Mintz May Madness: Tennessee’s Information Protection Act Gets Us Thinking About NIST(y) Safe Harbors
The Volunteer State became the eighth state to enact a comprehensive data privacy law after Gov. Bill Lee (R) signed the Tennessee Information Protection Act (“TIPA”) into law yesterday, May 11.
Tennessee joins a growing list of states codifying consumer data privacy rights, and several others (Montana, and, just earlier this week, Texas and Florida) have now passed legislation that awaits a Governor’s signature. What the TIPA brings to the table, and to the national discussion, is a unique safe harbor: it offers an affirmative defense to businesses that create, maintain and comply with a written privacy program that “reasonably conforms” to the National Institute of Standards and Technology (“NIST”) privacy framework or “other documented policies, standards, and procedures designed to safeguard consumer privacy.” Although the original version of the bill made this privacy program a requirement, the amended and adopted version of the bill clearly made it a “voluntary privacy program.” To see the changes from original to amended, see the redline here.
The TIPA is otherwise built much like the business-friendly Virginia law (and the Indiana Consumer Data Privacy Act). To help break down the TIPA, we highlight below the minor distinctions from the frameworks that inspired it – for example, businesses must receive 60 days to cure alleged violations (rather than 30 days under the Indiana CDPA), and a Tennessee court may award treble damages for willful or knowing violations. We also note the key modifications made in the amended and adopted version of the bill.
The TIPA applies to persons that conduct business in Tennessee producing products or services that target Tennessee residents and that: (i) exceed $25,000,000 in revenue and (ii) either (A) control or process personal information of at least 25,000 consumers and derive more than 50% of gross revenue from the sale of personal information or (B) during a calendar year, control or process personal information of at least 175,000 consumers. The amended and adopted version of the bill added the $25,000,000 revenue threshold (the same as in the California Consumer Privacy Act) and increased the number of consumers whose personal information is controlled or processed from 100,000 to 175,000.
A “consumer” for purposes of the TIPA means a resident of Tennessee acting only in a personal context. The amended and adopted version of the bill also clarified that a “consumer” does not include individuals acting in a commercial or employment context.
Safe Harbor Affirmative Defense
Under the TIPA as the Tennessee legislature amended it prior to passage, a controller or processor has an affirmative defense to a cause of action for a TIPA violation if it voluntarily creates, maintains, and complies with a written privacy program that (i) “reasonably conforms” to the NIST privacy framework entitled A Tool for Improving Privacy through Enterprise Risk Management Version 1.0 or “other documented policies, standards, and procedures designed to safeguard consumer privacy,” (ii) is updated regularly, and (iii) provides an individual with the substantive rights under the TIPA.
The amended and adopted version of the bill emphasizes the voluntary nature of this affirmative defense and provides businesses with flexibility by adding that the privacy program may also reasonably conform to “other documented policies, standards, and procedures designed to safeguard consumer privacy” (rather than only to the NIST privacy framework). It also lengthened the period within which such a privacy program must be revised to conform with subsequent revisions of the implemented privacy framework. Businesses adopting a written privacy program must now update it as needed within two years (rather than one year) of the publication date stated in the most recent revision of their privacy framework.
The scale and scope of this privacy program are appropriate if they are based on all of the following factors: (i) the size and complexity of the controller’s or processor’s business, (ii) the nature and scope of the activities of the controller or processor, (iii) the sensitivity of the personal information processed, (iv) the cost and availability of tools to improve privacy protections and data governance, and (v) compliance with a comparable state or federal law. The TIPA also extends the considerations for adequacy of a privacy program to certification pursuant to the APEC Cross Border Privacy Rules system or the APEC Privacy Recognition for Processors, if applicable.
The amended and adopted version of the bill removed the requirement for the privacy program to disclose the commercial purposes for which the business collects, controls, or processes personal information. It also removed language stating that a business’ failure to maintain such a privacy program that reflects the business’ privacy practices to a reasonable degree of accuracy would be considered an unfair and deceptive act or practice under Tennessee’s Consumer Protection Act of 1977.
How this safe harbor will be interpreted by industry and by the courts, and whether it will be viewed as best practice, remain open questions.
