In May 2023, Tennessee enacted a consumer data/information protection statute called the Tennessee Information Protection Act (“TIPA”). In this article, the consumer privacy and compliance lawyers here at Revision Legal briefly survey the obligations imposed by the TIPA on businesses collecting and processing data related to Tennessee consumers. The focus of the TIPA is consumer data and, thus, for example, data related to employment and business-to-business data are excluded from coverage.
With respect to obligations imposed on businesses, the TIPA is standard for these types of data protection statutes. Broadly speaking, there are two sets of obligations: one set related to consumers and another set for the data processing procedures.
With respect to consumers, businesses must give prominent and clear notice to consumers of what data is collected/processed, the business purpose of the data processing, with whom the data is shared, whether the data is sold (and to whom), etc. Businesses are also obligated to obtain prior and informed consent from consumers under certain circumstances and for certain types of particularly sensitive data: when data is sold, when it is used for targeted advertising, and when it is used for profiling. Businesses must also obtain consent if the data is to be processed for uses other than those disclosed.
Businesses are also obligated to provide an “opt-out” mechanism for consumers who do not want their data processed for the above three purposes — that is, data to be sold, data to be used for targeted advertising, or for profiling. So, there is no general “opt-out” for having data collected/processed. Further, there is nothing in the TIPA that requires businesses to recognize some sort of universal instructions from consumers — like through a browser setting or add-on.
Businesses must also provide mechanisms for correcting data, deleting data, allowing consumers to access their data, and allowing consumers to have possession of their data (for portability purposes).
With respect to data processing obligations, the TIPA is, again, quite standard in the requirements imposed. As with similar consumer data protection statutes, most of these obligations are imposed on the data “controllers” (although there are a few obligations imposed on data “processors”). Controllers must, for example, only process data to the extent that such processing is “adequate, relevant, and reasonably necessary” for the business purpose. As noted above, to go beyond the business purpose, consent must be obtained from the consumer.
Controllers must also have policies and procedures in place to address and respond to consumers who are exercising their rights under the TIPA. Likewise, there must be an internal appeal available if a consumer disagrees with a decision made by the processor. For example, if the consumer requests a correction of data stored and the request is denied, then there must be an appeal process for the consumer to challenge the denial. Controllers must also have policies in place that prevent discrimination and/or retaliation against consumers who exercise their rights under the TIPA.
In addition, Controllers must:
- Have reasonable data security protocols appropriate to the volume and sensitivity of the data collected, held, and processed
- Have appropriate contractual agreements with processors, vendors, and others who will have access to the consumer data
- Prepare data protection assessments on a regular basis, evaluating, among other things, risks of various harms to consumers
- And more