Section 47-18-3304 - [Effective 7/1/2025] Personal information rights - Consumers(a)(1) A consumer may invoke the consumer rights authorized pursuant to subdivision (a)(2) at any time by submitting a request to a controller specifying the consumer rights the consumer wishes to invoke. A known child's parent or legal guardian may invoke the consumer rights authorized pursuant to subdivision (a)(2) on behalf of the child regarding processing personal information belonging to the known child.(2) A controller shall comply with an authenticated consumer request to exercise the right to: (A) Confirm whether a controller is processing the consumer's personal information and to access the personal information;(B) Correct inaccuracies in the consumer's personal information, taking into account the nature of the personal information and the purposes of the processing of the consumer's personal information;(C) Delete personal information provided by or obtained about the consumer. A controller is not required to delete information that it maintains or uses as aggregate or de-identified data; provided, that such data in the possession of the controller is not linked to a specific consumer. A controller that obtained personal information about a consumer from a source other than the consumer is in compliance with a consumer's request to delete such personal information by: (i)(a) Retaining a record of the deletion request and the minimum information necessary for the purpose of ensuring that the consumer's personal information remains deleted from the controller's records; and(b) Not using such retained personal information for any purpose prohibited under this part; or(ii) Opting the consumer out of the processing of such personal data for any purpose except for those exempted under this part;(D) Obtain a copy of the consumer's personal information that the consumer previously provided to the controller in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means; or(E) Opt out of a controller's processing of personal information for purposes of:(i) Selling personal information about the consumer;(ii) Targeted advertising; or(iii) Profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.(b) Except as otherwise provided in this part, a controller shall comply with an authenticated request by a consumer to exercise the consumer rights authorized pursuant to subdivision (a)(2) as follows:(1) A controller shall respond to the consumer without undue delay, but in all cases within forty-five (45) days of receipt of a request submitted pursuant to subsection (a). The response period may be extended once by forty-five (45) additional days when reasonably necessary, taking into account the complexity and number of the consumer's requests, so long as the controller informs the consumer of the extension within the initial forty-five-day response period, together with the reason for the extension;(2) If a controller declines to take action regarding the consumer's request, then the controller shall inform the consumer without undue delay, but in all cases and at the latest within forty-five (45) days of receipt of the request, of the justification for declining to take action and instructions for how to appeal the decision pursuant to subsection (c);(3) Information provided in response to a consumer request must be provided by a controller free of charge, up to twice annually per consumer. If requests from a consumer are manifestly unfounded, technically infeasible, excessive, or repetitive, then the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The controller bears the burden of demonstrating the manifestly unfounded, technically infeasible, excessive, or repetitive nature of the request; and(4) If a controller is unable to authenticate the request using commercially reasonable efforts, then the controller is not required to comply with a request to initiate an action under subsection (a) and may request that the consumer provide additional information reasonably necessary to authenticate the consumer and the consumer's request.(c) A controller shall establish a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable period of time after the consumer's receipt of the decision pursuant to subdivision (b)(2). The appeal process must be made available to the consumer in a conspicuous manner, must be available at no cost to the consumer, and must be similar to the process for submitting requests to initiate action pursuant to subsection (a). Within sixty (60) days of receipt of an appeal, a controller shall inform the consumer in writing of action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, then the controller shall also provide the consumer with an online mechanism, if available, or other method through which the consumer may contact the attorney general and reporter to submit a complaint.Added by 2023 Tenn. Acts, ch. 408, s 2, eff. 7/1/2025.