‘Tennessee Information Protection Act’ with NIST Security Standards Enacted

Tennessee Gov. Bill Lee on May 11 signed into law House Bill 1181, making Tennessee the eighth state to enact a comprehensive consumer data privacy law, following California, Virginia, Colorado, Utah, Connecticut, Iowa, and Indiana. The law will take effect July 1, 2024.


Under the new law, controllers and processors must create, maintain, and comply with a written privacy program that reasonably conforms to the National Institute of Standards and Technology (NIST) Privacy Framework entitled “A Tool for Improving Privacy through Enterprise Risk Management Version 1.0,” and update the program as the Framework is revised.   


The Act applies to persons that conduct business in Tennessee or produce products or services that are targeted to residents of Tennessee and that:

  1. During a calendar year, control or process personal information of at least 100,000 consumers; or
  2. Control or process personal information of at least 25,000 consumers and derive more than 50% of gross revenue from the sale of personal information.

Importantly, the Act exempts financial institutions and affiliates, or data subject to the Gramm-Leach-Bliley Act. Other exemptions include covered entities or business associates governed by the privacy, security, and breach notification rules issued pursuant to the Health Insurance Portability and Accountability Act, and the use of personal information to the extent the activity is regulated by and authorized under the Fair Credit Reporting Act.


Consumers are provided the right to:

  1. Confirm whether a controller is processing the consumer’s personal information and to access the personal information;
  2. Correct inaccuracies in the consumer’s personal information;
  3. Delete personal information provided by or obtained about the consumer;
  4. Obtain a copy of the consumer’s personal information that the consumer previously provided to the controller;
  5. Request that a controller that sold personal information about the consumer, or disclosed the information for a business purpose, disclose the:
    1. Categories of personal information the business sold;
    2. Categories of third parties to which the personal information was sold;
    3. Categories of personal information disclosed for a business purpose;
  6. Opt out of the sale of personal information.

A controller may not process “sensitive data” without a consumer’s consent.

“Sensitive data” includes:

  1. Personal information revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;
  2. The processing of genetic or biometric data for the purpose of uniquely identifying a natural person;
  3. The personal information collected from a known child; or
  4. Precise geolocation data.


A contract between a controller and a processor must clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, the rights and obligations of both parties, and require that the processor:

  1. Ensure that each person processing personal information is subject to a duty of confidentiality with respect to the data;
  2. At the controller’s direction, delete or return all personal information to the controller as requested at the end of the provision of services, unless retention of the personal information is required by law;
  3. Upon the reasonable request of the controller, make available to the controller all information in its possession necessary to demonstrate the processor’s compliance with the obligations in this part;
  4. Allow, and cooperate with, reasonable assessments by the controller or the controller’s designated assessor;
  5. Engage a subcontractor pursuant to a written contract that requires the subcontractor to meet the obligations of the processor with respect to the personal information.

A controller must conduct and document a data protection assessment if the processing involves:

  1. targeted advertising;
  2. the sale of personal information;
  3. certain profiling;
  4. sensitive data;
  5. activities involving personal information that present a heightened risk of harm to consumers.

The Attorney General has the exclusive authority to enforce the Act. Prior to taking any action, the Attorney General must provide a controller or processor 60 days to cure the violation. In the absence of a cure, civil penalties up to $15,000 may be sought for each violation.


The Tennessee Act is similar to the other non-California data privacy laws recently enacted, though the requirement to have a privacy program based on the NIST Framework is unique.

The Framework was developed by a private-public collaboration that began in 2018, and “is a voluntary tool intended to help organizations identify and manage privacy risk so that they can build innovative products and services while protecting individuals’ privacy.”

For a chart comparing the state comprehensive data privacy acts, and more information and insight from Maurice Wutscher on data privacy and security laws and legislation, click here.

Photo: Cindy Miller Hopkins/Danita Delimont/

Eric Rosenkoetter is a principal at Maurice Wutscher LLP, where he provides counsel to businesses and consumer financial services firms nationwide. For many years, he has focused his practice on various aspects of financial services law. As a litigation attorney, he has conducted every aspect of the litigation process, including countless depositions, motion proceedings, bench and jury trials, and appeals in various courts. In addition, he has significant experience as a compliance and transactional attorney, providing strategic, business growth, legislative, compliance and regulatory advice to national corporations and trade associations. For example, he has drafted consumer contracts and disclosures designed to state-specific statutory requirements, and developed “Best Practices” guides and state-by-state compliance grids, for national financial services companies. He also conducted research and crafted a metrics report for a national trade association with analysis designed to counter the claims of advocacy groups. Eric’s experience also includes working for a national corporation as Executive Counsel, Chief Compliance and Ethics Officer, and Director of Legislative Affairs, and as a federal lobbyist and Director of Government and Public Affairs for a national financial services trade association. In the government sector, Eric presided over approximately 6,000 state administrative hearings, served as a staff attorney for the Missouri Senate, and handled litigation in 33 counties as a regional managing attorney. Eric frequently speaks to audiences on topics relevant to the financial services industry including regulatory compliance, data privacy law and related advocacy initiatives. For more information, see
