
This article has been co-authored by Vivien Peaden, CIPP/US, CIPP/E, CIPM, PLS, from Baker Donelson.

On May 11, 2023, Tennessee Governor Bill Lee signed into law the Tennessee Information Protection Act (TIPA), making Tennessee the eighth U.S. state to regulate how companies collect and use consumer personal data. With the passage of TIPA, Tennessee joins California, Virginia, Colorado, Connecticut, Utah, Iowa and Indiana in creating a hodgepodge of state privacy laws with which companies must comply. Compliance with privacy laws is no longer voluntary in the Volunteer State.

Key Highlights in TIPA:

Safe Harbor Rules under the NIST Framework: In a first for the United States, TIPA cites the National Institute of Standards and Technology (NIST) Privacy Framework as an affirmative defense against enforcement if a company can show compliance with this leading privacy risk management framework. By creating a safe harbor, the law provides a practical path for businesses to demonstrate trust and transparency to their customers.

Data Protection Assessment as early as July 1, 2024: TIPA requires companies to begin data protection compliance assessments for certain data use, collection or exchanges after July 1, 2024, which is 12 months before TIPA goes into effect on July 1, 2025.

What and Who Does the Law Protect?

TIPA protects “personal information” that is linked or reasonably linkable to an identified or identifiable individual. While we think of personal data to mean names, Social Security numbers and dates of birth, “personal information” has a broader definition under TIPA – even an online profile collected through cookies placed on your website would be considered personal data under TIPA.

TIPA protects Tennessee “consumers,” who are defined as natural persons residing in Tennessee acting in a personal context. This means that certain personal data collected within an employment-related context and business-to-business contacts are exempt from TIPA. In other words, TIPA may apply to an e-commerce or social media platform that targets a large audience in Tennessee, but may not apply to a payroll, human resources information system (HRIS) or employee wellness platform as those primarily collect employee data for corporate customers.

What Companies Are Covered Under TIPA?

TIPA applies if a business meets both of the following two thresholds:

  1. Revenue Threshold: First, TIPA applies only to companies that report more than $25 million in global annual revenue, not just revenue generated from the state of Tennessee; and
  2. Data Threshold: With at least $25 million in revenue, a company falls within the scope of TIPA if it handles a high volume of Tennessee consumers’ personal data exceeding one of the following thresholds:
    i. during a calendar year, the personal data of more than 175,000 Tennessee residents; or
    ii. the personal data of more than 25,000 Tennessee residents, where the company also derives more than 50 percent of its gross revenue from the sale of Tennessee residents’ personal data.

One distinct feature of TIPA is that it exempts, on an entity level, all insurance companies and insurance producers licensed under Tennessee laws. Similar to other state privacy laws, TIPA exempts government entities, nonprofits, institutions of higher education, healthcare and financial institutions. The law will most likely impact the following types of companies:

  • Technology or consulting companies that collect consumer data
  • Advertising, Media and Marketing companies
  • Any company with a loyalty program for 175,000 or more Tennessee consumers
  • Hospitality and leisure entities
  • Social media platforms
  • E-learning and tutoring services
  • Business-to-consumer companies

What About Artificial Intelligence?

While TIPA does not specifically use the term “artificial intelligence (AI),” it adopts a human-centric, risk-based standard similar to the one set by the EU’s AI Act (set to pass in December 2023). Under TIPA, consumers can request that a company stop using their personal data to reach automated decisions that impact their access to education, housing, insurance, employment opportunities, healthcare, and other essential services. Much like California privacy laws, TIPA’s approach focuses on the use of high-risk AI that could have significant adverse impacts upon individuals.

What Happens If My Company Breaches TIPA?

The Tennessee Attorney General will oversee the enforcement of TIPA. If the Attorney General comes knocking, a company has only 60 days to cure the violation. After the 60-day window, a court can impose a civil penalty of up to $7,500 per violation; if a security incident impacts several thousand Tennessee residents’ personal data, a company can face millions of dollars in civil penalties. What’s more, if a company is found to be knowingly or willfully in violation of TIPA, a Tennessee court can triple the penalty to $22,500 per violation.

What Should Companies Do to Comply?

Tennessee companies can maintain TIPA compliance by following these A-B-C-D steps:

  • Accountability:
    • Transparency: Just as a company needs rules and policies to manage its operations, it also needs a privacy policy to provide transparency about how it handles an individual’s information.
    • Less is More: Companies should collect and retain only the amount of data they reasonably need. If they collect data for one purpose and later wish to use it for separate and unrelated purposes, they may need to obtain consent from consumers in certain cases.
  • Business Obligations:
    • Data Security Practices: TIPA requires companies to establish and implement security measures that protect the confidentiality, integrity and availability of personal data (known as the CIA triad). These measures should be appropriate given the volume, nature and sensitivity of the data your company retains.
    • Data Protection Assessment: Beginning July 1, 2024, companies should conduct and document a risk-benefit analysis, and implement additional security measures, before they engage in certain high-risk data uses; this is known as a data protection assessment. Such an assessment must be made available by a company in response to a data protection investigation by the Tennessee Attorney General. Therefore, companies have the next 12 months to prepare for this assessment if they use personal data for targeted advertising, sell personal data, handle sensitive personal data or use personal data in ways that could reasonably harm or unfairly impact Tennessee residents.
    • Audit and Contractual Obligations: TIPA requires a company to enter into a written contract with its service providers. The contract must set clear instructions, specific purposes, and a duration for handling personal data. Further, service providers must adhere to audit requests by the company and push down its data protection obligations to subcontractors.
  • Consumers’ Rights: Beginning Jan. 1, 2025, TIPA will allow consumers to opt out of sales of personal data and other high-risk data uses. In addition, Tennessee consumers can take control and require a company to provide clarity on how it handles their personal data. Companies will have up to 45 days from receipt to address consumer requests and may extend the response period by an additional 45 days.
  • Defense through NIST: As noted above, one highlight of TIPA is that it cites compliance with the NIST Privacy Framework as an affirmative defense to allegations of TIPA violations. The NIST Privacy Framework focuses on the following principles:
    • Risk Identification
    • Risk Governance
    • Control through Policies
    • Communications
    • Security in Action

Based on a client’s size and scope of operations, we take an agile and risk-based approach to help companies navigate the NIST compliance process.

Windham Brannon Can Help

The best approach to privacy and cybersecurity is to build both into the culture and operation of the business by design. Windham Brannon’s cybersecurity professionals can help you with TIPA compliance, assess your current cyber hygiene and make recommendations on best practices for now and for the future. For more information, contact your Windham Brannon advisor today, or reach out to Dean Flores

About Vivien Peaden

Vivien Peaden is a technology and privacy attorney for Baker Donelson, bringing in-house counsel experience to deliver business-oriented and practical advice regarding technology, data privacy, and cybersecurity issues.

About Baker Donelson

Baker Donelson is a national law firm with more than 650 attorneys and public policy advisors representing more than 30 practice areas to serve a wide range of legal needs. Clients receive knowledgeable guidance from experienced, multi-disciplined industry and client service teams, all seamlessly connected across 22 offices in Alabama, Florida, Georgia, Louisiana, Maryland, Mississippi, North Carolina, South Carolina, Tennessee, Texas, Virginia and Washington, D.C.