Tennessee Information Protection Act (TIPA)

On April 21, 2023, the Tennessee Information Protection Act (TIPA) was signed into law. The new legislation aims to advance security in the collection, sharing, and use of consumer personal information. It is designed to protect Tennessee consumers.

For businesses implementing compliance regulations for other privacy laws, it's important to understand what TIPA means for your business going forward.

This article outlines some key factors to consider as TIPA compliance deadlines grow near, as well as how to comply.

Note that TIPA goes into effect as of July 1, 2025.

Who is Impacted by the Tennessee Information Protection Act (TIPA)?

TIPA impacts Tennessee business owners or companies providing products or services to Tennessee consumers. It applies to businesses that earn more than $25 million per year plus meet one of the following:

• Control the personal data of 25,000 individuals and earn 50% of income from the sale of data, or
• Control the personal data of 175,000 annually (minimum)

Within the scope of data collection, TIPA only regards consumer data within these thresholds. Commercial entity data and company employee data do not fit this category.

What Exemptions Apply to the Tennessee Information Protection Act (TIPA)?

TIPA exemptions cover both the type of data collected and the people collecting it. Entities exempt from TIPA compliance include:

• Insurance companies licensed to collect personal data
• Health institutions regulated by the Health Insurance Portability and Accountability Act (HIPAA)
• Universities and educational institutions
• Government departments requiring access to consumer data
• Nonprofit organizations
• Banks and other financial institutions regulated by the Gramm-Leach-Bliley Act (GLBA)

Data-related exemptions include data protected by the following:

• Family Educational Rights and Privacy Act (FERPA): An act designed to protect student privacy and records which is applicable to all programs within the U.S. Department of Education
• Fair Credit Reporting Act (FCRA): A program protecting consumer information collected by credit bureaus and other reporting agencies
• Controlled Substances Act: Regulates information regarding the use of controlled substances for purposes of medical, safety, dependence, liability, or the potential for abuse
• Health Care Quality Improvement Act (HCQIA): Solidified in 1986, HCQIA protects those facilitating peer reviews, including professional societies, individuals, and entities
• Driver's Privacy Protection Act: A federal statute set to control the privacy of data gathered by the Department of Motor Vehicles
• Patient Safety and Quality Improvement Act (PSQIA): A system meant to improve data availability for medical professionals, including errors and patient safety information
• Farm Credit Act: An act created during the Great Depression to protect farmers through short-term financial lending

These exemptions exist because these entities and acts contain similar compliance regulations. Without them in place, TIPA maintains priority to confirm maximum privacy and security over consumer data.

What Does the Tennessee Information Protection Act (TIPA) Mean for Tennessee Business Owners?

TIPA provides a unique approach to the current NIST Privacy Framework to identify and govern risks, share awareness of policies set to mitigate risk and protect consumer data.

Under TIPA, businesses are obligated to:

• Offer transparency in data collection and privacy protection protocols
• Limit the processing of personal data
• Avoid discrimination based on obtained data
• Avoid discrimination against consumers who refuse to provide personal data
• Safeguard the collected data

Within these standards, there are specific rules to follow, as outlined below.

Written Privacy Program

All companies impacted by TIPA must create a written privacy program that complies with the NIST Privacy Framework.

This Framework is a tool that helps businesses when it comes to privacy risks. It helps identify risks, then manage any possible risks through effective and innovative solutions. It's a voluntary tool according to NIST, but TIPA is making it mandatory for anyone who must comply with TIPA.

Whenever NIST updates its published framework, the company must also update its written privacy program. Companies must make these updates within one year of the most recent NIST update.

Privacy programs must include all rights under TIPA, while also disclosing all reasons for the collection of personal data. If the collection of data, or privacy program fails to follow NIST and TIPA, it could be legally deemed deceptive.

You can access the NIST Privacy Framework Resource Repository here.

Consumer Right Updates

TIPA requires businesses to provide Tennessee consumers with an outline of their rights, including the rights to:

• Opt out of data collection for targeted marketing
• Delete collected data
• Access data (choose who has the right to access/process data)
• Appeal the collection and use of data
• Correct previously collected data
• Share previously collected data

Consumers must be made aware of these rights before providing consent to data collection. If a company plans to share or sell any consumer information, the consumer must be made aware of this prior to data collection. The consumer must also be given information on ways to opt out of data collection if they so choose.

User rights are nothing new to you if you've been in compliance with other privacy laws. For example, the CCPA/CPRA has a robust set of user rights that must be granted.

