What is the Tennessee Information Protection Act?
The Tennessee Information Protection Act, commonly known as TIPA, is a state consumer data privacy law designed to safeguard residents’ personal information. It grants Tennessee consumers rights over their personal information, imposes obligations on the controllers and processors that handle it (including reasonable data security practices, data protection assessments for higher-risk processing, and consent before processing sensitive data), and sets penalties for non-compliance. TIPA takes effect July 1, 2025.
How is personal information (PII) defined by the regulation?
The Tennessee Information Protection Act defines personal information as information that is linked or reasonably linkable to an identified or identifiable natural person. The definition excludes deidentified data, aggregate data, and publicly available information.
TIPA also defines “sensitive data” as a subset of personal information: personal information that reveals racial or ethnic origin, religious beliefs, a mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; genetic or biometric data processed for the purpose of uniquely identifying a natural person; personal information collected from a known child; and precise geolocation data.
Tennessee consumer rights
The Tennessee Information Protection Act (TIPA) grants consumers rights over their personal information: to confirm whether a controller is processing it, to access it, to correct inaccuracies, to delete it, and to obtain a copy of it in a portable format. Consumers can also opt out of the sale of their personal information, of targeted advertising, and of profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer. Furthermore, TIPA requires a controller to obtain the consumer’s consent before processing sensitive data.
Upon receiving a consumer request, controllers must respond within 45 days, with a possible 45-day extension for complex or numerous requests. Similar to the privacy laws in Colorado, Connecticut, Virginia, Iowa, and Indiana, TIPA requires controllers to offer an appeals process for denied requests, and the controller must respond to an appeal within 60 days. If the appeal is denied, the controller must also provide the consumer with an online mechanism, if available, or another method through which the consumer may contact the Tennessee Attorney General and Reporter to submit a complaint.
TIPA does not grant a private right of action. Enforcement authority resides exclusively with the Tennessee Attorney General and Reporter, who may seek civil penalties of up to $7,500 per violation, and courts may award treble damages for willful or knowing violations. Because each violated provision and each affected consumer can count as a separate violation, penalties can accumulate quickly.
Before the Attorney General brings an action, controllers and processors receive written notice of the alleged violation and a 60-day period in which to cure it. Unlike the cure periods in several other state privacy laws, TIPA’s right to cure does not sunset. Failure to cure within that period allows the Attorney General to seek the penalties above.
GDPR vs TIPA: How do they compare?
TIPA (Tennessee Information Protection Act) and GDPR (General Data Protection Regulation) are two distinct data protection laws with some notable differences:
- Jurisdiction: TIPA is a state law in Tennessee, USA, while GDPR is a comprehensive regulation applicable to all EU member states.
- Scope: TIPA primarily focuses on protecting personal information of Tennessee residents, while GDPR applies to the personal data of individuals within the EU, regardless of their residency.
- Enforcement: TIPA grants enforcement authority exclusively to the Tennessee Attorney General and Reporter, while GDPR allows both supervisory authorities and individuals to enforce its provisions through legal action.
- Private Right of Action: TIPA does not provide a private right of action, meaning individuals cannot directly sue for violations, whereas GDPR allows individuals to pursue legal remedies and seek compensation for damages caused by non-compliance.
- Cure Period: TIPA includes a 60-day right-to-cure period, during which controllers and processors can remedy noncompliance, whereas GDPR does not specify a fixed cure period for violations.
- Penalties: TIPA allows the Tennessee Attorney General to impose civil penalties of up to $7,500 per violation, whereas GDPR imposes fines of up to €20 million or 4% of the annual global turnover of the preceding financial year, whichever is higher.
- Territorial Reach: TIPA applies to persons that conduct business in Tennessee or produce products or services targeted to Tennessee residents and that meet its thresholds (more than $25 million in annual revenue, and control or processing of the personal information of at least 175,000 consumers, or of at least 25,000 consumers while deriving more than 50% of gross revenue from the sale of personal information), while GDPR has extraterritorial reach, impacting organizations outside the EU if they offer goods or services to, or monitor the behavior of, individuals in the EU.
What can organizations do to prepare?
To prepare for TIPA compliance, organizations can follow these steps:
- Familiarize yourself: Thoroughly understand the requirements and provisions of the Tennessee Information Protection Act (TIPA) to identify how it applies to your organization.
- Conduct a data audit: Assess the personal information you collect, store, and handle to determine what data falls under TIPA’s purview and ensure its protection.
- Implement security measures: TIPA requires controllers to establish, implement, and maintain reasonable administrative, technical, and physical data security practices appropriate to the volume and nature of the personal information at issue. In practice this means encryption of data at rest and in transit, least-privilege access controls, network segmentation, logging, and regular security assessments.
- Develop policies and procedures: Create data protection policies and procedures that align with TIPA’s requirements, including handling consumer rights requests and appeals within the statutory deadlines, obtaining consent before processing sensitive data, documenting data protection assessments for higher-risk processing such as targeted advertising, sale of personal information, profiling, and sensitive data, and coordinating retention and disposal rules with Tennessee’s separate breach notification law. Maintaining a written privacy program that reasonably conforms to the NIST Privacy Framework provides an affirmative defense under TIPA, so document that program deliberately.
- Train staff and monitor compliance: Educate employees on TIPA’s provisions, their responsibilities regarding data protection, and regularly monitor compliance to ensure adherence to the law’s requirements.
BigID’s Approach to TIPA Compliance
TIPA compliance is an ongoing effort requiring flexible and scalable solutions to fit your organization’s needs. BigID is a next-generation data intelligence platform for privacy, security, and governance that utilizes machine learning and advanced AI for automated deep data discovery and classification. Assess your privacy risk and proactively take steps to protect all your most sensitive enterprise data.
For streamlined compliance with TIPA, schedule a free 1:1 demo with our privacy experts today.