{"id":4743,"date":"2023-05-18T05:33:00","date_gmt":"2023-05-18T11:33:00","guid":{"rendered":"https:\/\/trustarc.com\/?post_type=resource&#038;p=4743"},"modified":"2024-10-08T13:01:02","modified_gmt":"2024-10-08T19:01:02","slug":"tennessee-information-protection-act-background-brief","status":"publish","type":"resource","link":"https:\/\/trustarc.com\/resource\/tennessee-information-protection-act-background-brief\/","title":{"rendered":"Background Brief: Tennessee Information Protection Act"},"content":{"rendered":"\t\t<section id=\"block_870110a8cd1d23b6e0ad3d7c0486f70e\" class=\"resource-intro intro-simple\">\n\t\t\t<div class=\"container\">\n\t\t\t\t\t\t\t\t\t<strong class=\"sub-title block uppercase\">article<\/strong>\n\t\t\t\t\t\t\t\t\t\t<h1>Background Brief: Tennessee Information Protection Act<\/h1>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\n\n\t<section id=\"block_591de863b4755e589cc138edeede2432\" class=\"columns-content\">\n\t\t<div class=\"container\">\n\t\t\t<div class=\"left\">\n\t\t\t\t\t\t\t<\/div>\n\t\t\t<div class=\"middle\">\n\t\t\t\t<div class=\"content\">\n\t\t\t\t\t<p>Tennessee legislators gave businesses more than two years to prepare for compliance with the <a href=\"https:\/\/legiscan.com\/TN\/text\/SB0073\/id\/2817209\/Tennessee-2023-SB0073-Chaptered.pdf\" target=\"_blank\" rel=\"noopener\">Tennessee Information Protection Act<\/a> in one of the longest lead times between a comprehensive consumer data privacy law passing and becoming enforceable. Governor Bill Lee signed the Act into law on May 11, 2023, and it is effective from July 1, 2025.<\/p>\n<p>The name of the Act offers a clue-by-omission of the word \u2018consumer\u2019, indicating this privacy law, compared to other privacy laws in states such as California and Colorado, is more business-friendly. It doesn\u2019t cover fairly common consumer data rights, such as support of universal opt-out mechanisms (e.g. Global Privacy Control) and where it does offer opt-out from sale or targeted advertising the caveats allow companies to continue serving most cookies used for targeted ads.<\/p>\n<h2>Key dates: Tennessee Data Privacy Law<\/h2>\n<ul>\n<li>January 4, 2023 \u2013 <a href=\"https:\/\/legiscan.com\/TN\/bill\/SB0073\/2023\" target=\"_blank\" rel=\"noopener\">Senate Bill 73<\/a>, \u201cTennessee Information Protection Act\u201d, is introduced to the Tennessee Senate and passed on First Consideration.<\/li>\n<li>January 31, 2023 \u2013 <a href=\"https:\/\/legiscan.com\/TN\/bill\/HB1181\/2023\" target=\"_blank\" rel=\"noopener\">House Bill 1181<\/a>, a cross-filing of SB73, is introduced in Tennessee\u2019s House of Representatives. It is then assigned to the subcommittee for Banking &amp; Commerce on February 7, 2023.<\/li>\n<li>March 10, 2023 \u2013 SB73 is sent to the Senate Committee for Commerce and Law.<\/li>\n<li>March 21, 2023 \u2013 Tennessee\u2019s Senators vote 9-0 to recommend passage of the Information Protection Act.<\/li>\n<li>April 10, 2023 \u2013 Tennessee\u2019s Representatives unanimously vote 90-0 in favor of the bill.<\/li>\n<li>May 5, 2023 \u2013 Tennessee\u2019s House of Representatives transmits the bill to the Governor for signing.<\/li>\n<li>May 11, 2023 \u2013 Governor Bill Lee signs the Tennessee Information Protection Act into law.<\/li>\n<li>May 12, 2023 \u2013 Consumer Reports, a consumer rights advocacy group headquartered in New York, issues a <a href=\"https:\/\/advocacy.consumerreports.org\/press_release\/consumer-reports-calls-on-tennessee-to-improve-new-privacy-law-for-consumers\/\" target=\"_blank\" rel=\"noopener\">media release calling on Tennessee to improve the new privacy law for consumers<\/a>, claiming the law <em>\u201cincludes numerous loopholes that undercut its protections\u201d.<\/em> Matt Schwartz, policy analyst at Consumer Reports, is quoted as saying: <em>\u201cThe definitions of sale and targeted advertising, as well as the pseudonymous data exemption and enforcement framework, should all be reworked to provide Tennessee consumers the protections they deserve. Aside from that, privacy legislation, at a minimum, should include an easy way to opt-out of data sales and tracking, such as through a universal opt-out mechanism.\u201d<\/em><\/li>\n<li>May 2, 2024 \u2013 Governor Lee signs the state\u2019s <a href=\"https:\/\/www.capitol.tn.gov\/Bills\/113\/Amend\/SA0929.pdf\" target=\"_blank\" rel=\"noopener\">Protecting Children from Social Media Act<\/a>, which requires social media companies to prohibit children from becoming or continuing as account holders unless they get verified and express consent from their parents.