Section 47-18-3305 - [Effective 7/1/2025] Data controller responsibilities - Transparency(a) A controller shall: (1) Limit the collection of personal information to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the data is processed, as disclosed to the consumer;(2) Except as otherwise provided in this part, not process personal information for purposes that are beyond what is reasonably necessary to and compatible with the disclosed purposes for which the personal information is processed, as disclosed to the consumer, unless the controller obtains the consumer's consent;(3) Establish, implement, and maintain reasonable administrative, technical, and physical data security practices, as described in § 47-18-3314, to protect the confidentiality, integrity, and accessibility of personal information. The data security practices must be appropriate to the volume and nature of the personal information at issue;(4) Not be required to delete information that it maintains or uses as aggregate or de-identified data, provided that such data in the possession of the business is not linked to a specific consumer;(5) Not process personal information in violation of state and federal laws that prohibit unlawful discrimination against consumers. A controller shall not discriminate against a consumer for exercising the consumer rights contained in this part, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods and services to the consumer. However, this subdivision (a)(5) does not require a controller to provide a product or service that requires the personal information of a consumer that the controller does not collect or maintain, or prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the consumer has exercised the right to opt out pursuant to § 47-18-3304(a)(2)(F) or the offer is related to a consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program; and(6) Not process sensitive data concerning a consumer without obtaining the consumer's consent, or, in the case of the processing of sensitive data concerning a known child, without processing the data in accordance with the federal Children's Online Privacy Protection Act (15 U.S.C. § 6501 et seq.) and its implementing regulations.(b) A provision of a contract or agreement that purports to waive or limit the consumer rights described in § 47-18-3304 is contrary to public policy and is void and unenforceable.(c) A controller shall provide a reasonably accessible, clear, and meaningful privacy notice that includes: (1) The categories of personal information processed by the controller;(2) The purpose for processing personal information;(3) How consumers may exercise their consumer rights pursuant to § 47-18-3304, including how a consumer may appeal a controller's decision with regard to the consumer's request;(4) The categories of personal information that the controller sells to third parties, if any; and(5) The categories of third parties, if any, to whom the controller sells personal information.(d) If a controller sells personal information to third parties or processes personal information for targeted advertising, then the controller shall clearly and conspicuously disclose the processing, as well as the manner in which a consumer may exercise the right to opt out of the processing.(e)(1) A controller shall provide, and shall describe in a privacy notice, one (1) or more secure and reliable means for a consumer to submit a request to exercise the consumer rights in § 47-18-3304. Such means must take into account the: (A) Ways in which a consumer normally interacts with the controller;(B) Need for secure and reliable communication of such requests; and(C) Ability of a controller to authenticate the identity of the consumer making the request.(2) A controller shall not require a consumer to create a new account in order to exercise consumer rights in § 47-18-3304, but may require a consumer to use an existing account.Added by 2023 Tenn. Acts, ch. 408, s 2, eff. 7/1/2025.