Tennessee has passed a law, the Tennessee Information Protection Act, that aims to protect the personal information of Tennessee residents. The enactment of TIPA is just one of many state privacy laws that have been passed in the United States. In fact, just this spring, four other privacy laws were also enacted, in addition to other laws that specifically affect certain types of data.

Who does TIPA affect?

This new law applies to companies with more than $25 million in gross revenue that do business in Tennessee or target products or services to Tennessee consumers, and:

  • Control or process personal information of 175,000 or more Tennessee consumers; or 
  • Control or process personal information of 25,000 or more Tennessee consumers and derive over 50% of gross revenue from the sale of that data. 

Who is exempt?

TIPA defines a “consumer” as a person who lives in Tennessee and is using items for themselves. This doesn’t include people who work for a company or people who are part of a business deal. The exemptions to TIPA closely mimic those of other state privacy laws; for example, personal information covered by laws such as the Health Insurance Portability and Accountability Act (HIPAA), the Children’s Online Privacy Protection Act (COPPA), the Gramm-Leach-Bliley Act, the Family Educational Rights and Privacy Act, and a range of other federal laws. The law doesn’t apply to government groups, charities, or higher education institutions. There are some circumstances in which personal information can be used, such as when needed to comply with the law, stop fraud, or protect someone in a legal case.

What are the consumer rights?

The TIPA creates consumer rights that allow Tennessee residents to access, correct, and delete their personal information. They can also obtain a copy of their personal information that was previously provided to the controller. In addition, Tennessee residents have the right to opt out of a controller’s processing of personal information for the purposes of selling personal information, targeted advertising, and profiling. Your organization will need to be prepared to respond to consumer requests related to the exercise of these new rights.

Who enforces TIPA?

The Tennessee Attorney General has the exclusive authority to enforce the TIPA, and there is no private right of action.

What do I need to do to comply?

To comply with TIPA, businesses need to provide a privacy notice, establish a secure means for consumers to exercise their privacy rights, obtain consumer consent to process sensitive data, enter into contracts with processors, and conduct and document data protection assessments. The TIPA provides an affirmative defense to a cause of action for a TIPA violation where a controller creates, maintains, and complies with a written privacy policy that reasonably conforms to the National Institute of Standards and Technology (“NIST”) privacy framework entitled “A Tool for Improving Privacy through Enterprise Risk Management Version 1.0.” This means that if a controller adopts a privacy program that reasonably conforms to the NIST framework, it may be able to avoid liability for certain violations of the TIPA.

The law takes effect on July 1, 2025.

What happens if I don't comply?

If a business violates the law, the Tennessee Attorney General must give 60 days’ written notice and an opportunity to cure to the controller. If an enforcement action follows, violations of the TIPA carry penalties of up to $15,000 per violation.

How should I prepare now?

If you believe your business may be subject to this new Tennessee law, one of the best first steps is to have a NIST Privacy Assessment performed. This activity will assess the completeness and maturity of the privacy-related practices inside your organization. Through a series of interviews with key stakeholders and subject matter experts, as well as a review of selected documents, our team of privacy professionals will evaluate the people, processes and technology that contribute to the protection of Personally Identifiable Information.

LBMC can also help you with the review and/or creation of Policies and Procedures. Existing policies can be reworked, or completely new policies can be provided to help organizations ensure a focus on consumer privacy.

Content provided by LBMC professionals, Van Steel and Dennis McGough.

Finally, LBMC can help you with customized privacy consulting services. If you need to improve your existing program, or if you need to start fresh with a brand-new privacy program, our knowledgeable professionals can provide consulting to help you improve your privacy practices.