United States of America: Introduced Tennessee Information Protection Act including data protection regulation (SB 73)

On 10 January 2023, the Tennessee Information Protection Act (Senate Bill 0073), which includes data protection regulation, was introduced in the Tennessee Senate. The Act would apply to business entities active in the state that, on an annual basis, either control or process personal information of at least 100,000 consumers, or control or process personal information of at least 25,000 consumers and derive more than 50% of gross revenue from the sale of personal information. The Act sets out data rights for consumers, including (i) access to personal information; (ii) data correction; (iii) data deletion; (iv) obtaining a copy of the consumer's personal information, among others. In addition, the Act includes obligations for data controllers, including abiding by principles of adequacy, relevance, and reasonable necessity in processing data, following laws prohibiting unfair discrimination against consumers, and obtaining consumer consent before processing sensitive personal data. Further, controllers would be required to carry out data protection assessments. The Tennessee Attorney General would be given authority to enforce the provisions of the Act.