Adoption of the Information Protection Act in Tennessee

Introduction

The adoption of the Information Protection Act in Tennessee has brought significant changes to data privacy regulations in the state. With the introduction of this comprehensive law, Tennessee joins other states in safeguarding consumer data and enhancing privacy rights. The Information Protection Act sets forth guidelines and requirements for personal information collected for businesses operating in Tennessee.

In recent years, the increasing concern over data privacy and security when processing personal information has prompted many states to enact comprehensive data protection laws. Tennessee has taken a significant step in this direction by passing the TIPA. This act introduces a comprehensive framework that aims to protect personal information and ensure that businesses handle consumer data responsibly.

Key points of the Tennessee Information Protection Act (TIPA)

On the 11th of May, 2023, the Governor of Tennessee, Bill Lee, signed into law the Tennessee Information Protection Act (TIPA). This new legislation is aimed at ensuring that companies who operate and conduct business within the state of Tennessee take adequate steps in safeguarding the personal information of their customers. The TIPA is a comprehensive privacy law that imposes significant obligations on such companies, including measures to prevent data breaches, timely notification to affected individuals in the event of a breach, and appropriate actions to mitigate the risks of identity theft and fraud. By signing the TIPA into law, Governor Lee has taken a significant step towards protecting the privacy rights of Tennessee residents and ensuring that businesses operating within the state are held accountable for the safekeeping of their customers’ sensitive data.

Here are some key points about the TIPA:

1. Effective Date: The law will go into effect on July 1, 2025.

2. Applicability: TIPA applies to companies that exceed $25 million in annual gross revenue and control or process personal information of at least 25,000 consumers, among other criteria.

3. Consumer Rights: TIPA establishes consumer rights, including access to personal information, correction of inaccuracies, deletion of data, and obtaining a portable copy of the data.

4. Business Obligations: The law imposes duties on controllers, such as limiting data collection, conducting and documenting a data protection assessment, implementing security measures, and providing clear privacy notices.

5. Safe Harbor: TIPA provides a safe harbor for compliance with the NIST Privacy Framework.

6. Enforcement: The Tennessee Attorney General is granted authority to enforce the law, and penalties can be imposed for non-compliance.

7. Affirmative Defense: Controllers or processors that maintain a privacy program conforming to the NIST privacy framework may have an affirmative defense against violations.

It’s important to note that TIPA shares similarities with other privacy laws, such as the Virginia Consumer Data Protection Act (VCDPA), Utah’s privacy law, and Iowa’s privacy law. However, there are also differences that make TIPA unique in its coverage thresholds, exemptions, and affirmative defense provisions.

Consumer rights and privacy program

Under the Information Protection Act, consumers have a range of rights designed to give them control over their personal information. These rights include:

1. Access: Every person has the right to request and obtain any personal information held by businesses or organizations. This includes information such as their name, address, contact details, employment history, financial records, and any other data that may pertain to them. These rights are protected by TAPI, and businesses are required to comply with them to ensure the privacy and security of their customers’ information.

2. Correction: In the event that any personal information provided appears to be inaccurate or incomplete, it is within an individual’s rights to request for the necessary corrections or updates to be made. This ensures that their personal information remains accurate and up-to-date, providing an additional layer of security and safety.

3. Deletion: Individuals who have interacted with various businesses have a lawful entitlement to demand that any personal information that has been amassed by these entities be erased from their records. This right ensures that they have control over their personal data and can prevent it from being misused or mishandled.

4. Opt-out: The act provides individuals with the ability to make an informed decision regarding the utilization of their data for targeted advertising by offering an opt-out option. This ensures that individuals have control over the use of their personal information and can make choices that are in line with their preferences and values. By exercising their right to opt-out, individuals can safeguard their privacy and ensure that their data is being used in a manner that aligns with their interests and values.

To comply with the Information Protection Act, businesses are required to establish and maintain a written privacy program aligned with recognized standards, such as the National Institute of Standards and Technology (NIST) privacy framework or other documented policies. This privacy program serves as an affirmative defense for businesses when facing potential legal issues related to data privacy.

