The Tennessee Information Protection Act (TIPA) passed the House (HB1181) today on a 90-0 vote. The TIPA version that passed (virtually the same as the previously-discussed amended Senate bill) looks to be the most business-friendly state privacy law to date.
SB0073 is scheduled for a vote in the Senate later this week, which is also expected to easily pass. As a result, it’s likely that Tennessee will be the next state with a privacy law within the next week or so.
A quick summary of TIPA:
- Effective July 1, 2025
- Applies to businesses that have $25M+ in annual revenue AND process the personal info of at least (1) 175,000 consumers; or (2) 25,000 consumers if they derive 50% of their revenue from the sale of personal data.
- Consumer does not include a person acting in a commercial/employment context
- Sale of personal info requires “monetary” consideration
- Personal information is “information that is linked or reasonably linkable to an identified or identifiable natural person” and excludes publicly available or de-identified consumer data
- Consumer rights include:
  - Right to know
  - Right to access
  - Right to correct
  - Right to delete
  - Right to portability
  - Right to opt out of sale, profiling, and targeted ads
- Data controller responsibilities include:
  - Transparency requirement
  - Purpose limitation requirement
  - Secondary use prohibition
  - Data security requirement
  - Nondiscrimination policy
  - Additional consent for sensitive data
- Privacy Notice must include:
  - The categories of personal information processed by the controller
  - The purpose for processing personal information
  - How consumers may exercise their consumer rights
  - The categories of personal information that the controller sells to third parties
  - The categories of third parties, if any, to whom the controller sells personal information
  - The right to opt out of the sale of personal information to third parties and the ability to request deletion or correction of certain personal information
- Time to respond to a DSAR = 45 days + 45 additional days “when reasonably necessary”
- Consumer has the right to appeal, with a 60-day response required
- No private right of action
- TN Attorney General has sole enforcement authority
- Up to $7,500 fine per violation
- Businesses have a 60-day cure period
- Data Processing Agreements must include:
  - Processing instructions
  - Nature and purpose of processing
  - Type of data subject to processing
  - Duration of processing
  - Rights and obligations of both parties
  - Duty of confidentiality with respect to the data
  - Processor duty to delete or return data at the controller’s request
  - Assistance with the controller’s compliance obligations for data in the processor’s possession
  - Flowdown of processor requirements to its subcontractors
- Data Protection Assessments required when:
  - Processing for targeted advertising
  - Sale of personal information
  - Profiling, when there is a risk of:
    - unfair or deceptive treatment / unlawful disparate impact
    - financial, physical, or reputational injury
    - invasion of privacy
    - other substantial injury
  - Sensitive data processing
  - Any processing with a heightened risk of harm
- Affirmative defense for businesses with a privacy program that reasonably conforms to the NIST Privacy Framework or other documented policies, standards, and procedures designed to safeguard privacy