Tennessee Gov. Bill Lee on May 11 signed into law House Bill 1181, making Tennessee the eighth state to enact a comprehensive consumer data privacy law, following California, Virginia, Colorado, Utah, Connecticut, Iowa, and Indiana. The law will take effect July 1, 2024.
Under the new law, controllers and processors must create, maintain, and comply with a written privacy program that reasonably conforms to the National Institute of Standards and Technology (NIST) Privacy Framework entitled “A Tool for Improving Privacy through Enterprise Risk Management Version 1.0,” and update the program as the Framework is revised.
The Act applies to persons that conduct business in Tennessee or produce products or services that are targeted to residents of Tennessee and that:
- During a calendar year, control, or process personal information of at least 100,000 consumers; or
- Control or process personal information of at least 25,000 consumers and derive more than 50% of gross revenue from the sale of personal information.
Importantly, the Act exempts financial institutions and affiliates, or data subject to the Gramm-Leach-Bliley Act. Other exemptions include covered entities or business associates governed by the privacy, security, and breach notification rules issued pursuant to the Health Insurance Portability and Accountability Act, and the use of personal information to the extent the activity is regulated by and authorized under the Fair Credit Reporting Act.
Consumers are provided the right to:
- Confirm whether a controller is processing the consumer’s personal information and to access the personal information;
- Correct inaccuracies in the consumer’s personal information;
- Delete personal information provided by or obtained about the consumer;
- Obtain a copy of the consumer’s personal information that the consumer previously provided to the controller;
- Request that a controller that sold personal information about the consumer, or disclosed the information for a business purpose, disclose the:
  - Categories of personal information the business sold;
  - Categories of third parties to which the personal information was sold;
  - Categories of personal information disclosed for a business purpose;
- Opt out of the sale of personal information.
A controller may not process “sensitive data” without a consumer’s consent.
“Sensitive data” includes:
- Personal information revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;
- The processing of genetic or biometric data for the purpose of uniquely identifying a natural person;
- The personal information collected from a known child; or
- Precise geolocation data.
A contract between a controller and a processor must clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, the rights and obligations of both parties, and require that the processor:
- Ensure that each person processing personal information is subject to a duty of confidentiality with respect to the data;
- At the controller’s direction, delete or return all personal information to the controller as requested at the end of the provision of services, unless retention of the personal information is required by law;
- Upon the reasonable request of the controller, make available to the controller all information in its possession necessary to demonstrate the processor’s compliance with the obligations in this part;
- Allow, and cooperate with, reasonable assessments by the controller or the controller’s designated assessor;
- Engage a subcontractor pursuant to a written contract that requires the subcontractor to meet the obligations of the processor with respect to the personal information.
DATA PROTECTION ASSESSMENTS
A controller must conduct and document a data protection assessment if the processing involves:
- Targeted advertising;
- The sale of personal information;
- Certain profiling;
- Sensitive data;
- Activities involving personal information that present a heightened risk of harm to consumers.
The Attorney General has the exclusive authority to enforce the Act. Prior to taking any action, the Attorney General must provide a controller or processor 60 days to cure the violation. In the absence of a cure, civil penalties up to $15,000 may be sought for each violation.
The Tennessee Act is similar to the other non-California data privacy laws recently enacted, though the requirement to have a privacy program based on the NIST Framework is unique.
The Framework was developed by a private-public collaboration that began in 2018, and “is a voluntary tool intended to help organizations identify and manage privacy risk so that they can build innovative products and services while protecting individuals’ privacy.”
For a chart comparing the state comprehensive data privacy acts, and more information and insight from Maurice Wutscher on data privacy and security laws and legislation, click here.