<\/li>\n<li>July 1, 2025 \u2013 The Tennessee Information Protection Act becomes enforceable.<\/li>\n<\/ul>\n<h2>Tennessee consumer rights: Personal data<\/h2>\n<p>The <a href=\"https:\/\/legiscan.com\/TN\/text\/SB0073\/id\/2817209\/Tennessee-2023-SB0073-Chaptered.pdf\" target=\"_blank\" rel=\"noopener\">Tennessee Information Protection Act<\/a> defines a consumer as <em>\u201ca natural person who is a resident of this state acting only in a personal context\u201d.<\/em> Like several other U.S. States\u2019 data privacy laws, the definition excludes <em>\u201ca natural person acting in a commercial or employment context\u201d.<\/em><\/p>\n<p>Personal information is also similarly defined as it is in other states\u2019 data privacy laws as <em>\u201cinformation that is linked or reasonably linkable to an identified or identifiable natural person\u201d.<\/em> The text of the Act notes it <em>\u201cdoes not cover publicly available information or de-identified or aggregate consumer information\u201d.<\/em><\/p>\n<p>Tennessee\u2019s data privacy law does not support a universal opt-out mechanism. It also requires consumers to contact each controller individually to exercise their rights. Parents and legal guardians can exercise these rights on behalf of their children. In each case, the person making the request must be authenticated by the controller.<\/p>\n<p>The personal information rights of consumers in Tennessee are:<\/p>\n<ul>\n<li><strong>Right to confirm (right to know)<\/strong> whether a controller is processing their personal information.<\/li>\n<li><strong>Right to access<\/strong> the personal information about them held by a controller.<\/li>\n<li><strong>Right to correct inaccuracies<\/strong> in their personal information. When processing such requests controllers are required to consider the nature of the personal information and the purposes of the processing of the consumer&#8217;s personal information.<\/li>\n<li><strong>Right to delete<\/strong> personal information they have provided or has been obtained about them. The Act states a controller is <em>\u201cnot required to delete information that it maintains or uses as aggregate or de-identified data; provided, that such data in the possession of the controller is not linked to a specific consumer\u201d.<\/em><\/li>\n<li><strong>Right to obtain a copy (portability)<\/strong> of the personal information that the consumer previously provided to the controller. When honoring these requests controllers must provide a copy of the data in a <em>\u201cportable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means\u201d.<\/em><\/li>\n<li><strong>Right to opt-out<\/strong> from having their personal information processed by a controller to sell that information to a third party, targeted advertising or <em>\u201cprofiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer\u201d.<\/em><\/li>\n<\/ul>\n<p>From July 1, 2025, when Tennessee\u2019s data privacy law goes into force, controllers must respond to authenticated consumers\u2019 requests within 45 days, although this timeframe can be extended by another 45 days \u2018when reasonably necessary\u2019, based on the complexity and number of the consumer\u2019s personal information rights requests.<\/p>\n<p>A controller must still inform the consumer of the extension within the initial 45-day period and provide them with a reason for the extension.<\/p>\n<p>A consumer can make requests to exercise their personal information rights up to twice each year for each controller and a controller cannot charge them to provide this information on these two occasions each year.<\/p>\n<p>However, a controller can charge an administrative fee to process these requests from a consumer, or deny these requests, if the controller can show the requests are <em>\u201cmanifestly unfounded, technically infeasible, excessive, or repetitive\u201d.<\/em> <strong>The burden of proof in these cases is on the controller.<\/strong><\/p>\n<p>The Act also prohibits controllers from discriminating against consumers for exercising their personal information rights protected in the law, which means controllers cannot deny goods or services, charge different prices or rates for goods or services, or provide a different level of quality of goods and services to the consumer.