[Effective 7/1/2025]

Terms Used In Tennessee Code 47-18-3305

  • Appeal: A request made after a trial, asking another court (usually the court of appeals) to decide whether the trial was conducted properly. To make such a request is "to appeal" or "to take an appeal." One who appeals is called the appellant.
  • Authenticate: means to verify using reasonable means that a consumer who is entitled to exercise the rights in §. See Tennessee Code 47-18-3302
  • Child: means a natural person younger than thirteen (13) years of age. See Tennessee Code 47-18-3302
  • Contract: A legal written agreement that becomes binding when signed.
  • Controller: means the natural or legal person that, alone or jointly with others, determines the purpose and means of processing personal information. See Tennessee Code 47-18-3302
  • De-identified data: means data that cannot reasonably be linked to an identified or identifiable natural person, or a device linked to that individual. See Tennessee Code 47-18-3302
  • Processing: means an operation or set of operations performed, whether by manual or automated means, on personal information or on sets of personal information, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal information. See Tennessee Code 47-18-3302
  • Sensitive data: means a category of personal information that includes:
    (A) Personal information revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status. See Tennessee Code 47-18-3302
  • State: when applied to the different parts of the United States, includes the District of Columbia and the several territories of the United States. See Tennessee Code 1-3-105

(a) A controller shall:

(1) Limit the collection of personal information to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the data is processed, as disclosed to the consumer;
(2) Except as otherwise provided in this part, not process personal information for purposes that are beyond what is reasonably necessary to and compatible with the disclosed purposes for which the personal information is processed, as disclosed to the consumer, unless the controller obtains the consumer’s consent;
(3) Establish, implement, and maintain reasonable administrative, technical, and physical data security practices, as described in § 47-18-3314, to protect the confidentiality, integrity, and accessibility of personal information. The data security practices must be appropriate to the volume and nature of the personal information at issue;
(4) Not be required to delete information that it maintains or uses as aggregate or de-identified data, provided that such data in the possession of the business is not linked to a specific consumer;
(5) Not process personal information in violation of state and federal laws that prohibit unlawful discrimination against consumers. A controller shall not discriminate against a consumer for exercising the consumer rights contained in this part, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods and services to the consumer. However, this subdivision (a)(5) does not require a controller to provide a product or service that requires the personal information of a consumer that the controller does not collect or maintain, or prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the consumer has exercised the right to opt out pursuant to § 47-18-3304(a)(2)(F) or the offer is related to a consumer’s voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program; and
(6) Not process sensitive data concerning a consumer without obtaining the consumer’s consent, or, in the case of the processing of sensitive data concerning a known child, without processing the data in accordance with the federal Children’s Online Privacy Protection Act (15 U.S.C. § 6501 et seq.) and its implementing regulations.
(b) A provision of a contract or agreement that purports to waive or limit the consumer rights described in § 47-18-3304 is contrary to public policy and is void and unenforceable.
(c) A controller shall provide a reasonably accessible, clear, and meaningful privacy notice that includes:

(1) The categories of personal information processed by the controller;
(2) The purpose for processing personal information;
(3) How consumers may exercise their consumer rights pursuant to § 47-18-3304, including how a consumer may appeal a controller’s decision with regard to the consumer’s request;
(4) The categories of personal information that the controller sells to third parties, if any; and
(5) The categories of third parties, if any, to whom the controller sells personal information.
(d) If a controller sells personal information to third parties or processes personal information for targeted advertising, then the controller shall clearly and conspicuously disclose the processing, as well as the manner in which a consumer may exercise the right to opt out of the processing.
(e)

(1) A controller shall provide, and shall describe in a privacy notice, one (1) or more secure and reliable means for a consumer to submit a request to exercise the consumer rights in § 47-18-3304. Such means must take into account the:

(A) Ways in which a consumer normally interacts with the controller;
(B) Need for secure and reliable communication of such requests; and
(C) Ability of a controller to authenticate the identity of the consumer making the request.
(2) A controller shall not require a consumer to create a new account in order to exercise consumer rights in § 47-18-3304, but may require a consumer to use an existing account.