In May 2023, Tennessee enacted its version of a statute aimed at protecting information and data related to consumers and others. The statute is called the Tennessee Information Protection Act (“TIPA”). To date, about eleven States have enacted consumer data/information privacy statutes. The Tennessee version is the first of such statutes that omits the word “consumer.” One may speculate that this omission was purposeful since many have called the TIPA a “business-friendly” consumer data privacy statute. This is in contrast to less “business-friendly” privacy statutes like the two enacted in California called (originally) the California Consumer Privacy Act and amended to be called the California Privacy Rights Act. In this article, the Internet and Consumer Privacy Compliance lawyers at Revision Legal offer some thoughts on the “business-friendly” nature of the TIPA. In related articles, we’ll discuss what rights are protected and obligations imposed by the TIPA and offer a summary of how providing an affirmative defense related to the National Institute of Standards and Practices might play out in the future.
As one example of the business-friendly nature of the TIPA, the definition of “consent” in the TIPA is quite permissive in favor of business interests. Consumer consent is a large focus of these consumer privacy statutes since these statutes generally impose the obligation to collect consumer consent when businesses collect, process, sell, and share consumer data and personally identifiable information. More recently, consumer consent has been required when businesses collect personal data for purposes of targeted advertising.
Under general American law, there are, of course, many different methods of obtaining consent. So, one method of measuring the strength of these consumer data protection statutes is to examine how “easy” it is for businesses to obtain consumer consent under the statutory regimes. The TIPA, for example, says that “consent”:
(A) Means a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal information relating to the consumer; and
(B) May include a written statement, including a statement written by electronic means or an unambiguous affirmative action
“Unambiguous affirmative action” is often deemed a legal codeword for allowing negative actions to legally be deemed consent. If the pop-up box asks for consent, but the consumer ignores the request, that is often deemed consent by negative conduct.
To understand how this provision in the TIPA is “business-friendly,” let’s compare the same provision in the Montana version of the statute. In that statute, consent has the following definition:
(a) “Consent” means a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to allow the processing of personal data relating to the consumer. The term may include a written statement, a statement by electronic means, or any other unambiguous affirmative action.
(b) The term does not include:
(i) acceptance of a general or broad term of use or similar document that contains descriptions of personal data processing along with other unrelated information;
(ii) hovering over, muting, pausing, or closing a given piece of content; or
(iii) an agreement obtained using dark patterns.”
As can be seen, the Montana definition of “consent” is much more stringent and consumer-friendly.
In the Tennessee version, the lawmakers used the same language as the Montana version in subsection (a) but omitted the language in subsection (b). This will be used by Tennessee courts to hold that “closing a given piece of content” is a form of negative consent. Montana courts will be denied that option, given the explicit language of the Montana Consumer Data Privacy Act.
There are many other examples of the business-friendly nature of the TIPA. For example, for the first time, a complete exemption is provided for insurance companies and the data that they collect, process, share, and sell. In addition, the TIPA provides a 60-day cure period after a controller or processor is informed of a potential violation. Most statutes of this nature provide a 45-day cure period. Also, quite importantly, an affirmative defense is provided under the TIPA for violations of the Act if the covered business maintains a written privacy program that “reasonably conforms” to the privacy framework established by the National Institute of Standards and Practices (“NIST”). At least three other similar statutes have referenced various privately developed data privacy frameworks (including NIST), but the TIPA is the first to explicitly allow compliance with such to be an affirmative defense. We will discuss this in more detail in a related article.
Contact the Consumer Data Privacy and Compliance Attorneys at Revision Legal
For more information, contact the experienced Consumer Data Privacy and Compliance Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.
