On Tuesday, the Tennessee Business Roundtable delivered testimony before the Joint Ad Hoc Committee to Review Data Privacy. Roundtable President Pat Sheehy outlined the organization's initial observations about draft comprehensive data privacy legislation developed in spring 2021 by St. Rep. Johnny Garrett and St. Sen. Mike Bell.
Highlights:
"Our organization’s top concern overall is that any new law in the area of data privacy policy should “first, do no harm” to Tennessee’s business climate."
"We would urge policy-makers to continue to move at a cautious pace which ensures that they, and consumers, and the businesses which are accountable to both can all continue to learn and act prudently in this important area."
"We agree with others who have said that the optimal solution to consumer data privacy challenges – both for our state’s businesses and for the consumers they serve – would be to have a single, fair, clear set of federal data privacy regulations."
"The number-one data privacy concern among our organization’s members at this point is that Tennessee must not create uncertainty, risk, exposure, and cost by creating a private right of action."
"To the extent possible, the definitions and requirements in any new Tennessee data privacy law should try to match those in other state laws which are currently the most favorable to regulated businesses."
"The exemptions under any Tennessee data privacy law for financial institutions and health providers...would be best scoped as entity-level exemptions..."
"We would recommend that any new Tennessee law should align with Colorado’s 60-day cure period for curing any alleged violations which may be noticed by the Attorney General."
"To comply effectively with any new state data privacy mandates, Tennessee businesses – especially those covered which have never before faced compliance obligations in other states - would need a significant amount of time...We would urge Tennessee’s policy-makers to provide our state’s businesses perhaps as much as 24 months from passage to prepare fully for compliance with what for many of them would be an entirely new law."
Read a full transcript of the Roundtable's Nov. 9 testimony below (or watch the video here beginning at the 48:53 mark):
Thank you, Chairman Garrett. My name is Pat Sheehy, and I am President of the Tennessee Business Roundtable. We have been in existence since late 1983, and are also a 501(c)(6) organization. We are comprised of about four dozen companies, from all areas of the state, in industries ranging from health care to finance to manufacturing and assembly, and also service businesses.
We would want to start by thanking the Lieutenant Governor, Speaker Sexton, and the co-chairs and this Committee for taking the time to review data privacy policy collaboratively with business and other Tennessee stakeholders. Our organization does not take a position either for or against the draft Tennessee Information Protection Act, and our membership does not include at this time any tech companies. I am not a data privacy expert; like many of the Committee members, our organization is continuing to learn about this issue and its implications. Although I therefore can’t address every aspect of the draft legislation at this point in time, on behalf of our members and Tennessee businesses, I can share several initial observations here today.
First, our organization’s top concern overall is that any new law in the area of data privacy policy should “first, do no harm” to Tennessee’s business climate. If our state government chooses to move forward into mandating new requirements in this area, we feel strongly that it should do so only in ways which do not create significant new costs and benefits and risks which burden our existing businesses or which would or could become barriers to new business investment in our state.
Adopting new law regulating data privacy would be an entirely new area of regulation for Tennessee. At this stage, our state’s leaders in both business and government are still developing foundational knowledge and expertise in this policy area, and we would urge policy-makers to continue to move at a cautious pace which ensures that they, and consumers, and the businesses which are accountable to both can all continue to learn and act prudently in this important area.
Many of our state’s larger businesses are already being forced to re-allocate significant financial and human resources to support their compliance with new data privacy laws enacted by California, Virginia and Colorado. This is starting to create a patchwork of conflicting state data privacy requirements which is becoming increasingly expensive for some Tennessee businesses – even before any regulation in that area by our state. We agree with others who have said that the optimal solution to consumer data privacy challenges – both for our state’s businesses and for the consumers they serve – would be to have a single, fair, clear set of federal data privacy regulations.
The number-one data privacy concern among our organization’s members at this point is that Tennessee must not create uncertainty, risk, exposure, and cost by creating a private right of action. A broad private right of action is not necessary to protect consumers, and would force regulated businesses to divert resources away from what’s really most important: making reasonable investments in the business processes, people and tools that are necessary to give Tennessee consumers awareness and control over the personal information they have and are giving to businesses.
Notably, neither the Virginia nor Colorado data privacy laws contain private rights of action. Tennessee has taken important steps to provide legal stability to our state’s businesses – notably, through the Tennessee Civil Justice Act of 2011, and more recently, the Tennessee COVID-19 Recovery Act. These types of protections are important to our state’s business climate, and we feel that the General Assembly should not move in the opposite direction by expanding our companies’ liability exposure within any comprehensive state data privacy legislation.
Number two, to the extent possible, the definitions and requirements in any new Tennessee data privacy law should try to match those in other state laws which are currently the most favorable to regulated businesses. This would ensure that whatever Tennessee may add to a growing patchwork of comprehensive state data privacy regulations does not inadvertently make our state any sort of a difficult jurisdiction for compliance and economic competitiveness, while delivering increased protection to our state’s consumers.
Number three, regarding exemptions, the consensus among our business members thus far is that the exemptions under any Tennessee data privacy law for financial institutions and health providers - who are subject to the federal Gramm-Leach-Bliley Act and HIPAA - would be best scoped as entity-level exemptions which include the affiliates, subsidiaries and business associates of those exempted entities. That kind of a scope would align very well with the exemptions adopted earlier this year by Virginia and Colorado. And as many others have noted in their testimony, alignment and consistency are important to reduce confusion, increase clarity, and to promote compliance by those who are regulated.
Fourth, regarding enforcement, we would agree that the state Attorney General should have exclusive authority to enforce any new comprehensive data privacy law which may be enacted. However, our members have told us that the “cure period” of 30 days as proposed in the latest draft of this could be very challenging to comply with, especially for smaller companies. We would recommend that any new Tennessee law should align with Colorado’s 60-day cure period for curing any alleged violations which may be noticed by the Attorney General.
Lastly, to comply effectively with any new state data privacy mandates, Tennessee businesses – especially those covered which have never before faced compliance obligations in other states - would need a significant amount of time. Even those which already have experience complying with other state mandates would need first to educate themselves about this new area of regulation, then determine whether they would be covered, inventory and sort out the consumer data that would be covered and not covered under a new Tennessee law, find technical and legal expertise, hire and train new compliance staff or contractors, perhaps even revise contracts and create new agreements with processors, re-allocate business resources to support compliance, and create multiple new compliance processes internally, including data protection assessments.
In line with the compliance timelines adopted by other states, we would urge Tennessee’s policy-makers to provide our state’s businesses perhaps as much as 24 months from passage to prepare fully for compliance with what for many of them would be an entirely new law. In addition, we would recommend that the effective date of any such legislation should be timed so as not to burden our state’s businesses – particularly retailers and other that have or control significant amounts of customer data – at the same time as the annual winter holidays. That was a point that was brought up in discussion with some of our members relative to compliance in other states.
Mr. Chairman, that concludes my opening remarks.