First Same-Date Privacy Laws
Tennessee and Montana just passed privacy laws on the same date, April 21, 2023.
Background to the Tennessee Information Protection Act
In Tennessee, the House unanimously passed HB 1181 by a vote of 90-0 earlier in April, and the companion bill SB 73 passed in the Senate as well. The bill introduces the “Tennessee Information Protection Act” and is tentatively set to go into effect on July 1, 2024.
The Tennessee Information Protection Act is a familiar snowflake in the flurry of state privacy laws that have come down over the last year or so: each one is unique, yet they have a great deal in common.
It does contain one requirement, though, that has not appeared in any other consumer data protection law. The law requires covered Tennessee businesses to comply with the NIST privacy framework, and it goes so far as to require compliance with any future revision of that standard. In an interesting twist, the law also provides an affirmative defense against violation claims to entities that comply with the NIST standard, as described below.
In the next sections, we bring you some key takeaways from the new Tennessee privacy act.
How the Bill Defines Personal Information
Under the Tennessee consumer privacy act, personal information is defined as information that relates to or describes a particular individual or that is capable of being linked with a specific person. This includes:
- Real names
- Unique identifier
- IP address
- Email address
- Social security number
- Passport number
- Driver's license number
- Signatures
- Physical characteristics or description
- Address
- Phone number
- Insurance policy number
- Credit or debit card number
- Financial information
- Health-related information
- Employment history
- Records of personal property
- Purchasing or consuming history
- Biometric data
- Internet network activity like browsing history, search history, and interactions with a website or app
- Geolocation data
Scope of the Tennessee Privacy Bill
The Tennessee data privacy law covers persons that conduct business in the state, or that produce products or services targeted to residents of Tennessee, and that:
- During a calendar year, control or process the personal information of at least 100,000 consumers, or
- Control or process the personal information of at least 25,000 consumers and derive more than 50% of gross revenue from the sale of personal information
Personal Information Rights for Consumers
- A consumer may submit a request to a controller specifying the right they wish to invoke under the law.
- A controller must comply with an authenticated consumer request to:
  - Confirm whether the controller is processing the consumer's personal information, and allow the consumer to access it
  - Correct inaccuracies in their personal information
  - Delete personal information, unless the business uses it as aggregate or de-identified data
  - Obtain a copy of the personal information that the consumer provided to the controller
  - Request specified information regarding personal information that the controller sold or disclosed
  - Opt out of the controller selling their personal information
- As noted in the bill, consumers should receive a response from a controller within 45 days of receipt of the request, with some exceptions that permit an extension
Key Controller Responsibilities
- Controllers shall limit the collection of personal information to what is adequate and relevant
- Controllers must not process personal information for purposes beyond what is reasonably necessary for, and compatible with, the disclosed purposes for processing the information
- Controllers must establish, implement and maintain reasonable data security practices, as described in detail in the bill
- Controllers are not required to delete information that is used as aggregate or de-identified data
- Controllers cannot discriminate against a consumer for exercising their rights under this law
- Controllers cannot process sensitive data without obtaining consent from the consumer or, in the case of children, consent in accordance with COPPA
Key Processor Requirements
- Processors must adhere to the instructions of a controller and shall assist the controller in fulfilling its obligations under the law.
- Processors must enter into a contract with the controller that governs their data processing procedures.
Data Protection Assessments
Controllers shall conduct and document a data protection assessment of each of the following processing activities involving personal information:
- The processing of personal information for targeted advertising
- The sale of personal information
- The processing of personal information for purposes of profiling, where profiling presents certain specified risks
- Processing of sensitive data
Privacy Programs
Controllers and processors are required to create a written privacy program that conforms to the NIST privacy framework entitled “A Tool for Improving Privacy through Enterprise Risk Management, Version 1.0”, and to any subsequent revisions published in the future.
This requirement is a first-of-its-kind inclusion in a state privacy law. In effect, a state legislature is basing its privacy requirements on a federal standard rather than trying to prescribe those standards itself.
Affirmative Defense
One notable point is that the bill would create an affirmative defense for businesses that create, maintain, and implement a privacy program aligned with the National Institute of Standards and Technology (NIST) privacy framework, as specified in the section above. This means that if a business is alleged to have violated certain parts of the law, having the required privacy program in place can serve as a defense against the attorney general's violation claim.
What This Means for Tennessee Businesses
“Most businesses will be able to leverage the data privacy and security programs built for other state law requirements,” Baker Donelson Partner Andy Droke, CIPP/US, said. “However, for those Tennessee businesses that have not previously had to comply with other state privacy laws, this will be a significant undertaking, and they should start developing a strategy now.”
Stay with Centraleyes as we keep you updated on the complex patchwork design of comprehensive US state privacy laws.