Senior Content Marketing Manager II
October 25, 2024â˘6 min read
Determining whether your business falls under the Tennessee Information Protection Act (TIPA) is an essential first step, as not all entities will be affected.
The TIPA applies to businesses that:
These thresholds are designed to capture a broad range of businesses, particularly those engaging in significant data processing activities. Certain exemptions apply, including government agencies and entities governed by specific federal regulations like HIPAA.
Tennesseeâs privacy law outlines several compliance obligations for businesses:
Tennesseeâs privacy law grants consumers several rights, including:
Businesses must respond to consumer requests within 60 days and consumers may appeal a businessâs decision if their request is rejected.
Businesses are required to issue a privacy notice that details:
For sensitive data, especially concerning users under 13 (subject to COPPA), businesses must obtain explicit consent before processing. This applies to targeted advertising, data sales, and profiling activities.
Organizations must limit their data collection to what is necessary for stated purposes and cannot repurpose data without consumer consent.
Businesses must implement reasonable administrative, technical, and physical measures to protect the confidentiality and integrity of personal information.
Enforcement of the Tennessee Information Protection Act will be managed by the Attorney General, and there is no private right of action. A 60-day cure period allows businesses to rectify compliance issues, with penalties up to $7,500 per violation.
The Tennessee Information Protection Act (TIPA) establishes specific thresholds for its applicability:
These thresholds are relatively high compared to some other states, meaning fewer businesses will be subject to TIPA's regulations.
TIPA introduces a unique "affirmative defense" provision. Organizations can defend against alleged TIPA violations by establishing and adhering to a written privacy program that aligns with recognized standards, such as:
This piece of the law is not commonly seen in other state privacy lawsâoffering businesses a potential defense strategy.
TIPA is notable in that it completely exempts all insurance providers licensed in Tennessee. This exemption is unique among state privacy regulations and offers a significant relief for the insurance sector.
TIPA provides a broad carve-out for pseudonymous data. Consumer rights do not extend to pseudonymous data if the organization can demonstrate that identifying information is kept separate and protected by effective technical and organizational measures.
This provision allows for more flexibility in managing pseudonymous data compared to regulations in other states.
Unlike some state laws, such as those in California and Colorado, the TIPA does not explicitly require the recognition of universal opt-out mechanisms. This lack of specific mandate might reduce the compliance obligations imposed on businesses, as they are not compelled to honor browser-based signals like the Global Privacy Control.
To prepare for compliance with the Tennessee Information Protection Act, businesses can take several key steps:
Begin by thoroughly reviewing the specific revenue and consumer thresholds outlined in the law. This step is crucial to assess whether your business operations fall under the lawâs scope. Consider factors such as annual revenue, the number of consumers your business engages with, and how many consumers on whom you process data.
Begin by creating a comprehensive inventory of all personal information collected by the organization. This should include detailed descriptions of the categories of data, such as names, email addresses, and phone numbers. Additionally, document the specific purposes for which each type of data is collected and the legal bases for processing this information.
Businesses should implement data minimization practices, ensuring they collect only the personal information thatâs relevant and necessary for their operations. Organizations must also limit their data processing activities to the purposes disclosed to consumers and establish clear policies that restrict data usage to these specified purposes.
Businesses need to provide clear mechanisms for consumers to access, correct, delete, and transfer their data. A process should be established to respond to consumer requests within 45 days, and an appeals process must be created for instances where requests are denied.
Ensure a robust consent management process is in place for handling sensitive data and related activities. This involves obtaining clear and explicit consent from users before collecting their data, regularly reviewing and updating consent records, and providing users with the option to withdraw their consent at any time.
Develop accessible privacy notices that clearly communicate your data practices and consumer rights. This notice should include, among other things, the categories of personal information collected, the purposes for processing that data, and methods for consumers to exercise their rights and appeal decisions.
Create a documented privacy program that aligns with recognized standards, such as the U.S. National Institute of Standards and Technology (NIST) Privacy Framework. This will help establish credibility for your compliance efforts and provide an affirmative defense against potential violations.
Transcend is the next-generation privacy solution. Encoding privacy at the code layer, we provide solutions for any privacy challenge your teams may be facingâincluding getting you ready for new legislation like Tennesseeâs data privacy law.
From Consent Management to automated DSR Automation to a full suite of data mapping solutions (Data Inventory, Silo Discovery, Structured Discovery, Unstructured Discovery, and more), Transcend has you covered as your company grows and evolves in a swiftly changing regulatory environment.
Senior Content Marketing Manager II