On May 11, 2023, Tennessee Governor Bill Lee signed into law House Bill 1181, the “Tennessee Information Protection Act,” making Tennessee the eighth state to enact a comprehensive consumer data privacy law, following California, Virginia, Colorado, Utah, Connecticut, Iowa, and Indiana. The law will take effect July 1, 2024.
Applicability
The Act applies to persons that conduct business in Tennessee or produce products or services that are targeted to residents of Tennessee and that:
- During a calendar year, control, or process personal information of at least 100,000 consumers; or
- Control or process personal information of at least 25,000 consumers and derive more than 50% of gross revenue from the sale of personal information.
Exemptions
Importantly, the Act exempts financial institutions and affiliates, and data subject to the Gramm-Leach-Bliley Act (GLBA). Other exemptions include covered entities or business associates governed by the privacy, security, and breach notification rules issued pursuant to the Health Insurance Portability and Accountability Act, and the use of personal information to the extent the activity is regulated by and authorized under the Fair Credit Reporting Act.
Consumer Rights
Consumers are provided the right to:
- Confirm whether a controller is processing the consumer’s personal information and to access the personal information;
- Correct inaccuracies in the consumer’s personal information;
- Delete personal information provided by or obtained about the consumer;
- Obtain a copy of the consumer’s personal information that the consumer previously provided to the controller;
- Request that a controller that sold personal information about the consumer, or disclosed the information for a business purpose, disclose the:
a) Categories of personal information the business sold;
b) Categories of third parties to which the personal information was sold;
c) Categories of personal information disclosed for a business purpose;
- Opt out of the sale of personal information.
Sensitive Data
A controller may not process “sensitive data” without a consumer’s consent. “Sensitive data” includes:
- Personal information revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;
- The processing of genetic or biometric data for the purpose of uniquely identifying a natural person;
- The personal information collected from a known child; or
- Precise geolocation data.
Contract Requirements
A contract between a controller and a processor must clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, the rights and obligations of both parties, and require that the processor:
- Ensure that each person processing personal information is subject to a duty of confidentiality with respect to the data;
- At the controller’s direction, delete or return all personal information to the controller as requested at the end of the provision of services, unless retention of the personal information is required by law;
- Upon the reasonable request of the controller, make available to the controller all information in its possession necessary to demonstrate the processor’s compliance with the obligations in this part;
- Allow, and cooperate with, reasonable assessments by the controller or the controller’s designated assessor;
- Engage a subcontractor only pursuant to a written contract that requires the subcontractor to meet the obligations of the processor with respect to the personal information.
Data Protection Assessments
A controller must conduct and document a data protection assessment if the processing involves:
- Targeted advertising;
- The sale of personal information;
- Certain profiling;
- Sensitive data;
- Activities involving personal information that present a heightened risk of harm to consumers.
Privacy Program
Controllers and processors must create, maintain, and comply with a written privacy program that reasonably conforms to the National Institute of Standards and Technology (“NIST”) Privacy Framework (“Framework”) entitled “A Tool for Improving Privacy through Enterprise Risk Management Version 1.0,” and update the program as the Framework is revised.
Enforcement
The Attorney General has the exclusive authority to enforce the Act. Prior to taking any action, the Attorney General must provide a controller or processor 60 days to cure the violation. In the absence of a cure, civil penalties up to $15,000 may be sought for each violation.
RMAI encourages its members to forward this Member Alert to those within their organization who are responsible for operations, compliance, and legal matters.
This Member Alert is intended for members of the Receivables Management Association International, is for informational purposes only, and is in no way intended to provide legal advice. Members are encouraged to consult with an attorney of their choice for legal advice concerning this matter.