Understanding the Tennessee Information Protection Act (SB 73): Proposed Rules for Targeted Ads

The US has five new state privacy laws this year, with another in Iowa due to take effect in 2025. The Tennessee Information Protection Act (TIPA) might be next on the list, having made substantial progress through the state’s legislature.

This article will examine the Senate version of TIPA, SB 73. We’ll explore how the law applies, its key definitions, and the new obligations for businesses operating in Tennessee with a focus on how the law will affect targeted advertising.

Application

SB 73 applies to any company targeting Tennesee consumers that:

• Has gross annual revenues of more than $25 million, and
• Either:
  • Annually controls or processes personal information about at least 25,000 consumers and derives over 50% of gross revenue from the sale of personal information, or
  • Annually controls or processes personal information about at least 175,000 consumers.

Many exemptions apply. The following types of organizations are not covered by the bill:

• Public bodies.
• Financial institutions covered by the Gramm-Leach-Bliley Act.
• Healthcare entities covered by the Health Insurance Portability and Accountability Act (HIPAA).

SB 73 also exempts the processing of certain types of personal information, including health information for the purposes of HIPAA and research data regulated by other laws.

Definitions

Some key definitions in the bill include:

• Personal information: Information that is “linked or reasonably linkable to an identified or identifiable natural person”. Excludes publicly accessible information and “de-identified or aggregate” information.
• Processing: Any operation performed on personal information, such as “collection, use, storage, disclosure, analysis, deletion, or modification”.
• Controller: A person or organization that “determines the purpose and means of processing personal information” (decides why and how to process personal information).
• Processor: A person or organization that processes personal information on behalf of a controller.

SB 73 also defines “sensitive data”, which includes:

• Personal information revealing:
  • Racial or ethnic origin.
  • Religious beliefs.
  • Mental or physical health diagnosis.
  • Sexual orientation.
  • Citizenship or immigration status.
• Biometric or genetic data processed for the purpose of identifying a natural person.
• Personal information collected from a known child.
• Precise geolocation data.

Note that these definitions are similar to those under other US state laws, such as Virginia’s Consumer Data Protection Act (VCDPA).

Selling Personal Information and Targeted Advertising

Like several US state laws, SB 73 regulates the “sale” of personal information, defined as “the exchange of personal information for valuable monetary consideration by the controller to a third party”.

Certain activities are explicitly excluded from the definition of a “sale”, including the disclosure of personal information:

• To a processor.
• To a third party to provide a product or service requested by the consumer.
• To an affiliate of the controller.
• Where the consumer:
  • Intentionally made the personal information public via mass media, and
  • Did not restrict the disclosure to a restricted audience.
• As part of an acquisition, merger, or bankruptcy.

SB 73 also regulates “targeted advertising”, defined as displaying an advertisement to a consumer when the following conditions are met:

• The advertisement is selected based on personal information.
• The personal information is obtained from the consumer’s activities over time and across nonaffiliated websites or online applications.
• The personal information is obtained to predict the consumer’s preferences or interests.

The definition excludes “first-party” and contextual ads.

Consumer Rights

SB 73 provinces consumers with several rights over their personal information, including the right to:

• Confirm whether a controller is processing the consumer’s information.
• Access their personal information.
• Correct inaccuracies in their personal information.
• Delete their personal information.
• Obtain a copy of their personal information in a portable, machine-readable format.
• Opt out of:
  • The sale of their personal information.
  • Targeted advertising.
  • Profiling in furtherence of decisions that produce legal or similarly significant effect (this could include, for example, loan decisions based on a profiling).

Controllers must respond to a request under any of these rights within 45 days, with a 45-day extension available when reasonably necessary.

Consumers can make a request twice per year, and controllers must not charge a fee unless the request is manifestly unfounded, technically infeasible, excessive, or repetitive.

The controller must make “commercially reasonable efforts” to verify a consumer’s identity.

The consumer can appeal if the controller refuses to carry out a request. The controller must respond to the appeal, providing a reason for its decision, within 60 days, informing the consumer that they can complain to the Attorney-General if they are unhappy with the decision.

Controller Obligations

SB 73 sets out several obligations on controllers, including:

• Limiting the collection of personal information to what is adequate, relevant and reasonably necessary in relation to a specified purpose.
• Not processing the personal information for incompatible further purposes without consent.
• Establishing reasonable data security practices.
• Not processing personal information unlawfully, or discriminating against consumers that have excercised their rights.
• Only processing sensitive data with consent.
• Processing children’s personal information in compliance with the Children’s Online Privacy Protection Act (COPPA).

Privacy Notice

Controllers must publish a “reasonably accessible, clear, and meaningful privacy notice“ that explains:

• The categories of personal information the controller processes.
• The purpose for processing personal information.
• How consumers may exercise their consumer rights and how to appeal.
• The categories of any personal information the controller sells to third parties.
• The categories of any third parties to whom the controller sells personal information.
• Whether the controller sells personal information or engages in targeted advertising, and if so, an explanation of how to opt out of these activities.

Processors

A controller may only engage a processor subject to a written agreement that contains:

• Instructions for processing data.
• The nature and purpose of processing.
• The types of data subject to processing.
• The duration of processing.
• The rights and obligations of both parties.
• Requirements that the processor shall:
  • Ensure that anyone processing personal information is subject to a duty of confidentiality.
  • Delete or return all personal information to the controller as requested at the end of the provision of services, unless retention of the personal information is required by law.
  • Provide the controller with all information necessary to demonstrate compliance with SB 73.
  • Allow and cooperate with reasonable assessments by the controller, or else arrange an independent audit to a recognized standard, providing a report on request.
  • Only engage a subcontractor pursuant to a written contract that complies with the standards above.

Processors must assist controllers with consumer rights requests where necessary.

Data Protection Assessments

From July 2024, controllers must conduct data protection assessments before conducting certain processing activities, including:

• Targeted advertising.
• Selling personal information.
• Certain profiling activities with significant effects or risks attached.
• Processing sensitive data.
• Any other processing activity that presents a heightened risk of harm to the consumer.

A data protection assessment must identify and weigh:

• The benefits that arise for the controller, the consumer, other stakeholders, and the public, against
• The potential risks to the rights of the consumer, taking any possible safeguards into account.

The Attorney General can demand access to a copy of a data protection assessment.

Voluntary Privacy Program

SB 73 includes a form of “safe harbor”, whereby a controller or processor can defend itself against a cause of action for a violation of the law if it creates, maintains, and complies with a privacy policy that:

• Conforms to the NIST privacy framework or a similar privacy standard.
• Is updated to comply with any updates to the standard within two years of the update.
• Provides consumers with the same substantive rights as SB 73.

Various caveats and other possible standards are mentioned in this section of the bill. This provision is not present in any other US state privacy laws.