In this compliance guide, we will discuss the following aspects of TIPA:
- Who needs to comply with this new law;
- How the law defines personal data;
- The privacy rights provided to residents of Tennessee;
- The penalties for non-compliance; and
Table of Contents
Who needs to comply with TIPA?
TIPA applies to persons that conduct business in Tennessee or that produce products or services that are targeted to residents of the state and that:
- During a calendar year, control or process the personal information of at least 100,000 residents of Tennessee; or
- Control or process the personal information of at least 25,000 Tennessee residents and derive more than 50% of gross revenue from the sale of personal information.
It is important to note that TIPA applies to businesses that are located in Tennessee, as well as businesses that are not so business in other states must still pay attention to and comply with this law if it applies to them.
How does Tennessee’s privacy law define personal information?
TIPA applies only to businesses that collect the personal information of residents of Tennessee and that meet the criteria above, so it is important to determine whether your business collects personal information as defined by this law. HB1181 defines personal information as “information that identifies, relates to, or describes a particular consumer or is reasonably capable of directly or indirectly associated or linked with, a particular consumer.” While this definition is quite verbose, personal information, as described by this law, includes:
- Identifiers such as name, online identifier, IP address, email address, account name, and social security number;
- Information that identifies, relates to, describes or could be associated with a particular individual such as signature, address, telephone number, employment history, credit card number or bank account number;
- Characteristics of protected classifications under state or federal law (e.g. race or gender);
- Commercial information such as records of products or services bought;
- Biometric data;
- Internet or other electronic activity such as browsing history, search history, and information regarding a particular individual’s interaction with a website, application or advertisement;
- Geolocation data;
- Audio, electronic, visual, thermal, olfactory or similar information;
- Professional or employment-related information;
- Education information; and
- Inferences drawn from the information about to create a profile about a consumer.
What privacy rights are provided to residents of Tennessee by TIPA?
The Tennessee Information Protection Act helps consumers protect their personal information by providing them with the following privacy rights:
- The right to confirm whether a controller is processing the consumer’s personal information and to access that information;
- The right to correct inaccurate personal information;
- The right to delete personal information;
- The right to obtain a copy of the consumer’s personal information in a portable format that allows the consumer to transmit that personal information to another controller;
- The right to request additional information if a business sells or discloses personal information;
- The right to opt out of sales of personal information; and
- The right to not be discriminated against based upon the exercise of privacy rights.
A business that receives a request to exercise privacy rights must comply with such a request unless an exception applies. Finally, consumers have the right to appeal any decision that has been made by the business with respect to the privacy rights request.
- The categories of personal information processed;
- The purpose for processing the personal information;
- How consumers may exercise their privacy rights;
- How consumers may appeal a decision made with regard to their privacy rights request;
- The categories of personal information sold to third parties, if any;
- The categories of third parties, if any, to whom the controller sells the personal information; and
- A list of the privacy rights provided to consumers.
Penalties for failure to comply with Tennessee’s new privacy law
TIPA will be enforced exclusively by the Tennessee Attorney General who may bring an action in court seeking any of the following relief:
- Declaratory judgment that a practice violates TIPA;
- Injunctive relief, including preliminary and permanent injunctions;
- Civil penalties;
- Reasonable attorneys’ fees and investigative costs; or
- Other relief that the court deems to be appropriate.
The civil penalties for violations of TIPA are high, up to $15,000 per violation. In this case, per violation may mean per website visitor whose privacy rights were violated, which can lead to substantial penalties.
Termageddon’s plan for TIPA