In March 2021, the “Tennessee Information Protection Act” was proposed in the Tennessee State House of Representatives as an amendment to an existing bill dealing with campaign finance disclosures. The 27-page proposed amendment incorporated many provisions similar to those found in the CCPA, CDPA, and CPA, with an overall goal of protecting the data privacy of Tennessee consumers. Although it did not make it into the final bill, the text of the proposed amendment provides valuable insight into what can be expected from a future Tennessee data privacy law.
Who would be subject to the Tennessee Information Protection Act?
As written, the Tennessee Information Protection Act would apply to for-profit businesses (or the entity that controls them) that:
- Do business in Tennessee, and
- Collect personal information about consumers, and
- Determine the purpose and means of processing this data, and
- Meet one of the following criteria:
  - Has global annual gross revenues in excess of twenty-five million dollars ($25,000,000), as adjusted in January of every odd-numbered year to reflect an increase in the consumer price index;
  - Annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, the personal information of fifty thousand (50,000) or more consumers, households, or devices; or
  - Derives fifty percent (50%) or more of its global annual revenues from selling or sharing personal information about consumers.
Business Obligations and Consumer Rights Under the Proposed Act
The obligations of businesses that fall under the proposed Act’s purview, and the rights of consumers it aims to protect, are similar to those in other state laws like the CCPA. Businesses would be required to disclose any personal information that will be collected, as well as how the business plans to use it. Additionally, the business must maintain an online privacy policy, make the policy available on its website, and update the policy at least once every twelve months.
Additionally, Tennesseans would have the right to “opt-out” of the sale or sharing of their information to third parties (through a “Do Not Sell or Share My Personal Information” link), the right to request a copy of their personal data, the right to have their data deleted or corrected, and the right to have information concerning any data sold or shared. Businesses must provide two or more methods for submitting consumer requests to exercise these rights, including, but not limited to, a toll-free telephone number and a link on the homepage of the website (if the business maintains one). Businesses would have 45 days to respond to the request. This period can be extended by 30 days if reasonably necessary, but only after notice and explanation to the consumer. No contracts (such as website terms of use) can waive any consumer rights, and the Act provides that any such attempt would be found void and unenforceable.
Furthermore, businesses subject to the Act would not be allowed to discriminate against a consumer simply because they exercised any of these rights. Discrimination in this context means denying goods or services, charging different prices or rates, or providing different quality of goods or services. However, this provision can be fairly easily circumvented under the Act if the difference in product or service is reasonably related to the value provided to the business by the consumer’s data.
Exceptions
Like the other state laws, numerous exceptions were written into the proposed Tennessee Information Protection Act. These exceptions would provide an “out” for businesses when necessary to comply with other federal or state laws (HIPAA, GLBA, FCRA, etc.), cooperate with law enforcement, process deidentified information (with appropriate safeguards and processes), or handle employee information.
Enforcement Mechanisms
The Act provides both a private right of action as well as a government enforcement mechanism. Under the private right, “[a] consumer whose nonencrypted and nonredacted personal information or email address, in combination with a password or security question and answer that would allow access to the account, is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of a business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may bring a civil action for:
- Damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred fifty dollars ($750) per consumer per incident or actual damages, whichever is greater; and
- Injunctive or declaratory relief, as the court deems proper.”
Under the government enforcement mechanism, if the Tennessee attorney general believes that a business has violated the Act, and a proceeding would be in the public interest, he may bring an action and may seek a civil penalty of not more than two thousand five hundred dollars ($2,500) for each unintentional violation or seven thousand five hundred dollars ($7,500) for each intentional violation. If the violation involves someone under sixteen years of age, then these damages are tripled. However, a business would be given 30 days’ written notice to cure any alleged non-compliance before such action is brought.
Moving Forward
We likely won’t see the Tennessee Information Protection Act (or a similar bill) pass in this exact form. However, it still serves as a strong indication of what we can expect in a future bill. Additionally, it shows that the topic is on the legislature’s radar. When speaking on the amendment, co-sponsors Johnny Garrett and Mike Bell commented:
“Anytime we interact on websites, social media or apps we leave behind personal information that is sold for profit to groups that use it to market their products, ideas or beliefs with targeted ads and we, as consumers, are left in the dark about this practice,” – House Majority Whip Johnny Garrett
“This bill has important privacy provisions that give consumers more information so they can make informed choices that will protect their data.” – Senate Judiciary Chairman Mike Bell