Tennessee has joined the growing number of states that have enacted comprehensive data privacy laws. On the final day of this year’s legislative session, the Tennessee legislature passed the Tennessee Information Protection Act (TIPA), and Governor Bill Lee signed TIPA into law on May 11, 2023.  

TIPA marks a significant development in data privacy for businesses operating in the state. This comprehensive legislation grants consumers enhanced control over their personal information while establishing stringent responsibilities for businesses and service providers. Navigating TIPA’s extensive requirements is crucial for maintaining your company’s compliance and reputation.

Here are key takeaways from the bill passed by the legislature:

  • Entities Affected: The law affects entities that conduct business in Tennessee or provide products or services to Tennessee residents, exceed $25 million in revenue, and meet one of these criteria:
    • Control or process information of 25,000 or more Tennessee consumers per year and derive more than 50% of gross revenue from the sale of personal information; or
    • Control or process information of at least 175,000 Tennessee consumers.
  • Consumer Rights: TIPA creates consumer rights to confirm, access, correct, delete, or obtain a copy of their personal information, or opt out of specific uses of their data. Controllers must respond to authenticated consumer requests within 45 days, with a possible 45-day extension, and establish an appeal process for refusals to take action on requests. If the controller cannot authenticate the consumer’s request, they can ask for additional information to do so.
  • Data Controller Responsibilities: Controllers must limit data collection and processing to what is necessary, maintain data security practices, avoid discrimination, and obtain consent for processing sensitive data. Controllers must provide a clear and accessible privacy notice detailing their practices, and, if selling personal information or using it for targeted advertising, disclose these practices and provide an opt-out option. Controllers must also offer a secure and reliable means for consumers to exercise their rights without requiring consumers to create a new account.
  • Controller–Processor Requirements: Processors must adhere to controllers’ instructions and assist them in meeting their obligations, including responding to consumer rights requests and providing necessary information for data protection assessments. Contracts between controllers and processors must outline data processing procedures, including confidentiality, data deletion or return, compliance demonstration, assessments, and subcontractor engagement. The determination of whether a person is acting as a controller or processor depends on the context and specific processing of personal information.
  • Data Protection Assessments: Controllers must conduct and document data protection assessments for specific data processing activities involving personal information. These assessments must weigh the benefits and risks of processing, with certain factors considered. Assessments are confidential, exempt from public disclosure, and not retroactive.
  • De-Identified Data Exemptions: Controllers must take measures to ensure that de-identified data cannot be associated with a natural person, publicly commit to not reidentifying data, and contractually obligate recipients to comply with the law. Consumer rights do not apply to pseudonymous data under certain conditions, and controllers must exercise oversight of disclosed pseudonymous or de-identified data.
  • Major Similarities to CCPA: TIPA shares many similarities with the CCPA, including (but not limited to):
    • Granting consumers the right to access, delete, and opt out of the sale of their personal information, and requiring businesses to provide notice of their data collection and usage practice;
    • Requiring controllers and processors to enter into contracts outlining the terms and conditions of data processing and obligating subcontractors to meet the obligations of the processor; and
    • Requiring data protection assessments for certain processing activities, weighing the benefits and risks associated with the processing.
  • Affirmative Defense: TIPA provides for an “affirmative defense” against violations of the law by adhering to a written privacy policy that conforms to the NIST privacy framework or comparable standards. The privacy program’s scale and scope must be appropriate based on factors such as business size, activities, personal information sensitivity, available tools, and compliance with other laws. In addition, certifications from the Asia Pacific Economic Cooperation’s Cross-Border Privacy Rules and Privacy Recognition for Processors systems may be considered in evaluating the program.
  • Enforcement: The Tennessee Attorney General retains exclusive enforcement authority for TIPA;the law expressly states that there is no private right of action. The Tennessee Attorney General must provide 60 days’ written notice and an opportunity to cure before initiating enforcement action. If the alleged violations are not cured, the Tennessee Attorney General may file an action and seek declaratory and/or injunctive relief, civil penalties up to $7,500.00 for each violation, reasonable attorney’s fees and investigative costs, and treble damages in the case of a willful or knowing violation.
  • Dates and Deadlines: TIPA becomes effective on July 1, 2025.
  • Exemptions: The law includes numerous exemptions, including (but not limited to):
    • Government entities;
    • Financial institutions, their affiliates, and data subject to the Gramm-Leach-Bliley Act (GLBA);
    • Insurance companies;
    • Covered entities, business associates, and protected health information governed by the Health Insurance Portability and Accountability Act (HIPAA) and/or the Health Information Technology for Economic and Clinical Health Act (HITECH);
    • Nonprofit organizations;
    • Higher education institutions; and
    • Personal information that is subject to other laws such as the Children’s Online Privacy Protection Act (COPPA), the Family Educational Rights and Privacy Act (FERPA), and the Fair Credit Reporting Act (FCRA).

