Tennessee and Montana are now set to be the next two states with “omnibus” privacy legislation. “Omnibus” privacy legislation regulates personal information as a broad category, as opposed to data collected by a particular regulated business or collected for a specific purpose, like health information, financial or payment card information. As far as omnibus laws go, Tennessee and Montana are two additional data points informing the trend we are seeing at the state level regarding privacy and data protection. Fortunately (or unfortunately depending on your point of view) these two states have taken the model which was initiated by Virginia and Colorado instead of following the California model.
Is There Really Anything New?
While these two new laws may seem to be “more of the same”, the Tennessee law contains some new interesting approaches to the regulation of privacy and data protection. While we see the usual set of privacy obligations (notice requirements, rights of access and deletion, restrictions around targeted advertising and online behavioral advertising, et cetera) in both the Tennessee and Montana laws, Tennessee has taken the unusual step of building into its law specific guidance on how to actually develop and deploy a privacy program in the Tennessee Information Protection Act (“TIPA”).
Previously, privacy compliance programs have been structured in a wide variety of ways, mostly as a result of the operational necessities of various businesses. With Tennessee’s new law, we now see a state attempting to standardize how businesses develop and implement privacy programs with more clearly defined NIST standards, as opposed to the traditional, but nebulous concepts of “reasonableness” and “adequacy”.
NIST Privacy Framework
Tennessee’s law incorporates standardized compliance concepts by requiring the use of the National Institute of Standards and Technology (“NIST”) privacy framework entitled “a tool for improving privacy through enterprise risk management version 1.0”. More specifically, the TIPA states that “…a controller or processor shall create…” it’s privacy program using this framework. Unfortunately, it is unclear for now whether or not failure to use the NIST framework would actually constitute a violation of the law. One could potentially argue that if a program fulfills all of the obligations of the TIPA it should not matter what framework is used.
Part of the concern around a “mandatory” use of the NIST framework is that the framework is somewhat complicated to implement; and does not factor the size, capabilities, and processing risk activity of a particular organization. Since NIST intended the framework to cover a wide range of use cases and operational complexities, the framework is inherently complex. As a consequence, smaller and less mature organizations will likely struggle in implementing a privacy program under the NIST framework. This is particularly true since while NIST framework has various levels of maturity for a privacy program, the TIPA doesn’t articulate what “tier” of program maturity a controller needs to fulfill within the NIST framework to be compliant.
The whole issue of “mandatory v. permissive” use of the NIST framework is further muddied as a result of the TIPA giving an affirmative defense to controllers who use the NIST framework. If the NIST framework is oriented as an affirmative obligation, it would not be necessary to articulate the use of the NIST framework as an affirmative defense. In our opinion, Tennessee may have been better served by providing a safe harbor for privacy programs built under the NIST framework, as opposed to mandating that all programs must use the NIST framework. In any event, further clarity as to what constitutes “compliant” use of the NIST framework would be helpful.
Another useful concept which the TIPA introduced is the participation in a certification program acting as evidence of compliance with the law. While not truly being a “safe harbor”, controllers that participate in the Asia Pacific Economic Cooperation Forum (“APEC”) Cross-Border Privacy Rules (“CBPR”) system may have their certification under these rules operate as evidence of compliance with the TIPA. Outside of one specific federal privacy law (i.e. COPPA), neither the federal nor state privacy laws have officially recognized certification schemes as providing evidence of compliance with the relevant law.
In the end, while there may be confusion in some of the components of the TIPA, Tennessee can be commended for attempting to provide more commercially viable guidance on how to comply with the TIPA, at least from the perspective of building out a privacy program. Additionally, this is the first time in the United states we have seen the use of privacy certification schemas as legally relevant evidence of compliance. Privacy certification systems have been around for some time, but they have almost never been capable of demonstrating legal compliance.