Official Summary Text
The Tennessee Information Protection Act (the "Act") requires a controller to comply with an authenticated consumer request to exercise the right to any of the following:
- Confirm whether a controller is processing the consumer's personal information and to access the personal information.
- Correct inaccuracies in the consumer's personal information, taking into account the nature of the personal information and the purposes of the processing of the consumer's personal information.
- Delete certain personal information provided by or obtained about the consumer.
- Obtain a copy of the consumer's personal information that the consumer previously provided to the controller in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means.
- Opt out of a controller's processing of personal information for purposes of (i) selling personal information about the consumer, (ii) targeted advertising, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
Such Act applies to persons that conduct business in this state producing products or services that target residents of this state and that exceed $25 million in revenue and either (i) control or process personal information of at least 25,000 consumers and derive more than 50% of gross revenue from the sale of personal information; or (ii) during a calendar year, control or process personal information of at least 175,000 consumers.
As used in the Act, a "controller" means the natural or legal person that, alone or jointly with others, determines the purpose and means of processing personal information. This bill clarifies that such term specifically includes an entity whose primary business is the commercial sale, licensing, or transfer of personal information about individuals, regardless of whether the entity has a direct relationship, consumer-facing or otherwise, with those individuals.
REGISTRATION REQUIRED
On or before January 31 following a year in which this bill applies to a controller, this bill requires the controller to register with the consumer protection division of the office of the attorney general ("division"). In registering with the division, a controller must pay a registration fee in an amount determined by the division, not to exceed the division's reasonable costs of establishing, maintaining, and providing a webpage on the division's website that contains the accessible deletion mechanism described below. The fee collected pursuant to such registration must be deposited into the Information Protection Registry fund, described below.
By July 1, 2027, this bill requires the division to create a webpage on the division's website that has the accessible deletion mechanism in a conspicuous location and provides information about both of the following:
- How a consumer can utilize the accessible deletion mechanism, including the process for submitting a deletion request and examples of the types of information that may be deleted.
- The additional rights a consumer may have under the Act.
ACCESSIBLE DELETION MECHANISM
By July 1, 2027, this bill requires the division to create an accessible deletion mechanism that (i) implements and maintains reasonable security procedures and practices, including administrative, physical, and technical safeguards appropriate to the nature of the information and the purposes for which the personal information will be used; (ii) protects consumers' personal information from unauthorized use, disclosure, access, destruction, or modification; and (iii) allows a consumer or the consumer's authorized agent to engage in all of the following actions:
- Through a single authenticated consumer request, request that every controller to which this part applies and that maintains personal information about the consumer delete the personal information related to the consumer that is held by the controller, or an agent of the controller.
- Selectively exclude a specific controller from a request so made.
- Make a request to alter a previous request so made after at least 45 days have passed since the consumer last made such a request.
- Verify the status of a deletion request submitted by the consumer.
This bill requires such accessible deletion mechanism, at a minimum, to (i) allow a controller registered with the division to determine whether a consumer has submitted an authenticated request to delete the personal information related to the consumer; (ii) be available for use by a consumer at no cost to the consumer; and (iii) be usable by a consumer with a disability.
This bill requires a controller to access the accessible deletion mechanism at least once every 45 days and to engage in all of the following actions:
- Within 45 days after receipt of a deletion request, process the deletion request and delete all required personal information related to the consumer who made the request.
- Process the request as an opt-out of the sale or sharing of the consumer's personal information, consistent with the consumer's right to opt out of a controller's processing of personal information under present law, if the controller denies a consumer's deletion request because the controller is unable to authenticate the request using commercially reasonable efforts.
- Direct any affiliates of the controller to (i) delete all personal information in the affiliate's possession related to the consumer who submitted the deletion request; or (ii) process a request as an opt-out of the sale or sharing of the consumer's personal information, consistent with the consumer's right to opt out of a controller's processing of personal information under present law.
However, this bill provides that a controller, or its affiliate, is not required to delete a consumer's personal information if such deletion would not be required if the request was submitted to the controller in accordance with present law.
VIOLATIONS
This bill provides that a controller's failure to comply with the registration or deletion request requirements of this bill constitutes a violation and is subject to a civil investigative demand, civil penalties, and other relief or actions that may be sought by the attorney general pursuant to present law.
INFORMATION PROTECTION REGISTRY FUND – ANNUAL REPORT
This bill creates within the state general fund a special account to be known as the information protection registry fund. The fee collected pursuant to this bill must be deposited into the fund and used only to implement and administer the purposes set forth in this bill. In addition to appropriations made to the fund, the division may accept other funds, public or private, by way of gift or grant to the fund. Any such gift or grant must be deposited into the fund to be expended in accordance with this bill.
This bill requires the division to administer the fund, and moneys in the fund must be expended and obligated only in accordance with this bill and in accordance with appropriations made by the general assembly. All expenditures from the fund are subject to review in the form of an annual report submitted by the division to the commissioner of finance and administration no later than January 1, 2028, and by January 1 each year thereafter.
Current Bill Text
SENATE BILL 2100
By Akbari
SB2100
011964
- 1 -
AN ACT to amend Tennessee Code Annotated, Title 47,
Chapter 18, Part 33, relative to the Tennessee
Information Protection Act.
BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF TENNESSEE:
SECTION 1. Tennessee Code Annotated, Section 47-18-3302(8), is amended by
adding the following at the end of the subdivision immediately preceding the semicolon:
, and includes an entity whose primary business is the commercial sale, licensing, or
transfer of personal information about individuals, regardless of whether the entity has a
direct relationship, consumer-facing or otherwise, with those individuals
SECTION 2. Tennessee Code Annotated, Title 47, Chapter 18, Part 33, is amended by
adding the following as a new section:
(a)
(1) On or before January 31 following a year in which this part applies to
a controller, the controller shall register with the consumer protection division of
the office of the attorney general and reporter in accordance with this section.
(2) In registering with the division, a controller shall pay a registration fee
in an amount determined by the division, not to exceed the division's reasonable
costs of establishing, maintaining, and providing a webpage on the division's
website that contains the accessible deletion mechanism described in
subdivision (b)(2). The fee collected pursuant to this subdivision (a)(2) must be
deposited into the Information Protection Registry fund, described in subsection
(e).
(b) By July 1, 2027, the division shall create:
(1) A webpage on the division's website that:
(A) Has the accessible deletion mechanism in a conspicuous
location; and
(B) Provides information about:
(i) How a consumer can utilize the accessible deletion
mechanism, including the process for submitting a deletion
request and examples of the types of information that may be
deleted; and
(ii) The additional rights a consumer may have under this
part; and
(2) An accessible deletion mechanism that:
(A) Implements and maintains reasonable security procedures
and practices, including administrative, physical, and technical
safeguards appropriate to the nature of the information and the purposes
for which the personal information will be used;
(B) Protects consumers' personal information from unauthorized
use, disclosure, access, destruction, or modification; and
(C) Allows a consumer or the consumer's authorized agent to:
(i) Through a single authenticated consumer request,
request that every controller to which this part applies and that
maintains personal information about the consumer delete the
personal information related to the consumer that is held by the
controller, or an agent of the controller;
(ii) Selectively exclude a specific controller from a request
made under subdivision (b)(2)(C)(i);
(iii) Make a request to alter a previous request made
under subdivision (b)(2)(C)(i) after at least forty-five (45) days
have passed since the consumer last made such a request; and
(iv) Verify the status of a deletion request submitted by the
consumer.
(c) The accessible deletion mechanism described in subdivision (b)(2) must, at a
minimum:
(1) Allow a controller registered with the division to determine whether a
consumer has submitted an authenticated request to delete the personal
information related to the consumer;
(2) Be available for use by a consumer at no cost to the consumer; and
(3) Be usable by a consumer with a disability.
(d)
(1) A controller shall access the accessible deletion mechanism required
under this section at least once every forty-five (45) days and:
(A) Within forty-five (45) days after receipt of a deletion request
made pursuant to subdivision (b)(2)(C), process the deletion request and
delete all required personal information related to the consumer who
made the request;
(B) Process the request as an opt-out of the sale or sharing of the
consumer's personal information, consistent with the consumer right
described under § 47-18-3304(a)(2)(E), if the controller denies a
consumer's deletion request made pursuant to subdivision (b)(2)(C)
because the controller is unable to authenticate the request using
commercially reasonable efforts; and
(C) Direct any affiliates of the controller to:
(i) Delete all personal information in the affiliate's
possession related to the consumer who submitted the deletion
request; or
(ii) Process a request described in subdivision (d)(1)(B) as
an opt-out of the sale or sharing of the consumer's personal
information, consistent with the consumer right described under §
47-18-3304(a)(2)(E).
(2) A controller, or its affiliate, is not required to delete a consumer's
personal information if such deletion would not be required if the request was
submitted to the controller in accordance with § 47-18-3304(a)(1).
(e) A controller's failure to comply with the registration or deletion request
requirements of this section constitutes a violation of this part and is subject to a civil
investigative demand, civil penalties, and other relief or actions that may be sought by
the attorney general and reporter pursuant to this part, including relief under §§ 47-18-
3307 and 47-18-3313.
(f)
(1) There is created within the state general fund a special account to be
known as the information protection registry fund.
(2) The fee collected pursuant to subdivision (a)(2) must be deposited
into the fund and used only to implement and administer the purposes set forth in
this section. In addition to appropriations made to the fund, the division may
accept other funds, public or private, by way of gift or grant to the fund. Any such
gift or grant must be deposited into the fund to be expended in accordance with
this section.
(3) The state treasurer shall invest moneys in the fund for the benefit of
the fund in accordance with § 9-4-603. Interest accruing on investments and
deposits of the fund must be credited to and remain part of the fund.
(4) Any unencumbered moneys and any unexpended balance of the fund
remaining at the end of a fiscal year do not revert to the general fund, but must
be carried forward until expended in accordance with this section. No part of the
fund must be diverted to the general fund or another public fund.
(5) The division shall administer the fund, and moneys in the fund must
be expended and obligated only in accordance with this section and in
accordance with appropriations made by the general assembly. All expenditures
from the fund are subject to review in the form of an annual report submitted by
the division to the commissioner of finance and administration no later than
January 1, 2028, and by January 1 each year thereafter.
SECTION 3. This act takes effect July 1, 2027, the public welfare requiring it.