Obligations for businesses

The Information Protection Act outlines various obligations for businesses to ensure the protection and responsible handling of consumer data. These obligations include:

1. Responding to consumer requests: According to legal requirements, it is mandatory for businesses to promptly respond to any customer inquiries that pertain to their personal information. This includes providing necessary details and addressing concerns within a designated timeframe. Failure to comply with these regulations can result in serious consequences for the company in question.

2. Providing information free of charge: It is critical for organizations to provide comprehensive information on how they manage and safeguard personal data without any cost to the individual. This ensures transparency and accountability in the handling of sensitive information and instills trust and confidence in the company’s data protection practices.

3. Authenticating requests: To ensure the protection of individuals’ sensitive data and maintain their privacy, it is crucial for entities to carefully authenticate any requests for personal data. This process helps to prevent unauthorized access to confidential information, which could lead to serious consequences. By verifying the legitimacy of requests, organizations can establish a secure environment that promotes trust and confidence among individuals.

4. Establishing an appeals process: Organizations are obligated to establish a systematic approach that enables individuals to raise objections against any judgments made concerning their personal information. This procedure serves as a safeguard mechanism to protect the privacy rights of individuals and ensures that companies are held accountable for their use of personal data.

Additionally, businesses must provide clear and meaningful privacy notices to consumers, disclosing how personal data is processed for targeted advertising purposes. These notices play a crucial role in informing individuals about data collection, their sensitive data usage, and their rights regarding their personal information.

Compliance and enforcement

The Tennessee Information Protection Act will take effect on July 1, 2025. It is essential for businesses operating in Tennessee to familiarize themselves with the act’s requirements and ensure compliance before the effective date. Failure to comply with the Information Protection Act can result in penalties and legal consequences for businesses.

The recently introduced legislation comes with a set of comprehensive measures that are aimed at ensuring compliance with the law, and these measures will be overseen by the Tennessee Attorney General. The legislation imposes heavy fines of up to $7,500 per violation for businesses that fail to comply with the regulations. However, businesses are given a 60-day grace period to rectify any issues before any penalties are enforced. This timeframe is meant to encourage businesses to make the necessary adjustments and comply with the law without having to face any undue financial burden.

Impacts and benefits

The adoption of the Tennessee Information Protection Act brings several significant impacts and benefits:

1. Enhanced consumer privacy: The act is designed to afford individuals the ability to exert their influence over their own personal information. This is achieved through the granting of control over said information and the implementation of strict transparency measures to ensure that users are fully aware of how their information is being utilized. Such empowering measures serve to safeguard the privacy rights of individuals and promote a more fair and just society.

2. Standardized privacy framework: The act strongly advocates for the adoption of optimal measures in managing data privacy, with a specific emphasis on adhering to well-established standards of privacy, such as the widely recognized NIST framework. By complying with these guidelines, organizations can effectively safeguard sensitive information and uphold the privacy rights of their clients and customers.

3. Protection against data breaches: By prioritizing security measures and conducting thorough data protection assessments, customers can rest assured that their personal information is being safeguarded at all times. This not only minimizes the risk of potential data breaches but also demonstrates responsible data management practices that prioritize the protection of consumer data. As a result, customers can have greater peace of mind when sharing their information with trusted organizations.

4. Business accountability: The enactment of this legislation has placed specific responsibilities and consequences on businesses in regard to the proper handling and management of personal information. These measures are in place to ensure that companies acknowledge and take ownership of their role in safeguarding such data and to encourage the implementation of sound and ethical practices for managing sensitive information.

Overall, the TIPA aims to safeguard consumer privacy and strike a balance between protecting consumer privacy and enabling businesses to operate in a data-driven economy. By establishing comprehensive data privacy laws, Tennessee joins other states in prioritizing consumer rights and data protection.

Conclusion

The adoption of the TIPA marks a significant milestone in the state’s commitment to data privacy. This comprehensive legislation sets requirements and obligations for businesses operating in Tennessee to ensure the protection and responsible handling of consumer data. With provisions for consumer rights, privacy notices, and compliance with recognized privacy standards, the act aims to enhance individual privacy and establish a standardized framework for data privacy management.

As the effective date approaches, businesses should take proactive measures to understand and comply with the Information Protection Act’s requirements. By doing so, they can prioritize the privacy and security of consumer data while building trust with their customers.