Earlier this month, Gov. Bill Lee signed into law the Tennessee Information Protection Act, which by 2025 will establish a data privacy regime in the state.
Roy Wyman, a Bass, Berry & Sims member who advises businesses on data privacy and cybersecurity matters, spoke with the Post about the law.
How would you summarize the scope of the legislation?
It impacts generally larger employers. We're talking about $25 million in global revenues. For them, it's going to require that they meet certain privacy requirements that are also out there in other states. It would impact anybody who's processing personal information, usually of 175,000 Tennessee residents, or if you're getting most of your revenue from selling personal information. If you fit into those buckets, it will have some specific requirements around providing notice. The big ones are going to be that you are subject to certain consumer rights. Individuals in Tennessee will be able to request that you delete their information if you aren't specifically using it to provide a service. Right to correct. Right to a copy in a portable format. If there are any denials, individuals have a right to appeal. Right to opt out. That's going to impact a lot, especially around marketing.
If I click on a website, and that website loads up cookies on my machine that then share the information with Meta/Facebook or Google Analytics, that's then used in order to offer up advertisements when I go to other sites. I visit a site for the local shoe store, and then when I go to my Facebook page I get an ad for shoes. Those I will now have a right to opt out of. That can get pretty complex because the website that I visit doesn't know who I am, other than my IP address. That opt-out, what it ends up doing is forcing cookie banners.
So that's how consumers are going to experience this?
That's likely how consumers are going to experience this. If you ask the legislature, they'll say, "No, we didn't require cookie banners." But they did without knowing it.
Is this still piecemeal across the states, where businesses are having to comply with different but related rules? Would a federal policy be more efficient?
That's exactly right. This is creating a situation where you have nine different states that are similar, but none of them are identical. It's becoming very complex. The difficulties are really not worth the differences. The costs to businesses are often in the millions of dollars just to try to comply with these things.
What should these companies be doing between now and when this goes into effect in two years?
Something they're going to need to do in the next year is start doing data processing impact assessments or data privacy impact assessments. That's looking at how we use data. Are any of them ones where it could impact the privacy of individuals' information? For each of those where it could, we need to weigh: does the use make sense given the risk, and what can we do to mitigate those risks? They'll need to have a process in place and make sure all their new uses of personal information go through that process, which is a cultural change. That's going to impact marketing, that's going to impact IT. That's going to impact contracts. That's going to impact any areas that deal with personal information.
The other interesting thing, and this is unique to Tennessee, is that they created an exception for companies that comply with NIST, what government contractors have to comply with. If your company has a process in place that complies with NIST or something similar, then it's a little bit of a get-out-of-jail-free card. How much of a get-out-of-jail-free card it is, we still don't really know. That's going to be open to interpretation. Those are the two things I would be looking at now: putting in place that process for the privacy impact assessments, and seeing whether we comply with NIST and whether it's worth it in order to have that exemption.
You're coming at this from the perspective of the businesses, but do you see any consumer benefit to this?
For the most part, I don't see this as much of a benefit to consumers as it should have been. I would label this as a bit of a missed opportunity. There are ways of writing these statutes, and everybody keeps following the same template. There's always a requirement for a privacy notice, but nobody reads them except plaintiffs' attorneys and regulators. There are concepts in here like a controller versus a processor. The controller is the business; the processor is the contractor, the vendor that's handling information. If I'm a consumer, I don't care if you're a controller or a processor. All I want to know is, do you have my information and are you protecting it, or are you selling it? Why not just say here are things that we generally think are OK, here are things that are not, and here on the margins maybe you let people choose? Setting a standard for everybody would have made more sense. People don't exercise their rights because they don't understand them. We could have made it simpler.
Do you think it would be more effective if handled at the federal level?
It depends on what would have been done at the federal level. I think it would have been simpler in this sense: Right now, for the larger entities, they have so many regimes they have to comply with that it becomes impossible. In the U.S., you're looking at a situation where we very well could end up with 51 different applicable laws rather than one. Even a bad law that was at least uniform would be better. Each state is having a very broad impact outside of its borders with these laws, and we really haven't thought through how we deal with that.