Tenn. Code § 47-18-3302

Current through Acts 2023-2024, ch. 1069
Section 47-18-3302 - [Effective 7/1/2025] Part definitions

As used in this part:

(1) "Affiliate" means a legal entity that controls, is controlled by, or is under common control with another legal entity or shares common branding with another legal entity. As used in this subdivision (1), "control" or "controlled" means:
(A) Ownership of, or the power to vote, more than fifty percent (50%) of the outstanding shares of a class of voting security of a company;
(B) Control in any manner over the election of a majority of the directors or of individuals exercising similar functions; or
(C) The power to exercise controlling influence over the management of a company;
(2) "Authenticate" means to verify using reasonable means that a consumer who is entitled to exercise the rights in § 47-18-3304, is the same consumer who is exercising those consumer rights with respect to the personal information at issue;
(3) "Biometric data":
(A) Means data generated by automatic measurement of an individual's biological characteristics, such as a fingerprint, voiceprint, eye retina or iris, or other unique biological patterns or characteristics that are used to identify a specific individual; and
(B) Does not include a physical or digital photograph, video recording, or audio recording or data generated from a photograph or video or audio recording; or information collected, used, or stored for healthcare treatment, payment, or operations under HIPAA;
(4) "Business associate" has the same meaning as defined by HIPAA;
(5) "Child" means a natural person younger than thirteen (13) years of age;
(6) "Consent":
(A) Means a clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to process personal information relating to the consumer; and
(B) May include a written statement, including a statement written by electronic means, or an unambiguous affirmative action;
(7) "Consumer":
(A) Means a natural person who is a resident of this state acting only in a personal context; and
(B) Does not include a natural person acting in a commercial or employment context;
(8) "Controller" means the natural or legal person that, alone or jointly with others, determines the purpose and means of processing personal information;
(9) "Covered entity" has the same meaning as defined by HIPAA;
(10) "Decisions that produce legal or similarly significant effects concerning the consumer" means decisions made by the controller that result in the provision or denial by the controller of financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunities, healthcare services, or access to basic necessities, such as food and water;
(11) "De-identified data" means data that cannot reasonably be linked to an identified or identifiable natural person, or a device linked to that individual;
(12) "Health record":
(A) Means a written, printed, or electronically recorded material that:
(i) Was created or is maintained by a healthcare entity described in or licensed under title 68 in the course of providing healthcare services to an individual; and
(ii) Concerns the individual and the services provided; and
(B) Includes the substance of a communication made by an individual to a healthcare entity described in or licensed under title 68 in confidence during or in connection with the provision of healthcare services or information otherwise acquired by the healthcare entity about an individual in confidence and in connection with the provision of healthcare services to the individual;
(13) "HIPAA" means the federal Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. § 1320d et seq.);
(14) "Identified or identifiable natural person," "natural person," and "individual" mean a human being who can be readily identified, whether directly or indirectly;
(15) "Institution of higher education" means a public or private institution of higher education;
(16) "Nonprofit organization" means:
(A) A corporation organized under the Tennessee Nonprofit Corporation Act, compiled in title 48, chapter 51;
(B) An organization exempt from taxation under the Internal Revenue Code, codified in 26 U.S.C. §§ 501-530;
(C) A public utility organized under the laws of this state; or
(D) An entity owned or controlled by a nonprofit organization;
(17) "Personal information":
(A) Means information that is linked or reasonably linkable to an identified or identifiable natural person; and
(B) Does not include information that is:
(i) Publicly available information; or
(ii) De-identified or aggregate consumer information;
(18) "Precise geolocation data":
(A) Means information derived from technology, including, but not limited to, global positioning system level latitude and longitude coordinates or other mechanisms, that directly identifies the specific location of a natural person with precision and accuracy within a radius of one thousand seven hundred fifty feet (1,750'); and
(B) Does not include:
(i) The content of communications; or
(ii) Data generated by or connected to advanced utility metering infrastructure systems or equipment for use by a utility;
(19) "Process" or "processing" means an operation or set of operations performed, whether by manual or automated means, on personal information or on sets of personal information, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal information;
(20) "Processor" means a natural or legal entity that processes personal information on behalf of a controller;
(21) "Profiling" means a form of solely automated processing performed on personal information to evaluate, analyze, or predict personal aspects related to an identified or identifiable natural person's economic situation, health, personal preferences, interests, reliability, behavior, location, or movements;
(22) "Protected health information" has the same meaning as defined by HIPAA;
(23) "Pseudonymous data" means personal information that cannot be attributed to a specific natural person without the use of additional information, so long as the additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal information is not attributed to an identified or identifiable natural person;
(24) "Publicly available information" means information that is lawfully made available through federal, state, or local government records, or information that a business has a reasonable basis to believe is lawfully made available to the general public through widely distributed media, by the consumer, or by a person to whom the consumer has disclosed the information, unless the consumer has restricted the information to a specific audience;
(25) "Sale of personal information":
(A) Means the exchange of personal information for valuable monetary consideration by the controller to a third party; and
(B) Does not include:
(i) The disclosure of personal information to a processor that processes the personal information on behalf of the controller;
(ii) The disclosure of personal information to a third party for purposes of providing a product or service requested by the consumer;
(iii) The disclosure or transfer of personal information to an affiliate of the controller;
(iv) The disclosure of information that the consumer:
(a) Intentionally made available to the general public via a channel of mass media; and
(b) Did not restrict to a specific audience; or
(v) The disclosure or transfer of personal information to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller's assets;
(26) "Sensitive data" means a category of personal information that includes:
(A) Personal information revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;
(B) The processing of genetic or biometric data for the purpose of uniquely identifying a natural person;
(C) The personal information collected from a known child; or
(D) Precise geolocation data;
(27) "State agency" means an agency, institution, board, bureau, commission, council, or instrumentality of state government in the executive branch;
(28) "Targeted advertising":
(A) Means displaying to a consumer an advertisement that is selected based on personal information obtained from that consumer's activities over time and across nonaffiliated websites or online applications to predict the consumer's preferences or interests; and
(B) Does not include:
(i) Advertisements based on activities within a controller's own websites or online applications;
(ii) Advertisements based on the context of a consumer's current search query, visit to a website, or online application;
(iii) Advertisements directed to a consumer in response to the consumer's request for information or feedback; or
(iv) Personal information processed solely for measuring or reporting advertising performance, reach, or frequency;
(29) "Third party" means a natural or legal person, public authority, agency, or body other than the consumer, controller, processor, or an affiliate of the processor or the controller; and
(30) "Trade secret" means information, without regard to form, including, but not limited to, technical, nontechnical, or financial data, a formula, pattern, compilation, program, device, method, technique, plan, or process, that:
(A) Derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable by proper means by, other persons who can obtain economic value from the information's disclosure or use; and
(B) Is the subject of efforts that are reasonable under the circumstances to maintain the information's secrecy.

T.C.A. § 47-18-3302

Added by 2023 Tenn. Acts, ch. 408, s 2, eff. 7/1/2025.