Can I store personal information about my customers in Tennessee? What are the requirements?

Storing Personal Information in Tennessee

Yes, you can store personal information about your customers in Tennessee, but you must comply with the state’s privacy regulations. The Tennessee Nonpublic Personal Information Protection Act (NPIPA) regulates the collection, use, and disclosure of nonpublic personal information by licensees.

Under TNRR Section 0780-1-72-.06, a licensee must provide a clear and conspicuous notice to customers that accurately reflects its privacy policies and practices not less than annually during the continuation of the customer relationship. The licensee must define the twelve (12) consecutive month period, but the licensee shall apply it to the customer on a consistent basis.

TNRR Section 0780-1-72-.11 limits the disclosure of nonpublic personal information to nonaffiliated third parties. A licensee may not disclose any nonpublic personal information about a consumer to a nonaffiliated third party unless the licensee has provided to the consumer an initial notice as required under Section 0780-1-72-.05, an opt-out notice as required in Section 0780-1-72-.08, and given the consumer a reasonable opportunity to opt-out of the disclosure.

TNRR Section 0780-1-72-.14 provides an exception to opt-out requirements for disclosure of nonpublic personal information for service providers and joint marketing. The opt-out requirements in Sections 0780-1-72-.08 and 0780-1-72-.11 do not apply when a licensee provides nonpublic personal information to a nonaffiliated third party to perform services for the licensee or functions on the licensee’s behalf, if the licensee provides the initial notice in accordance with Section 0780-1-72-.05 and enters into a contractual agreement with the third party that prohibits the third party from disclosing or using the information other than to carry out the purposes for which the licensee disclosed the information.

TNRR Section 0780-1-72-.15 provides exceptions to notice and opt-out requirements for disclosure of nonpublic personal information for processing and servicing transactions. The requirements for initial notice in Section 0780-1-72-.05(1)(b), the opt-out in Sections 0780-1-72-.08 and 0780-1-72-.11, and service providers and joint marketing in Section 0780-1-72-.14 do not apply if the licensee discloses nonpublic personal information as necessary to effect, administer or enforce a transaction that a consumer requests or authorizes.

TNRR Section 0780-1-72-.16 provides other exceptions to notice and opt-out requirements for disclosure of nonpublic personal information. The requirements for initial notice to consumers in Section 0780-1-72-.05(a)(b), the opt-out in Sections 0780-1-72-.08 and 0780-1-72-.11, and service providers and joint marketing in Section 0780-1-72-.14 do not apply when a licensee discloses nonpublic personal information with the consent or at the direction of the consumer, provided that the consumer has not revoked the consent or direction, to protect the confidentiality or security of a licensee’s records pertaining to the consumer, service, product or transaction, to protect against or prevent actual or potential fraud or unauthorized transactions, for required institutional risk control or for resolving consumer disputes or inquiries, to persons holding a legal or beneficial interest relating to the consumer, or to persons acting in a fiduciary or representative capacity on behalf of the consumer.

In summary, you can store personal information about your customers in Tennessee, but you must provide an annual privacy notice, give customers a reasonable opportunity to opt-out of disclosure, and comply with the NPIPA regulations. There are exceptions to notice and opt-out requirements for disclosure of nonpublic personal information for processing and servicing transactions and other exceptions to notice and opt-out requirements for disclosure of nonpublic personal information.

^{[1.1][1.2][1.3][1.4][1.5][1.6]}

Source(s):

• [1.1] ANNUAL PRIVACY NOTICES TO CUSTOMERS REQUIRED
• [1.2] OTHER EXCEPTIONS TO NOTICE AND OPT OUT REQUIREMENTS FOR DISCLOSURE OF NONPUBLIC PERSONAL INFORMATION
• [1.3] LIMITS ON REDISCLOSURE AND REUSE OF NONPUBLIC PERSONAL INFORMATION
• [1.4] EXCEPTIONS TO NOTICE AND OPT OUT REQUIREMENTS FOR DISCLOSURE OF NONPUBLIC PERSONAL INFORMATION FOR PROCESSING AND SERVICING TRANSACTIONS
• [1.5] EXCEPTION TO OPT OUT REQUIREMENTS FOR DISCLOSURE OF NONPUBLIC PERSONAL INFORMATION FOR SERVICE PROVIDERS AND JOINT MARKETING
• [1.6] LIMITS ON DISCLOSURE OF NONPUBLIC PERSONAL INFORMATION TO NONAFFILIATED THIRD PARTIES

Jurisdiction

Tennessee

• Privacy