Consumer Privacy Bill in Tennessee Raises Concerns, Sponsor Says It Solves Current Lack of Regulation

Consumer Privacy Bill in Tennessee Raises Concerns, Sponsor Says It Solves Current Lack of Regulation
A protester holds a sign during a demonstration calling for better consumer protection and online privacy outside of Facebook headquarters in Menlo Park, Calif., on April 5, 2018. Justin Sullivan/Getty Images
Chase Smith
Updated:
0:00
A bill in Tennessee with the intention of protecting consumers was set to be discussed in committees last week but due to time in the Senate and the sponsor requesting that discussion of the bill be held a week in the House, the bill has so far not moved anywhere. It is expected to be taken up again in committees on Tuesday, March 21.
The bill, the Tennessee Information Protection Act (pdf), would guard the personal data of Tennessee consumers from being abused by companies including big tech, the House sponsor Republican Rep. Johnny Garrett said in an interview with The Epoch Times.

While the bill is touted as a privacy protection measure, members of Friends of Hamilton, a citizen group that advocates for legislators following the Constitution, say the bill’s language might have the opposite effect of protecting Tennesseans from having their data used against them.

In committee last Tuesday, Rep. Garrett said he needed additional time to make amendments to the bill.

A spokesperson for the House Republican Caucus said, “Rep. Garrett is continuing to work with stakeholders, businesses, and consumers to make sure the language of the bill is in the best posture to secure its passage.” He added the amendment is only expected to include some minor changes to the bill as currently written.

The bill is sponsored in the Senate by Sen. Bo Watson (R) who did not respond to multiple email invitations for comment by The Epoch Times.

The Legislation

Rep. Garrett told The Epoch Times the legislation was inspired by privacy concerns of his young children and their friends.

“What’s out there that makes companies protect your data,” Garrett said he asked himself. “Come to find out, there’s nothing out there, this is sort of an unregulated space,” he said.

Garrett said other states such as Florida, Utah and Virginia have passed similar legislation to protect residents’ data online, which he calls “your virtual you.”

“This was born by figuring out how to make companies that engage in data collection and the sale of data ... somehow be regulated,” he said. “Somehow, you would have the ability to know what they’re collecting, that they’re keeping it protected, or if they transferred to somebody else or sell it to somebody else.

“This legislation makes companies have some guardrails in order to keep your data safe as you travel the internet.”

The Bill’s Exemptions

There are many companies or entities that would be exempted from the bill. However, Garrett said the exemptions exist because those entities may already be covered by different laws and regulations.

“The exemptions are there because there’s some industry like your healthcare, insurance, credit reporting agencies—they are already subject to federal laws that say how they must protect your data,” he explained. “And so, I don’t want them to be doubly regulated.”

As for how those entities would be covered if federal laws were theoretically removed, he said he was not worried as many laws, such as HIPAA (Health Insurance Portability and Accountability Act) and FERPA (Family Educational Rights and Privacy Act), are a standard that won’t be going anywhere.

“Now, you can go online and grab your data about your blood draw or whatever, that stuff is protected by HIPAA, so there’s no need to have another law to say they can’t share or sell that information.”

A woman checks her phone in Orem, Utah, on Nov.14, 2019. (Rick Bowmer/AP Photo)
A woman checks her phone in Orem, Utah, on Nov.14, 2019. Rick Bowmer/AP Photo

He added the protections are there for between “95-100 percent” of the exemptions in his bill.

“If there’s not already a state or federal law that covers your interaction with a business, that’s the purpose of this legislation: to cover those that aren’t already covered under some federal or state law,” he said. “That would be the purpose of this, is that [consumers] have rights and recourse to have [companies] delete their data, have [companies] give them a copy of their data, or to never sell or transfer their data.”

The mechanism of enforcement would be for consumers, if any company violates their rights under the statute, to contact the Tennessee Attorney General’s office who would then explore any potential claims on behalf of the individual.

