The Tennessee governor has signed Tennessee’s comprehensive privacy law, which as we have indicated will go into effect July 1, 2025. As initially proposed, the law would have been effective July 1, 2024, and would have required companies have a written privacy program compliant with NIST’s privacy framework. That obligation -which is unlike that which exists in any other state’s general privacy law- has been toned down in the final version signed by the governor.
Tennessee, like other states, has no right of action for violations of the law, but does provide statutory penalties of up to $7,500 per violation. Before initiating an enforcement action, the attorney general must first give companies written notice and 60 days to cure the violation. Tennessee’s law for the most part merely expands existing comprehensive law obligations onto their states’ citizens. There are two notable exceptions:
-
NIST – An Affirmative Defense. Companies who violate the Tennessee law will have an affirmative defense if they have a “written privacy policy” that “reasonably conforms” with the NIST privacy framework or if they otherwise have documented policies and procedures “designed to safeguard consumer privacy.” While a written privacy program is no longer required under the law as finally signed, it mirrors other states in requiring that companies have “reasonable” administrative and technical practices to protect the “confidentiality, integrity and accessibility” of personal information (47-18-3204(a)(3)).
-
Applicability: The law has higher thresholds than many of the other states. First, it applies only to those who do business in the state and have revenues of over $25,000,000. In addition, for the law to apply, companies must also either (1) control or process information of 175,000 or more state residents during a calendar year or (2) control or process personal information of 25,000 or more state residents and get over 50% of gross revenue from the sale of personal information. As with other states, the law does not apply to those regulated by HIPAA or GLBA. It also does not apply to non-profit entities or “institutions of higher education,” among other exceptions.
Tennessee’s law otherwise fairly closely mirrors that in other states. Namely:
-
Notice. As in other states, companies will need a privacy policy that outline the categories of data being processed, the purpose, categories of data being sold or shared, and provide consumers with information about exercising their consumer rights.
-
Consumer Rights. Tennessee will require, like others, that companies give state residents rights of access, correction, deletion, and portability (within 45 days, extendable by 45 additional days). Companies need only provide portability to information the consumer provided. As is the case elsewhere, companies also have to let consumers opt out of sale, targeted advertising and profiling (the last of which if it has “legal or other similarly significant” effects). Tennessee has a broad impact assessment requirement, applying to entities that engage not only in selling or profiling, but also targeted advertising. Tennessee follows California and Connecticut, with “sale” including both a monetary exchange, as well as an exchange of personal data for “other valuable consideration.” Disclosures to affiliates or as part of a sale or merger are expressly excluded from the definition of sale.
-
Data Minimization. Like Colorado and Connecticut, companies will need to limit their collection and processing to information that is reasonably necessary and proportionate to the purpose for which it was collected.
-
Sensitive Personal Data. Businesses in Tennessee -as with Colorado, Connecticut and Virginia- must obtain consent before processing consumer’s sensitive information. Sensitive data includes not only elements like race, ethnicity, religion, sexual orientation, or medical diagnoses, but also biometric information and precise geolocation.
-
Contracts. As we reported for Indiana, TIPA will require contractual obligations that are very similar to other US state comprehensive privacy laws.
Putting It Into Practice: While mostly following other states, Tennessee’s privacy program provisions serve as a reminder to think about documenting and ensuring compliance with privacy laws more generally. While many may find that -even when the law does go into effect in 2025- they do not meet its thresholds, it is possible that other states may begin to mirror these new provisions.
Kathryn Smith also contributed to this article.