TIPA, a controller or processor must create, maintain, and comply with a written privacy program that reasonably conforms to the National Institute of Standards and Technology (NIST) privacy framework entitled "A Tool for Improving Privacy through Enterprise Risk Management Version 1.0."

In case of a subsequent revision to the NIST privacy framework, a controller or processor must reasonably conform its privacy program to the revised framework not later than one (1) year after the publication date stated in the most recent revision.

The scale and scope of a controller or processor's privacy program is appropriate if it is based on all of the following factors:

• The size and complexity of the controller or processor's business;
• The nature and scope of the activities of the controller or processor;
• The sensitivity of the personal information processed;
• The cost and availability of tools to improve privacy protections and data governance; and
• Compliance with a comparable state or federal law.

A controller or processor's privacy program must also disclose the commercial purposes for which the controller or processor collects, controls, or processes personal information.

In addition to a privacy program, a controller may be certified pursuant to the Asia Pacific Economic Cooperation's Cross Border Privacy Rules system. A processor may be certified pursuant to the Asia Pacific Economic Cooperation's Privacy Recognition for Processors system.

Lastly, ​​a controller or processor, who creates, maintains, and complies with a written privacy program, has an affirmative defense to a cause of action for a violation of the provisions of TIPA.

V. Data Processor Responsibilities

1. Assistance to Controller

The TIPA requires the processors to assist the controllers by adopting appropriate technical and organizational measures to fulfill the controllers’ obligations to respond to DSR requests and provide the necessary information to conduct DPAs.

2. Processing under Contract

The processor shall be required to process the personal data on behalf of the controller in accordance with the terms of the contract between the controller and the processor (contract), setting forth the instruction for processing, nature, and purposes of the processing, the type of data processed, the duration of the processing and the rights and duties of both the parties. The contract shall also require the processor to:

• ensure the confidentiality of the personal data;
• delete or return the personal data to the collector on the direction of the controller, unless retention of personal data is required by the law;
• upon reasonable request from the controller, make available all the information in possession necessary to demonstrate compliance with its obligations;
• allow the controller to conduct an assessment, or arrange for a qualified and independent assessor to conduct an assessment, of the processor's policies and technical and organizational measures in support of the processor's obligations; and
• engage any subcontractor or agent through a written instrument requiring them to fulfill obligations towards the personal data.

VI. Data Subject Rights

The following data rights are afforded to consumers under TIPA:

A. Right to Access

Consumers have the right to confirm whether a controller is processing their personal information and to access that personal information.

B. Right to Correction

Consumers have the right to correct inaccuracies in their personal information, taking into account the nature of the personal information and the purposes of the processing of the personal information;

C. Right to Deletion

Consumers have the right to delete personal information provided by or obtained about them. However, this right does not extend to de-identified data, provided that such data is not linked to a specific consumer.

D. Right to Portability

Consumers have the right to request a copy of the personal data that they previously provided to the controller in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means.

E. Right to Disclosure

Consumers have the right to request a controller that has sold or shared their personal information with third parties to disclose the following:

• Categories of personal information sold;
• Categories of third parties to which the personal information was sold by category of personal information for each category of third parties to which the personal information was sold;
• Categories of personal information about the consumer that the business disclosed for a business purpose.

F. Right to Opt-Out

Consumers have the right to opt-out of the sale of their personal information.

Response Period of DSR Requests

A controller must respond to all DSR requests within forty-five (45) days after receiving them. A further extension of forty-five (45) days is possible when reasonably necessary, considering the complexity and number of the consumer's requests, so long as the controller informs the consumer of the extension within the initial forty-five (45) days period.

Denial of DSR Requests

In case the controller declines to take action related to a consumer's request, it must inform the consumer of such denial without undue delay and within forty-five (45) days of receiving the request, in addition to the justification for declining to take action and detailed instructions on how consumers may appeal the decision.

The process established for the consumer to appeal the controller's refusal to take action must be available in a conspicuous manner, without causing additional cost to the consumer, while also being similar to the process of making other consumer requests. The controller must inform the consumer of any action taken or not taken concerning their appeal within sixty (60) days of receiving the appeal, alongside a written explanation of the reasons behind the decision. If the appeal is denied, the controller shall ensure they communicate an online mechanism to the consumer allowing them to contact the Attorney General's office to submit an official complaint.

Charges for DSR Request Fulfillment

Any information provided to the consumer as a result of a DSR request must be provided free of charge twice annually per consumer. In case a DSR request is manifestly unfounded, technically infeasible, excessive, or repetitive, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. However, the burden of proof of demonstrating the manifestly unfounded, technically infeasible, excessive, or repetitive nature of the request rests on the controller.

If the controller cannot authenticate a DSR request via commercially reasonable efforts, they may decline to take action and seek additional information reasonably necessary from the consumer to authenticate the request.

