
How Your Business Can Prepare For Tennessee’s Information Privacy Act (TIPA)

Tennessee’s privacy law passed its state legislature on the same day as Montana’s. This article will go over everything you need to know about the Tennessee Information Privacy Act (TIPA), what you need to do to comply, and how Ethyca’s privacy solutions can help.

Introduction 

2023 is seeing a surge of new U.S. state privacy laws passing state legislatures!

Tennessee’s House and Senate voted to pass the Tennessee Information Privacy Act (TIPA) on the same day that Montana’s Consumer Data Protection Act (MCDPA) passed its state legislature.

The governor of Tennessee signed HB 1181 into law on May 11, 2023. The law is now scheduled to go into effect on July 1, 2025, giving businesses approximately two years to get ready. 

If your business has already been preparing for the other state privacy laws that have either passed or are going into effect this year, you already have a great head start getting ready for Tennessee’s privacy law. However, TIPA still has its own unique provisions that businesses must be aware of. 

Let’s go over what your business needs to know about Tennessee’s privacy law.

Does Tennessee’s Privacy Law Apply to My Business?

Tennessee’s privacy law applies to businesses that operate in Tennessee or target its products or services to Tennessee consumers. These businesses must also:

  • Earn more than $25,000,000 in yearly revenue, and either
  • Control or process the personal data of at least 100,000 consumers, or
  • Control or process the personal data of at least 25,000 consumers and generate more than 50% of its gross revenue from the sale of personal data.

Like the Iowa, Indiana, and Montana privacy laws, Tennessee's law determines applicability based on the amount of data a business processes. Check whether your business processes at least the threshold amount of Tennesseans' data to see if TIPA applies to you.

What Your Business Needs to Know About Tennessee’s Privacy Law

If your business is subject to Tennessee’s privacy law, you’ll need to abide by Tennessee consumers’ subject rights and consent rights. It’s also helpful to know how the law is enforced and the consequences of privacy violations.

Consumer Rights

TIPA grants Tennessee consumers data subject rights over their personal data, including:

  • Right to know and access.
  • Right to correction.
  • Right to deletion.
  • Right to appeal.
  • Right to data portability.

As in Iowa, Indiana, and Montana, Tennessee consumers do not have a private right of action. Tennessee residents do have the right to correct their data, as in Indiana and Montana, whereas residents of Iowa do not.

Consent Requirements

Tennessee residents also have specific opt-out and opt-in consent rights that businesses must enable.

For opt-out consent, consumers are allowed to opt out of the processing of their personal data for:

  • The sale of personal data.

Like Iowa's privacy law, TIPA only specifies the ability to opt out of the sale of personal data. It is also unclear whether consumers can opt out of targeted advertising. However, unlike Indiana's privacy law, which doesn't mention profiling at all, TIPA mentions profiling only in the context of data protection assessments (more on that later in this article).

TIPA is also similar to the Iowa and Indiana privacy laws in that it does not require businesses to recognize a universal opt-out mechanism.

In terms of opt-in rights, Tennessee consumers have the right to opt into the processing of “sensitive data,” which includes:

  • Racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status.
  • Genetic or biometric data for the purpose of uniquely identifying a natural person.
  • Personal information collected from a known child (under 13 years old).
  • Precise geolocation.

Businesses must provide a way for consumers to exercise their data subject rights and consent rights on their website by July 1, 2025.

Violations and Enforcement

Companies must respond to consumers' data subject and consent requests within 45 days and can extend that period by an additional 45 days. The Attorney General has exclusive authority to enforce TIPA and can issue notices of privacy violations or start civil investigations.

Once notified, businesses have a 60-day cure period to correct violations. If violations are not corrected on time, businesses can face a civil penalty of up to $15,000 per violation. That’s double the amount of most other state privacy laws (usually $7,500 per violation).

What Your Business Needs to Do to Comply with Tennessee’s Privacy Law

Now that you know what data subject rights and consent rights consumers have under Tennessee’s privacy law, as well as the consequences of violations, here are the additional obligations your business needs to fulfill for regulatory compliance.

Prioritize Transparency

One of the main business responsibilities that TIPA specifies is transparency. That means companies must be transparent about their data collection and processing practices.

For example, businesses must only collect and process data that is necessary to fulfill a legitimate business purpose. They are also prohibited from discriminating against users who exercise their opt-out rights, such as by providing a lower quality of product or service.

TIPA mandates that businesses must publish easily accessible privacy notices on their websites detailing:

  • The categories of personal data processed by the controller.
  • The purpose for processing personal data.
  • How consumers may exercise their consumer rights including the right to appeal.
  • The categories of personal data that the controller shares with third parties.
  • The categories of third parties, if any, with whom the controller shares personal data.

To ensure your business’s data practices are transparent with consumers, work with your legal team to include all of the necessary information in your privacy notice. 

Enter Data Processing Contracts 

TIPA also mandates that businesses enter into data processing contracts with processors, meaning entities that "process personal data on behalf of a controller." Examples include third-party SaaS vendors that process and store data for your business.

