It is not the first time we have written about complaints, OCR settlements, and even jail time following snooping by hospital employees into patient records. For example, as COVID raged, an investigation showed that for approximately 10 months ending in February 2021, an employee at a California state hospital improperly accessed approximately 2,000 individuals’ COVID-19 related data, including test results. Preventing these kinds of breaches can be difficult, especially when system access is needed to facilitate the efficient and often urgent delivery of health care.

Yesterday, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced a settlement with a not-for-profit community hospital under HIPAA. As many do, the settlement resulted from an investigation of a data breach report submitted by the hospital. According to the report, 23 security guards working in the hospital’s emergency department used their login credentials to access patient medical records maintained in the hospital’s electronic medical record (EMR) system without a job-related purpose. The information accessed included names, dates of birth, medical record numbers, addresses, certain notes related to treatment, and insurance information. The breach affected 419 individuals.

“Data breaches caused by current and former workforce members impermissibly accessing patient records are a recurring issue across the healthcare industry. Health care organizations must ensure that workforce members can only access the patient information needed to do their jobs,” said OCR Director Melanie Fontes Rainer. “HIPAA covered entities must have robust policies and procedures in place to ensure patient health information is protected from identity theft and fraud.”

In addition to agreeing to pay $240,000, the hospital also agreed to be monitored under a two-year corrective action plan (CAP). The CAP included the following steps:

  • Conduct an accurate and thorough risk analysis to determine risks and vulnerabilities to electronic protected health information;
  • Develop and implement a risk management plan to address and mitigate the security risks and vulnerabilities identified in the risk analysis;
  • Develop, maintain, and revise, as necessary, its written HIPAA policies and procedures;
  • Enhance its existing HIPAA and Security Training Program to provide workforce training on the updated HIPAA policies and procedures; and
  • Review all relationships with vendors and third-party service providers to identify business associates and obtain business associate agreements with business associates if not already in place.

Digging into the details of the settlement and CAP, it is clear OCR is focused on access management – ensuring appropriate access between systems, ensuring access only to those that need it, providing training about access, etc. Another consideration, prudent for any kind of surveillance, is monitoring the monitors. That is, for example, regularly reviewing access logs to assess appropriateness of the activity.
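As an added example that is not part of the original post, the following Python reviews constructed EMR audit-log lines against a role-based allowlist and flags accesses that fall outside what the user’s role needs; the roles, actions, user names and patient ids are invented, and the allowlist is an assumed policy, not OCR’s or the hospital’s.

```python
"""Added example (not from the original post): review constructed EMR
audit-log lines for record accesses that lack a job-related purpose,
the 'monitoring the monitors' check the post describes."""
from collections import defaultdict
import csv
import io

# Constructed sample audit log (timestamp, user, role, patient id, action).
# All values are invented for illustration.
SAMPLE_LOG = """\
timestamp,user,role,patient_id,action
2023-06-01T08:02:11,nurse.a,nurse,P1001,view_chart
2023-06-01T08:05:40,guard.b,security,P1001,view_chart
2023-06-01T08:06:02,guard.b,security,P1002,view_chart
2023-06-01T08:06:30,guard.b,security,P1003,view_demographics
2023-06-01T09:10:00,dr.c,physician,P1002,update_notes
2023-06-01T09:12:00,guard.d,security,P1004,view_chart
2023-06-01T09:15:00,clerk.e,registration,P1005,view_demographics
"""

# Assumed role-based allowlist: the EMR actions each role needs to do its
# job. Security staff have no routine need to open patient records, so
# their allowed set is empty. Roles missing from the map fail closed.
ROLE_ALLOWED_ACTIONS = {
    "physician": {"view_chart", "update_notes", "view_demographics"},
    "nurse": {"view_chart", "view_demographics"},
    "registration": {"view_demographics"},
    "security": set(),
}


def parse_log(text):
    """Parse the CSV audit log into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def flag_out_of_scope(entries):
    """Return the entries whose action is outside the user's role allowlist.

    An unknown role maps to an empty allowlist, so every access by such a
    role is flagged for review rather than silently accepted.
    """
    flagged = []
    for entry in entries:
        allowed = ROLE_ALLOWED_ACTIONS.get(entry["role"], set())
        if entry["action"] not in allowed:
            flagged.append(entry)
    return flagged


def summarize_by_user(flagged):
    """Count distinct patient records touched per flagged user.

    Breadth across patients is what distinguishes browsing from a single
    mistaken click, so this is the figure a reviewer would sort on.
    """
    patients = defaultdict(set)
    for entry in flagged:
        patients[entry["user"]].add(entry["patient_id"])
    return {user: len(ids) for user, ids in patients.items()}


def review(text):
    """Run the full check: parse, flag, and summarize per user."""
    flagged = flag_out_of_scope(parse_log(text))
    return flagged, summarize_by_user(flagged)


if __name__ == "__main__":
    hits, summary = review(SAMPLE_LOG)
    for entry in hits:
        print(f"{entry['timestamp']} {entry['user']} ({entry['role']}) "
              f"{entry['action']} on {entry['patient_id']}")
    print("distinct patients per flagged user:", summary)
```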

Organizations, whether covered by HIPAA or not, engaged in monitoring and surveillance activities should be thinking about how to control the nature and extent of that monitoring and surveillance to avoid unintended consequences. This includes assessing the safeguards implemented by third-party vendors supporting the systems, devices, and activities. Data security should not be focused only on systems designed to prevent external hackers, but also on what can be done internally to prevent unauthorized access, uses, and disclosures of confidential and sensitive personal information by insiders, including employees.

FTC Safeguards Law (and Car Dealerships)

June 9th marked the deadline for financial institutions, including certain non-banking institutions that collect or maintain sensitive customer information (e.g., car dealerships), to implement a comprehensive information security program to comply with the Federal Trade Commission’s updated Safeguards Rule. For additional information, see our post: Reminder: The FTC “Safeguards Rule” Compliance Date is Next Month.

State Consumer Data Protection Laws

Enforcement of the California Privacy Rights Act (CPRA), which amends the California Consumer Privacy Act (CCPA), begins July 1, 2023. For more information, see our post: Employers Get Ready – CCPA Employee and B2B Exemptions End, Expanded Privacy Compliance Begins in 2023.

The Colorado Privacy Act goes into effect on July 1, 2023, and applies to a “controller” that conducts business in the State of Colorado, determines the purposes and means of processing personal data, and satisfies at least one of the following requirements: controls or processes the personal data of more than 100,000 Colorado residents per year or derives revenue from selling the personal data of more than 25,000 Colorado residents. For additional information, see our post: Version 2 Proposed Draft Rules for the Colorado Privacy Act.

The Connecticut Act Concerning Personal Data Privacy and Online Monitoring also goes into effect on July 1, 2023, and applies to a “controller” that conducts business in Connecticut or produces products or services that are targeted to residents of Connecticut and, during the preceding calendar year, either: controlled or processed personal data for at least 75,000 Connecticut residents, or controlled or processed personal data of at least 25,000 Connecticut residents and derived over 25 percent of gross revenue from the sale of personal data. For more information, see our post: Connecticut Likely to Become Fifth State to Enact Comprehensive Consumer Privacy Law.

The Florida “Digital Bill of Rights” provision prohibiting government employees and entities from using their position and/or state resources for the purpose of moderating content on social media platforms, including requesting removal of content, goes into effect on July 1, 2023. For additional information, see our post: Florida Passes “Digital Bill of Rights”.

State Data Breach Notification Laws

The amended Texas Data Breach Notification law goes into effect on September 1, 2023. The amended law revises the deadline for businesses to notify the Texas Attorney General of any data breach affecting at least 250 Texas residents from 60 days to “as soon as practicable and not later than 30 days” and now requires such persons to submit the notification via an electronic form accessible on the Attorney General’s website. For additional information, see our post: Texas Tightens State’s Data Breach Notification Law.

Florida Telephone Solicitation Act

On May 25, 2023, the Governor of Florida signed a bill amending the Florida Telephone Solicitation Act (FTSA). The amendments become effective immediately upon signing by the Governor and apply retroactively to any class action not certified on or before May 25, 2023. For additional information on these amendments, see our post: Amendments to Florida Telephone Solicitation Act Provides Relief for Businesses.

Social Security Numbers

The Virginia law prohibiting employers from using an employee’s Social Security number or any derivative as an employee’s identification number takes effect July 1, 2023. You can find more information on the law in our post: Virginia Passes Legislation Prohibiting the Use of Employees’ Social Security Numbers as Identifiers.

AI and Automated Employment Decision Tools

The New York City “AI Law” (New York City Local Law 144), which prohibits employers from using automated employment decision tools for screening applicants and employees within New York City unless a bias audit has been conducted and notice provided, takes effect July 5, 2023. For more information, see our post: Employer Alert: New York City Issues Final Rules on Automated Employment Decision Tools Law.

Cross Border Transfers of Personal Data

June 1, 2023, marked the effective date for implementing the “Standard Contract” in appropriate circumstances for transfers of personal data, including employee data, out of China to third countries in accordance with China’s Personal Information Protection Law. For more information see our webinar: Transferring Employee and Customer Data from China to the United States: Using the Appropriate Transfer Mechanism.

Complying with these new or amended laws may require multiple steps including reviewing your organization’s data collection activities, updating relevant notices as well as internal policies and procedures, and conducting employee training.

If you have questions about data protection laws, cybersecurity, or related issues, contact a member of our Privacy, Data, and Cybersecurity practice group to discuss.

On June 6, 2023, Governor DeSantis signed Senate Bill (SB) 2262, legislation intended to create a “Digital Bill of Rights” for Floridians. While Florida’s new law provides similar privacy rights to consumers as other states’ comprehensive privacy laws passed in recent months, the law is narrower in the businesses that are regulated.

Generally, the requirements of the law take effect on July 1, 2024, with certain sections taking effect sooner.

Covered Businesses

The new legislation applies to businesses that collect consumers’ personal information, make in excess of $1 billion in gross revenues, and meet one of the following thresholds:

  • Derive 50% or more of its global annual revenues from providing targeted advertising or the sale of ads online; or
  • Operate a consumer smart speaker and voice command component service with an integrated virtual assistant connected to cloud computing service that uses hands-free verbal activation.

Consumer Rights

Like many of the comprehensive privacy laws passed in recent months, the new law provides Florida consumers the right to:

  • Access their personal information;
  • Delete or correct personal information; and,
  • Opt out of the sale or sharing of their personal information.

In addition to these rights, the law adds biometric data and geolocation information to the definition of personal data, for purposes of protecting consumers.

Covered Business Obligations

Under the new law, covered businesses and their processors are required to implement a retention schedule for the deletion of personal data. Controllers or processors may only retain personal data until:

  • The initial purpose of the collection was satisfied;
  • The contract for which the data was collected or obtained has expired or terminated; or
  • Two years after the consumer’s last interaction with the covered business.

Covered businesses will be required to provide reasonably accessible and clear privacy notices, and such notices will need to be updated annually, including disclosures to consumers regarding data collection, processing, and use practices.

The law also requires covered businesses to develop and implement reasonable data security practices.

If you have questions about Florida’s new Digital Bill of Rights or related issues, please reach out to a member of our Privacy, Data, and Cybersecurity practice group.

On May 27, 2023, Texas’ Governor signed Senate Bill 768 amending Texas’ data breach notification law. The law in question, Section 521.053 of the Texas Business and Commerce Code, sets out the specific requirements any person conducting business in the state who owns or licenses sensitive personal information in a computerized format must follow in the event of any breach of system security.

The amendment updates only the portion of the law requiring a business to notify the Texas Attorney General of any data breach affecting at least 250 Texas residents. Previously, the law required such persons to notify the Texas Attorney General within 60 days of discovering a breach affecting 250+ residents but did not specify a particular method of providing the notice. The amendment shortens the deadline from 60 days to “as soon as practicable and not later than 30 days” and requires such persons to submit the notification via an electronic form accessible on the Attorney General’s website.

The changes go into effect on September 1, 2023. However, the amendment does not disturb any of the other requirements of the law that are already in effect. Such persons are still required to provide notice of a data breach to affected individuals “without unreasonable delay” but not later than 60 days after discovering the breach. For breaches affecting more than 10,000 individuals, such persons are required to notify each consumer reporting agency without unreasonable delay. In the case of a person who maintains computerized sensitive personal information on behalf of another and experiences a breach of system security, notice must be provided to the owner or license holder of the information “immediately after discovering the breach.”

Although the amendment brings Texas’ rules more closely in line with some other states, there remains a complicated and often conflicting web of data breach rules nationwide. Connecticut, for example, imposes a 60-day requirement for notifying affected individuals (similar to Texas) but requires all data breaches to be reported to the state’s Attorney General (not only when the breach affects more than a specified number of residents). Also, Connecticut and four other jurisdictions require that credit monitoring and ID theft services be provided for a period of time at no cost to affected persons, though that is not the case in the Lone Star State. Florida, on the other hand, is both more and less strict than Texas: its law requires notifications to individuals within 30 days (stricter than Texas) but imposes a higher threshold (500 affected residents) before requiring a notification to the Attorney General. These are just a few of the nuances organizations must grapple with when facing a data breach affecting individuals in multiple states. Because Texas’ data breach law allows the business to choose to give notice under the laws where the individual is located or under Texas’ laws when a breach affects a non-resident, it can be advantageous to know the distinctions.

For additional information regarding Texas’ or another state’s data breach requirements, please reach out to a member of our Privacy, Data, and Cybersecurity practice group.

On May 25, 2023, the Governor of Florida signed a bill amending the Florida Telephone Solicitation Act (FTSA). The amendments under Florida’s House Bill (HB) 761 become effective immediately upon signing by the Governor. Moreover, the amendments apply retroactively to any class action not certified on or before May 25, 2023.

The FTSA is Florida’s version of the federal Telephone Consumer Protection Act (TCPA); however, the FTSA was previously considered more restrictive than the federal version.

HB 761, however, makes the following changes to the FTSA:

  • Revises the prohibition on telephonic sales calls that use an automated system to specifically include unsolicited calls using automated systems for the selection and dialing of telephone numbers or the playing of a recorded message.
  • Clarifies what constitutes consent and clear and conspicuous disclosure.
  • Revises what constitutes a consumer’s “signature” for purposes of giving prior express written consent to include either an electronic or digital signature or an “act demonstrating consent,” which may include a simple affirmative response.
  • Provides a safe harbor period of 15 days from the date a consumer notifies the telephone solicitor that he or she does not want to receive text message solicitations.

While these amendments will take some of the sting out of the FTSA, businesses should still be aware of their practices when it comes to Florida to ensure compliance with the TCPA and the scaled-back FTSA.

If you have questions regarding FTSA or related issues please reach out to a member of our Privacy, Data, and Cybersecurity practice group to discuss.

At the start of 2023, the New York State legislature introduced several privacy-related bills. One of those bills, S365, appears to be gaining momentum. It was reported and committed to the Internet and Technology Committee on April 25, was amended on May 18, and was further amended and recommitted to the Finance Committee on June 4.

If it becomes law, S365 would require organizations to make disclosures regarding their data processing practices, impose limitations on sharing personal information, require data protection impact assessments in certain situations, and grant consumers an array of rights, including to access, correct, and/or delete their personal information.

Among the other data privacy and security bills under consideration are the following:

  • A417 would restrict the disclosure of personal information and require that organizations make available to customers, free of charge, access to or copies of their personal information.
  • A1366 would require advertising networks to post a clear and conspicuous notice on the home pages of their websites regarding their privacy policies and the data collection and use practices associated with their advertising delivery activities.
  • S2277 would require any entity that conducts business in the state and maintains the personal information of 500 or more individuals to provide meaningful notice of their use of personal information. The law would also prohibit unlawful discriminatory practices relating to targeted advertising.
  • S3162 would grant consumers the right to request that organizations disclose the categories of any specific personal information they collect, the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of third parties with which the information is shared.

Along with this flurry of legislative activity, State enforcement agencies have, in recent months, announced several notable data breach settlements. For instance, lender and mortgage servicer OneMain agreed to pay $4.25M to resolve a New York State Department of Financial Services enforcement action, and healthcare professional services provider PracticeFirst agreed to pay $550,000 – and to implement a variety of measures to bolster its data security program – to resolve an enforcement action by the State Attorney General.

As is evident from the above, organizations that collect and process personal information related to New York residents need to be proactive in managing their data privacy and security risk. The web of compliance obligations in this space is expanding quickly, and the consequences of non-compliance are becoming more and more significant.

Jackson Lewis will continue to monitor the fast-changing landscape in New York and similar developments across the country and internationally. If you have questions about New York’s proposed legislation or related issues, please reach out to a member of our Privacy, Data, and Cybersecurity practice group.

Unhappy consumers, including patients, are free to express dissatisfaction with services they receive from providers on popular social media or online review platforms, such as Yelp and Google. At least in the healthcare industry, providers must be very careful when responding, if they respond at all.

“OCR continues to receive complaints about health care providers disclosing their patients’ protected health information on social media or on the internet in response to negative reviews. Simply put, this is not allowed,” said OCR Director Melanie Fontes Rainer. “The HIPAA Privacy Rule expressly protects patients from this type of activity, which is a clear violation of both patient trust and the law. OCR will investigate and take action when we learn of such impermissible disclosures, no matter how large or small the organization.”

Yesterday, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with a New Jersey provider of adult and child psychiatric services. According to the settlement, the provider “impermissibly disclosed the PHI of four (4) patients in response to their negative reviews posted on Google Reviews.” OCR claimed that the provider included the complaining patient’s diagnosis and treatment of their mental health condition in the online response. The investigation that followed the complaint also revealed, according to the settlement materials, (i) responses by the provider to three other patients that included protected health information and (ii) that the practice’s written policies and procedures were not HIPAA compliant.

While not admitting any wrongdoing, the practice agreed to pay $30,000 to OCR and to implement a corrective action plan (CAP) to resolve the potential violations. As a practical matter, the monetary settlement may be less of a burden than the CAP. According to the settlement materials, the CAP requires that the practice:

  • be monitored for two years by OCR to ensure compliance with the HIPAA Privacy Rule,
  • develop, maintain, and revise written policies and procedures to comply with the HIPAA Privacy Rule,
  • train all members of its workforce, including owners and managers, on the organization’s policies and procedures,
  • issue breach notices to all individuals, or their personal representatives, whose protected health information is disclosed on any internet platform without a valid authorization, and
  • submit a breach report to HHS concerning individuals whose protected health information is disclosed on any internet platform without a valid authorization.

So, what should a small healthcare practice be doing to avoid a similar penalty and CAP?

  • Get compliant with HIPAA and maintain policies on disclosures in social media! HIPAA covered healthcare providers should have policies and procedures related to the disclosures of PHI and, more specifically, with regard to disclosures of PHI on social media.
  • Train staff (including healthcare providers and owners) concerning these policies. Policies alone may not be enough. The OCR also may ask for sign-in sheets showing staff attended the training, along with the materials that the training was based on.
  • Maintain a HIPAA Notice of Privacy Practice. At a minimum, this should be posted in the office and on the practice’s website, as applicable.
  • Monitor social media activity by staff. Understand the social media channels that the practice engages in and consider periodically monitoring public social media activity by staff.
  • Cooperate with the OCR. Covered entities should absolutely make their case to the OCR in defense of a compliance review or investigation. At the same time, being responsive to the agency’s requests can go a long way toward resolving the matter quickly and with minimal impact. Having experienced legal counsel versed in the HIPAA Privacy and Security Rules to guide the practice can be tremendously helpful.

On May 19, 2023, Montana’s Governor signed Senate Bill 384, the Consumer Data Privacy Act. Montana joins California, Colorado, Connecticut, Indiana, Iowa, Tennessee, Utah, and Virginia in enacting a comprehensive consumer privacy law. The law is scheduled to take effect on October 1, 2024.

When does the law apply?

The law applies to a person who conducts business in the state of Montana and:

  • Controls or processes the personal data of not less than 50,000 consumers (defined as Montana residents), excluding data controlled or processed solely to complete a payment transaction; or
  • Controls and processes the personal data of not less than 25,000 consumers and derives more than 25% of gross revenue from the sale of personal data.

Hereafter these covered persons are referred to as controllers.

The following entities are exempt from coverage under the law:

  • Body, authority, board, bureau, commission, district, or agency of this state or any political subdivision of this state;
  • Nonprofit organization;
  • Institution of higher education;
  • National securities association that is registered under 15 U.S.C. 78o-3 of the federal Securities Exchange Act of 1934;
  • A financial institution or an affiliate of a financial institution governed by Title V of the Gramm-Leach-Bliley Act;
  • Covered entity or business associate as defined in the privacy regulations of the federal Health Insurance Portability and Accountability Act (HIPAA).

Who is protected by the law?

Under the law, a protected consumer is defined as an individual who resides in the state of Montana.

However, the term consumer does not include an individual acting in a commercial or employment context or as an employee, owner, director, officer, or contractor of a company partnership, sole proprietorship, nonprofit, or government agency whose communications or transactions with the controller occur solely within the context of that individual’s role with the company, partnership, sole proprietorship, nonprofit, or government agency.

What data is protected by the law?

The statute protects personal data defined as information that is linked or reasonably linkable to an identified or identifiable individual.

There are several exemptions to protected personal data, including for data protected under HIPAA and other federal statutes.

What are the rights of consumers?

Under the new law, consumers have the right to:

  • Confirm whether a controller is processing the consumer’s personal data;
  • Access personal data processed by a controller;
  • Delete personal data;
  • Obtain a copy of personal data previously provided to a controller; and
  • Opt out of the processing of the consumer’s personal data for the purpose of targeted advertising, sales of personal data, and profiling in furtherance of solely automated decisions that produce legal or similarly significant effects.

What obligations do businesses have?

The controller shall comply with requests by a consumer set forth in the statute without undue delay but no later than 45 days after receipt of the request.

If a controller declines to act regarding a consumer’s request, the business shall inform the consumer without undue delay, but no later than 45 days after receipt of the request, of the reason for declining.

The controller shall also conduct and document a data protection assessment for each of their processing activities that present a heightened risk of harm to a consumer.

How is the law enforced?

Under the statute, the state attorney general has exclusive authority to enforce violations of the statute. There is no private right of action under Montana’s statute.

For additional information on Montana’s new privacy statute and other data privacy laws and regulations, please reach out to a member of our Privacy, Data, and Cybersecurity practice group.

Yesterday, New York’s Department of Financial Services (“DFS”) announced another enforcement action under the state’s Cybersecurity Requirements for Financial Services Companies, 23 N.Y.C.R.R. Part 500 (“Reg 500”). According to the press release, OneMain Financial Group LLC (“OneMain”) will pay a $4.25 million penalty to New York State for alleged violations of Reg 500.

In the Consent Order, DFS pointed to several provisions of Reg 500 for which it alleged OneMain came up short:

  • 23 NYCRR § 500.03: requires all covered entities to implement and maintain a cybersecurity policy that is based on the covered entity’s risk assessment and addresses business continuity and disaster recovery planning and resources;
  • 23 NYCRR § 500.07: requires covered entities to limit user access privileges to information systems that provide access to Nonpublic Information (“NPI”);
  • 23 NYCRR § 500.08: requires covered entities to implement and maintain policies and procedures to protect information systems and NPI during application development and quality assurance operations;
  • 23 NYCRR § 500.10(a)(3): requires covered entities to provide cybersecurity personnel with cybersecurity training and verify that key cybersecurity personnel take steps to maintain current knowledge of changing cybersecurity threats and countermeasures; and
  • 23 NYCRR § 500.11(a): requires covered entities to implement written policies and procedures that address, among other things, due diligence processes used to evaluate the adequacy of cybersecurity practices of third-party service providers.

These provisions of Reg 500 describe controls one might find in just about any cybersecurity framework, not just one focused on entities that provide financial services. For example, under the HIPAA Privacy and Security Rules, simply adopting a set of policies and procedures that address the standards under the Security Rule would be insufficient if they were not based on a risk assessment. That is, cybersecurity policies and procedures should reflect the threats and vulnerabilities to the organization identified in a risk assessment. Likewise, the New York SHIELD Act requires covered entities to “select[] service providers capable of maintaining appropriate safeguards,” not just require those safeguards by contract. The same is true for fiduciaries of ERISA-covered retirement plans – fiduciaries must exercise prudence in the selection of entities providing services to the plan.

Among the examples provided in the Consent Order was a folder containing passwords that was named “PASSWORDS.” DFS acknowledged the folder was encrypted and password protected, but cautioned that “anyone with access to that internal shared drive, which included personnel in OneMain’s call center, could rename, move, or delete the folder.” New York’s Attorney General recently released a guide for businesses on effective data security that addresses strong password hygiene.

Another area of concern cited by DFS was the management of third-party service providers. Having a written vendor assessment policy is not enough. According to DFS, the required due diligence to assess the cybersecurity risk of vendors must be performed timely. Allowing vendors to commence work prior to completing the assessment process is problematic. Also problematic is failing to adjust a cybersecurity risk score assigned to a third-party vendor after the vendor experiences a cybersecurity event that arguably warrants a change to its risk profile.

“This settlement demonstrates the Department’s ongoing dedication to upholding the responsibility of licensees, particularly those with access to personal financial information of consumers,” said Superintendent of Financial Services Adrienne A. Harris.

The Consent Order points out that it is not enough to establish a written cybersecurity program. That program must be actively managed and adjusted based on changing circumstances.

On May 11, 2023, Tennessee’s Governor signed Senate Bill 0073, the Tennessee Information Protection Act, making the state the eighth state to pass consumer privacy legislation. Tennessee joins California, Colorado, Connecticut, Indiana, Iowa, Utah, and Virginia, which have previously passed consumer privacy statutes.

Tennessee’s law will take effect July 1, 2025.

When does this law apply?

The law will apply to persons that conduct business in the state of Tennessee or produce products or services that are targeted to Tennessee residents and that:

  • During the calendar year, control or process personal information of at least 100,000 consumers; or,
  • Control or process the personal information of at least 25,000 consumers and derive more than 50% of gross revenue from the sale of personal information.

Covered persons hereafter are referred to as controllers.

Are there exemptions?

Entities not subject to the Act include the State of Tennessee and state agencies, financial institutions, HIPAA-covered entities and business associates, not-for-profit organizations, and institutions of higher education.

There also are several categories of personal information exempted from the Act, including without limitation personal information protected by the Family Educational Rights and Privacy Act (FERPA) and the Driver’s Privacy Protection Act.

Who is protected by the law?

Under the statute, individuals referred to as “consumers” are protected. A consumer is defined as a natural person who is a resident of the state of Tennessee and acts only in a personal context.

What personal information is protected by law?

Under the statute, personal information is protected, which includes:

  • Identifiers such as a real name, alias, unique identifier, online identifier, internet protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers;
  • Information that identifies, relates to, describes, or could be associated with a particular individual, including, but not limited to, signature, physical characteristics or description, address, telephone number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or other financial, medical, or health insurance information;
  • Characteristics of protected classifications under state or federal law;
  • Commercial information, including records of personal property, products, or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies;
  • Biometric data;
  • Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website, application, or advertisement;
  • Geolocation data;
  • Audio, electronic, visual, thermal, olfactory, or similar information;
  • Professional or employment-related information; and
  • Education information that is not publicly available information.

Personal information also includes “sensitive data” which means:

  • Personal information revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;
  • The processing of genetic or biometric data for the purpose of uniquely identifying a natural person;
  • The personal information collected from a known child; or
  • Precise geolocation data.

Personal information does not include information that is:

  • Publicly available; or
  • De-identified or aggregate consumer information.

What are the rights of consumers?

Under the statute, consumers have the right to:

  • Confirm whether a controller is processing the consumer’s personal information and to access the personal information.
  • Correct inaccuracies in the consumer’s personal information.
  • Delete personal information provided by or obtained about the consumer.
  • Obtain a copy of the consumer’s personal information that the consumer previously provided to the controller.
  • Request information about personal information the controller sold or disclosed to third parties.
  • Opt-out of the controller selling the personal information of the consumer.

What obligations do controllers and processors have?

Under the statute, a controller shall respond to requests from a consumer without undue delay, but no later than 45 days from the date of receipt of the request. If the controller declines to take action upon a consumer’s request, the controller shall inform the consumer without undue delay but no later than 45 days from receipt.

The controller is required to take certain steps to ensure transparency of its processing including:

  • Limit the collection of personal information to what is adequate, relevant, and reasonably necessary in relation to the purpose for which the data is processed;
  • Establish, implement, and maintain reasonable administrative, technical, and physical data security practices; and
  • Not process “sensitive data” without obtaining the consumer’s consent, provided that in the case of a child, the controller does so in accordance with the federal Children’s Online Privacy Protection Act.

Controllers shall conduct and document a data protection assessment of each of the following processing activities:

  • The processing of personal information for purposes of targeted advertising;
  • The sale of personal information;
  • The processing of personal information for purposes of profiling where the profiling presents a foreseeable risk;
  • The processing of sensitive data; and
  • Any processing of personal information that presents a heightened risk of harm to consumers.

Upon receipt of an authenticated consumer request, a controller must provide a “reasonably accessible, clear, and meaningful privacy notice” the contents of which are similar to but not as expansive as the California Consumer Privacy Act (CCPA).

With respect to processors, the Act requires they adhere to the instructions of controllers, such as assisting the controller with responding to consumer requests. Contracts between controllers and processors are required and must include certain provisions, such as (i) instructions for processing personal information, (ii) the nature, purpose, and duration of the processing, and (iii) the type of data subject to the processing. Other required provisions include (i) a requirement for processors to make available all information in the processor’s possession to demonstrate the processor’s compliance with the Act, (ii) cooperating with reasonable assessments of compliance by the controller (or arrange for a qualified and independent assessor), and (iii) obligating the processor to push the Act’s required provisions down to the processor’s subcontractors.

How is the law enforced?

The Tennessee Attorney General and Reporter has exclusive authority to enforce the statute, which may include bringing an action in a court of competent jurisdiction.

The Act requires controllers or processors to create, maintain, and comply with a written privacy program that reasonably conforms to the National Institute of Standards and Technology (NIST) privacy framework entitled “A Tool for Improving Privacy through Enterprise Risk Management Version 1.0.” Among the requirements for a privacy program is that it discloses the commercial purposes for which the controller or processor collects, controls, or processes personal information. Maintaining such a program is not only important for compliance purposes; it also provides an affirmative defense to a cause of action for a violation of the law.

For additional information on Tennessee’s new privacy statute and other data privacy laws and regulations, please reach out to a member of our Privacy, Data, and Cybersecurity practice group.