Tennessee Among States to Pass Comprehensive Data Privacy Laws in 2023

Apr 28, 2023 | Blog

The number of states with laws governing how businesses may treat consumers’ personal information nearly doubled in this year’s legislative session, jumping from five to nine, with Tennessee, Montana, Indiana, and Iowa all passing bills in 2023. These laws are, of course, not uniform; each offers comparatively weak or strong consumer protections in different areas. This article highlights the Tennessee law, as it is the author’s home state, and points out differences from some of the other states’ laws in that context.

The Tennessee Information Protection Act, once signed by Governor Bill Lee, will be codified at 47-18-3201 et seq. Tennessee becomes the ninth state to institute explicit consumer rights with respect to the use of their personal information. The coverage thresholds in this law are significantly higher than in other states. Only businesses with $25 million or more in revenue AND one of the following are required to comply:

(a) information on 175,000 Tennessee residents, OR

(b) information on 25,000 Tennessee residents and 50% or more of gross revenue derived from the sale of personal information.

The more common threshold in other states is $25 million in revenue OR information on 100,000 consumers. Montana, presumably due to its lower population, has dropped the threshold to 50,000 consumers.

Tennessee consumers will have rights to access, correct, delete (in limited circumstances), obtain a copy of, or opt out of the sale of, their personal information. Like most of the other state laws, the Tennessee Act now prescribes the elements of a public-facing privacy notice with specificity. Consumers now have the right to transparency regarding the use of their data.

The Tennessee law also mandates privacy by design. Under this Act, it is a consumer right for data collection to be minimized to the particular purpose for which it is being collected; for data to be protected with administrative, technical, and physical safeguards; to not be discriminated against for exercising their rights; and to not have sensitive information about race, religious beliefs, children, or precise geolocation processed without consent. Consumer rights are not waivable by contract.

Unlike many of the other state data protection laws, Tennessee has created a blanket exception to these rights for pseudonymous data, as long as the controller of the information can demonstrate that “the information necessary to identify the consumer is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing the information.”

Tennessee exempts from the law all businesses that are subject to HIPAA or other health record regulations, or to Gramm-Leach-Bliley. The Act further exempts non-profits, which is common in similar state laws, and also insurance producers, which is less common.

Controllers of personal information are now required to conduct data protection assessments and to have adequate records of those assessments to respond to an inquiry from the Attorney General if necessary. While burdensome to businesses, these assessments have been required in other states since California passed its first omnibus privacy law in 2018, so the requirement should not come as a surprise.

Like most states, Tennessee does not allow for a private right of action. It is the Attorney General’s purview to bring enforcement actions. Also in line with other states is the initial cap on civil penalties of $7500 per violation. However, Tennessee’s historically strong consumer protection laws allow for the tripling of damages for willful violations.

Finally, and most notably, Tennessee has introduced the first “safe harbor” based on a business’s privacy practices. A business may avoid liability under TIPA by “reasonably conforming” to the National Institute of Standards and Technology (“NIST”) privacy framework. (An alarming earlier version of the bill would have made it a deceptive practice to not conform to NIST.) The legislature has set forth a number of factors for determining whether or not a business’s privacy framework is appropriate relative to the company’s size, complexity, and breadth of data processing. What the legislation does not do, however, is fund the staffing of the AG’s office with people skilled in making the determination whether a particular privacy program fits a particular company’s environment adequately—so how “safe” this harbor really is remains to be seen.

We anticipate the trend will continue in other states with the adoption of comprehensive privacy laws that provide consumers with rights of access and opting out of processing, while protecting businesses from private rights of action and potentially instituting new and different safe harbors. As always, both legacy and emerging businesses should institute privacy by design by implementing principles of data minimization, security, accountability, fairness, and transparency from the very beginning of each new project.

If you have any further questions regarding Tennessee’s recent data privacy law or how your business can comply with consumer data protection requirements in various states, please contact Tara Aaron-Stelluto.