On May 11, 2023, the Tennessee Governor signed the Tennessee Information Protection Act (TIPA) into law, making Tennessee the eighth US state at the time to adopt a comprehensive consumer privacy law.
While the TIPA bears some similarities to other US state privacy laws such as California’s CCPA and CPRA, it also contains provisions that set it apart from the other state laws, such as an affirmative defense for organizations whose privacy program conforms to the NIST Privacy Framework.
In this article, we help you understand if the TIPA applies to you and how you can comply with the TIPA’s main requirements such as obtaining consent for collecting sensitive data, implementing appropriate consent mechanisms, and honoring opt-out requests by your website/app users.
What is the Tennessee Information Protection Act 2023?
The Tennessee Information Protection Act 2023, or TIPA for short, is a comprehensive consumer privacy law that was signed into law on May 11, 2023. If your organization targets Tennessee residents to sell products or services, and if you collect and process Tennessee residents’ personal information such as name, email address, purchase details, or browsing activity on your website, the new data privacy law may apply to you.
Given that the Tennessee Information Protection Act becomes enforceable in July 2025, you only have a few months to get familiar with the new law’s requirements for obtaining consent, implementing consent mechanisms, and offering opt-out mechanisms, such as the opt-out of the sale of personal information.
Does the Tennessee Information Protection Act apply to you?
If you target Tennessee consumers, it might. Section 3202 of the new Act states that you will be subject to the new law if you fulfill the following two criteria simultaneously:
- Your revenue exceeds twenty-five million dollars ($25,000,000); and
- You satisfy one of the following conditions:
  - You control or process personal information of at least twenty-five thousand (25,000) consumers and derive more than fifty percent (50%) of gross revenue from the sale of personal information; or
  - During a calendar year, you control or process personal information of at least one hundred seventy-five thousand (175,000) consumers.
As you can see, the new law imposes both a revenue threshold and a data processing threshold for its applicability to organizations. These cumulative thresholds are more restrictive than those of other US state privacy laws such as Iowa’s, Connecticut’s, and Colorado’s. However, the approach is quite similar to California’s CCPA, which also imposes both a revenue and a processing threshold.
What are the exemptions from the scope of the Tennessee Information Protection Act?
If you target Tennessee consumers and if you satisfy the criteria we defined above, the new Act will apply to you. However, certain categories of data and organizations are exempt from the scope of the Act.
What categories of data are exempt from the Act?
Section 3210 of the Act lists the categories of personal information that are exempt from the scope of the Act. Exempted personal information includes health information subject to HIPAA and personal information processed in compliance with the Fair Credit Reporting Act, Federal Farm Credit Act, and the federal Family Educational Rights and Privacy Act.
Furthermore, de-identified data, aggregated data, and personal information processed in a commercial or employment context are excluded from the scope of the Act.
What organizations are exempt from the scope of the Act?
Section 3210 of the Act provides a long list of organizations that are exempt from the Act. Exempted organizations include state bodies, financial institutions subject to the Gramm-Leach-Bliley Act, insurance companies licensed under state laws, higher education institutions, and non-profit organizations.
What are the main obligations of data controllers under the Tennessee Information Protection Act?
Section 3204 of the Act requires that a data controller comply with the following obligations:
Comply with data limitation and purpose limitation principles
You can collect and process a type of personal information only if it is strictly necessary, adequate, and relevant to the purpose for which you want to process it. For instance, if you do not need your customers’ date of birth to process their online orders on your website, you should not collect this type of personal information.
Do not process personal information for unrelated secondary purposes
If you collect personal information for a specific purpose, you cannot process the same data for an incompatible, unnecessary purpose unless you obtain consent from the consumer. For instance, if you collect a certain type of personal information to provide your services to your customers, you may not be able to use the same data for machine learning algorithm training purposes.
Protect personal data
You must establish and maintain appropriate organizational, technical, and physical data security practices to protect the ongoing availability, integrity, and accessibility of personal data.
Obtain consent before collecting and processing sensitive data
You must obtain a consumer’s consent before collecting and processing his/her sensitive personal information. Under the Act, sensitive data includes personal information revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status, as well as precise geolocation data and genetic or biometric data. Furthermore, personal information collected from a known child is also classified as sensitive data.
Didomi can help, thanks to our multi-regulation consent collection capabilities and support for multiple U.S. state privacy laws.