These contracts must establish the terms under which the processor processes personal data for the controller, including the purpose of processing, the type of data being processed, the duration of processing, and the rights and obligations of both controllers and processors. Data processing contracts must also ensure that the processor does not impair the controller's ability to maintain compliance with Tennessee's privacy law.

If your business works with processors or subcontractors that process data on your behalf, be sure to enter legally binding data processing contracts with each of them.

Perform Data Protection Assessments (DPAs)

Like many other state privacy laws, TIPA requires businesses to perform data protection assessments (DPAs). DPAs are meant to help businesses carefully assess the risks that data processing poses to the consumer and to the business itself.

These assessments should weigh the business benefits against the potential risks of the following activities: 

  • The processing of personal information for purposes of targeted advertising.
  • The sale of personal information.
  • The processing of personal information for purposes of profiling, where the profiling presents a risk of harm on the consumer. 
  • The processing of sensitive data.
  • Any processing activities that present a heightened risk of harm to consumers. 
  • The processing of de-identified data.

The Attorney General can request a DPA to determine whether a company is compliant. To make sure your business is ready for Tennessee regulators, conduct and document DPAs for the above processing activities.

Process De-identified Data and Pseudonymous Data Securely

Businesses that process de-identified and pseudonymous data must:

  • Take reasonable measures to ensure that the data cannot be associated with an individual.
  • Publicly commit to maintaining and using de-identified data without attempting to re-identify the data.
  • Demonstrate that any information necessary to identify the consumer from pseudonymous data is kept separately with technical and organizational controls.

If your business processes de-identified and pseudonymous data, make sure the required controls and safeguards are put in place by July 1, 2025.

Create a NIST-Based Privacy Program

The most distinctive provision of Tennessee's privacy law is the requirement that businesses create a privacy program based on the National Institute of Standards and Technology (NIST) Privacy Framework, formally titled "NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management, Version 1.0."

Not following this framework is considered unfair and deceptive under TIPA and could lead to a notice of violation from the Attorney General. To ensure your business remains compliant in Tennessee, use the NIST Privacy Framework to develop or enhance your business's privacy program.

How Ethyca Can Help Your Business Comply with Tennessee’s Privacy Law

Making sure your business complies with all U.S. state privacy laws can feel overwhelming. Luckily, Ethyca makes it easy with the Fides privacy intelligence platform. With Fides, your business will be able to automate privacy obligations for all U.S. state privacy laws.

Read on to learn how.

Easy Consent Management

Different U.S. state privacy laws have different consent requirements your business needs to provide users. With the Fides privacy intelligence platform, your business can easily manage users’ consent preferences for any privacy law.

Your business will be able to set multiple opt-out links on your website footer, customize a Privacy Center for consent intake, and set single or multiple opt-in or opt-out consent preferences to comply with different state privacy laws at the same time.

Users can submit requests through a Privacy Center on your website and verify their identity via a code sent through SMS or email. With an easy-to-use Admin UI, your business will be able to quickly process and record users' consent preferences as proof of compliance.

Automated Data Subject Requests Fulfillment

All privacy regulations require businesses to fulfill user subject requests, or data subject requests (DSRs). Unfortunately, this process is often manual, costly, labor-intensive, and causes lots of friction for legal, compliance, and engineering teams.

The Fides privacy intelligence platform streamlines these workflows. Your business will be able to automate DSR processing end-to-end with Fides. Users can submit DSRs via the same Privacy Center they would use to submit consent requests.

After DSRs are submitted, you can approve or deny them in the same Admin UI. Users will then receive an email containing a link to the data they requested in a machine-readable format, or a confirmation that their data has been corrected or deleted.

Fides will also maintain a log of the requests your business has received and processed. That way, you can prove to regulators that your business's privacy practices are compliant if they come knocking.

Real-Time Data System Inventorying

What makes the Fides privacy intelligence platform so powerful is its ability to connect to all internal and third-party databases and systems. After connecting with all systems, Fides will be able to produce a data map, or a real-time visualization, of your organization’s data flows.

Unlike tracking data through manual spreadsheets that are immediately out of date, Fides’ automated data map will give you an accurate inventory of all the data in your systems, i.e. what the data is, where it goes, and where it’s stored.

In fact, connecting to all of your systems is how Fides can automate consent management and data subject requests in the first place. Using the Fides privacy intelligence platform will integrate privacy across your entire business. That’s the true power of privacy intelligence.

Conclusion

Tennessee follows Iowa, Indiana, and Montana as the fourth U.S. state privacy law to be passed in 2023. But, more privacy bills are still making their way through state legislatures. Your business will need to look ahead and prepare for all of these new regulations. 

Thankfully, you don’t have to do it alone. Ethyca is here to help your business fulfill its privacy obligations every step of the way. If you have any questions about new or existing privacy laws, schedule a free 15-minute call today to get privacy intelligence and expertise. 
