The Tennessee Information Protection Act (TIPA) Overview

This overview of the Tennessee Information Protection Act (TIPA) covers the legislation signed into law on May 11, 2023. TIPA applies to businesses meeting specific criteria, including annual revenue exceeding $25 million and the control or processing of personal information of a substantial number of Tennessee consumers. Key provisions of the act include a safe harbor for maintaining a written privacy program conforming to NIST frameworks, civil penalties for violations, and consumer rights such as accessing, correcting, and deleting personal data. With a lengthy compliance period, businesses have until July 1, 2025, to adhere to TIPA’s requirements, which encompass data security, non-discrimination, and the establishment of data minimization practices. Controllers must also disclose their data processing purposes and practices to consumers through clear and accessible privacy notices.
Overview
The Tennessee Information Protection Act (TIPA) is a comprehensive state privacy law that was signed into law on May 11, 2023. Designed to protect the personal information of Tennessee consumers, TIPA introduces key provisions and requirements for businesses operating in the state. This article will provide an in-depth overview of the key provisions of TIPA, including scope, safe harbor provisions, exemptions, civil penalties, the cure period, compliance deadline, personal information coverage, applicability to controllers and processors, consumer rights, and responsibilities and obligations.
Key Provisions
Scope of TIPA
TIPA applies to businesses that meet certain criteria. Specifically, the law applies to businesses that have annual revenue exceeding $25 million and that control or process the personal information of 175,000 or more Tennessee consumers. This scope ensures that larger businesses that handle significant amounts of personal information are subject to TIPA’s provisions.
Safe Harbor Provision
One important provision of TIPA is the safe harbor provision. Under this provision, businesses can demonstrate compliance with TIPA by maintaining a written privacy program that conforms to the National Institute of Standards and Practices (NIST) framework. By aligning their privacy practices with this recognized framework, businesses can ensure they meet the requirements of TIPA and protect consumer data.
Exemptions
There are certain exemptions to TIPA. Notably, insurance companies licensed in Tennessee are exempt from the provisions of the law. This exemption recognizes the unique regulatory landscape of the insurance industry and allows for separate privacy regulations to govern these entities.
Civil Penalties
TIPA establishes civil penalties for violations of its provisions. Businesses found in violation of TIPA can face penalties of up to $7,500 per violation. In cases of willful or knowing violations, treble damages may be awarded, further emphasizing the seriousness of non-compliance with the law.
Cure Period
Unlike many other state privacy laws, TIPA includes a cure period. This means that businesses have a designated period of time to correct violations before penalties are imposed. The cure period for TIPA is 60 days, which allows businesses ample opportunity to rectify any non-compliance before facing penalties.
Compliance Deadline
To ensure businesses have sufficient time to understand and implement the requirements of TIPA, a compliance deadline is established. This compliance deadline provides businesses with over two years to comply with the provisions of the law. Specifically, TIPA takes effect on July 1, 2025, allowing for a reasonable timeframe for businesses to implement the necessary changes to their privacy practices.
Personal Information Coverage
TIPA defines personal information as any information that is linked or reasonably linkable to an identified or identifiable person. This definition is broad and encompasses a wide range of data that can be used to identify an individual. Additionally, TIPA includes sensitive data within the scope of personal information. Sensitive data includes information such as race, religion, health information, and precise geolocation data, further highlighting the comprehensive nature of the law.
Applicability to Controllers and Processors
TIPA applies to both data controllers and processors. This ensures that all parties involved in the handling and processing of personal information are subject to the requirements and obligations outlined in the law. Controllers are responsible for establishing data minimization practices, ensuring data security, and not discriminating against consumers. Additionally, controllers must enter into agreements with processors that clearly outline their responsibilities and obligations.
Consumer Rights
TIPA provides robust consumer rights, ensuring that individuals have control over their personal information. These rights include the right to access and correct personal data, delete personal data, obtain a copy of personal data, and opt out of certain processing. By affording individuals these rights, TIPA empowers consumers to have a greater say in how their personal information is handled and processed.
Responsibilities and Obligations
Alongside the consumer rights established by TIPA, there are also responsibilities and obligations placed on businesses. These responsibilities include establishing clear and accessible privacy notices, disclosing data processing purposes and practices to consumers, and obtaining appropriate consent for data processing activities. By imposing these responsibilities, TIPA ensures that businesses are accountable and transparent in their handling of personal information.
Scope of TIPA
Applicability to Businesses
TIPA applies to businesses that meet specific criteria outlined in the law. To be subject to TIPA, a business must have annual revenue exceeding $25 million and control or process the personal information of 175,000 or more Tennessee consumers. This scope ensures that businesses handling significant amounts of personal information are included within the requirements of TIPA.
