Tennessee legislators gave businesses more than two years to prepare for compliance with the Tennessee Information Protection Act in one of the longest lead times between a comprehensive consumer data privacy law passing and becoming enforceable. Governor Bill Lee signed the Act into law on May 11, 2023, and it is effective from July 1, 2025.
The name of the Act omits the word ‘consumer’, a hint that this privacy law is more business-friendly than the privacy laws of states such as California and Colorado. It doesn’t cover fairly common consumer data rights, such as support for universal opt-out mechanisms (e.g. Global Privacy Control), and where it does offer an opt-out from sale or targeted advertising, the caveats allow companies to continue serving most cookies used for targeted ads.
Key Dates: Tennessee Data Privacy Law
- January 4, 2023 – Senate Bill 73, “Tennessee Information Protection Act”, is introduced to the Tennessee Senate and passed on First Consideration.
- January 31, 2023 – House Bill 1181, a cross-filing of SB73, is introduced in Tennessee’s House of Representatives. It is then assigned to the subcommittee for Banking & Commerce on February 7, 2023.
- March 10, 2023 – SB73 is sent to the Senate Committee for Commerce and Law.
- March 21, 2023 – Tennessee’s Senators vote 9-0 to recommend passage of the Information Protection Act.
- April 10, 2023 – Tennessee’s Representatives unanimously vote 90-0 in favor of the bill.
- May 5, 2023 – Tennessee’s House of Representatives transmits the bill to the Governor for signing.
- May 11, 2023 – Governor Bill Lee signs the Tennessee Information Protection Act into law.
- May 12, 2023 – Consumer Reports, a consumer rights advocacy group headquartered in New York, issues a media release calling on Tennessee to improve the new privacy law for consumers, claiming the law “includes numerous loopholes that undercut its protections”. Matt Schwartz, policy analyst at Consumer Reports, is quoted as saying: “The definitions of sale and targeted advertising, as well as the pseudonymous data exemption and enforcement framework, should all be reworked to provide Tennessee consumers the protections they deserve. Aside from that, privacy legislation, at a minimum, should include an easy way to opt-out of data sales and tracking, such as through a universal opt-out mechanism.”
- May 2, 2024 – Governor Lee signs the state’s Protecting Children from Social Media Act, which requires social media companies to prohibit children from becoming or continuing as account holders unless they obtain verified and express consent from their parents.
- July 1, 2025 – The Tennessee Information Protection Act becomes enforceable.
Tennessee Consumer Rights: Personal Data
The Tennessee Information Protection Act defines a consumer as “a natural person who is a resident of this state acting only in a personal context”. Like several other U.S. States’ data privacy laws, the definition excludes “a natural person acting in a commercial or employment context”.
Personal information is defined similarly to other states’ data privacy laws, as “information that is linked or reasonably linkable to an identified or identifiable natural person”. The text of the Act notes it “does not cover publicly available information or de-identified or aggregate consumer information”.
Tennessee’s data privacy law does not support a universal opt-out mechanism. It also requires consumers to contact each controller individually to exercise their rights. Parents and legal guardians can exercise these rights on behalf of their children. In each case, the person making the request must be authenticated by the controller.
The personal information rights of consumers in Tennessee are:
- Right to confirm (right to know) whether a controller is processing their personal information.
- Right to access the personal information about them held by a controller.
- Right to correct inaccuracies in their personal information. When processing such requests, controllers are required to consider the nature of the personal information and the purposes of the processing of the consumer’s personal information.
- Right to delete personal information they have provided or that has been obtained about them. The Act states a controller is “not required to delete information that it maintains or uses as aggregate or de-identified data; provided, that such data in the possession of the controller is not linked to a specific consumer”.
- Right to obtain a copy (portability) of the personal information that the consumer previously provided to the controller. When honoring these requests, controllers must provide a copy of the data in a “portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means”.
- Right to opt out of having their personal information processed by a controller for the purposes of selling that information to a third party, targeted advertising, or “profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer”.
From July 1, 2025, when Tennessee’s data privacy law goes into force, controllers must respond to authenticated consumers’ requests within 45 days, although this timeframe can be extended by another 45 days ‘when reasonably necessary’, based on the complexity and number of the consumer’s personal information rights requests.
