Tennessee became the eighth American state to enact consumer privacy legislation, which will take effect on July 1, 2025. This law was passed on May 11, 2023, giving organizations just over two years from then to prepare for compliance with the Tennessee Information Protection Act (TIPA).
In 2023, there has been an accelerating trend of passing comprehensive privacy laws at the state level in the United States. More comprehensive state privacy laws were passed between March and July 2023 than in all the years before 2023 combined. Eight laws have been passed and signed by state governors, with a ninth passed in Delaware and awaiting signing as of August. The passage of Tennessee’s law is the result of ongoing efforts to strengthen consumer data privacy within the state.
The TIPA is considered to be “business-friendly”, similar to some other states’ acts, such as Virginia’s Consumer Data Protection Act (VCDPA) and Iowa’s Consumer Data Protection Act (ICDPA). Meanwhile, at the federal level in the US there is still uncertainty around a data privacy regulation.
What is the Tennessee Information Protection Act?
The Tennessee Information Protection Act (TIPA) was drafted as bill HB 1181, which aims to safeguard the privacy and personal information rights of approximately seven million residents in Tennessee.
It also establishes data privacy obligations for companies operating within the state or offering products and services to its residents. These organizations handle the personal information of consumers as part of their business activities. Similar to California and other states with data privacy laws, Tennessee defines a consumer as a resident who is not engaged in commercial or employment-related activities.
TIPA follows an opt-out approach, which aligns with the comprehensive data privacy regulations enacted in all other states thus far where data privacy laws have been passed. Under this model, businesses that must comply with TIPA are required to inform consumers about their data collection and processing practices, like what specific types of data are being collected, for what purposes it will be used, any third parties involved in sharing this data, etc.
Companies must also provide consumers with an opportunity to opt out of data collection and processing activities. Businesses and any third-party entities they engage for handling customer data (“processors”) also need to implement reasonable security measures and safeguards. Organizations do not have to obtain consumer consent prior to collecting personal data in most cases, however.
The TIPA is a protective measure aimed at preserving Tennessee residents’ privacy rights and giving them control over their personal information. It places responsibilities on businesses operating within the state or targeting its residents: they must inform consumers about how their personal information is collected and processed, and give consumers ways to opt out of certain processing. The law also requires adequate security protocols when handling consumer data, both internally and in third-party partnerships.
Important definitions in the Tennessee Information Protection Act
Tennessee’s law, like other states that have passed privacy legislation, focuses on key principles of data privacy and protection and the related duties of various organizations accessing personal data. It is important to establish definitions that strike a balance between being clear and comprehensive, while also being flexible enough to adapt to technological advancements for efficient implementation and enforcement of regulations into the future.
How TIPA defines personal information
TIPA refers to personal information, which is also called personal data in some other laws, as: “information that identifies, relates to, or describes a particular consumer or is reasonably capable of being directly or indirectly associated or linked with a particular consumer”. The law provides a fairly lengthy list of examples, which some other states’ laws don’t. It does exclude publicly available information, aggregated data, or de-identified data, which are common exemptions in US privacy laws.
The Tennessee data protection law lists these specific identifiers:
- real name, alias, or unique identifier
- online identifier
- IP address
- email address
- account name
- Social Security Number (SSN)
- driver’s license number
- passport number
- “or other similar identifiers”
It also mentions “information that identifies, relates to, describes, or could be associated with, a particular individual, including, but not limited to”:
- physical characteristics or description
- telephone number
- insurance policy number
- employment or employment history
- bank account number
- credit card number or debit card number
- other financial, medical, or health insurance information
Also included are:
- commercial information, including purchase records and similar
- biometric data
- Internet or other electronic network activity information
- geolocation data (precise geolocation being within a radius of 1,750 feet / 533.4 meters)
- audio, electronic, visual, thermal, olfactory, or similar information
- professional or employment-related information
- education information that is not publicly available
- inferences drawn from the information to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes
The definition for consumer profiling is of note as that is becoming increasingly relevant and explicitly addressed in data privacy laws, and is likely to increase in relevance with the spread of AI-based tools.
How the TIPA defines consent
The General Data Protection Regulation (GDPR) in the European Union established the benchmark for defining consent, which has been adopted by many subsequent regulations.
According to TIPA, consent is “an explicit and voluntary action indicating a consumer’s informed and unequivocal agreement to process personal information related to the consumer.” This includes written statements, whether in electronic form or otherwise, as well as clear affirmative actions.
How the TIPA defines sensitive data or sensitive personal information
Sensitive data includes specific categories of personally identifiable information, which could cause harm if misused. They include data that would reveal:
- personal information collected from a known child under 13 years of age
- racial or ethnic origin
- religious beliefs
- mental or physical health diagnoses
- sexual orientation
- citizenship or immigration status
- genetic or biometric data processed for the purpose of uniquely identifying an individual
- precise geolocation data (within a radius of 1,750 feet / 533.4 meters)
How the TIPA defines a controller
Companies or other organizations that collect and process personal data are generally considered the controllers, which the TIPA defines as “the natural or legal person that, alone or jointly with others, determines the purpose and means of processing personal information”.
How the TIPA defines a processor
For companies or other organizations that contract third parties for data processing and share personal data with them for those purposes, the originating company will be the controller and the third party would be the processor, defined as “a natural or legal entity that processes personal information on behalf of a controller”.
How the TIPA defines a sale
A sale is the “exchange of personal information for monetary or other valuable consideration by the controller to a third party”. There are a number of exclusions to this definition, including:
- disclosure of personal data to a processor that processes the personal data on the controller’s behalf
- disclosure of personal data to a third party for purposes of providing a product or service the consumer has requested
- disclosure or transfer of personal data to an affiliate of the controller
- disclosure of information that the consumer intentionally made publicly available via a mass media channel, without restricting it to a specific audience
- disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller’s assets
- disclosure of personal data to a third party at the consumer’s direction and with their consent
How the TIPA defines targeted advertising
This activity involves presenting ads to individuals that are tailored to insights from their personal information and online behavior. The information is gathered from the individuals themselves or through monitoring their activities on various websites and apps. The objective is to use this data in order to anticipate the interests and preferences of consumers, resulting in more accurately targeted and personalized advertising.
Which companies have to comply with the Tennessee Information Protection Act?
The TIPA applies to organizations doing business in Tennessee, and any company providing products or services targeted to Tennessee residents, that exceed US $25 million in annual revenue and meet one of two thresholds:
- control or process the personal information of at least 175,000 Tennessee consumers during a calendar year, or
- control or process the personal information of at least 25,000 Tennessee consumers during a calendar year and derive more than 50% of their gross revenue from the sale of personal information
This differs from California’s Consumer Privacy Act (CCPA), where exceeding the revenue threshold alone brings a business into scope even if it does not meet the consumer-volume thresholds. Under Tennessee’s law the revenue figure is a gate rather than an independent trigger: a company must both exceed US $25 million in revenue and meet one of the consumer-volume thresholds before it has to comply. In practice this keeps many smaller businesses outside the law’s reach.
Affirmative defense under the TIPA
One aspect of the TIPA that is unique among the US state-level data privacy laws is the safe harbor provision or “affirmative defense”. An organization charged with violating TIPA can raise an affirmative defense to avoid a penalty if it has created, maintained, and complied with a written privacy program. Such a program must reasonably conform to one or more accepted standards, including:
- U.S. National Institute of Standards and Technology (NIST) Privacy Framework
- Asia-Pacific Economic Cooperation Cross-Border Privacy Rules
- APEC Privacy Recognition for Processors System
The NIST Privacy Framework is the most notable of these for an affirmative defense. Ohio included a similar provision in its most recent data privacy bill from 2022, but that bill did not pass.
Whether a privacy program is of an appropriate scale and scope, and so supports the defense, depends on:
- size and complexity of the controller or processor’s business
- nature and scope of the activities of the controller or processor
- sensitivity of the personal information processed
- cost and availability of tools to improve privacy protections and data governance
- compliance with a comparable state or federal law
Exemptions to data privacy compliance under the Tennessee privacy law
Tennessee’s data privacy act has fairly standard exemptions compared with other US state-level privacy regulations. Chiefly there is deferral to relevant federal laws, such as:
- Health Insurance Portability and Accountability Act (HIPAA)
- Health Information Technology for Economic and Clinical Health Act
- Fair Credit Reporting Act (FCRA)
- Children’s Online Privacy Protection Act (COPPA)
- Family Educational Rights and Privacy Act (FERPA)
- Driver’s Privacy Protection Act
- Farm Credit Act (FCA)
- Controlled Substances Act
There are exemptions for human resources data, healthcare records, research data for human subjects covered by other federal laws or standards, and personal data that is processed or maintained for the purposes of employment.
There are also a number of institutions that are exempt from the law:
- state government entities
- financial institutions (also entities and affiliates subject to the Gramm-Leach-Bliley Act)
- insurance companies
- institutions of higher education
- nonprofit organizations
Individuals acting in an employment or business (B2B) context are exempt from the law’s definition of “consumer”.
Tennessee Information Protection Act and the rights of consumers
The data privacy law gives individuals a number of rights over their privacy and personal data. These are consistent with rights granted by other US states’ privacy laws as well. Children cannot exercise their rights or provide consent, but parents or legal guardians of known children can invoke a child’s rights.
- Right to access: confirmation if the controller is processing the consumer’s personal information and access to that data, with some exceptions
- Right to disclosure: any categories of information about the consumer that have been sold
- Right to delete: any personal information the controller has that was provided by the consumer (with some exceptions)
- Right to correction: any inaccurate or outdated information the controller has that was provided by the consumer
- Right to portability: obtain a copy of the consumer’s personal information that the consumer previously provided to the controller, in a readily usable format, with some exceptions
- Right not to be discriminated against: controllers cannot unlawfully discriminate against consumers, including for exercising their rights
- Right to opt out: of sale of personal information, targeted advertising, or profiling
Two rights found in some other data privacy laws are not included in the TIPA. These are:
- Right to opt out of automated decision-making (including use of AI tools)
- Private right of action (consumers’ ability to sue the controller in the event of a violation)
How to comply with the Tennessee data privacy act?
Upon receiving a consumer request, the controller must respond within 45 days. There are limited circumstances under which it may decline, such as when it cannot reasonably verify the consumer’s identity. If a controller denies a request, the consumer can appeal, and the controller has 60 days to respond to the appeal. If the appeal is also denied, the controller must tell the consumer how to contact the Attorney General’s office to submit a complaint.
Where reasonably necessary given the complexity or number of requests, the controller may extend the response period by up to 45 additional days, provided it notifies the consumer of the extension and the reason for it within the initial 45-day period.
Purpose limitation under the TIPA
Controllers can process personal data for purpose(s) that they have communicated to consumers, as long as the processing is “reasonably necessary” and “adequate, relevant and limited” to those purposes.
Data security under the TIPA
Controllers must protect personal data by establishing, implementing and maintaining reasonable administrative, technical, and physical security measures. These measures should be appropriate to the nature and volume of personal information being processed.
Data protection assessments (DPA) under the TIPA
Controllers must conduct and document DPAs when processing certain types of information, or for certain purposes:
- categorized as sensitive personal data
- for targeted advertising
- for profiling if there is a reasonably foreseeable or heightened risk of harm to consumers
- for sale
Data protection assessments conducted to comply with other state laws may enable organizations to become TIPA-compliant if the scope and effect is similar.
Consent requirements under the TIPA
Tennessee, like other states in the US that have implemented privacy laws, operates on an opt-out model. This means that in many cases, there is no requirement for user consent before collecting and processing personal data.
However, there is one important exception: consent is mandatory for collecting or processing sensitive personal information. Consumers must also receive clear notice about how their data will be processed, and have the option to opt out of any sale, targeted advertising, or profiling.
When it comes to protecting children’s online privacy, Tennessee follows the guidelines set by the federal Children’s Online Privacy Protection Act (COPPA). According to these regulations, consent from a parent or guardian must be obtained before any known child’s personal information can be processed. This applies to all users who are under 13 years old. In Tennessee specifically, data related to children under 13 is automatically considered “sensitive” by default.
Nondiscrimination under the TIPA
Controllers are strictly prohibited from engaging in any form of discrimination against consumers who wish to exercise their rights under the TIPA, like opting out of processing of their personal data. Companies must also refrain from processing personal information if it would violate any other state or federal laws pertaining to discrimination.
Controllers have the option of offering voluntary incentives as a means of encouraging consumers’ participation in various operations, such as loyalty programs or newsletter sign-ups, that involve the collection and processing of personal data. However, these incentives must be reasonable and proportionate since data protection authorities view disproportionate incentives as potential bribes.
Transparency under the TIPA
Controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes:
- categories of personal data processed by the controller
- purpose(s) for processing personal data
- how consumers may exercise their rights and/or appeal a controller’s decision (e.g. if a request for access is denied)
- categories of personal data that the controller sells to third parties, if any
- categories of third parties to whom the controller sells personal data, if any
- the right to opt out of the sale of personal data to third parties or processing personal data for targeted advertising and how to exercise it
Third party contracts with processors under the TIPA
Controllers must arrange contractual agreements with third-party service providers, like vendors or other partners, that include comprehensive information about:
- duties of confidentiality
- specific data processing procedures
- deletion or return of personal information upon request
- demonstration of the processor’s compliance with obligations
- allowance of a reasonable assessment of the processor’s policies, operations and security measures by the controller or a qualified designated assessor
Global Privacy Control (GPC)
The Tennessee Information Protection Act does not make any reference to the Global Privacy Control (GPC) or “universal opt-out” or similar mechanisms. California’s laws do reference this signal, which is intended to streamline and standardize how users express their opt-out preferences online.
Individuals set their privacy preferences once in their browser, and the browser communicates them to each website or app they visit, so there is no need to set new preferences on every site. The mechanism also helps ensure compliance with consumer privacy laws in the jurisdictions that recognize it.
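The mechanism described above, as an added example that is not part of the original article and not a TIPA requirement (the law does not reference GPC): a server reads the Sec-GPC request header, a page script reads navigator.globalPrivacyControl, and the signal is applied to an opt-out-model consent record. Which purposes the signal switches off is this example’s assumption, modelled on California’s treatment of it as a “do not sell or share” request; the consent record shape, the purpose names, and the sample requests are constructed for illustration.

```javascript
// Added example (not from the original article or the TIPA text):
// detecting a Global Privacy Control (GPC) signal on both sides of an HTTP
// request and applying it to an opt-out-model consent record.
//
// Assumptions, labelled because the page does not specify them:
//  - which purposes a GPC signal switches off (OPT_OUT_PURPOSES) follows
//    California's reading of the signal as "do not sell or share"; TIPA
//    itself does not reference GPC, so this is a site's own policy choice;
//  - the consent record shape (a stored boolean per purpose) is illustrative.

const GPC_HEADER = 'sec-gpc';

// Purposes this site treats a GPC signal as opting out of (assumption).
const OPT_OUT_PURPOSES = ['sale', 'targeted_advertising'];

// Purposes that stay off unless the consumer has explicitly opted in.
const OPT_IN_PURPOSES = ['sensitive'];

// Server side: read the Sec-GPC request header. The GPC specification
// defines exactly one value, "1"; anything else (absent header, "0",
// "true", padding) is treated as no signal. Header names are matched
// case-insensitively because HTTP header names are.
function gpcFromHeaders(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === GPC_HEADER) {
      return String(value).trim() === '1';
    }
  }
  return false;
}

// Client side: the same signal is exposed to page scripts as the boolean
// navigator.globalPrivacyControl. Outside a browser (e.g. Node) the
// property is absent and this returns false.
function gpcFromNavigator(nav = globalThis.navigator) {
  return nav !== undefined && nav !== null && nav.globalPrivacyControl === true;
}

// Build the per-purpose processing state for one consumer interaction.
// Opt-out model: sale and targeted advertising default to allowed and are
// switched off by a GPC signal or by a stored opt-out; sensitive data
// processing defaults to not allowed and is enabled only by a stored,
// explicit opt-in. A stored opt-out is never undone by the mere absence of
// a GPC signal (a consumer who opted out once stays opted out).
function consentState({ gpc = false, stored = {} } = {}) {
  const state = {};
  for (const p of OPT_OUT_PURPOSES) {
    const optedOut = stored[p] === false;
    state[p] = !gpc && !optedOut;
  }
  for (const p of OPT_IN_PURPOSES) {
    state[p] = stored[p] === true;
  }
  return state;
}

// Gate a processing operation on the computed state. Unknown purposes are
// refused rather than allowed by default.
function mayProcess(purpose, state) {
  return Object.prototype.hasOwnProperty.call(state, purpose) && state[purpose] === true;
}

// Decide, for one request, which purposes may proceed.
function decide(request) {
  const state = consentState({
    gpc: gpcFromHeaders(request.headers),
    stored: request.stored,
  });
  return {
    sale: mayProcess('sale', state),
    targeted_advertising: mayProcess('targeted_advertising', state),
    sensitive: mayProcess('sensitive', state),
  };
}

// Constructed sample requests (not real traffic): a browser sending GPC,
// a browser without it, and a returning consumer with stored choices.
const SAMPLE_REQUESTS = [
  { headers: { 'Sec-GPC': '1', 'user-agent': 'example' }, stored: {} },
  { headers: { 'user-agent': 'example' }, stored: {} },
  { headers: { 'user-agent': 'example' }, stored: { sale: false, sensitive: true } },
];

console.log(SAMPLE_REQUESTS.map(decide));
```

The design point is that a universal opt-out signal only ever removes permissions: it flips opt-out-model purposes to off and never grants anything, so sensitive data processing still needs the explicit opt-in the article describes, and a stored opt-out survives a later request that happens to arrive without the header.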
What happens if you break the Tennessee data protection law?
Like other US states’ privacy laws, enforcement of the TIPA falls under the Attorney General’s office. Enforcement and penalties under the regulation are comparable to those in other states.
Enforcement of the TIPA
The Attorney General is the enforcement authority for Tennessee’s data protection act. While consumers cannot sue alleged violators, they can report alleged violations to the AG’s office, along with complaints about request denials. The AG provides written notice to organizations if there are allegations of violations against them. Such notices must list all violations.
Cure period and controller actions under the TIPA
Organizations have a 60-day window, called a cure period, when they have the opportunity to fix issues that are in violation of the TIPA and prevent future recurrence. In other states, the cure period ranges from 30 to 90 days.
Companies must notify the AG once they have cured the violations, with a written statement that the violations have been cured and that no further violations will occur. No action will be taken for the initial violation(s) if the controller does this and no further violations occur.
Fines and penalties
The Attorney General’s office can initiate civil proceedings against a controller or any processor they’re contracted with if violations are not “cured”, or if they have submitted a statement of compliance that is found not to be accurate.
A controller or processor found to be in violation of the TIPA can be fined up to US $15,000 per violation. Knowing or willful violations can be penalized at treble damages (three times the amount), plus reasonable investigation and prosecution expenses.
The Tennessee privacy law and consent management
Tennessee’s consumer privacy regulation reflects the opt-out framework, mirroring other state-level data privacy laws in the United States, except when it pertains to sensitive personal information or data belonging to children. Under this model, consent from data subjects is not necessary for collection or processing of personal data.
To facilitate user opt-outs, a cookie banner can be used and displayed as a link or button. A Consent Management Platform (CMP), like the Cookiebot CMP, can also assist in automating the identification of cookies and other tracking technologies utilized by websites and apps. By employing a CMP, organizations can streamline the process of informing users about data categories that are collected and specific services offered by controllers and/or processors. Additionally, it simplifies disclosure regarding third parties with whom data is shared.
The United States only has state-level laws to date and not federal data privacy regulation. This creates complexity for some companies doing business across states or internationally. They may be responsible for compliance with a number of data privacy laws.
A CMP can help streamline compliance by enabling banner customization and geotargeting. Data processing, consent information and choices for specific regulations can be presented based on where each user is located and in their preferred language.
Tennessee Information Protection Act compliance preparation
Businesses operating in Tennessee have until 2025 to get ready for complying with the TIPA. If they have already met the requirements of other state-level data privacy laws in the United States, a significant amount of that work has already been completed. It is always beneficial for organizations to adopt a privacy by design approach, whether it is specifically for regulatory compliance or overall operational best practices.
Achieving TIPA compliance will primarily involve understanding and meeting the specific requirements outlined in Tennessee’s law, as well as implementing a solution that provides users with the necessary notifications and opt-out options. To assist with cookie and tracking notification and management, businesses can use a consent management platform.
Given that these US regulations are still in their initial versions and both technology and consumer expectations are evolving rapidly, updates to the TIPA can be expected over time. It is advisable to seek advice from qualified legal counsel or your organization’s data privacy expert to ensure that all responsibilities are fulfilled.
Proactive measures to protect user privacy are a valuable endeavor for any business. They not only instill trust and engagement among users, but also enhance their overall experience and strengthen long-term customer relationships. Ultimately, this helps with acquisition of high quality data for marketing operations and an increase in revenue.
Usercentrics A/S (Cookiebot™) does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.