As discussed in related articles on our website, in May 2023, Tennessee enacted its version of a consumer data/information protection statute called the Tennessee Information Protection Act (“TIPA”). As of late 2023, about eleven States have enacted consumer data/information privacy statutes, and about a dozen more are contemplating such statutes. Revision Legal has written a number of articles related to those statutes. In this article, the Internet and Consumer Privacy Compliance lawyers at Revision Legal provide a summary of what consumer rights are protected by the TIPA.

To offer a brief summary, the TIPA is typical of similar statutes in this respect. The general framework is about providing various rights to consumers, requiring that consumers receive various notices and requiring the obtaining of consumer consent for various actions by data controllers and processors, including the use of personal data for targeted advertising and profiling.

What Rights are Protected?

The list of consumer data/information rights that are protected by the TIPA are typical of those protected by similar statutes. These include the right to know, to delete and correct information, the right to consent and portability. In particular, the TIPA gives consumers the right to:

• Know whether a controller is processing the consumer’s data — “processing” includes the idea of “collecting”
• Know what data is currently held by a controller/processor
• Know why data is collected and processed — that is, to know the “business purposes” for which the data is being processed
• To access that data and to obtain a portable copy of said data
• To request correction of inaccuracies in the personal data
• To require the deletion of personal data
• To “opt out” of having personal data collected and processed for purposes of the sale/sharing of said data, targeting advertising, or profiling — note that the TIPA does not require controllers to recognize or obey universal opt-out mechanisms.
• To not be retaliated against for exercising one’s rights

This is the standard list with nothing notable added or omitted. In addition, the TIPA mandates an appeal procedure if data controllers refuse requests by consumers such as the request to correct or delete data/information.

What are the Exceptions and Carve-Outs?

The “wiggle-room” for these consumer privacy statutes is found in the definitions of what “data” is covered and the various exceptions, carve-outs and what type of entities are exempt.

As we noted in another article related to the TIPA, the TIPA can be deemed a “business-friendly” version of these consumer rights statutes. Consistent with this, excluded data includes any collection/processing of data where the “consumer” is engaged in business or employment-related activity. Thus, no data protection for your job application, for example. The TIPA also excludes any data that is considered pseudonymous. This is data that can be recombined with other data, with minimal processing, to specifically identify natural persons. This means that, under the TIPA, a set of pseudonymous data can be sold (without notice or consent) to a third party, which can be combined with other data sets to reveal the customer’s identity. This is a notable divergence from similar statutes. Other exclusions related to data are standard, such as the exclusion of data that is collected and processed pursuant to various federal statutes, health data, etc.

The TIPA also has an exemption for state-licensed insurance companies (another notable diversion from similar statutes). Other entity exemptions are the typical ones like those for government agencies, financial institutions, not-for-profit organizations, those engaged in research, etc.

Contact the Consumer Data Privacy and Compliance Attorneys at Revision Legal

For more information, contact the experienced Consumer Data Privacy and Compliance Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.