<\/p>\n<p>However, the Act states it <em>\u201cdoes not require a controller to provide a product or service that requires the personal information of a consumer that the controller does not collect or maintain, or prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee\u201d.<\/em><\/p>\n<h3>Sensitive personal information<\/h3>\n<p>Although not directly listed under consumers\u2019 rights in the text of the Act, sensitive personal information is protected under \u2018data controller responsibilities\u2019, which restricts controllers from processing <em>\u201csensitive data concerning a consumer without obtaining the consumer&#8217;s consent, or, in the case of the processing of sensitive data concerning a known child, without processing the data in accordance with the federal <a href=\"\/regulations\/coppa\/\">Children&#8217;s Online Privacy Protection Act (COPPA)<\/a> and its implementing regulations\u201d.<\/em><\/p>\n<p>The Tennessee Information Protection Act defines <strong>\u2018sensitive data\u2019<\/strong> as a category of information that includes personal information revealing:<\/p>\n<ul>\n<li>Racial or ethnic origin<\/li>\n<li>Religious beliefs<\/li>\n<li>Mental or physical health diagnosis<\/li>\n<li>Sexual orientation<\/li>\n<li>Citizenship or immigration status<\/li>\n<\/ul>\n<p><strong>The definition also covers:<\/strong><\/p>\n<ul>\n<li>Processing of genetic or biometric data that is processed for the purpose of uniquely identifying a natural person<\/li>\n<li>Personal information collected from a known child<\/li>\n<li>Precise geolocation data (defined as <em>\u201cinformation derived from technology, including, but not limited to, global positioning system level latitude and longitude coordinates or other mechanisms, that directly identifies the specific location of a natural person with precision and accuracy within a radius of 1,750 fifty feet and not include the content of communications or data generated by or connected to advanced utility metering infrastructure systems or equipment for use by a utility\u201d.<\/em>)<\/li>\n<\/ul>\n<h2>Does the Tennessee Information Protection Law apply to your organization?<\/h2>\n<p>The scope of the Tennessee Information Protection Act covers anyone that conducts business in the state by <em>\u201cproducing products or services that target residents\u201d<\/em> of Tennessee and:<\/p>\n<ul>\n<li>Earns more than $25 million in revenue<\/li>\n<\/ul>\n<p>AND<\/p>\n<ul>\n<li>Controls or processes personal information of at least 25,000 consumers and derives more than 50% of gross revenue from the sale of personal information<\/li>\n<\/ul>\n<p>OR<\/p>\n<ul>\n<li>During a calendar year controls or processes personal information of at least 175,000 consumers.<\/li>\n<\/ul>\n<h3>Exempted organizations under Tennessee\u2019s Information Protection Act<\/h3>\n<p>Tennessee\u2019s data protection law does not apply to the following types of organizations:<\/p>\n<ul>\n<li>A body, authority, board, bureau, commission, district or agency of Tennessee or a political subdivision of the state;<\/li>\n<li>Financial institutions, their affiliates or data subject to the <a href=\"\/regulations\/glba\/\">Gramm-Leach-Bliley Act<\/a>;<\/li>\n<li>Insurance businesses, including individuals, firms, associations, corporations or other entities licensed in Tennessee under Title 56;<\/li>\n<li>Covered entities or business associates governed by the privacy, security and breach notification rules of the federal <a href=\"\/regulations\/hippa-privacy\/\">Health Insurance Portability and Accountability Act (HIPAA)<\/a> and <a href=\"https:\/\/www.hhs.gov\/hipaa\/for-professionals\/special-topics\/hitech-act-enforcement-interim-final-rule\/index.html\" target=\"_blank\" rel=\"noopener\">Health Information Technology for Economic and Clinical Health Act (HITECH)<\/a>;<\/li>\n<li>Nonprofit organizations;<\/li>\n<li>Institutions of higher education;<\/li>\n<li>Controllers and processors that comply with the verifiable parental consent requirements of the federal <a href=\"https:\/\/www.ftc.gov\/legal-library\/browse\/rules\/childrens-online-privacy-protection-rule-coppa\" target=\"_blank\" rel=\"noopener\">Children\u2019s Online Privacy Protection Act 1998 (COPPA)<\/a> are deemed compliant with an obligation to obtain parental consent.