Tenn. Makes Nine? ‘Tennessee Information Protection Act’ Set to Become Newest Comprehensive State Privacy Law
On Friday April 21, Nashville lawmakers approved the Tennessee Information Protection Act (TIPA) following unanimous votes. Tennessee now joins Iowa, Indiana, and Montana as the four states in 2023 that have advanced baseline privacy legislation governing the collection, use, and transfer of consumer data.
TIPA is closely modeled on the Virginia Consumer Data Protection Act (VCDPA) that was enacted in March 2021 and went into effect on January 1 of this year. The frameworks share key definitions, business obligations, and core consumer rights. For example, TIPA and the VCDPA both require companies to obtain consent for the processing of sensitive personal data and allow consumers to opt out of data sales, targeted advertising, and significant profiling decisions.
Nevertheless, the Tennessee proposal contains several unique deviations that will make it an overall less protective privacy regime than Virginia’s landmark law. Below, we highlight the key ways that TIPA differs from the VCDPA.
- Unique coverage thresholds: TIPA will likely apply to a narrower range of businesses than the VCDPA by covering companies that make $25 million in annual revenue and that process that data of 175,000 or more state residents.
- Broad carve-outs for pseudonymous data: Unlike the VCDPA, TIPA’s carveout for pseudonymized information extends to the consumer right to opt-out of data sales, targeted advertising, and significant profiling decisions. Depending on how the definition of “pseudonymous data” is interpreted and enforced, this approach could significantly narrow the impact of consumers’ opt-out rights.
- Insurance industry exemption: TIPA establishes a blanket, entity-level carveout for licensed insurance companies.
- Longer right to cure: Tennessee and Virginia both require the Attorney General to give a business an ‘opportunity to cure’ any alleged violation of the Act. However, Tennessee provides a 60-day cure period, rather than 30 days.
- NIST ‘Safe Harbor’ Defense: TIPA establishes a first-of-its-kind affirmative defense against enforcement for businesses that “reasonably conform” to the NIST Privacy Framework or “other documented policies, standards, and procedures designed to safeguard consumer privacy.” Given that the NIST Framework is intended to provide a flexible way for organizations to identify and manage risks within diverse environments, it is unclear what ‘reasonable conformity’ to the framework would entail or how invoking this affirmative defense would work in litigation.
Not every distinction in the Tennessee proposal is weaker than the VCDPA. For instance, while Tennessee and Virginia both allow the Attorney General to recover $7,500 in civil penalties for each violation of the law, in Tennessee a court may award treble damages for willful or knowing violations. Should TIPA be enacted, it will take effect on July 1, 2025.