Tennessee Privacy Act: Consumer Rights Protected

by John DiGiacomo

Partner

Internet Law

As discussed in related articles on our website, in May 2023, Tennessee enacted its version of a consumer data/information protection statute called the Tennessee Information Protection Act (“TIPA”). As of late 2023, about eleven States have enacted consumer data/information privacy statutes, and about a dozen more are contemplating such statutes. Revision Legal has written a number of articles related to those statutes. In this article, the Internet and Consumer Privacy Compliance lawyers at Revision Legal provide a summary of what consumer rights are protected by the TIPA.

In brief, the TIPA is typical of similar statutes. Its general framework provides various rights to consumers, requires that consumers receive various notices, and requires consumer consent for various actions by data controllers and processors, including the use of personal data for targeted advertising and profiling.

What Rights are Protected?

The consumer data/information rights protected by the TIPA are typical of those protected by similar statutes. These include the right to know, the right to delete and correct information, the right to consent, and the right to portability. In particular, the TIPA gives consumers the right to:

  • Know whether a controller is processing the consumer’s data — “processing” includes the idea of “collecting”
  • Know what data is currently held by a controller/processor
  • Know why data is collected and processed — that is, to know the “business purposes” for which the data is being processed
  • Access that data and obtain a portable copy of said data
  • Request correction of inaccuracies in the personal data
  • Require the deletion of personal data
  • “Opt out” of having personal data collected and processed for purposes of the sale/sharing of said data, targeted advertising, or profiling; note that the TIPA does not require controllers to recognize or obey universal opt-out mechanisms
  • Not be retaliated against for exercising one’s rights

This is the standard list with nothing notable added or omitted. In addition, the TIPA mandates an appeal procedure if data controllers refuse requests by consumers such as the request to correct or delete data/information.

What are the Exceptions and Carve-Outs?

The “wiggle-room” for these consumer privacy statutes is found in the definitions of what “data” is covered and the various exceptions, carve-outs and what type of entities are exempt.

As we noted in another article related to the TIPA, the TIPA can be deemed a “business-friendly” version of these consumer rights statutes. Consistent with this, excluded data includes any collection/processing of data where the “consumer” is engaged in business or employment-related activity. Thus, no data protection for your job application, for example. The TIPA also excludes any data that is considered pseudonymous. This is data that can be recombined with other data, with minimal processing, to specifically identify natural persons. This means that, under the TIPA, a set of pseudonymous data can be sold (without notice or consent) to a third party, which can then combine it with other data sets to reveal the customer’s identity. This is a notable divergence from similar statutes. Other exclusions related to data are standard, such as the exclusion of data that is collected and processed pursuant to various federal statutes, health data, etc.

The TIPA also has an exemption for state-licensed insurance companies (another notable divergence from similar statutes). Other entity exemptions are the typical ones, like those for government agencies, financial institutions, not-for-profit organizations, those engaged in research, etc.

Contact the Consumer Data Privacy and Compliance Attorneys at Revision Legal

For more information, contact the experienced Consumer Data Privacy and Compliance Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.

How Consumers Exercise Their TIPA Rights: Verification and Response Timelines

The TIPA grants consumers a suite of rights, but controllers may — and in practice, should — require consumers to verify their identities before responding to rights requests. Without identity verification, a controller responding to every unverified request risks disclosing personal information to unauthorized requesters. Acceptable verification mechanisms under comparable statutes and industry practice include: email confirmation (clicking a link sent to the consumer’s registered email address); account login verification; or for sensitive requests, government ID submission. Controllers must balance the security interest in verification against the obligation not to create a process so burdensome that it effectively denies consumers access to their rights — an approach regulators have found to be a de facto statutory violation.

Upon receiving a verified request, the TIPA requires controllers to respond within 45 days. This window can be extended by an additional 45 days when reasonably necessary due to the complexity or volume of requests, provided the controller notifies the consumer of the extension within the initial 45-day period. Best practice is to implement a ticketed request management system that timestamps each incoming request, routes the request for verification, and triggers automated reminders as the response deadline approaches.

The TIPA’s Mandatory Appeal Requirement

One distinctive procedural requirement of the TIPA is the mandatory internal appeal process. If a controller denies a consumer’s rights request — for example, declining to delete data because it is necessary for the performance of a contract — the controller must establish an appeal procedure by which the consumer can challenge that denial. The controller must respond to the appeal within a reasonable period and must inform the consumer of any further avenues for redress, including the right to contact the Tennessee Attorney General if the consumer believes the appeal decision violates the TIPA. Denials and appeal decisions must be documented and legally supportable — a blanket denial without a legal basis creates both regulatory and reputational risk.

Cross-State Compliance: Aligning TIPA With Other State Privacy Laws

Most businesses subject to the TIPA are also subject to the consumer privacy laws of other states. As of 2024, approximately twenty states have enacted comprehensive consumer data privacy statutes. For businesses operating nationally, the practical challenge is building a compliance program that satisfies all applicable statutes simultaneously.

The TIPA was modeled substantially on Virginia’s Consumer Data Protection Act (VCDPA) and is broadly compatible with the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CTDPA), and the Texas Data Privacy and Security Act (TDPSA). A compliance framework built around the VCDPA/CPA baseline — with specific accommodations for California’s CPRA, which is more demanding in several respects — can be designed to satisfy TIPA obligations without requiring a separate TIPA-specific compliance track.

Key areas where the TIPA diverges from CPRA and requires specific attention include: the absence of a universal opt-out mechanism requirement; the exclusion of pseudonymous data from the scope of consumer rights; and the exemption for state-licensed insurance companies. Revision Legal’s privacy compliance attorneys design, implement, and audit multi-state consumer data privacy compliance programs. Contact us at (855) 473-8474.