<\/li>\n<\/ul>\n<h3>Data exempted from provisions of Tennessee Information Protection Act<\/h3>\n<p>Tennessee\u2019s data protection law also includes exemptions from its provisions for the following categories of data:<\/p>\n<ul>\n<li>Protected health information under HIPAA, including deidentified information;<\/li>\n<li>Health records for purposes of title 68;<\/li>\n<li>Patient identifying information for purposes of 42 U.S.C. (<a href=\"https:\/\/www.govinfo.gov\/content\/pkg\/USCODE-2011-title42\/html\/USCODE-2011-title42-chap117.htm\" target=\"_blank\" rel=\"noopener\">Health Care Quality Improvement Act<\/a>);<\/li>\n<li>Personal information processed or sold as part of research conducted in accordance with the federal policy for the protection of human subjects (<a href=\"https:\/\/www.hhs.gov\/ohrp\/regulations-and-policy\/regulations\/45-cfr-46\/index.html\" target=\"_blank\" rel=\"noopener\">45 CFR 46)<\/a>; human subjects research conducted in accordance with good clinical practice guidelines issued by The International Council for Harmonization of Technical Requirements for Pharmaceuticals for Human Use; or research conducted in accordance with the protection of human subjects (<a href=\"https:\/\/www.ecfr.gov\/current\/title-21\/chapter-I\/subchapter-A\/part-50\" target=\"_blank\" rel=\"noopener\">21 CFR 50<\/a> and <a href=\"https:\/\/www.ecfr.gov\/current\/title-21\/chapter-I\/subchapter-A\/part-56\" target=\"_blank\" rel=\"noopener\">21 CFR 56<\/a>);<\/li>\n<li>Information and documents created for purposes of the federal <a href=\"https:\/\/www.govinfo.gov\/content\/pkg\/USCODE-2011-title42\/html\/USCODE-2011-title42-chap117.htm\" target=\"_blank\" rel=\"noopener\">Health Care Quality Improvement Act<\/a>;<\/li>\n<li>Patient safety work product for purposes of the federal federal <a href=\"https:\/\/www.govinfo.gov\/content\/pkg\/USCODE-2010-title42\/html\/USCODE-2010-title42-chap6A-subchapIII-A-partD-sec290dd-2.htm\" target=\"_blank\" rel=\"noopener\">Patient Safety and Quality Improvement Act<\/a>;<\/li>\n<li>Information collected, maintained, disclosed, sold, communicated or use of personal information under the regulations of the federal <a href=\"https:\/\/www.consumer.ftc.gov\/sites\/default\/files\/articles\/pdf\/pdf-0111-fair-credit-reporting-act.pdf\" target=\"_blank\" rel=\"noopener\">Fair Credit Reporting Act<\/a>;<\/li>\n<li>Personal information collected, processed, sold or disclosed in compliance with the federal <a href=\"https:\/\/www.govinfo.gov\/app\/details\/USCODE-2011-title18\/USCODE-2011-title18-partI-chap123-sec2721\" target=\"_blank\" rel=\"noopener\">Driver\u2019s Privacy Protection Act<\/a>;<\/li>\n<li>Personal information or educational information regulated by the federal <a href=\"\/regulations\/ferpa\/\">Family Educational Rights and Privacy Act<\/a>;<\/li>\n<li>Personal information collected, processed, sold or disclosed in compliance with the federal <a href=\"https:\/\/www.govinfo.gov\/app\/details\/USCODE-2021-title12\/USCODE-2021-title12-chap23-sec2001\" target=\"_blank\" rel=\"noopener\">Farm Credit Act<\/a>;<\/li>\n<li>Personal data used in accordance with the federal Children\u2019s Online Privacy Protection Act 1998 (COPPA);<\/li>\n<li>Personal data that is processed or maintained within an employment or business content, including emergency contact information and administering their benefits for another person;<\/li>\n<li>Information collected as part of public-reviewed or peer-reviewed scientific or statistical research in the public interest;<br \/>\nPersonal information maintained or used for purposes of compliance with the regulation of listed chemicals under the federal <a href=\"https:\/\/uscode.house.gov\/view.xhtml?req=29&amp;f=treesort&amp;num=11212\" target=\"_blank\" rel=\"noopener\">Controlled Substances Act<\/a>.<\/li>\n<\/ul>\n<h2>Compliance with Tennessee Data Protection Act<\/h2>\n<p>Data controllers have the following responsibilities under the Act:<\/p>\n<ul>\n<li><strong>Limit collection<\/strong> \u2013 the collection of personal information must be limited to what is \u201cadequate, relevant and reasonably necessary\u201d in relation to the purposes disclosed to the consumer;<\/li>\n<li><strong>Limit processing<\/strong> \u2013 personal information cannot be processed for any purpose \u201cbeyond what is reasonably necessary to and compatible with the purposes\u201d disclosed to the consumer unless the consumer gives consent to these other purposes;<\/li>\n<li><strong>Data security<\/strong> \u2013 \u201cestablish, implement and maintain reasonable administrative, technical and physical data security practices\u201d to protect the confidentiality, integrity, and accessibility of personal information. These security practices must be appropriate to the volume and nature of the personal information processed.