The Tennessee Information Protection Act (TIPA) was introduced for the session in January 2023 as companion bills in both the Senate (SB73) and the House (HB1181). As of this writing, it has been referred to committee in both the House and Senate. Last year’s version of the TIPA failed to make it out of committee in either chamber. Reports suggested that concerns about small and medium business impact, along with compliance costs were the key problems with the 2022 version.
The bill amends Title 47, Chapter 18, of the Tennessee Code Annotated with an entirely new part 32 for the TIPA. Chapter 18 is where the consumer protection parts are located – with part 1 devoted to the Tennessee Consumer Protection Act.
If the TIPA happens to pass this session, the current effective date would be July 1, 2024.
Scope of Application
The scope of these state privacy laws is becoming fairly settled. In TIPA’s case, it is closely modeled after the Virginia Consumer Data Protection Act (VCDPA). As we’ve seen in Virginia and other state laws that have been enacted, the TIPA would be applicable to companies who control or process the personal information of at least 100,000 consumers — or 25,000 consumers if they derive 50% of their revenue from the sale of personal data. TCA § 47-18-3202. Further, there are carve-outs for HIPAA and other federal privacy laws.
Personal information is defined as “information that identifies, relates to, or describes a particular consumer or is reasonably capable of being directly or indirectly associated or linked with, a particular consumer.” The definition provides a long list of non-exclusive identifiers and information types as examples of “personal information.” TCA § 47-18-3201(16).
A consumer, in turn, is “a natural person who is a resident of this state acting only in a personal context.” And, digging another layer deep, a natural person is “a human being who can be readily identified, whether directly or indirectly.”
Personal Information Rights of Consumers
TCA § 47-18-3203 sets forth the personal information rights of consumers, providing for:
- Right to know
- Right to access
- Right to correct
- Right to delete
- Right to obtain a copy
- Right to know info regarding sale of PI
- Right to opt-out of sale
Data Controller Responsibilities
Controllers must respond to consumer requests within 45 days, which can be extended an additional 45 days “when reasonably necessary.” TCA § 47-18-3203(b).
Under TIPA, consent “means a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer.” Consent also “[i]ncludes a written statement, including a statement written by electronic means, or an unambiguous affirmative action.” TCA § 47-18-3201(6).
As with other provisions, a controller’s responsibilities closely mirror the VCDPA with a purpose limitation requirement, secondary use prohibition, data security requirement, nondiscrimination policy, and sensitive data additional consent. TCA § 47-18-3204.
The data controller responsibility section in the TIPA has a specific carve-out from deletion requirements for “aggregate or de-identified data” that “is not linked to a specific customer.” Additionally, the data security requirements on data controllers have more specific requirements that are linked to TCA § 47-18-3213 and the NIST Privacy Framework, which I’ll dig into at the end of this article.
No Waiver of Consumer Rights
TCA § 47-18-3204(b) outlaws any attempt to waive a consumer’s rights – such a provision “is contrary to public policy and is void and unenforceable.”
Controller Privacy Notice to Consumers
The privacy notice requirement under TIPA is essentially identical to VCDPA with the exception that Virginia’s privacy notice requirement is unqualified. In its current form, TIPA’s requirement is triggered “[u]pon the receipt of an authenticated consumer request.” TCA § 47-18-3204(c). The controller must then “provide the consumer with a reasonably accessible, clear, and meaningful privacy notice that includes:
- The categories of personal information processed by the controller;
- The purpose for processing personal information;
- How consumers may exercise their consumer rights pursuant to § 47-18-3203, including how a consumer may appeal a controller’s decision with regard to the consumer’s request;
- The categories of personal information that the controller sells to third parties, if any;
- The categories of third parties, if any, to whom the controller sells personal information; and
- The right to opt out of the sale of personal information to third parties and the ability to request deletion or correction of certain personal information.” TCA § 47-18-3204(c).
Third-Party Processing and Targeted Ads Opt-Out
Controllers are required to “clearly and conspicuously disclose” the sale of personal data to third parties or the processing of personal data for targeted advertising. The disclosure must include info on the manner in which a consumer may opt out of either. TCA § 47-18-3204(d).
Consumer Contact Methods
Tennessee requires controllers to offer at least one of four different contact methods for consumers to exercise their rights:
- A toll-free telephone number
- An email address
- A web form
- A clear and conspicuous link on the controller’s main internet homepage to an internet webpage that enables a consumer to exercise their rights
TCA § 47-18-3204(e)(1).
