September 11, 2023

Tennessee Information Protection Act

In May, Tennessee unanimously passed the Tennessee Information Protection Act (TIPA), outlining new data privacy protections that businesses operating in the state must follow. It is similar to regulations already in effect in Utah, Virginia, Iowa, and Colorado. The legislation requires certain protections for personal information, including genetic or biometric data, demographic data, immigration status, sexual orientation, information about minors (under 13), and precise geolocation information. Due to the comprehensive nature of the changes, impacted businesses will have two years to achieve compliance. To help clients, prospects, and others, Wilson Lewis has provided a summary of the key details below.

Who Does TIPA Apply To?

TIPA applies to companies that do business in the state, or target the state through the sale of products, that generate more than $25 million per year in revenue and either:

  • Control or process the personal information of 25,000 or more consumers and receive at least 50% of their gross revenue from selling personal information, or
  • Control or process the personal information of 175,000 or more consumers in a calendar year.

It is important to remember that the regulations apply to consumers who are “acting only in a personal context,” not to individuals acting in an employment or commercial context. This scope is not as strict as in other states. For example, Virginia’s thresholds have no annual revenue requirement and apply to companies that process or control the personal data of 100,000 residents in a calendar year instead of 175,000.

How Does TIPA Fit with NIST?

If controllers and processors have a written privacy program that they have created, maintain, and comply with, and if that program “reasonably conforms” with the National Institute of Standards and Technology (NIST) Privacy Framework, or with “other documented policies, standards, and procedures designed to safeguard consumer privacy,” TIPA offers a safe harbor against violation claims.

One thing many businesses will have to wait for is clarification of what “reasonably conforms” means under TIPA, particularly because the NIST Privacy Framework is itself flexible and voluntary. TIPA is likewise flexible in its guidelines on how a company should run its privacy program, allowing the program to be scaled to the company’s size and complexity, the nature of its activities, the sensitivity of the data involved, the resources available, and other factors.

The statute will be enforced by the State Attorney General; there is no private right of action, so claims cannot be brought by private citizens. Entities that violate TIPA may face penalties of $7,500 per violation if the company does not remedy the situation during the cure period, which is 60 days from receipt of a notice of violation.

TIPA Exemptions

The list of organizations and types of data that are exempt from TIPA is lengthy, but includes government entities, certain insurance companies, nonprofit organizations, higher education institutions, entities governed by HIPAA and HITECH, and financial institutions that fall under Title V of the Gramm-Leach-Bliley Act (GLBA).

Data that is exempt includes information governed by other regulations, such as FCRA, HIPAA, COPPA, FERPA, and more. Of note for many businesses, information that applies to employees and applicants that is “collected and used within the context of that role” is also exempt, e.g., benefits and emergency contact information.

Selling Information

It’s important to point out the legislation doesn’t define a “sale” merely in financial terms. If personal information is being exchanged for “other valuable consideration” outside of money, it is considered a sale under this rule. Consumers may have the ability to opt out of more data processing due to this broader definition.

Other Rulings Under TIPA

TIPA follows in the footsteps of many other state privacy laws by separating the controller from the processor. A controller will set the instructions for how data is processed, and a processor must agree to specific guidelines via a contract with the controller.

While the State Attorney General will be enforcing TIPA, consumers do have the ability to opt in or out of certain personal information processing, including when it involves selling personal information or creating targeted advertising. A consumer has the right to access their personal information, receive data in a “portable and readily usable format,” ask for data to be deleted, and request corrections in data that is inaccurate. Controllers will need to respond to requests within 45 days, and businesses can request an additional 45-day extension as long as they provide “proper notice” to the consumer who made the request.

Privacy notices shared with consumers need to make clear why personal information is being processed, what information is being processed, what is shared with third parties, and how consumers can exercise their rights to their data, including opting out.

If companies process sensitive data, which includes data that can reveal personal details, geolocation data precise to within 1,750 feet, individually identifying biometric or genetic data, or data collected from someone under 13, they need to obtain consent. Consent must be a “freely given, specific, informed, and unambiguous agreement.” In addition, a company processing children’s data must also meet COPPA requirements.

Before controllers process data for specific activities, such as targeted marketing, or process certain kinds of data, such as information that is considered sensitive, they need to conduct and document an impact assessment. These assessments are not required until after the date when TIPA goes into effect.

How Can Businesses Prepare Now?

Businesses looking to be compliant with TIPA prior to 2025 can look to existing state privacy laws, as Tennessee is expected to implement its law in a manner similar to those enacted in Iowa, Virginia, and Utah. Many of the provisions in TIPA are more “business-friendly” than those of other states, with a longer time to cure and a narrower scope of organizations that need to comply. However, consumer rights are broader, especially when it comes to opting out of the “sale” of their information.

Contact Us

The new rules are certain to impact many Georgia and Atlanta companies that conduct business with the state. It is essential to become familiar with the new regulations and begin determining how your company will be impacted. If you have questions about the information outlined above or need assistance with tax or compliance issues, Wilson Lewis can help. For additional information, call 770-476-1004 or contact us. We look forward to speaking with you soon.

Josh Crisp, CPA