There is no civil right of action for consumers, he said, but the AG’s office would be able to levy a $10,000 fine per occurrence against the company.

Concern About Exemptions and Social Credit Scores

Chris Matthews, founder and president of Friends of Hamilton, said the argument for including exemptions since they are covered by U.S. Code does not sit well with him.

“If something is indeed exempt by U.S. Code, it should just be referenced in the bill for each specific exemption,” he said in a phone interview with The Epoch Times. “I think they’re playing a shell game in there.”

Concerns brought forward by Matthews and Friends of Hamilton include exemptions related to: bodies, boards, commissions, agencies of the state, political subdivisions of the state, entities under the U.S. Department of Health and Human Services’ governance, non-profit organizations, and institutions of higher learning.

The group says for example in Chattanooga, Tennessee, the U.S. Department of Transportation, the City of Chattanooga, and the University of Tennessee at Chattanooga have partnered to install smart city cameras.

Under the legislation, they say, the City is exempted as well as UT Chattanooga from regulations under the bill.

“So all of the data obtained by them collectively or independently is fully exempt from this privacy bill,” Matthews said.

Another concern is an exemption for personal information, processed and related to “human subjects research conducted in accordance with good clinical practice guidelines issued by The International Council for Harmonization of Technical Requirements for Pharmaceuticals for Human Use.”

“International, harmonization, pharma, tech, humans: these are words that should never be together,” Matthews said.

Another exemption the group is concerned about is “the collection, maintenance, disclosure, sale, communication, or use of personal information bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency or furnisher that provides information for use in a consumer report, and by a user of a consumer report, but only to the extent that such activity is regulated by and authorized under the federal Fair Credit Reporting Act.”

The group views the language of this exemption in particular as being akin to a “social credit score.”

“Using all of the surveillance data to impart data for determining, using, and selling one’s social credit score would be legal and exempt from privacy law in Tennessee with the passage of this bill,” Matthews added.

Last Year’s Bill

A similar bill was proposed by Garrett last year but never made it to the House or Senate floor for a vote.

He said the biggest hurdle to the bill passing then was the business world being “a little bit fearful of the cost of complying with the regulations.”

He said the reason was because a California privacy law imposes regulations that are “extremely cumbersome … and very expensive” for companies to comply with. He said the bill needed to be reworked and legislators needed more education on the matter.

As far as costs for his proposed bill, Garrett said he didn’t see there being much of a cost for companies other than paying employees or possibly buying some software.

The Tennessee state capitol in Nashville, Tenn., on Aug. 31, 2018. (FaceMePLS via Wikimedia Commons/CC BY 2.0)
The Tennessee state capitol in Nashville, Tenn., on Aug. 31, 2018. FaceMePLS via Wikimedia Commons/CC BY 2.0
According to the Tennessee Cybersecurity and Data Privacy Law website, which offers legal advice for companies related to privacy breaches, the bill was introduced as an amendment to an existing bill dealing with campaign finance disclosures.

“[The Act] was proposed in the Tennessee State House of Representatives as an amendment to an existing bill dealing with campaign finance disclosures,” the group states in an overview.

The website also says the proposed amendment last year contains similar provisions as those found in the CCPA, California’s Privacy Law, and the CDPA, Virginia’s privacy law, “with an overall goal of protecting the data privacy of Tennessee consumers.”
The CDPA also includes many exemptions, but it differs from the Tennessee bill because it specifically states U.S. Code that covers the exemptions in the Virginia legislation.
The bill is set to be brought up again in committees in the House and Senate on Tuesday. The amended bill had yet to be filed on the Tennessee General Assembly website prior to the meeting on Monday.
Chase Smith
Chase Smith
Author
Chase is an award-winning journalist. He covers national news for The Epoch Times and is based out of Tennessee. For news tips, send Chase an email at [email protected] or connect with him on X.
twitter
Related Topics