NASHVILLE, Tenn. (WKRN) — One Tennessee lawmaker has taken steps to protect Tennesseans’ digital information after witnessing how a young boy was taken advantage of online.
Rep. Johnny Garrett (R—Goodlettsville) filed HB1181, also dubbed the Tennessee Information Protection Act, which would make tech companies who use internet user data to disclose how they use it and for what purposes as well as give consumers a chance to opt out of their information being sold or used for targeted advertising, among other things.
Garrett told News 2 he knew of a young boy about his children’s age who was tricked by an online predator after that person gained access to his email address through the use. The ease by which the perpetrator was able to gain that kind of information was troubling to Garrett, who sought to limit how large companies like Facebook, TikTok, Instagram and others share consumers’ personal information.
According to the text of the bill, any “data controller” would be required to:
- Limit the collection of personal information;
- Not process personal information for purposes beyond what is reasonably necessary, unless they receive the consumer’s consent;
- Establish, implement, and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality of personal information;
- Not be required to delete information it maintains as aggregate or de-identified data, so long as it cannot be linked to an individual consumer;
- Nor process personal information in violation of state and federal laws; and
- Not process sensitive data concerning a consumer without their consent.
Further, if the company sells any personal information to a third party or processes the personal information for targeted advertising, they would be required to “clearly and conspicuously disclose” that processing, as well as how a consumer could opt out of such processing. Companies would also be required to provide a way for consumers to obtain a copy of the data collected by the company.
The bill would allow any violations of the law to be investigated and enforced by the Attorney General’s office, according to Garrett, as a way to ease the financial burden on any individual consumer. Violations are punishable by up to a $15,000 fine per violation as well as other court-imposed remedies, according to the bill.
According to Garrett, the goal of the bill was to protect consumer information while not becoming too burdensome on businesses in a business-friendly state.
“It’s as business friendly as we could make it so the businesses that we’re targeting can comply with the law, and it’s not a ridiculous expense for them to comply,” he told News 2. “It doesn’t prevent them from doing business.”
What he didn’t want to do, he said, was sweep up small businesses in with the legislation.
“If you’re a mom-and-pop pizza place, we’re not really interested in whatever data they’re collecting from their customers to make sure they have a customer list,” he said. “That’s not what this legislation is intended to do. It’s really intended to make sure when you travel through the internet universe that your ‘virtual you’ is protected.”
Tennessee is getting in on the ground floor with this type of legislation, according to Garrett.
“There are about four or five different states that have either passed legislation similar to this or are working on this legislation,” he said. Most of the language of his bill comes from California and Virginia, he added, though California’s contribution was primarily the definitions included in the bill.
“California’s law is very cumbersome, very expensive to comply with, and people have realized that,” he said. Instead, the bulk of the bill drew inspiration from Virginia.
Other states that have worked on similar legislation include Ohio and Utah, according to Garrett.
The House version of the bill was assigned to the Banking & Consumer Affairs Subcommittee in February, while the Senate version was referred to the Senate Commerce & Labor Committee in January.