<br \/>\nControllers must also conduct and document data protection assessments for processing activities where personal information is sold, or used for targeted advertising or profiling;<\/li>\n<li><strong>Comply with state and federal discrimination laws<\/strong> \u2013 personal information cannot be processed in violation of state and federal laws that prohibit unlawful discrimination against consumers (see the Consumer Rights section about non-discrimination above);<\/li>\n<li><strong>Sensitive personal information<\/strong> \u2013 such information cannot be processed without a consumer\u2019s consent (see the Sensitive Personal Information section above);<\/li>\n<li><strong>Privacy Notice<\/strong> \u2013 the Privacy Notice must be reasonably accessible, clear and meaningful (see below).<\/li>\n<\/ul>\n<h3>Privacy notice requirements under Tennessee law<\/h3>\n<p>Controllers must provide a Privacy Notice that includes the following information:<\/p>\n<ul>\n<li>Categories of personal information processed by the controller;<\/li>\n<li>Purpose\/s for processing personal information;<\/li>\n<li>How consumers can exercise their consumer rights, including instructions on submitting a request to exercise these rights via a secure and reliable method that allows the controller to authenticate the identity of the consumer;<\/li>\n<li>How a consumer can appeal a controller\u2019s decision to their personal information rights request;<\/li>\n<li>Categories of personal information the controller sells to third parties (if any), and the categories of those third parties;<\/li>\n<li>Clear disclosure if the controller sells personal information to third parties or processes personal information for targeted advertising, along with instructions on how a consumer can exercise their right to opt out from such processing.<\/li>\n<\/ul>\n<h3>Processor responsibilities<\/h3>\n<p>Controllers and processors must enter binding contracts that include clear instructions for:<\/p>\n<ul>\n<li>Processing personal data;<\/li>\n<li>Nature and purpose of the processing;<\/li>\n<li>Type of data subject to processing;<\/li>\n<li>Duration of the processing; and<\/li>\n<li>Rights and responsibilities of both parties.<\/li>\n<\/ul>\n<p>Processors must also:<\/p>\n<ul>\n<li>Adhere to the controller\u2019s instructions;<\/li>\n<li>Assist the controller in meeting its obligations, including responding to consumer rights requests;<\/li>\n<li>Ensure each person processing personal data is subject to a duty of confidentiality concerning the data, and engage subcontractors under written contracts that ensure they meet the processor\u2019s obligations concerning personal information;<\/li>\n<li>Comply with the controller\u2019s direction to delete or return all personal information to the controller at the end of the provision of services, unless retention of the personal information is required by law;<\/li>\n<li>Comply with a reasonable request from the controller to prove compliance with the Act by making available to the controller all necessary information in its possession;<\/li>\n<li>Cooperate with reasonable compliance assessments by the controller or a designated assessor, or a qualified and independent assessor arranged by the processor.<\/li>\n<\/ul>\n<h2>Tennessee Information Protection Act enforcement<\/h2>\n<p>The Tennessee Attorney General and reporter have the exclusive authority to enforce the Act. Consumers do not have a private right of action.<\/p>\n<p>The AG and reporter can initiate action if a controller or processor is suspected to have violated or is about to violate the Tennessee Information Protection Act, either through the AG and reporter\u2019s own inquiry or based on consumer or public complaints.<\/p>\n<p>Before initiating action, the AG must give a controller or processor 60 days\u2019 written notice, which specifies the violation\/s. Action will not proceed if the alleged violator cures the noticed violation and provides the AG with a written statement detailing how it is achieved compliance.