A controller must still inform the consumer of the extension within the initial 45-day period and provide them with a reason for the extension.
A consumer can make requests to exercise their personal information rights up to twice each year for each controller and a controller cannot charge them to provide this information on these two occasions each year.
However, a controller can charge an administrative fee to process these requests from a consumer, or deny these requests, if the controller can show the requests are “manifestly unfounded, technically infeasible, excessive, or repetitive”. The burden of proof in these cases is on the controller.
The Act also prohibits controllers from discriminating against consumers for exercising their personal information rights protected in the law, which means controllers cannot deny goods or services, charge different prices or rates for goods or services, or provide a different level of quality of goods and services to the consumer.
However, the Act states it “does not require a controller to provide a product or service that requires the personal information of a consumer that the controller does not collect or maintain, or prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee”.
Sensitive Personal Information
Although not directly listed under consumers’ rights in the text of the Act, sensitive personal information is protected under ‘data controller responsibilities’, which restricts controllers from processing “sensitive data concerning a consumer without obtaining the consumer’s consent, or, in the case of the processing of sensitive data concerning a known child, without processing the data in accordance with the federal Children’s Online Privacy Protection Act (COPPA) and its implementing regulations”.
The Tennessee Information Protection Act defines ‘sensitive data’ as a category of information that includes personal information revealing:
- Racial or ethnic origin
- Religious beliefs
- Mental or physical health diagnosis
- Sexual orientation
- Citizenship or immigration status
The definition also covers:
- Processing of genetic or biometric data that is processed for the purpose of uniquely identifying a natural person
- Personal information collected from a known child
- Precise geolocation data (defined as “information derived from technology, including, but not limited to, global positioning system level latitude and longitude coordinates or other mechanisms, that directly identifies the specific location of a natural person with precision and accuracy within a radius of 1,750 feet and does not include the content of communications or data generated by or connected to advanced utility metering infrastructure systems or equipment for use by a utility”.)
Does the Tennessee Information Protection Law Apply to Your Organization?
The scope of the Tennessee Information Protection Act covers anyone that conducts business in the state by “producing products or services that target residents” of Tennessee and:
- Earns more than $25 million in revenue; AND
- Meets at least one of the following:
  - Controls or processes personal information of at least 25,000 consumers and derives more than 50% of gross revenue from the sale of personal information; OR
  - During a calendar year, controls or processes personal information of at least 175,000 consumers.
Exempted Organizations Under Tennessee’s Information Protection Act
Tennessee’s data protection law does not apply to the following types of organizations:
- A body, authority, board, bureau, commission, district or agency of Tennessee or a political subdivision of the state;
- Financial institutions, their affiliates or data subject to the Gramm-Leach-Bliley Act;
- Insurance businesses, including individuals, firms, associations, corporations or other entities licensed in Tennessee under Title 56;
- Covered entities or business associates governed by the privacy, security and breach notification rules of the federal Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH);
- Nonprofit organizations;
- Institutions of higher education;
- Controllers and processors that comply with the verifiable parental consent requirements of the federal Children’s Online Privacy Protection Act 1998 (COPPA) are deemed compliant with an obligation to obtain parental consent.
Data Exempted From Provisions of Tennessee Information Protection Act
Tennessee’s data protection law also includes exemptions from its provisions for the following categories of data:
- Protected health information under HIPAA, including deidentified information;
- Health records for purposes of title 68;
- Patient identifying information for purposes of 42 U.S.C. (Health Care Quality Improvement Act);
- Personal information processed or sold as part of research conducted in accordance with the federal policy for the protection of human subjects (45 CFR 46); human subjects research conducted in accordance with good clinical practice guidelines issued by The International Council for Harmonization of Technical Requirements for Pharmaceuticals for Human Use; or research conducted in accordance with the protection of human subjects (21 CFR 50 and 21 CFR 56);
- Information and documents created for purposes of the federal Health Care Quality Improvement Act;
- Patient safety work product for purposes of the federal Patient Safety and Quality Improvement Act;
- Personal information collected, maintained, disclosed, sold, communicated or used under the regulations of the federal Fair Credit Reporting Act;
- Personal information collected, processed, sold or disclosed in compliance with the federal Driver’s Privacy Protection Act;
- Personal information or educational information regulated by the federal Family Educational Rights and Privacy Act;
- Personal information collected, processed, sold or disclosed in compliance with the federal Farm Credit Act;
- Personal data used in accordance with the federal Children’s Online Privacy Protection Act 1998 (COPPA);
- Personal data that is processed or maintained within an employment or business context, including emergency contact information and information needed to administer benefits for another person;
- Information collected as part of publicly reviewed or peer-reviewed scientific or statistical research in the public interest;
- Personal information maintained or used for purposes of compliance with the regulation of listed chemicals under the federal Controlled Substances Act.
