Thursday, May 18, 2023

Tennessee Is State Number Eight to Pass a Privacy Law

On May 11, 2023, Governor Bill Lee signed the Tennessee Information Protection Act ("TIPA"). The Volunteer State is the third to adopt a comprehensive data privacy statute in 2023 (after Indiana and Iowa) and the eighth overall (joining the Golden State's California Consumer Privacy Act and California Privacy Rights Act and similar-yet-unique laws passed in Virginia, Colorado, Connecticut, and Utah).

As I cautioned in a March 2021 Perspectives from FSF Scholars, multiple, inconsistent state laws inevitably will lead to "[c]ounterproductive consumer confusion, along with unreasonably burdensome and unjustifiably costly compliance obligations." At that time, just two states – California and Virginia – had enacted legislation. Today, with that total rapidly approaching double digits, such concerns are exponentially greater.

Consumer rights established by the TIPA include the right to know that a covered entity is processing personal information; to access, correct, delete, and obtain a copy of that data; and to opt out of the sale of personal information. In addition, a covered entity must disclose, upon request, categorical information regarding personal information that was sold, and obtain a consumer's consent before processing "sensitive data."

Covered entities ("controllers") that share personal information with third parties ("processors") must include certain provisions in their contracts to protect these consumer privacy rights. Controllers also must conduct data protection assessments under certain circumstances (for example, if they engage in targeted advertising, process "sensitive data," or sell personal information).

The TIPA does not create a private right of action. The Attorney General is responsible for enforcing its provisions. Covered entities have 60 days to cure an alleged violation.

Perhaps most notably, the TIPA requires that covered entities "create, maintain, and comply with a written privacy program that reasonably conforms to the National Institute of Standards and Technology (NIST) privacy framework entitled 'A Tool for Improving Privacy through Enterprise Risk Management Version 1.0.'"

The TIPA becomes effective on July 1, 2024.