In May 2023, Tennessee enacted a consumer data/information protection statute called the Tennessee Information Protection Act (“TIPA”). See here. In this article, the consumer privacy and compliance lawyers here at Revision Legal briefly survey the obligations imposed by the TIPA on businesses collecting and processing data related to Tennessee consumers. The focus of the TIPA is consumer data and, thus, for example, data related to employment and business-to-business data is excluded from coverage.

With respect to obligations imposed on businesses, the TIPA is standard for these types of data protection statutes. Broadly speaking, there are two sets of obligations: one set related to consumers and another set for the data processing procedures.

With respect to consumers, businesses must give prominent and clear notice to consumers of what data is collected/processed, the business purpose of the data processing, with whom the data is shared, whether the data is sold (and to whom), etc. Businesses are also obligated to obtain prior and informed consent from consumers under certain circumstances and for certain types of particularly sensitive data when data is sold when it is used for targeted advertising, and when it is used for profiling. Businesses must also obtain consent if the data is to be processed for uses other than those disclosed.

Businesses are also obligated to provide an “opt-out” mechanism for consumers who do not want their data processed for the above three purposes — that is, data to be sold, data to be used for targeted advertising, or for profiling. So, there is no general “opt-out” for having data collected/processed. Further, there is nothing in the TIPA that requires businesses to recognize some sort of universal instructions from consumers — like through a browser setting or add-on.

Businesses must also provide mechanisms for correcting data, deleting data, allowing consumers to access their data, and allowing consumers to have possession of their data (for portability purposes).

With respect to data processing obligations, the TIPA is, again, quite standard in the requirements imposed. As with similar consumer data protection statutes, most of these obligations are imposed on the data “controllers” (although there are a few obligations imposed on data “processors”). Controllers must, for example, only process data to the extent that such processing is “adequate, relevant, and reasonably necessary” for the business purpose. As noted above, to go beyond the business purpose, consent must be obtained from the consumer.

Controllers must also have policies and procedures in place to address and respond to consumers who are exercising their rights under the TIPA. Likewise, there must be an internal appeal available if a consumer disagrees with a decision made by the processor. For example, if the consumer requests a correction of data stored and the request is denied, then there must be an appeal process for the consumer to challenge the denial. Controllers must also have policies in place that prevent discrimination and/or retaliation against consumers who exercise their rights under the TIPA.

In addition, Controllers must

• Have reasonable data security protocols appropriate to the volume and sensitivity of the data collected, held, and processed
• Have appropriate contractual agreements with processes, vendors, and others who will have access to the consumer data
• Prepare data protection assessments on a regular basis, evaluating, among other things, risks of various harms to consumers
• And more

Contact The Consumer Data Privacy and Compliance Attorneys at Revision Legal

For more information, contact the experienced Consumer Data Privacy and Compliance Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.