This practice likely covers the overwhelming majority of use cases. However, it departs from Virginia’s more open-ended requirement that controllers establish a “secure and reliable means for consumers” to exercise their rights under the VCDPA. The VCDPA provides further guidance, noting that “Such means shall take into account the ways in which consumers normally interact with the controller, the need for secure and reliable communication of such requests, and the ability of the controller to authenticate the identity of the consumer making the request.” VCDPA § 59.1-578(E).
Controllers can’t require consumers to create a new account with the controller to use its portal; however, they can require users with an existing account to use that account. TCA § 47-18-3204(e)(2).
Controller vs. Processor Responsibilities
Processors take orders from the controller but must assist the controller in complying with the TIPA, including using appropriate technical and organizational controls, as well as aiding in breach notification duties and “providing necessary information” for the controller’s data protection assessments.
Data processing agreements between a processor and controller must “include requirements that the processor shall:”
- Ensure that each person processing personal information is subject to a duty of confidentiality with respect to the data;
- At the controller’s direction, delete or return all personal information to the controller as requested at the end of the provision of services, unless retention of the personal information is required by law;
- Upon the reasonable request of the controller, make available to the controller all information in its possession necessary to demonstrate the processor’s compliance with the obligations in this part;
- Allow, and cooperate with, reasonable assessments by the controller or the controller’s designated assessor; alternatively, the processor may arrange for a qualified and independent assessor to conduct an assessment of the processor’s policies and technical and organizational measures in support of the obligations under this part using an appropriate and accepted control standard or framework and assessment procedure for the assessments. The processor shall provide a report of each assessment to the controller upon request; and
- Engage a subcontractor pursuant to a written contract in accordance with subdivision (b)(3) that requires the subcontractor to meet the obligations of the processor with respect to the personal information. TCA § 47-18-3204(b).
Determining whether a person is acting as a controller or processor with respect to a specific processing of data is a fact-based determination that depends upon the context in which personal information is to be processed. A processor that continues to adhere to a controller’s instructions with respect to a specific processing of personal information remains a processor.
TCA § 47-18-3204(d).
These requirements are virtually identical to those found in the VCDPA.
Data Protection Assessments
Certain data processing activities require a controller to conduct a data protection assessment (DPA):
- Processing for targeted advertising
- Sale of personal information
- Profiling, when there is a risk of:
  - unfair or deceptive treatment / unlawful disparate impact
  - financial, physical, or reputational injury
  - invasion of privacy
  - other substantial injury
- Sensitive data processing
- Any processing with a heightened risk of harm
TCA § 47-18-3206(a).
DPAs must weigh benefits and risks, as mitigated by the controller’s safeguards. The use of de-identified data, consumer expectations, and the context of the processing in the controller/consumer relationship must all be factored into the DPA. TCA § 47-18-3206(b).
The Attorney General can request DPAs that are relevant to investigations; however, the DPAs remain confidential and not open to public inspection, and AG disclosure doesn’t amount to a waiver of attorney-client or work product privileges. TCA § 47-18-3206(c).
De-Identified Data
The controller in possession of de-identified data shall:
- Take reasonable measures to ensure that the data cannot be associated with a natural person;
- Publicly commit to maintaining and using de-identified data without attempting to reidentify the data; and
- Contractually obligate recipients of the de-identified data to comply with this part.
TCA § 47-18-3207(a).
Legal, Safety, and Research Limitations
There are several common carveouts found in TCA § 47-18-3208 that exempt actions taken by controllers and processors in order to comply with laws and investigations, defend legal claims, protect life, respond to security incidents, and engage in research.
Additionally, controllers and processors have restrictions removed for internal research, product recalls, identifying and repairing technical errors, and “internal operations that are reasonably aligned with the expectations of the consumer.”
Wrapping up the limitations, TCA § 47-18-3208(f) notes that processing under this section must be:
- Reasonably necessary and proportionate to the purposes listed in this section; and
- Adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this section.
The burden of proof lies on the controller to demonstrate it qualifies for an exemption under § 47-18-3208.
Enforcement and Penalties
There is no private right of action for violations of the TIPA. Exclusive authority to enforce the TIPA lies with the Tennessee Attorney General and Reporter.