The TIPA does not apply to:
- Tennessee government entities
- Financial institutions and affiliates, or data subject to the federal GLBA
- Individuals or licensed insurance companies that transact insurance business (this appears to be a broad industry-wide exemption for the insurance space)
- Covered entities or business associates governed by certain rules under HIPAA
- Nonprofit organizations
- Institutions of higher education
- Certain research data or employment-related information; and information governed by laws such as HIPAA, the Fair Credit Reporting Act, the Farm Credit Act, or the Controlled Substances Act (a new exception under the amended and adopted version of the bill)
Persons covered by the TIPA will be able to exercise the following consumer-oriented rights:
- Right to confirm whether or not their personal data is processed
- Right to access their personal data
- Right to correct their personal data
- Right to deletion of their personal data (for data provided by or about the consumer)
- Right to portability of their personal data (for data the consumer previously provided)
- Right to opt-out of the processing of their personal data for purposes of (i) selling their personal information, (ii) targeted advertising, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer
The amended and adopted version of the bill extended the right to opt-out to clauses (ii) and (iii) rather than only to clause (i).
Business Obligations to Consumers
The effective date for the TIPA will be July 1, 2025. Here are some of the compliance obligations on the horizon for businesses subject to the law:
- Respond to consumer requests under the TIPA within 45 days of receipt (may be extended an additional 45 days when reasonably necessary)
- Provide required information to consumers free of charge, up to twice per year
- Authenticate requests using commercially reasonable efforts
- Establish a process for consumers to appeal any refusal to take action on a consumer request
Notices to Consumers
- Businesses must provide consumers with a “reasonably accessible, clear and meaningful” privacy notice that meets requirements under the TIPA, including how consumers may submit requests to exercise their rights under the TIPA
- Businesses must “clearly and conspicuously” disclose the processing of personal data for targeted advertising (and how to opt-out of such processing)
The original version of the bill would have only required businesses to provide this first notice “upon receipt of an authenticated consumer request.” The deletion of that language in the amended and adopted version of the bill means that businesses should be ready to have this notice published come July 1, 2025, the date the TIPA is expected to become effective.
Other Business Obligations
- Conduct and document data protection assessments for data processing activities created or generated on or after July 1, 2024; these assessments carry extensive requirements and must be provided to the Tennessee Attorney General upon request
- Limit collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the disclosed purposes for which such data is processed
- Process personal data solely for disclosed purposes or purposes compatible with disclosures, unless the consumer consents
- Establish, implement, and maintain data security practices
The Do Not’s:
- Do not process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers
- Do not discriminate against a consumer for exercising any consumer rights, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods and services to consumers
- Do not process sensitive data concerning a consumer without obtaining the consumer's consent, or, in the case of the processing of sensitive data concerning a known child, without processing such data in accordance with the federal Children's Online Privacy Protection Act
The TIPA notes that a business need not delete information that it maintains or uses as aggregate or de-identified data.
“Sensitive data” includes (1) personal information revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; (2) the processing of genetic or biometric data for the purpose of uniquely identifying a natural person; (3) the personal information collected from a known child (under the age of 13); or (4) precise geolocation data (identifying a location within a radius of 1,750 feet).
Impacts on Vendors/Data Processors
Vendors that are data processors have direct obligations under the TIPA, such as adhering to instructions from data controllers, assisting data controllers with their own compliance obligations, assisting data controllers with data protection assessments, and flowing down the required obligations to subcontractors.
The TIPA also contains specific requirements that must be included in data processing agreements between data controllers and data processors.
Private right of action
The TIPA does not provide for a private right of action. The TIPA will be enforced exclusively by the Tennessee Attorney General and, before initiating an enforcement action, the AG must provide 60 days’ prior written notice of an alleged violation and an opportunity to cure the violation.
Fines and Penalties
Available remedies include civil penalties of up to $7,500 per violation (rather than $15,000 under the original version of the bill), injunctive relief, recoupment of reasonable investigation and case preparation expenses (including attorney fees) incurred by the AG, and other relief a court determines appropriate, such as treble damages if the court finds that the controller or processor willfully or knowingly violated the TIPA.
Effective Date for TIPA
As enacted, the TIPA becomes effective July 1, 2025 (rather than July 1, 2024 under the original version of the bill).