The Tennessee Information Protection Act is legislation that protects the privacy of personal information collected by businesses and government agencies in Tennessee.
The Tennessee Information Protection Act (TIPA) is a significant legislative development in the sphere of data privacy, mirroring the growing trend of state privacy laws across the United States. This legislation emphasizes the importance of protecting sensitive information and privacy, a topic that has become increasingly significant in recent times. The Act imposes specific requirements on entities that collect, store, or use personally identifiable information (or personal information) of Tennessee residents, thereby fortifying the state’s commitment to data privacy and security. The implementation of the TIPA is a significant step towards ensuring data privacy and security in Tennessee, setting a high standard for entities handling personal information and promoting a culture of transparency, responsibility, and trust.
The TIPA enforces stringent data handling standards, necessitates breach notifications, and introduces consumer rights similar to CCPA and GDPR, promoting transparency and control over personal information.
The TIPA’s primary purpose is to ensure that businesses and organizations that deal with personal information adhere to strict standards to minimize the risk of unauthorized access and misuse of such information. The Act necessitates that these entities implement appropriate security measures and protocols to safeguard the information they handle. These measures can range from secure data storage systems to comprehensive cybersecurity policies. The TIPA also requires that entities notify affected individuals in the event of a data breach. This notification must be prompt and must provide details about the nature of the breach, the type of information compromised, and the steps taken to mitigate the damage. Moreover, the TIPA introduces new consumer rights, similar to those provided under the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR). Consumers have the right to access their personal information, correct inaccuracies, delete their data, and opt out of the sale of their personal information. These rights necessitate the implementation of mechanisms to accommodate consumer requests, thereby increasing businesses’ responsibility to give consumers transparency and control over their personal information.
The Act is based on the broader concept of information privacy, which involves the proper handling of data—its collection, storage, use, and dissemination—particularly focusing on the personal information of individuals. The Act is designed to combat the growing threat of identity theft, data breaches, and other forms of cybercrime that have become prevalent with the advent of modern technology. The TIPA defines “personal information” as information that is linked or reasonably linkable to an identified or identifiable natural person. The definition excludes information that is publicly available, deidentified, or aggregated consumer information. Like other state privacy laws, the TIPA establishes a category of “sensitive data” as personal information that includes:
- personal information revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;
- the processing of genetic or biometric data for the purpose of uniquely identifying a natural person;
- the personal information collected from a known child (a natural person under 13 years of age); or
- specific geolocation data.
The TIPA applies to businesses heavily involved in data operations, with exemptions for certain entities and data processed in employment or commercial contexts.
The TIPA applies to businesses that control or process the personal information of more than 25,000 consumers, or derive over 50% of their revenue from selling personal information. By setting these thresholds, the Act focuses on businesses with significant data operations, ensuring that those handling large volumes of personal information or engaging in data monetization practices are held accountable. The TIPA includes exemptions for certain entities and types of data. Entities exempted under the TIPA encompass government bodies, nonprofits, financial institutions subject to Title V of the Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act, higher education institutions, and entities under the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH). Notably, the TIPA is the first state privacy law to specifically exempt all insurance companies licensed under Tennessee law.
The TIPA also includes various data-based exemptions. Similar to the laws in Utah, Virginia, and Iowa, the TIPA does not apply to personal information processed or maintained in an employment context, including information provided by individuals applying for or engaged in roles as employees, agents, or independent contractors, as well as emergency contact information and data used for benefits administration. The law’s definition of a “consumer” specifically excludes individuals acting in a commercial or employment context. Furthermore, data that is publicly available, aggregated, or de-identified is not considered “personal information.” There are also exemptions specific to health data. These include exemptions for protected health information under the Health Insurance Portability and Accountability Act (HIPAA), as well as information and documents created for the HealthCare Quality Improvement Act (HCQIA). Patient safety work products created under the Patient Safety and Quality Improvement Act (PSQIA) and information used solely for public health activities as authorized by HIPAA are also exempt. Additionally, the TIPA contains specific carve-outs for personal information collected, processed, or sold in connection with certain types of research, such as human subject research and public or peer-reviewed scientific or statistical research in the public interest.
Non-compliance with the TIPA can result in hefty penalties, emphasizing the need for organizations to understand the Act, conduct audits, enhance security, develop policies, and train staff.
Failure to comply with the TIPA can result in severe penalties. The Tennessee Attorney General can impose fines of up to $2,500 per negligent violation and up to $7,500 per intentional violation. Additionally, businesses may face injunctive relief or even civil penalties under the Tennessee Consumer Protection Act. The potential financial and reputational repercussions of non-compliance underscore the importance of understanding and adhering to the TIPA’s requirements.
To prepare for TIPA compliance, organizations can follow these steps:
- Familiarize yourself with the TIPA. This includes understanding the law’s requirements, such as what personal information is covered, how it must be collected and used, and how it must be protected.
- Conduct a data audit to determine what data falls under TIPA’s purview. This will help you identify the personal information that your organization collects, uses, and stores, so that you can take steps to protect it.
- Implement security measures to safeguard personal information. This includes measures such as encryption, access controls, and data backups.
- Develop policies and procedures that align with TIPA’s requirements. These policies and procedures should document how your organization will comply with the law, and should be communicated to all employees.
- Train staff and monitor compliance. Employees should be trained on the law and your organization’s policies and procedures, and compliance should be monitored on a regular basis.
By following these steps, organizations can help ensure that they are in compliance with TIPA and protect the personal information of their customers.
If you are looking to ensure compliance with the Tennessee Information Protection Act and other US state privacy laws, Aphaia now offers a US privacy add-on to our Outsourced DPO service, as well as ad hoc US privacy advice. Contact Aphaia today to find out more.