The Individual Rights created under TIPA resemble those provided under other state laws.
If TIPA applies to your business, you must allow consumers to:
- Confirm whether your business is processing their personal data and, if so, access it
- Correct inaccuracies in personal data
- Delete personal data
- Obtain a copy of certain personal data they provided (data portability)
- Opt out of the sale of personal data and processing for profiling and targeted advertising
Tennessee, like many other states, requires responses to be provided within 45 days of receipt of request (unless the business has been unable to authenticate a request), with a permissible 45-day extension in limited circumstances.
Responses must be provided free of charge at least twice a year. If the business declines to take a requested action, the consumer must be notified in writing and given instructions for appeal.
As with other recent state privacy laws, including those of Montana and Iowa, the appeal process must be conspicuously available to the consumer and similar to the process for submitting requests. Businesses must respond to appeals within 60 days of receipt. If the business denies an appeal, it must provide an online mechanism, if available, or another method for contacting the Tennessee State Attorney General to submit a complaint.
Pseudonymous Data
Like the consumer data privacy laws in Virginia, Montana, Iowa, and some others, a business does not need to include pseudonymous data in its response to Individual Rights Requests.
The definition of ‘pseudonymous data’ under TIPA is almost identical to other state laws. It consists of: “personal information that cannot be attributed to a specific natural person without the use of additional information, so long as the additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal information is not attributed to an identified or identifiable natural person.”
One of the most common uses of pseudonymous data is in the clinical trial context, where each trial participant is assigned a random ID that stands in for their actual identity. The link between the ID and the participant is known only to the medical staff, not to the sponsor/manufacturer, labs, and other supporting entities that work with the trial data.
Other types of organizations may want to consider taking this approach, especially those that already assign identifiers through, for example:
- Loyalty or participation rewards programs such as frequent flier/renter/buyer/guest numbers
- Membership IDs (like insurance companies, libraries, and fitness centers)
- Player ID (for online and mobile games)
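The following is an added example, not code from the original article, showing the pattern the article describes: each person receives a random ID, the working dataset carries only that ID, and the ID-to-identity mapping lives in a separate store (the "vault") held by the one party allowed to re-identify. The field names, the use of e-mail as the stable identity key, the `P-` prefix, and the sample records are all assumptions made for illustration. The release check at the end is the kind of control a practitioner would want before handing a pseudonymized extract to a lab, vendor, or analytics team.

```python
import secrets
from dataclasses import dataclass, field

# Fields that directly identify a person (constructed for this example).
DIRECT_IDENTIFIERS = ("name", "email", "phone")


@dataclass
class ReidentificationVault:
    """Pseudonym <-> identity mapping, held apart from the working dataset.

    Only the party allowed to re-identify (e.g. medical staff in a trial)
    holds an instance. Downstream parties receive pseudonymized records
    and never see this object; in production it would sit in its own
    store with separate access controls and encryption at rest.
    """
    _by_pseudonym: dict = field(default_factory=dict)
    _by_identity: dict = field(default_factory=dict)

    def pseudonym_for(self, record: dict) -> str:
        """Return the random ID for this person, issuing one on first sight.

        The identity key is the normalized e-mail (an assumption for the
        example). The ID is drawn from a CSPRNG, not derived from the
        identity, so the ID alone carries no information about the person.
        """
        key = record["email"].strip().lower()
        pseudonym = self._by_identity.get(key)
        if pseudonym is None:
            pseudonym = "P-" + secrets.token_hex(8)
            self._by_identity[key] = pseudonym
            self._by_pseudonym[pseudonym] = {f: record[f] for f in DIRECT_IDENTIFIERS}
        return pseudonym

    def reidentify(self, pseudonym: str) -> dict:
        """Reverse lookup; only possible for the holder of the vault."""
        return dict(self._by_pseudonym[pseudonym])


def pseudonymize(records, vault):
    """Replace direct identifiers with the vault's pseudonym; keep other fields."""
    out = []
    for r in records:
        pid = vault.pseudonym_for(r)
        kept = {k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}
        out.append({"participant_id": pid, **kept})
    return out


def leaks_direct_identifiers(records) -> bool:
    """Release check: True if any record still carries a direct identifier field."""
    return any(k in DIRECT_IDENTIFIERS for r in records for k in r)


# Constructed sample input: two visits by one person (e-mail case differs), one by another.
SAMPLE_RECORDS = [
    {"name": "Ada Lovelace", "email": "ada@example.com", "phone": "555-0100", "visit": 1, "result": 4.2},
    {"name": "Ada Lovelace", "email": "ADA@example.com", "phone": "555-0100", "visit": 2, "result": 4.8},
    {"name": "Alan Turing", "email": "alan@example.com", "phone": "555-0101", "visit": 1, "result": 3.9},
]


if __name__ == "__main__":
    vault = ReidentificationVault()
    dataset = pseudonymize(SAMPLE_RECORDS, vault)
    for row in dataset:
        print(row)
    print("direct identifiers present:", leaks_direct_identifiers(dataset))
    print("vault holder can re-identify:", vault.reidentify(dataset[0]["participant_id"])["name"])
```

Two properties matter here. The same person gets the same ID across records (so the dataset stays useful for longitudinal analysis), and nothing in the released rows lets a recipient reverse the ID without the vault, which is exactly the "additional information kept separately" that the statutory definition turns on.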
Data Protection Assessments (aka Privacy Impact Assessments)
Like many state privacy laws, including those of Virginia, Connecticut, and Montana, Tennessee requires regulated businesses to conduct Data Protection or Privacy Impact Assessments.
The circumstances under which these assessments must be completed align with the VCDPA, CTDPA, and MCDPA. Like its predecessors, TIPA also allows an assessment conducted for compliance with another law to satisfy its requirements, provided it has a "reasonably comparable scope and effect."
TIPA requires assessments for activities created or generated after July 1, 2024, that present a heightened risk of harm, specifically including:
- Processing for targeted advertising
- Selling personal data
- Processing sensitive data
- Processing for the purposes of profiling if it presents a ‘reasonably foreseeable risk’ of
○ Unfair or deceptive treatment or unlawful disparate impact on consumers
○ Financial, physical, or reputational injury to consumers
○ Physical or other intrusion on the solitude or seclusion, or private affairs or concerns, which would be offensive to a reasonable person
○ Other substantial injury
Vendor Contracts
TIPA requires that businesses have a contract in place dictating what vendors must do with respect to processing personal data. This is also the case for privacy laws in Iowa, Montana, and many other states.
These vendor contracts must “clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties.”
In addition, the contracts must require that the processor:
- Ensure it binds each person that processes personal data to a duty of confidentiality
- Delete or return all personal data when it has completed the services, unless retention of the personal data is required by law
- Make available all information necessary to demonstrate the processor's compliance with its obligations
- Make itself available for audits by the controller, or arrange for an independent auditor to review its policies and practices, and provide a report of the assessment to the controller
- Pass along the same obligations to any subcontractor in a written contract
Business Friendly Exceptions to TIPA
TIPA, like other state privacy laws, specifies that it should not be construed to restrict a business’s collection, use, or retention of personal data for:
- Conducting internal research for development, improvement, and repair of products, services, and technology (R&D)
- Product recalls
- Identifying and repairing technical errors that impair existing or intended functionality
- Performing internal operations
How Will TIPA Be Enforced?
The state Attorney General has the sole enforcement authority under TIPA. This is true of almost all state privacy laws, including those of Utah, Virginia, Colorado, Connecticut, Montana, and Iowa.
The Attorney General may bring an enforcement action after providing 60 days’ notice and an opportunity for the business to cure the alleged violation(s).
Unlike almost all of the other state laws (Iowa is currently the sole exception), TIPA does not set a sunset date for the cure period.
Violations carry a civil penalty of up to $7,500 per violation, plus attorney's fees, investigative costs, and any other relief the court determines appropriate. For willful or knowing violations, the court may award treble damages.