The AG must give a controller or processor 60 days’ written notice of the specific provisions the AG alleges are being violated. The controller/processor then has 60 days to cure the violation and provide a written statement of the cure (and a promise not to violate again). If cured, the AG will take no further action.
If a violation continues beyond the cure period (or if a previously-cured violation reoccurs), then the AG may bring an action against the controller/processor. The AG can seek an injunction and/or civil penalties of up to $15,000 for each violation, along with reasonable expenses and attorney fees.
Each provision in the TIPA is a separate violation and each consumer affected is a separate violation. Unlike Virginia, when a violation of the TIPA is found, the court may award relief to each identified consumer affected by the violation “regardless of whether actual damages were suffered.” If the violation is willful or knowing, the court can award treble damages.
NIST-ish Privacy Program
Under TCA § 47-18-3213, controllers and processors are required to “create, maintain, and comply with a written privacy program that reasonably conforms to the National Institute of Standards and Technology (NIST) privacy framework entitled ‘A Tool for Improving Privacy through Enterprise Risk Management Version 1.0.’” Updates to the NIST privacy framework must be adopted in a manner that “reasonably conforms” within a year of NIST’s publication date.
The privacy program must provide for the substantive rights in the TIPA. The scale and scope of the privacy program “is appropriate if it is based on all of the following factors:”
- The size and complexity of the controller or processor’s business;
- The nature and scope of the activities of the controller or processor;
- The sensitivity of the personal information processed;
- The cost and availability of tools to improve privacy protections and data governance; and
- Compliance with a comparable state or federal law.
Notably, the “failure to maintain a privacy program that reflects the controller or processor’s data privacy practices to a reasonable degree of accuracy is considered an unfair and deceptive act or practice under § 47-18-104, except that a consumer is not entitled to a private right of action under § 47-18-109.” The reference to Section 104 makes the act a violation of the Tennessee Consumer Protection Act and, as a result, is a Class B misdemeanor under the statute.
A privacy program that complies with § 47-18-3213 is an affirmative defense to a cause of action for a TIPA violation.
Thoughts on a NIST-conformed Privacy Program
This is a relatively unique take on pushing privacy program standards via state privacy laws. Ohio adopted virtually the same requirement in its 2021 attempt at privacy legislation. The overall vibe of reasonable conformity to a NIST standard is gaining traction in state-level cybersecurity legislation. However, I’m not aware of any NIST privacy mandates pushed via legislation to the general commercial business audience.
What’s notable about the selection of the NIST Privacy Framework is the broad flexibility that it offers and just how much individual judgment can be exercised at each organization. Section 3.0 of the NIST Privacy Framework specifically discourages “the notion of ‘compliance with the Privacy Framework’ as a uniform or externally referenceable concept.”
This begs the question: what kinds of privacy programs “reasonably conform” to the NIST Privacy Framework?
The NIST Privacy Framework can be used both as a tool for building a privacy program from scratch or supporting the alignment of existing privacy risks using its “Current” and “Target” profiles. Would both uses “reasonably conform” under the proposed TIPA law?
What about mature privacy programs that were built without the NIST Privacy Framework as part of the process? Just how much of this flexible and permissive tool needs to be present and documented to rise to the level of reasonable conformity?
To be clear, the NIST Privacy Framework is a great tool with incredible value to organizations who decide to use it. I’m just not so sure that the TIPA’s broad approach is a fitting application for such an individually-tailored tool.
Moreover, there is no guide for the NIST Privacy Framework with assessment objectives that demonstrate compliance/conformity as we find in cybersecurity compliance publications like NIST SP 800-53A and 800-171A. As an affirmative defense, how will the business prove reasonable conformity? It seems like a tedious, fact-driven inquiry without clear guidance on what rises to the reasonableness threshold.
Wrapping Up
It’s anyone’s guess if the TIPA will even make it out of committee. If it does, will it pass? Will it remain intact in its current state?
While there is no private right of action, having an avenue for damages awarded to consumers via the State AG’s actions seems like a worthwhile compromise and is much more than some other states are offering to consumers.
Obviously, I have concerns about the NIST Privacy Framework mandate for privacy programs and how to decide the threshold of which programs “reasonably conform.”
There are some odd phrasings throughout – like the qualification for a privacy notice only upon request. Hopefully, this and other details are sorted out to make the legislation less cumbersome if it makes it across the finish line this year.