Despite having extensive carve-outs, TIPA grants consumers extensive rights over their personal information, and places stringent compliance obligations on businesses (controllers) and service providers (processors). Businesses should start planning for compliance now to avoid costly enforcement actions down the road.

For more information and other updates and alerts regarding privacy law developments, subscribe to Bradley’s privacy blog, Online and On Point.

Photo of Junaid Odubeko Junaid Odubeko

Junaid Odubeko is a litigator whose practice focuses on advising and representing clients in complex commercial and business disputes and real estate litigation. Businesses turn to Junaid for assistance with matters involving contract disputes and business torts. Junaid also represents clients in litigation…

Junaid Odubeko is a litigator whose practice focuses on advising and representing clients in complex commercial and business disputes and real estate litigation. Businesses turn to Junaid for assistance with matters involving contract disputes and business torts. Junaid also represents clients in litigation involving real estate contracts and condemnation actions. He is known as a hard working and dedicated attorney, and his clients rely on him for his thoughtful, effective, and efficient resolution of their legal needs. Junaid has represented clients in many industries, including healthcare, financial services, transportation, lodging and entertainment and insurance.

Photo of Benjamin William Perry Benjamin William Perry

Ben Perry’s practice spans the spectrum of legal services. On the litigation side, Ben represents clients at the trial and appellate level against a wide variety of claims in state and federal courts. His practice primarily concentrates on complex civil litigation, products liability…

Ben Perry’s practice spans the spectrum of legal services. On the litigation side, Ben represents clients at the trial and appellate level against a wide variety of claims in state and federal courts. His practice primarily concentrates on complex civil litigation, products liability defense, and representing financial institutions and mortgage companies in civil litigation. As part of the Banking and Financial Services Practice Group, he defends mortgage servicers, investors, and related entities against numerous state and federal law claims arising out of lending and loan servicing practices, including alleged violations of the Telephone Consumer Protection Act (TCPA) and various claims relating to the sale of bank-owned real estate. Ben also has substantial experience defending banks and investors in hundreds of cases related to homeowner’s association (HOA) superpriority liens, and he has represented a company’s founder and CEO facing claims brought by the SEC for alleged embezzlement of company funds.

Photo of Eric Setterlund Eric Setterlund

Eric Setterlund serves as counsel in Bradley’s Healthcare and Cybersecurity and Privacy practice groups. He has extensive experience with matters related to healthcare privacy, security protections and regulatory compliance. Prior to joining the firm, Eric served as chief privacy officer and privacy and…

Eric Setterlund serves as counsel in Bradley’s Healthcare and Cybersecurity and Privacy practice groups. He has extensive experience with matters related to healthcare privacy, security protections and regulatory compliance. Prior to joining the firm, Eric served as chief privacy officer and privacy and data counsel for BlueCross BlueShield of Tennessee. He draws upon his real-world business and program management experience to provide his clients practical advice for complex regulatory and transactional matters.