Tennessee Privacy Act (Part 4): Business Obligations

by John DiGiacomo

Partner

Internet Law

In May 2023, Tennessee enacted a consumer data/information protection statute called the Tennessee Information Protection Act (“TIPA”). See here. In this article, the consumer privacy and compliance lawyers here at Revision Legal briefly survey the obligations imposed by the TIPA on businesses collecting and processing data related to Tennessee consumers. The focus of the TIPA is consumer data and, thus, for example, data related to employment and business-to-business data is excluded from coverage.

With respect to obligations imposed on businesses, the TIPA is standard for these types of data protection statutes. Broadly speaking, there are two sets of obligations: one set related to consumers and another set for the data processing procedures.

With respect to consumers, businesses must give prominent and clear notice to consumers of what data is collected/processed, the business purpose of the data processing, with whom the data is shared, whether the data is sold (and to whom), etc. Businesses are also obligated to obtain prior and informed consent from consumers under certain circumstances, including for certain types of particularly sensitive data, when data is sold, when it is used for targeted advertising, and when it is used for profiling. Businesses must also obtain consent if the data is to be processed for uses other than those disclosed.

Businesses are also obligated to provide an “opt-out” mechanism for consumers who do not want their data processed for the above three purposes — that is, data to be sold, data to be used for targeted advertising, or for profiling. So, there is no general “opt-out” for having data collected/processed. Further, there is nothing in the TIPA that requires businesses to recognize some sort of universal instructions from consumers — like through a browser setting or add-on.

Businesses must also provide mechanisms for correcting data, deleting data, allowing consumers to access their data, and allowing consumers to have possession of their data (for portability purposes).

With respect to data processing obligations, the TIPA is, again, quite standard in the requirements imposed. As with similar consumer data protection statutes, most of these obligations are imposed on the data “controllers” (although there are a few obligations imposed on data “processors”). Controllers must, for example, only process data to the extent that such processing is “adequate, relevant, and reasonably necessary” for the business purpose. As noted above, to go beyond the business purpose, consent must be obtained from the consumer.

Controllers must also have policies and procedures in place to address and respond to consumers who are exercising their rights under the TIPA. Likewise, there must be an internal appeal available if a consumer disagrees with a decision made by the processor. For example, if the consumer requests a correction of data stored and the request is denied, then there must be an appeal process for the consumer to challenge the denial. Controllers must also have policies in place that prevent discrimination and/or retaliation against consumers who exercise their rights under the TIPA.

In addition, Controllers must

  • Have reasonable data security protocols appropriate to the volume and sensitivity of the data collected, held, and processed
  • Have appropriate contractual agreements with processors, vendors, and others who will have access to the consumer data
  • Prepare data protection assessments on a regular basis, evaluating, among other things, risks of various harms to consumers
  • And more

Contact The Consumer Data Privacy and Compliance Attorneys at Revision Legal

For more information, contact the experienced Consumer Data Privacy and Compliance Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.

TIPA Applicability Thresholds: Who Must Comply?

Not every business that interacts with Tennessee consumers is subject to the TIPA. The statute applies to entities that conduct business in Tennessee or produce products or services targeted to Tennessee residents and that, during a calendar year, either: (1) control or process the personal data of at least 100,000 consumers; or (2) control or process the personal data of at least 25,000 consumers and derive more than 50 percent of gross revenue from the sale of personal data. These thresholds are consistent with Virginia (VCDPA) and Colorado (CPA) and are designed to exempt small businesses from the compliance burden.

The TIPA defines “consumer” to mean a Tennessee resident acting in an individual or household context. It excludes individuals acting in a commercial or employment context — meaning data of Tennessee residents interacting as business customers or as employees of a vendor is outside the TIPA’s scope. This business-to-business and employee carve-out distinguishes the TIPA from California’s CPRA, which extends protections to both employee and B2B data.

Data Protection Assessments: Substance and Process

The TIPA requires controllers to conduct and document data protection assessments for processing activities that present a heightened risk of harm to consumers, specifically: (1) targeted advertising; (2) the sale of personal data; (3) certain profiling; and (4) processing of sensitive data. Assessments must evaluate the benefits of processing against the risks, considering the likelihood and severity of potential harm and the safeguards available to mitigate those risks.

Best practice — consistent with Colorado’s CPA and GDPR’s DPIA requirements — is to document: the purpose of the processing; the categories of personal data involved; the parties with access to the data; the identified risks; the mitigating safeguards; and the conclusion regarding whether the processing is proportionate to the risk. Assessments must be made available to the Tennessee Attorney General upon request and are generally protected from third-party disclosure as confidential commercial information.

Sensitive Data: Heightened Obligations

The TIPA defines “sensitive data” to include data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric data processed for identification, personal data of a known child under 13, and precise geolocation data. Processing sensitive data requires affirmative opt-in consent — not merely an opportunity to opt out. Practical compliance requires a clear consent mechanism at the point of collection, records of consent sufficient to demonstrate compliance in an enforcement proceeding, and a process for honoring consent revocation within a reasonable period.

Processor Agreements: Contractual Requirements

When a controller engages a processor to process personal data on its behalf, the arrangement must be governed by a written contract that: (1) sets forth the instructions for processing; (2) specifies the nature and purpose of the processing; (3) identifies the type of personal data and duration of processing; (4) requires processor compliance with applicable TIPA provisions; (5) requires deletion or return of personal data upon termination; and (6) requires cooperation with audits by the controller.

Many businesses use the same vendor for data processing across multiple state privacy law regimes. A single data processing addendum (DPA) can often be structured to satisfy the TIPA, VCDPA, CPA, CTDPA, and other state requirements simultaneously, reducing the administrative burden of managing multiple vendor agreements.

Enforcement: The Attorney General and the Cure Period

The TIPA is enforced exclusively by the Tennessee Attorney General — consumers have no private right of action. The AG may bring a civil action seeking injunctive relief and civil penalties of up to $7,500 per violation. Before initiating enforcement, the AG must provide written notice and a 60-day cure period. If the controller or processor cures the violation within 60 days and provides a written certification of the cure, no suit may be brought for that violation. A business that discovers a compliance gap, self-remediates promptly, and documents its remediation substantially reduces its enforcement exposure. Contact Revision Legal’s privacy compliance attorneys at (855) 473-8474 to implement a TIPA-compliant data processing program.