Annual Revenue Threshold
The annual revenue threshold of $25 million ensures that TIPA applies to larger businesses that have the resources to implement the necessary privacy measures. This threshold recognizes that businesses of this size have a greater impact on consumer privacy and should be subject to the provisions of the law.
Number of Tennessee Consumers
In addition to the annual revenue threshold, TIPA also considers the number of Tennessee consumers a business handles. Specifically, the law applies to businesses that control or process the personal information of 175,000 or more Tennessee consumers. This provision recognizes that businesses with a large consumer base pose a higher risk to privacy and should therefore be subject to the requirements of the law.
Safe Harbor Provision
Requirement for a Written Privacy Program
TIPA includes a safe harbor provision that allows businesses to demonstrate compliance with the law through a written privacy program. This written program must detail the privacy practices and policies implemented by the business to protect consumer data. By meeting the requirements outlined in the safe harbor provision, businesses can ensure they have met the necessary standards for compliance with TIPA.
Conformance to NIST Framework
To qualify for the safe harbor provision, the written privacy program must conform to the National Institute of Standards and Practices (NIST) framework. This framework provides a recognized set of guidelines and best practices for privacy and security. By aligning their privacy program with the NIST framework, businesses can demonstrate that they have implemented effective measures to protect consumer data and meet the requirements of TIPA.
Exemptions
Insurance Companies Licensed in Tennessee
TIPA includes specific exemptions for insurance companies licensed in Tennessee. These entities are exempt from the provisions of the law, recognizing the existing privacy regulations and oversight within the insurance industry. This exemption allows for separate regulations to govern the privacy practices of insurance companies, ensuring they are subject to appropriate regulatory frameworks.
Civil Penalties
Penalties for Violations
Violations of TIPA can result in civil penalties for businesses found to be non-compliant with the law. The penalties for violations can be up to $7,500 per violation. This significant penalty highlights the importance of compliance with TIPA and the seriousness with which non-compliance is treated.
Treble Damages for Willful or Knowing Violations
In cases where violations of TIPA are found to be willful or knowing, treble damages may be awarded. Treble damages are damages awarded at three times the amount of the actual damages suffered. This provision further emphasizes the importance of compliance and acts as a deterrent against intentional or knowing violations of the law.
Cure Period
Length of Cure Period
TIPA includes a cure period, allowing businesses a designated time to rectify any violations before penalties are imposed. The cure period for TIPA is 60 days, providing businesses with ample time to identify and correct any non-compliance issues. This cure period is one of the longest among state privacy laws, emphasizing the importance of giving businesses an opportunity to remedy any violations and encouraging a culture of compliance.
Compliance Deadline
Timeframe for Compliance
To ensure businesses have sufficient time to understand and implement the provisions of TIPA, a compliance deadline is established. Businesses have over two years to comply with TIPA, as the law takes effect on July 1, 2025. This timeframe allows businesses to carefully assess their current privacy practices, make any necessary changes, and implement the requirements of TIPA in an efficient and effective manner.
Personal Information Coverage
Definition of Personal Information
TIPA defines personal information as any information that is linked or reasonably linkable to an identified or identifiable person. This definition is broad and includes a wide range of data that can be used to identify an individual. By adopting this comprehensive definition, TIPA ensures that a wide variety of data falls within the scope of the law’s protections.
Inclusion of Sensitive Data
TIPA goes beyond simply covering general personal information and includes sensitive data within its scope. Sensitive data includes information such as race, religion, health information, and precise geolocation data. By recognizing the unique challenges presented by sensitive data, TIPA ensures that this information is afforded an extra level of protection and safeguards.
Data Controllers and Processors
TIPA applies to both data controllers and processors. Data controllers are those who determine the purposes and means of processing personal information, while processors handle personal information on behalf of the data controller. By including both controllers and processors in the scope of the law, TIPA ensures that all parties involved in the handling and processing of personal information are subject to its requirements and obligations.
Appendix
Entities and Data Exemptions
TIPA includes provisions for certain entities and types of data exemptions. Specifically, government entities, nonprofits, insurance companies licensed in Tennessee, and data processed in the course of employment are exempt from certain provisions of TIPA. These exemptions recognize the unique circumstances and regulatory environments in which these entities operate and provide appropriate exceptions to the requirements of the law.
Requirements for Privacy Notices
TIPA includes requirements for privacy notices that businesses must provide to consumers. These privacy notices must be clear, accessible, and disclose the purposes and practices of data processing. By requiring businesses to provide transparent and easily understandable privacy notices, TIPA ensures that consumers have the information they need to make informed decisions about the use of their personal information.