On April 21, 2023, the Tennessee legislature voted to enact the Tennessee Information Privacy Act (H.B. 1181) (“TIPA”). TIPA includes a requirement for controllers and processors to create, maintain and comply with a written privacy program that reasonably conforms to the National Institute of Standards and Technology (NIST) Privacy Framework. Under TIPA, the scale and scope of a controller’s or processor’s privacy program is appropriate if it is based on specific factors enumerated in the law. These include (1) the size and complexity of the controller’s or processor’s business; (2) the nature and scope of the activities of the controller or processor; (3) the sensitivity of the personal information processed; (4) the cost and availability of tools to improve privacy protections and data governance; and (5) compliance with a comparable state or federal law.
Notably, the TIPA recognizes a controller’s certification to the APEC Cross-Border Privacy Rules system (“CBPR”) and a processor’s certification to the APEC Privacy Recognition for Processors system (“PRP”) as additional factors to be considered in determining whether the scale and scope of a controller or processor’s privacy program is appropriate. This marks the first time the CBPR and PRP systems, to which the U.S. is an active participating economy, have been expressly recognized in a comprehensive state privacy law.
The TIPA has been sent to Tennessee Governor Bill Lee for signature.