<\/p>\n<p>If the violation isn\u2019t satisfactorily cured after 60 days the AG can bring a court action for preliminary or permanent injunctions to prevent further violation\/s and compel compliance, and the AG can seek civil penalties. A court can impose a civil penalty of up to $15,000 for each violation.<\/p>\n\t\t\t\t\t\t\t\t\t<div class=\"question-box-multiple\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"question-box bg-white\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"icon\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img decoding=\"async\" src=\"https:\/\/trustarc.com\/wp-content\/uploads\/2024\/02\/icon_Online-Privacy_Small.svg\" class=\"attachment-full size-full\" alt=\"\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<h4>Nymity Research<\/h4>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<p>Stay up to date on hundreds of global privacy laws, regulations, and standards.<\/p>\n<a href=\"\/free-trial\/nymity-research\/\" class=\"cta\">Start today<\/a>\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"question-box bg-white\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"icon\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img decoding=\"async\" src=\"https:\/\/trustarc.com\/wp-content\/uploads\/2024\/02\/icon_Data-Lock_Small.svg\" class=\"attachment-full size-full\" alt=\"\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<h4>Automate your compliance program<\/h4>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<p>Use PrivacyCentral to streamline privacy compliance across all relevant jurisdictions.<\/p>\n<a href=\"\/products\/privacy-data-governance\/privacycentral\/\" class=\"cta\">Learn more<\/a>\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t\t<div class=\"right sm\">\n\t\t\t\t<div class=\"share-it\">\n\t\t\t\t\t<strong class=\"title block uppercase\">Follow us<\/strong>\n\t\t\t\t\t<div class=\"soc-list\">\n\t\t\t\t\t\t<a href=\"https:\/\/www.linkedin.com\/company\/trustarc\/\" target=\"_blank\"><img decoding=\"async\" src=\"https:\/\/trustarc.com\/wp-content\/themes\/trustarc\/assets\/dist\/images\/li-dark.svg\" alt=\"\" \/><\/a>\n\t\t\t\t\t\t<a href=\"\nhttps:\/\/twitter.com\/TrustArc\" target=\"_blank\"><img decoding=\"async\" src=\"https:\/\/trustarc.com\/wp-content\/themes\/trustarc\/assets\/dist\/images\/tw-dark.svg\" alt=\"\" \/><\/a>\n\t\t\t\t\t\t<a href=\"javascript:;\" id=\"copy-url\"><img decoding=\"async\" src=\"https:\/\/trustarc.com\/wp-content\/themes\/trustarc\/assets\/dist\/images\/link-dark.svg\" alt=\"\" \/><\/a>\n\t\t\t\t\t\t<span class=\"copied\" style=\"display:none;\">Link Copied!<\/span>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t<div class=\"key-topics\">\n\t\t\t\t\t\t<strong class=\"title block uppercase\">Key Topics<\/strong>\n\t\t\t\t\t\t<ul>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<li><a href=\"https:\/\/trustarc.com\/topic-resource\/us-consumer-privacy-laws\/\" class=\"badge\">US Consumer Privacy Laws<\/a><\/li>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/ul>\n\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<div class=\"cta-area\">\n\t\t\t\t\t<p>Get the latest resources sent to your inbox<\/p>\n\t\t\t\t\t<a href=\"\/subscription-center\/\" class=\"cta\">Subscribe<\/a>\n\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t<\/section>\n\t","protected":false},"excerpt":{"rendered":"","protected":false},"featured_media":1694,"template":"","topic-resource":[114],"type-resource":[6],"class_list":["post-4743","resource","type-resource","status-publish","has-post-thumbnail","hentry","topic-resource-us-consumer-privacy-laws","type-resource-articles"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.4 (Yoast SEO v27.4) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>Background Brief: Tennessee Information Protection Act | TrustArc<\/title>\n<meta name=\"description\" content=\"TrustArc privacy experts explain consumer rights under the Tennessee Information Protection Act and compliance requirements for businesses.