Provide a detailed privacy notice to consumers
Section 3204 of the Act requires that organizations provide consumers with a reasonably accessible, meaningful, and clear privacy notice. This privacy notice must explain what categories of personal information are processed, for what purposes data is collected and used, and the categories of third parties with whom data is shared or sold. Furthermore, the privacy notice must explain how consumers may exercise their rights under the Act.
Consumer rights under the Act and how to address them
Section 3203 of the Act states that consumers may exercise their information rights such as their right to confirm if their data is processed, the right to access data, the right to correct inaccuracies, the right to deletion of personal information, and the right to opt out of sales of personal information, targeted advertising, and profiling.
Respond to consumer requests within 45 days
If a consumer exercises his/her rights under the Act, the controller must respond to such a request within 45 days, which may be extended once by a maximum of 45 additional days if the request is complex.
Provide a mechanism for consumers to exercise their rights
The Act requires organizations to provide consumers with one or more reliable and secure ways to exercise their rights. While the Act does not prescribe specific methods for exercising these rights, it states that an organization must consider how consumers usually interact with the organization and how a request can be authenticated.
To learn everything you need to know about Data Subject Access Rights (DSAR) and how to deal with them, check out our dedicated guide.
Provide a mechanism where consumers can opt out of the sale of their personal information and targeted advertising
If you sell personal information to third parties or if you process personal information for targeted advertising purposes, you must provide consumers with an opportunity to opt out of such processing. However, the Act does not define any rules about this mechanism.
Conduct a Data Protection Assessment
If you collect and process personal data for targeted advertising or profiling or if you sell personal data, you must carry out a data protection assessment.
How does the Tennessee Information Protection Act differ from other US state privacy laws?
The Tennessee Information Protection Act contains certain unique provisions and differs from other US state data privacy laws in important ways.
Firstly, if an organization has a written privacy policy that conforms to the National Institute of Standards and Technology (NIST) privacy framework or other documented policies and standards, it will have an affirmative defense to a cause of action for a violation of the Act.
Secondly, the new Act’s applicability threshold is stricter than that of most US state privacy laws because, as explained above, the law imposes both a revenue threshold and a data processing threshold, a cumulative approach shared only by California’s CCPA.
Who enforces the Tennessee Information Protection Act?
Under section 3212 of the Act, the Tennessee Attorney General and Reporter has the exclusive right to take enforcement action against individuals or organizations that violate the Act.
Before taking enforcement action, the Attorney General and Reporter must give the person or organization a 60-day cure period to remedy the alleged violation. If the violation is not cured, the Attorney General and Reporter may bring an enforcement action in court and seek relief such as injunctive relief and civil penalties.
Under the Act, a court may impose a civil penalty of up to seven thousand five hundred dollars ($7,500) for each violation of the Act. Like other US state privacy laws, the Tennessee Information Protection Act does not provide individuals with a private right of action.
How Didomi can help with TIPA compliance
If you have customers from Tennessee, the Tennessee Information Protection Act’s stringent consent, privacy notice, and consumer rights requirements may apply to you.
Considering that the Act will come into force in July 2025, now is a great time to consider implementing a mechanism to obtain consent before collecting health data, as well as a secure and easy-to-use mechanism for your users to exercise their consumer rights. Our team at Didomi has extensive experience helping global organizations comply with U.S. state laws, offers integration with key privacy and advertising frameworks such as GPC and GPP, and has the expertise required to help you make sense of it all.
Book a call with one of our experts to see how we can help, and check out our comprehensive guide to continue learning about the state of data privacy in the U.S.
Frequently Asked Questions (FAQ)
Who enforces the Tennessee Information Protection Act?
The Tennessee Attorney General and Reporter has the exclusive right to take enforcement action against individuals or organizations that violate the Act.
What is the deadline to respond to consumer requests?
If a consumer exercises his/her rights under the Act, the controller must respond to such a request within 45 days, which may be extended once by a maximum of 45 additional days if the request is complex.
Do consumers have the right to opt out of the sale of personal information under the Tennessee Information Protection Act?
Yes, consumers have the right to opt out of the sale of their personal information.
Do I need to obtain consent before processing personal information?
If you are processing sensitive data such as personal information revealing racial origin, citizenship, immigration status, ethnic origin, or data related to a known child, you must obtain consent from consumers.