Data Privacy Laws: How Does Tennessee Protect You?
Like many organizations, you probably share private data with third parties. Unfortunately, it only takes a data breach at a single one of those parties to create a ripple effect for the individuals whose data was breached, the party that shared the data (you), and the party responsible for the breach.
Third-party breaches rose 136% last year because of these trends. The federal government has provided several privacy laws to help protect citizens from information abuse and theft, but the risk continues to grow.
State Protection Laws
Individual states have proposed and enacted their own laws governing the collection, use, and final disposition of personal information by organizations, referred to as “controllers” or “processors” of this information. Our great state of Tennessee joined California (CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Indiana (INCDPA), and Iowa (ICDPA) when it unanimously passed and signed the Tennessee Information Protection Act (TIPA) into law on May 11, 2023.
TIPA will officially go into effect on July 1, 2025, giving Tennessee organizations over two years to acclimatize to the coming expectations and changes. TIPA applies to companies that meet all of the following criteria:
- Conduct business in or target Tennessee residents
- Exceed $25 million annual revenue
- Control or process information of 25,000 consumers or more
- Derive more than 50% of their gross revenue from the sale of personal information or control the personal information of at least 175,000 consumers
TIPA requires controllers to obtain clear and affirmative consent when processing sensitive data, which includes:
- Racial or ethnic origin
- Religious beliefs
- Mental or physical health diagnosis
- Sexual orientation
- Citizenship and immigration status
- Genetic and biometric data identifying an individual
- Address location within 1750 feet
- Personal data collected from a person under the age of 13
TIPA provides individual rights for consumers, including the rights to:
- Confirm whether or not a controller is processing their personal information
- Opt out of a controller’s processing of personal information for the purpose of selling the information
- Access their personal information
- Obtain a copy of their information in a portable and readily usable format
- Request that inaccuracies be corrected
- Delete personal data provided by the consumer or obtained by the controller
- Be told the purpose of processing their personal information
- Be informed about consumer rights and the procedures required for appeals
TIPA allows controllers and processors to defend claims for violations if they create, maintain, and comply with a written privacy program that “reasonably conforms” to the current and updated National Institute of Standards and Technology (NIST) Privacy Framework. Controllers in Tennessee are required to grant state residents the right of access, correction, deletion, and portability within 45 days of receiving a request, extendable by an additional 45 days. If a controller denies a consumer’s request and an appeal is filed, the controller must respond within 60 days.
When a law is implemented or amended, it can add to everyone’s workload and create frustration. However, the purpose of TIPA is to protect both consumers and organizations that are trying to conduct legitimate and honest business. With clear expectations and rightful limitations for all parties, healthy business transactions can take place and criminals are hindered.
Even the strongest laws cannot protect us if we neglect to implement and follow them. We must continue to protect all personal information according to federal and state laws. This includes the collection, handling, sharing, and destruction of data.
ShredPro Secure provides secure and compliant shredding throughout Eastern Tennessee. We are NAID AAA Certified and compliant with all federal and state privacy laws. Call us at 865-986-5444 or complete the form on this page for help protecting your customers’ and employees’ personal information.