You can disclose these rights to your users in your Privacy Policy. This helps with compliance, as part of the granting of rights is letting users know that they have them and how to go about executing their rights if they wish.

Here's how Airbnb does this in a Privacy Policy:

Rights must be adhered to. For example, sometimes a consumer requests access to collected data. Business owners must respond to requests by consumers for copies of their collected data within 45 days. A further 45-day extension may be allowed.

If the request for data is denied congruent to TIPA compliance, the consumer must be sent contact details for the attorney general. The customer may appeal the decision of a denial within 60 days.

Sensitive Data Usage

A key factor Tennessee business owners should understand within the scope of TIPA is the definition and use of sensitive data. All sensitive data requires consumer consent for use. Any data collected from a child requires compliance with the Children's Online Privacy Protection Act (COPPA).

Sensitive data is any information outlining the personal details of a consumer, including religion, race or ethnicity, sexual orientation, citizenship, health diagnoses, and location. Any information collected from a child under the age of 13 is considered sensitive.

Access to Communication with Controller

All controllers must provide their contact information to consumers via their Privacy Policies. A controller is any person or entity controlling the collection, storage, and sharing of consumer data.

Allowable methods of communication include:

• Email addresses
• Webforms
• Toll-free telephone numbers
• Link to the main website

Each communication method must be able to authenticate the consumer without the need for new account creation. This means businesses need to offer identification methods that require no additional tools.

Here's how you can disclose your contact information within your Privacy Policy:

Required Impact Assessments

There are a variety of areas where businesses process private consumer data. Some processes require impact assessment reports to be completed beforehand. The reports need to detail the reason, advantages, and potential harm of the processing of consumer data, as well as the impacts the process has on the business, public, and consumer.

Processes requiring reports include:

• The sale of data: Selling consumer data to other entities or individuals
• Profiling of data: Collection and use of any data that may pose harm or be deemed deceptive or discriminatory
• Targeted marketing: Businesses must report any plan to use consumer data to pinpoint marketing
• Sensitive data: Use of sensitive data including ethnicity, sexuality, ability, race, and mental or physical health
• Other personal data processing: Any data processing which could cause harm to the consumer's reputation, finances, legal status, or livelihood

Harm constitutes any distress caused to consumers due to data processing including financial, reputational, legal, or physical suffering.

TIPA does not require retroactive assessments for previous processing. As long as businesses have followed state laws regarding impact assessments in the past, you're covered.

Penalties for Tennessee Information Protection Act (TIPA) Noncompliance

Any business caught not complying with TIPA legislature may be fined up to $7,500 per breach. This fine system is similar to the penalties carried out in Utah, Virginia, and Iowa's state privacy protection compliance. They're designed to protect consumers from privacy discrepancies.

Business owners caught in violation of TIPA are provided a 60-day grace period to counter the accusation. If businesses fix the violation within 60 days of receiving the Attorney General's notice of violation, penalties may be reassessed or reversed.

TIPA contains no private right of action. This means any penalties are exclusively dealt with by the Tennessee Attorney General.

Courts may grant treble damages in the event of premeditated/known violations. Treble damage is a statute that triples the plaintiff's award.

Summary

The Tennessee Information Protection Act comes into effect on July 1, 2025. The act was signed following a unanimous vote on April 21, 2023. It follows several other states in the advancement of consumer privacy protection.

TIPA impacts any business in Tennessee, and businesses serving consumers in Tennessee that:

• Earns more than $25 million annually and either controls the personal data of 25,000 consumers with 50% of income earned by the sale of data, or
• Controls the personal data of 175,000 consumers

TIPA requires these businesses to:

• Outline consumer rights: All consumer privacy rights must be outlined prior to the collection, sharing, and retrieval of data
• Know the definition of sensitive data: Sensitive data includes ethnicity, religion, race, and sexuality, and includes any information regarding children under the age of 13
• Respond to consumer requests for data: All consumer requests for acquired data must be responded to within 45 days (with a potential 45-day extension)
• Complete impact assessment reports: Impact assessment reports must be filed prior to accessing, processing, or sharing consumer data
• Avoid discrimination: Businesses must not discriminate based on personal details collected within personal data
• Safeguard data: TIPA requires businesses to use discretion when obtaining, sharing, or processing consumer data

Penalties for failure to comply with the new TIPA legislature include a fine of up to $7,500 per breach. All fines are by the Tennessee Attorney General. Fines may be tripled in a court of law under the treble damages statute due to knowledgable wrongdoing.