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/trustarc.com\/resource\/tennessee-information-protection-act-background-brief\/\" \/>\n<meta name=\"twitter:label1\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"1 minute\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/trustarc.com\\\/resource\\\/tennessee-information-protection-act-background-brief\\\/\",\"url\":\"https:\\\/\\\/trustarc.com\\\/resource\\\/tennessee-information-protection-act-background-brief\\\/\",\"name\":\"Background Brief: Tennessee Information Protection Act | TrustArc\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/trustarc.com\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/trustarc.com\\\/resource\\\/tennessee-information-protection-act-background-brief\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/trustarc.com\\\/resource\\\/tennessee-information-protection-act-background-brief\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/trustarc.com\\\/wp-content\\\/uploads\\\/2024\\\/02\\\/res-feat-rect-pink.png\",\"datePublished\":\"2023-05-18T11:33:00+00:00\",\"dateModified\":\"2024-10-08T19:01:02+00:00\",\"description\":\"TrustArc privacy experts explain consumer rights under the Tennessee Information Protection Act and compliance requirements for businesses.\",\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/trustarc.com\\\/resource\\\/tennessee-information-protection-act-background-brief\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/trustarc.com\\\/resource\\\/tennessee-information-protection-act-background-brief\\\/#primaryimage\",\"url\":\"https:\\\/\\\/trustarc.com\\\/wp-content\\\/uploads\\\/2024\\\/02\\\/res-feat-rect-pink.png\",\"contentUrl\":\"https:\\\/\\\/trustarc.com\\\/wp-content\\\/uploads\\\/2024\\\/02\\\/res-feat-rect-pink.png\",\"width\":610,\"height\":152},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/trustarc.com\\\/#website\",\"url\":\"https:\\\/\\\/trustarc.com\\\/\",\"name\":\"TrustArc\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/trustarc.com\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Background Brief: Tennessee Information Protection Act | TrustArc","description":"TrustArc privacy experts explain consumer rights under the Tennessee Information Protection Act and compliance requirements for businesses.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/trustarc.com\/resource\/tennessee-information-protection-act-background-brief\/","twitter_misc":{"Est. reading time":"1 minute"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/trustarc.com\/resource\/tennessee-information-protection-act-background-brief\/","url":"https:\/\/trustarc.com\/resource\/tennessee-information-protection-act-background-brief\/","name":"Background Brief: Tennessee Information Protection Act | TrustArc","isPartOf":{"@id":"https:\/\/trustarc.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/trustarc.com\/resource\/tennessee-information-protection-act-background-brief\/#primaryimage"},"image":{"@id":"https:\/\/trustarc.com\/resource\/tennessee-information-protection-act-background-brief\/#primaryimage"},"thumbnailUrl":"https:\/\/trustarc.com\/wp-content\/uploads\/2024\/02\/res-feat-rect-pink.png","datePublished":"2023-05-18T11:33:00+00:00","dateModified":"2024-10-08T19:01:02+00:00","description":"TrustArc privacy experts explain consumer rights under the Tennessee Information Protection Act and compliance requirements for businesses.","inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/trustarc.com\/resource\/tennessee-information-protection-act-background-brief\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/trustarc.com\/resource\/tennessee-information-protection-act-background-brief\/#primaryimage","url":"https:\/\/trustarc.com\/wp-content\/uploads\/2024\/02\/res-feat-rect-pink.png","contentUrl":"https:\/\/trustarc.com\/wp-content\/uploads\/2024\/02\/res-feat-rect-pink.png","width":610,"height":152},{"@type":"WebSite","@id":"https:\/\/trustarc.com\/#website","url":"https:\/\/trustarc.com\/","name":"TrustArc","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/trustarc.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"}]}},"_links":{"self":[{"href":"https:\/\/trustarc.com\/wp-json\/wp\/v2\/resource\/4743","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/trustarc.com\/wp-json\/wp\/v2\/resource"}],"about":[{"href":"https:\/\/trustarc.com\/wp-json\/wp\/v2\/types\/resource"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/trustarc.com\/wp-json\/wp\/v2\/media\/1694"}],"wp:attachment":[{"href":"https:\/\/trustarc.com\/wp-json\/wp\/v2\/media?parent=4743"}],"wp:term":[{"taxonomy":"topic-resource","embeddable":true,"href":"https:\/\/trustarc.com\/wp-json\/wp\/v2\/topic-resource?post=4743"},{"taxonomy":"type-resource","embeddable":true,"href":"https:\/\/trustarc.com\/wp-json\/wp\/v2\/type-resource?post=4743"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}