Tenn. Makes Nine? ‘Tennessee Information Protection Act’ Set to Become Newest Comprehensive State Privacy Law

FILTER
April 24, 2023
Keir Lamont
Senior Director for U.S. Legislation
About Keir
Blogs by Keir

On Friday April 21, Nashville lawmakers approved the Tennessee Information Protection Act (TIPA) following unanimous votes. Tennessee now joins Iowa, Indiana, and Montana as the four states in 2023 that have advanced baseline privacy legislation governing the collection, use, and transfer of consumer data.

TIPA is closely modeled on the Virginia Consumer Data Protection Act (VCDPA) that was enacted in March 2021 and went into effect on January 1 of this year. The frameworks share key definitions, business obligations, and core consumer rights. For example, TIPA and the VCDPA both require companies to obtain consent for the processing of sensitive personal data and allow consumers to opt out of data sales, targeted advertising, and significant profiling decisions.

Nevertheless, the Tennessee proposal contains several unique deviations that will make it an overall less protective privacy regime than Virginia’s landmark law. Below, we highlight the key ways that TIPA differs from the VCDPA.

  • Unique coverage thresholds: TIPA will likely apply to a narrower range of businesses than the VCDPA by covering companies that make $25 million in annual revenue and that process that data of 175,000 or more state residents.
  • Broad carve-outs for pseudonymous data: Unlike the VCDPA, TIPA’s carveout for pseudonymized information extends to the consumer right to opt-out of data sales, targeted advertising, and significant profiling decisions. Depending on how the definition of “pseudonymous data” is interpreted and enforced, this approach could significantly narrow the impact of consumers’ opt-out rights.
  • Insurance industry exemption: TIPA establishes a blanket, entity-level carveout for licensed insurance companies.
  • Longer right to cure: Tennessee and Virginia both require the Attorney General to give a business an ‘opportunity to cure’ any alleged violation of the Act. However, Tennessee provides a 60-day cure period, rather than 30 days.
  • NIST ‘Safe Harbor’ Defense: TIPA establishes a first-of-its-kind affirmative defense against enforcement for businesses that “reasonably conform[]” to the NIST Privacy Framework or “other documented policies, standards, and procedures designed to safeguard consumer privacy.” Given that the NIST Framework is intended to provide a flexible way for organizations to identify and manage risks within diverse environments, it is unclear what ‘reasonable conformity’ to the framework would entail or how invoking this affirmative defense would work in litigation.

Not every distinction in the Tennessee proposal is weaker than the VCDPA. For instance, while Tennessee and Virginia both allow the Attorney General to recover $7,500 in civil penalties for each violation of the law, in Tennessee a court may award treble damages for willful or knowing violations. Should TIPA be enacted, it will take effect on July 1, 2025.

Published: Last Updated: May 1, 2023
Tags:

Explore

Issues

authors

dates

Posts by Keir

abstract,map,of,the,united,states,created,from,dots,and
Five Big Questions (and Zero Predictions) for the U.S. State Privacy Landscape in 2025
Read More
the,united,states,capitol,building,at,sunset,,washington,dc,,usa.
FPF Statement on the House Energy and Commerce Subcommittee on Innovation, Data and Commerce’s May 23 unanimous House subcommittee vote on the American Privacy Rights Act
Read More
black,and,white,exterior,of,legislative,chambers,of,washington,state
Five Big Questions (and Zero Predictions) for the U.S. State Privacy Landscape in 2024
Read More
View More