On May 15, 2023, the Tennessee HB1181 was enrolled into law, enacting the Tennessee Information Protection Act (TIPA). TIPA was passed to protect the privacy of residents of Tennessee by providing them with privacy rights and imposing certain requirements, such as having a Privacy Policy upon businesses. This new law will go into effect on July 1, 2025 so businesses who need to comply should start their compliance efforts now.
In this Compliance Guide, we will discuss the following aspects of TIPA:
- Who needs to comply with this new law;
- How the law defines personal data;
- The privacy rights provided to residents of Tennessee;
- The Privacy Policy requirements of the Tennessee Information Protection Act;
- The penalties for non-compliance; and
- Termageddon’s plan for making Privacy Policy updates for this new privacy law.
Table of Contents
Who needs to comply with TIPA?
TIPA applies to persons that conduct business in Tennessee or that produce products or services that are targeted to residents of the state and that:
- During a calendar year, control or process the personal information of at least 100,000 residents of Tennessee; or
- Control or process the personal information of at least 25,000 Tennessee residents and derive more than 50% of gross revenue from the sale of personal information.
It is important to note that TIPA applies to businesses that are located in Tennessee, as well as businesses that are not so business in other states must still pay attention to and comply with this law if it applies to them.
How does Tennessee’s privacy law define personal information?
TIPA applies only to businesses that collect the personal information of residents of Tennessee and that meet the criteria above, so it is important to determine whether your business collects personal information as defined by this law. HB1181 defines personal information as “information that identifies, relates to, or describes a particular consumer or is reasonably capable of directly or indirectly associated or linked with, a particular consumer.” While this definition is quite verbose, personal information, as described by this law, includes:
- Identifiers such as name, online identifier, IP address, email address, account name, and social security number;
- Information that identifies, relates to, describes or could be associated with a particular individual such as signature, address, telephone number, employment history, credit card number or bank account number;
- Characteristics of protected classifications under state or federal law (e.g. race or gender);
- Commercial information such as records of products or services bought;
- Biometric data;
- Internet or other electronic activity such as browsing history, search history, and information regarding a particular individual’s interaction with a website, application or advertisement;
- Geolocation data;
- Audio, electronic, visual, thermal, olfactory or similar information;
- Professional or employment-related information;
- Education information; and
- Inferences drawn from the information about to create a profile about a consumer.
What privacy rights are provided to residents of Tennessee by TIPA?
The Tennessee Information Protection Act helps consumers protect their personal information by providing them with the following privacy rights:
- The right to confirm whether a controller is processing the consumer’s personal information and to access that information;
- The right to correct inaccurate personal information;
- The right to delete personal information;
- The right to obtain a copy of the consumer’s personal information in a portable format that allows the consumer to transmit that personal information to another controller;
- The right to request additional information if a business sells or discloses personal information;
- The right to opt out of sales of personal information; and
- The right to not be discriminated against based upon the exercise of privacy rights.
A business that receives a request to exercise privacy rights must comply with such a request unless an exception applies. Finally, consumers have the right to appeal any decision that has been made by the business with respect to the privacy rights request.
Tennessee Information Protection Act Privacy Policy requirements
The Tennessee Information Protection Act requires businesses that need to comply with this law to have an accessible, clear and meaningful Privacy Policy that includes the following disclosures:
- The categories of personal information processed;
- The purpose for processing the personal information;
- How consumers may exercise their privacy rights;
- How consumers may appeal a decision made with regard to their privacy rights request;
- The categories of personal information sold to third parties, if any;
- The categories of third parties, if any, to whom the controller sells the personal information; and
- A list of the privacy rights provided to consumers.
Penalties for failure to comply with Tennessee’s new privacy law
TIPA will be enforced exclusively by the Tennessee Attorney General who may bring an action in court seeking any of the following relief:
- Declaratory judgment that a practice violates TIPA;
- Injunctive relief, including preliminary and permanent injunctions;
- Civil penalties;
- Reasonable attorneys’ fees and investigative costs; or
- Other relief that the court deems to be appropriate.
The civil penalties for violations of TIPA are high, up to $15,000 per violation. In this case, per violation may mean per website visitor whose privacy rights were violated, which can lead to substantial penalties.
Termageddon’s plan for TIPA
We will continue to monitor TIPA and any rules and regulations of the law and will inform all of our clients of Privacy Policy updates as appropriate prior to the effective date of the law. If you do not currently have a Privacy Policy with Termageddon and do not have a plan to keep up to date with changes such as this one, make sure to check out our Privacy Policy generator, which includes automatic updates.
