By Gerald L. Maatman, Jr., Jennifer A. Riley, and Tyler Zmick
Duane Morris Takeaways: As efforts to enact comprehensive privacy protection continue to stall on the federal level, states have stepped up to create a patchwork quilt of protections for those doing business with consumers within their borders. Tennessee recently became the eighth state – following Indiana, California, Colorado, Connecticut, Iowa, Utah, and Virginia – to enact comprehensive privacy legislation. At least 15 other states have introduced similar bills during the current legislative session, and Montana’s comprehensive consumer privacy statute awaits the signature of its Governor. Companies doing business in Tennessee or with Tennessee consumers should take heed of the new law and review their policies and processes for compliance.
Tennessee Legislation
After receiving overwhelming support from both houses of the General Assembly, on May 11, 2023, Governor Bill Lee signed the Tennessee Information Protection Act into law. With this law, Tennessee became the eighth state to institute comprehensive consumer privacy legislation. The law is set to take effect on July 1, 2024.
The act applies to businesses that conduct business in Tennessee or produce products or services that are targeted to Tennessee residents and that: (1) control or possess the personal information of at least 175,000 consumers; or (2) control or process personal information of at least 25,000 consumers and derive more than 50% of their gross revenue from the sale of personal information. The law contains exemptions for certain types of entities, such as governmental entities, certain financial institutions, non-profit organizations, and higher education institutions. The law also exempts certain types of data, such as personal information regulated by the Family Educational Rights and Privacy Act, and protected health information under HIPAA.
Similar to other comprehensive state privacy laws, the Tennessee law grants Tennessee residents certain rights in their personal information. It allows for consumers to confirm whether a company is processing their personal information, to access their personal information, to correct inaccuracies in their personal information, to delete their personal information, to obtain copies of their personal information, and to opt out of future sales or targeted advertising.
The law allows a consumer to invoke his or her rights (and the rights of his or her children) at any time by submitting a request to a controller of the personal information specifying the rights that the consumer wishes to invoke, and it requires the respondent to comply with an authenticated request without undue delay but, in all cases, within 45 days.
The law imposes various requirements on persons and entities who “determine[] the purpose and means” of processing personal information. For example, it requires such persons and entities to limit the collection of personal information to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the data is processed; to establish, implement, and maintain reasonable data security practices; and, if the controller processes or sells personal information for targeted advertising, to clearly and conspicuously disclose the processing, as well as the manner in which a consumer may exercise the right to opt out of the processing.
The Tennessee law does not provide for a private right of action and vests exclusive enforcement authority in the Tennessee attorney general. It allows a court to impose civil penalties of up to $7,500 per violation, and allows treble damages for willful or knowing violations. The law requires that, prior to initiating an action, the attorney general must provide a 60-day notice period during which the recipient may cure the noticed violation to avoid an enforcement action. The law also creates an affirmative defense under certain circumstances for a company that creates, maintains, and complies with a written privacy policy that reasonably conforms to documented policies, standards, and procedures designed to safeguard consumer privacy.
Implications for Businesses
Covered persons and entities who do business in Tennessee or who target Tennessee consumers should start reviewing their policies and developing processes to comply with the Tennessee law. Although the law is not set to take effect until July 1, 2024, the law adds another challenge to the already complex compliance landscape for companies seeking to operate on a nationwide basis.