
Last week, the Tennessee Senate Commerce and Labor Committee recommended the Tennessee Information Protection Act for passage with amendments as it sent the bill (SB0073) to the floor.
There have been substantial amendments to the bill since its introduction in January and entire sections have been rewritten. Many of the changes were directed at cleaning up confusing or ambiguous phrasings and the overall changes have been more business-friendly. The effective date was also pushed from July 1, 2024 to July 1, 2025.
Below, I hit the highlights; for the full picture, see my prior post, which covered the entire bill along with my comments and criticisms on particular sections.
Shrinking Scope
The scope previously applied to businesses that target Tennessee residents and control or process the personal information of at least 100,000 consumers (or 25,000 consumers if 50% of revenue is from the sale of personal info). There was no revenue threshold in the original bill.
The bill sent to the Senate floor applies to businesses that exceed $25M in revenue and control or process the personal info of at least 175,000 consumers. The 25,000 count still applies for controllers or processors that sell data; however, the $25M threshold is now part of this data broker category.
In the brief discussion in the Committee last week, Senator Bo Watson noted that the 175,000 consumer threshold was a concession to the Chamber of Commerce comments on the bill.
Additionally, the definition of consumer is amended to carve out any “natural person acting in a commercial or employment context.”
Consumer Contact Methods More Streamlined
In my last post, I noted Tennessee’s departure from Virginia in the enumeration of contact forms to submit a request to exercise consumer rights:
This practice likely covers the overwhelming majority of use cases. However, it departs from Virginia’s more open requirement that requires controllers to establish a “secure and reliable means for consumers” to exercise their rights under the VCDPA. The VCDPA provides further guidance noting that “Such means shall take into account the ways in which consumers normally interact with the controller….”
Now, the amended bill essentially mirrors the effect of Virginia’s more appropriate language.
A controller shall provide, and shall describe in a privacy notice, one (1) or more secure and reliable means for a consumer to submit a request to exercise the consumer rights in § 47-18-3203. Such means must take into account the:
(A) Ways in which a consumer normally interacts with the controller;
(B) Need for secure and reliable communication of such requests; and
(C) Ability of a controller to authenticate the identity of the consumer making the request.
TCA § 47-18-3204(e)(1)
Cleaning Up the Controller’s Privacy Notice to Consumers
One of the clunky provisions that I previously noted placed a qualifier on the requirement to provide a privacy notice to consumers. The prior version of the TIPA bill triggered “[u]pon the receipt of an authenticated consumer request.” The controller was then required to “provide the consumer with a reasonably accessible, clear, and meaningful privacy notice.”
It just didn’t make sense to have a consumer provide an authenticated request before the consumer could see what should be a public privacy notice.
This qualification has been removed and, again, the TIPA bill matches the effect of the Virginia law.
Penalties Substantially Reduced
A couple of key provisions in the prior version:
- The AG can seek an injunction and/or civil penalties of up to $15,000 for each violation, along with reasonable expenses and attorney fees.
- Each provision in the TIPA is a separate violation and each consumer affected is a separate violation. Unlike Virginia, when a violation of the TIPA is found, the court may award relief to each identified consumer affected by the violation “regardless of whether actual damages were suffered.”
The penalty amount has been reduced to $7,500 for each violation. The text specifically noting that “each consumer affected is a separate violation” has been removed in the amended bill. Additionally, the amended bill deletes the section permitting the court to award relief to each identified consumer. I found this provision in the original bill to be an elegant compromise to the lack of a consumer’s private right of action and offered a more tangible benefit to consumers for egregious conduct by controllers or processors. Time will tell if consumers will be able to benefit from AG actions for “other relief as the court determines appropriate.”
Privacy Program Requirement Gets Scaled Back
One of my biggest criticisms of the original bill was the mandate for controllers and processors to “create, maintain, and comply with a written privacy program that reasonably conforms to the National Institute of Standards and Technology (NIST) privacy framework entitled ‘A Tool for Improving Privacy through Enterprise Risk Management Version 1.0.’”
There were so many problems with this section in the original bill. For one, the NIST Privacy Framework specifically discourages “the notion of ‘compliance with the Privacy Framework’ as a uniform or externally referenceable concept.”
Fortunately, the Tennessee legislature has backed away from this awkward position and developed a more voluntary privacy program standard that incentivizes businesses through the gift of an affirmative defense for violations of the TIPA. Additionally, the requirement for using the NIST Privacy Framework is eased by allowing businesses to use “other documented policies, standards, and procedures designed to safeguard consumer privacy.”
This move fully rewards thoughtful privacy programs that don’t necessarily rely on NIST’s Privacy Framework and removes the danger of ambiguity in deciding what “reasonably conforms” to NIST’s Privacy Framework. However, privacy advocates have to criticize the complete stripping of the prescriptive mandate for businesses to have a privacy program.
Wrapping Up
The tone and tenor of the TIPA bill suggest input from the business community, which is further confirmed by comments in the Senate Commerce and Labor Committee’s brief discussion in reference to review and input from the Chamber. If the TIPA passes in its current form, we’ll have another mild state privacy law with the pro-business concessions we’ve come to expect from state legislatures.
The amendments clean up much of the clunkiness of the original bill. However, cutting the teeth out of the penalties and providing an avenue for consumers to receive damages through the AG’s actions makes it more of the same. Even for the most egregious actions by wrongdoers, Tennesseans will likely continue to bear the burden for the harm caused by bad actors. If the TIPA passes, we’re taking a step in the right direction in Tennessee; however, we’ve still got a long way to go before privacy laws truly provide benefits to consumers.