Data Privacy Regulations

Terms of Use

This summary of regulations is provided for information purposes only.
No action based on this summary alone should be undertaken.
Each individual or entity must obtain appropriate guidance for its specific circumstances.


Did You Know?

  • New laws come into effect on July 1, 2016; see the CSR "Law Update" under Resources;
  • Data owners are responsible for breach reporting and notifications;
  • All notifications must be made within 45 days;
  • Notification to consumer reporting agencies may be required;
  • TN has data protection and disposal laws;
  • Other state laws, federal laws, industry regulations, and/or out-of-country laws may apply.

Who Me?


Tennessee breach and notification laws may apply if you are an information holder:

  • That conducts business in TN or is a TN agency, and owns or licenses computerized data that includes PII;
  • That maintains computerized data that includes PII.

 There are exemptions.

What is PII?


PII relevant to a breach in TN includes a person's name plus one of the following:

  • Social Security Number;
  • Driver license number;
  • Account number or credit or debit card number in combination with any security code, access code or password, etc. permitting access to the person's account.



A few applicable statutes include, but are not limited to:

Title 47 Commercial Instruments And Transactions / Chapter 18 Consumer Protection / Part 21 Identity Theft Deterrence (known as the "Tennessee Identity Theft Deterrence Act"):

47-18-2106 Violation of Tennessee Consumer Protection Act, and 47-18-2107 Release of personal consumer information.


A few related statutes include, but are not limited to:

TN has data protection and disposal laws: 

47-18-2110 Protecting social security numbers from disclosure.

39-14-150 Identity theft victims' rights, Section (g) 1-6.

There are additional laws for state agencies.



Any violation will be construed to constitute an unfair or deceptive act, subject to those penalties in addition to the penalties and remedies set forth for the Tennessee Consumer Protection Act, which includes civil action, monetary penalties, private right-of-action, and more.



Considerations for reporting requirements include, but are not limited to:

  • The combination of personal information breached;
  • If the data was computerized;
  • If it was acquired by an unauthorized person;
  • Whether the breach compromises the security, confidentiality, or integrity of the data.


Notification may be delayed if law enforcement advises the person it will interfere with an investigation; otherwise, the notification must be made immediately, but no later than forty-five (45) days from the day of discovery or notification of the breach.


Requires detailed information and potential provision of services

Notification may be required to the Consumer Protection Division of the Department of Consumer Affairs and all consumer reporting agencies. There are specific instructions on what should be included.

Disclosure may only be made by written notice, telephone or electronically, with stipulations. A substitute notice, with specific requirements, may be sent if the cost of the notice exceeds $250,000 or the number of persons to be notified exceeds 500,000 or they do not have sufficient contact information.

Contact the Privacy Experts at CSR