VII. Limitations

The obligations imposed under TIPA do not restrict a controller’s or a processor's ability to:

• Comply with federal, state, or local laws, rules, or regulations;
• Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities;
• Cooperate with law enforcement agencies concerning conduct or activity that the controller or processor believes may violate federal, state, or local laws, rules, or regulations;
• Investigate, establish, exercise, prepare for, or defend legal claims;
• Provide a product/service specifically requested by a consumer, perform a contract, fulfill the terms of a written warranty, or take steps at the request of the consumer before entering into a contract;
• Take immediate steps to protect an interest that is essential for the life or physical safety of the consumer or another natural person;
• Assist another controller, processor, or third party with their obligations under TIPA;
• Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activity, or illegal activity, preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for such action;
• Engage in public or peer-reviewed scientific or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board that determines if:
  • Deletion of the information is likely to provide substantial benefits to the controller;
  • The expected benefits of the research outweigh the privacy risks;
  • The controller has implemented reasonable safeguards to mitigate privacy risks associated with research, including risks associated with reidentification.

Nothing under TIPA may restrict a controller or processor's ability to collect, use, or retain data to:

• Conduct internal research to develop, improve, or repair products, services, or technology;
• Initiate a product recall;
• Identify and repair technical errors that impair existing or intended functionality; or
• Perform internal operations that are reasonably aligned with the consumer's expectations or reasonably anticipated based on the consumer's existing relationship with the controller or are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a consumer or the performance of a contract to which the consumer is a party.

Similarly, any obligations placed on a controller or a processor under TIPA do not apply:

• If compliance by the controller or processor would violate an evidentiary privilege under Tennessee law or adversely affect the rights or freedoms of a person;
• To the processing of personal information by a person in the course of a purely personal activity.

VIII. Regulatory Authority

The Tennessee Attorney General & Reporter (AGR) has the exclusive authority to enforce the provisions of TIPA.

The AGR may develop reasonable cause to believe that a controller or processor is in violation of this part, based on the AGR's own inquiry or on consumer or public complaints, and may issue a civil investigative demand. However, prior to initiating any action, the AGR must provide a controller or processor sixty-days' written notice identifying the specific provisions of TIPA that the AGR alleges have been violated. If, within the sixty-day period, the controller or processor cures the noticed violation and provides the AGR an express written statement that the alleged violations have been cured and that no further violations shall occur, then the AGR shall not initiate an action against the controller or processor.

However, if the controller or processor continues their violation following the remedy period or if it violates any of the claims made in the written statement, then the AGR may bring an action in a court of law seeking any of the following relief:

• A declaratory judgment that the act or practice violates TIPA;
• Injunctive relief, including preliminary and permanent injunctions;
• Civil penalties;
• Reasonable attorney's fees and investigative costs;
• Other relief the court determines to be appropriate.

IX. Penalties for Non-compliance

A court may impose a civil penalty of up to fifteen thousand dollars ($15,000) for each violation of the provisions of TIPA that must be assessed per the following criteria:

• Each provision of TIPA is a separate violation; and
• Each consumer affected is a separate violation.

The court must also consider the following when determining the civil penalty:

• Number of affected consumers;
• The severity of the violation;
• Sensitivity of the data in question;
• Size, nature, and complexity of the controller or processor's business;
• Any precautions taken by the controller or processor to prevent the violation.

Similarly, appropriate relief may also be awarded to each affected consumer. In exceptional circumstances where the court determines a controller or processor intentionally violated a provision of TIPA, they may award treble damages.

However, a violation of TIPA cannot serve as the basis for, or be subject to, a private right of action, including a class action lawsuit, under TIPA or other law.

X. How an Organization Can Operationalize TIPA

Here are some practical steps an organization can take to operationalize compliance with TIPA within their daily operations:

• Conduct and document regular data protection impact assessments while ensuring appropriate maintenance of records in case these assessments are requested by the Attorney General & Reporter;
• Limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the disclosed purposes;
• Implement, maintain, and monitor strict data security practices;
• Ensure all data processing activities are conducted per the disclosed purposes or purposes compatible with disclosures unless expressly consented to by the consumer;
• Have appropriate measures in place to collect and record consumer consent related to all major data processing activities, especially the sensitive data concerning a known child;
• Adopt measures that allow for prompt responses to any consumer rights requests.

XI. How Can Securiti Help

While Tennessee may be the latest US state to enact its own data privacy regulation, several more are likely to follow. And while most of them contain several similar fundamentals, they have distinct requirements and obligations on organizations.

Naturally, an organization may have to adapt its data privacy practices depending on the state where it sells its product/service. Manually attempting to do this would be a colossus strain on resources.

And that is where Securiti can help.

Securiti is a global leader in data privacy, security, compliance, and governance solutions. It enables organizations to streamline their compliance practices, optimize data security, and strengthen governance.

With its AI-driven robotic automation, Securiti helps you automate your data protection impact assessments, real-time data mapping, DSR fulfillment, privacy notice management, breach notification management, and universal consent management from a centralized dashboard, allowing for complete oversight of your real-time compliance with multiple regulations.

Request a demo to see Securiti in action and learn more about how the solution can assist you in meeting compliance with TIPA and any other US state with a data privacy law in effect.