Current through Acts 2023-2024, ch. 1069
Section 47-18-3314 - [Effective 7/1/2025] Affirmative defense - Voluntary privacy program

(a) A controller or processor has an affirmative defense to a cause of action for a violation of this part if the controller or processor creates, maintains, and complies with a written privacy policy that:
  (1)
    (A) Reasonably conforms to the National Institute of Standards and Technology (NIST) privacy framework entitled "A Tool for Improving Privacy through Enterprise Risk Management Version 1.0." or other documented policies, standards, and procedures designed to safeguard consumer privacy; and
    (B) Is updated to reasonably conform with a subsequent revision to the NIST or comparable privacy framework within two (2) years of the publication date stated in the most recent revision to the NIST or comparable privacy framework; and
  (2) Provides a person with the substantive rights required by this part.

(b) The scale and scope of a controller or processor's privacy program under subsection (a) is appropriate if it is based on all of the following factors:
  (1) The size and complexity of the controller or processor's business;
  (2) The nature and scope of the activities of the controller or processor;
  (3) The sensitivity of the personal information processed;
  (4) The cost and availability of tools to improve privacy protections and data governance; and
  (5) Compliance with a comparable state or federal law.

(c)
  (1) In addition to subsections (a) and (b):
    (A) A controller may be certified pursuant to the Asia Pacific Economic Cooperation's Cross Border Privacy Rules system; and
    (B) A processor may be certified pursuant to the Asia Pacific Economic Cooperation's Privacy Recognition for Processors system.
  (2) Certifications under subdivision (c)(1) may be considered in addition to the factors in subsection (b).

Added by 2023 Tenn. Acts, ch. 408, s 2, eff. 7/1/2025.