Compliance With Tennessee Data Protection Act
Data controllers have the following responsibilities under the Act:
- Limit collection – the collection of personal information must be limited to what is “adequate, relevant and reasonably necessary” in relation to the purposes disclosed to the consumer;
- Limit processing – personal information cannot be processed for any purpose “beyond what is reasonably necessary to and compatible with the purposes” disclosed to the consumer unless the consumer gives consent to these other purposes;
- Data security – “establish, implement and maintain reasonable administrative, technical and physical data security practices” to protect the confidentiality, integrity, and accessibility of personal information. These security practices must be appropriate to the volume and nature of the personal information processed.
- Data protection assessments – controllers must conduct and document data protection assessments for processing activities where personal information is sold, or used for targeted advertising or profiling;
- Comply with state and federal discrimination laws – personal information cannot be processed in violation of state and federal laws that prohibit unlawful discrimination against consumers (see the Consumer Rights section about non-discrimination above);
- Sensitive personal information – such information cannot be processed without a consumer’s consent (see the Sensitive Personal Information section above);
- Privacy Notice – the Privacy Notice must be reasonably accessible, clear and meaningful (see below).
Privacy Notice Requirements Under Tennessee Law
Controllers must provide a Privacy Notice that includes the following information:
- Categories of personal information processed by the controller;
- Purpose/s for processing personal information;
- How consumers can exercise their consumer rights, including instructions on submitting a request to exercise these rights via a secure and reliable method that allows the controller to authenticate the identity of the consumer;
- How a consumer can appeal a controller’s decision on their personal information rights request;
- Categories of personal information the controller sells to third parties (if any), and the categories of those third parties;
- Clear disclosure if the controller sells personal information to third parties or processes personal information for targeted advertising, along with instructions on how a consumer can exercise their right to opt out from such processing.
Processor Responsibilities
Controllers and processors must enter binding contracts that include clear instructions for:
- Processing personal data;
- Nature and purpose of the processing;
- Type of data subject to processing;
- Duration of the processing; and
- Rights and responsibilities of both parties.
Processors must also:
- Adhere to the controller’s instructions;
- Assist the controller in meeting its obligations, including responding to consumer rights requests;
- Ensure each person processing personal data is subject to a duty of confidentiality concerning the data, and engage subcontractors under written contracts that ensure they meet the processor’s obligations concerning personal information;
- Comply with the controller’s direction to delete or return all personal information to the controller at the end of the provision of services, unless retention of the personal information is required by law;
- Comply with a reasonable request from the controller to prove compliance with the Act by making available to the controller all necessary information in its possession;
- Cooperate with reasonable compliance assessments by the controller or a designated assessor, or a qualified and independent assessor arranged by the processor.
Tennessee Information Protection Act Enforcement
The Tennessee Attorney General and Reporter has the exclusive authority to enforce the Act. Consumers do not have a private right of action.
The AG and Reporter can initiate action if a controller or processor is suspected of having violated, or being about to violate, the Tennessee Information Protection Act, either through the AG and Reporter’s own inquiry or based on consumer or public complaints.
Before initiating action, the AG must give a controller or processor 60 days’ written notice specifying the violation/s. Action will not proceed if the alleged violator cures the noticed violation and provides the AG with a written statement detailing how it has achieved compliance.
If the violation isn’t satisfactorily cured after 60 days, the AG can bring a court action for preliminary or permanent injunctions to prevent further violation/s and compel compliance, and the AG can seek civil penalties. A court can impose a civil penalty of up to $15,000 for each violation.