Bass, Berry & Sims attorney Roy Wyman outlined the new Tennessee Information Protection Act (TIPA) that Governor Lee signed into law early this month to establish data privacy regulations for businesses and consumers in the state. In a Q&A format, Roy answered several questions about the scope of the new legislation, how TIPA will benefit consumers, what companies should be doing now ahead of the act’s 2025 implementation, and others.
As Roy points out, there are currently nine different states that have passed data privacy legislation. “This is creating a situation where you have nine different states that are similar, but none of them are identical. It’s becoming very complex. The difficulties are really not worth the differences. The cost to businesses are often in the millions of dollars just to try to comply with these things,” said Roy.
In response to a question about what companies should be doing now to prepare for the 2025 implementation, Roy provided the following guidance:
Something they’re going to need to do in the next year is start doing … data privacy impact assessments. That’s looking at how do we use data. Are any of them ones where it could impact the privacy of individuals’ information. For each of those where it could, we need to weigh, [“Does] the use make sense given the risk, and what can we do to mitigate those risks?[“] They’ll need to have a process in place and make sure all their new uses of personal information go through that process, which is a cultural change. That’s going to impact marketing, that’s going to impact IT. That’s going to impact contracts. That’s going to impact any areas that deal with personal information.
The other interesting thing, and this is unique to Tennessee, is that they created an exception for companies that comply with NIST, [the security process] government contractors have to comply with. If your company has a process in place that complies with NIST or something similar, then it’s a little bit of a get-out-of-jail-free card. How much of a get-out-of-jail-free card it is, we still don’t really know. That’s going to be open to interpretation. Those are the two things I would be looking at now, putting in place that process for the privacy impact assessments and seeing whether we comply with NIST and is it worth it in order to have that exemption.
The full article, “Q&A: Attorney Discusses New Tennessee Data Privacy Law,” was published by the Nashville Post on May 22 and is available online. To learn more about TIPA, click here to read our latest client alert on the topic.