On April 21, 2023, the Tennessee State Senate passed the Tennessee Information Protection Act (TIPA). The passing of this privacy bill is the latest in a flurry of privacy legislation being passed in the first half of 2023 and adds to an increasingly complex privacy landscape in the US.
The TIPA will enter into effect on July 1, 2025, and will introduce several requirements for businesses covered by its scope, including risk assessments, data minimization requirements, and obtaining opt-in consent for processing sensitive personal information.
Keep reading to learn more about the key provisions and compliance areas of the latest comprehensive privacy bill to be passed.
A good place to start with the TIPA is to understand its scope and what businesses it will cover. The TIPA will apply to persons that conduct business in Tennessee or produce products or services that are targeted to residents of Tennessee. TIPA will apply to businesses that exceed $25,000,000 in revenue and meet one of the following criteria:
One unique feature of the TIPA is that businesses can voluntarily “create, maintain, and comply with a written privacy program” in line with the National Institute of Standards and Technology’s (NIST) Privacy Framework, which can be used as an affirmative defense against a cause of action for violations of the law.
There are further requirements that must be worked into a TIPA-compliant privacy program, which we will look at in more detail below.
The TIPA introduces a range of consumer rights, referred to as personal information rights, that are similar to those found under other US state privacy laws.
Consumer rights under the TIPA include:
Although not listed as a personal information right, consumers will have the right not to be discriminated against, including by being denied goods or services or charged different prices or rates. Businesses will have a 45-day period to respond to consumer requests, with the possibility of a 45-day extension.
There are several responsibilities placed upon the controller under the TIPA. These are requirements that are commonplace among many privacy laws in the US and that will form a key part of any TIPA-compliant privacy program.
Under the TIPA, there is a requirement for controllers to conduct and document a data protection assessment for certain processing activities that identifies and balances the benefits and risks of the processing activity. Activities that require a data protection assessment include:
Similar to the risk assessment requirements found in Virginia, the TIPA allows a single data protection assessment to cover a set of similar processing operations that involve similar activities, and it recognizes data protection assessments that have been conducted in compliance with other laws for comparable processing activities.
The TIPA will be enforced by the Tennessee Attorney General and controllers found to be in violation of the law will be granted a 60-day cure period. Controllers that do not remediate violations within 60 days are liable for civil penalties of up to $7,500 per violation. There is no private right of action.
The TIPA will still need to be signed into law by the Governor of Tennessee before officially becoming part of the US privacy landscape; however, this looks to be a formality. OneTrust DataGuidance Research can help you to keep up to date with the status of the law as well as further amendments and developments to privacy laws right across the US.
For businesses that want to get a head start on TIPA compliance, OneTrust Data Mapping Automation can help you to create a central view of your organization's data so you can understand what you have, where it is stored, and what rules will apply once TIPA comes into effect.
Request a demo to see how the OneTrust Privacy & Data Governance Cloud can help you prepare for the new era of US privacy laws or stay up to date on all the latest updates with the OneTrust DataGuidance Research US Privacy Law tracker.