[Effective 7/1/2025]

(a) A controller or processor has an affirmative defense to a cause of action for a violation of this part if the controller or processor creates, maintains, and complies with a written privacy policy that:

    (1)
        (A) Reasonably conforms to the National Institute of Standards and Technology (NIST) privacy framework entitled “A Tool for Improving Privacy through Enterprise Risk Management Version 1.0.” or other documented policies, standards, and procedures designed to safeguard consumer privacy; and
        (B) Is updated to reasonably conform with a subsequent revision to the NIST or comparable privacy framework within two (2) years of the publication date stated in the most recent revision to the NIST or comparable privacy framework; and
    (2) Provides a person with the substantive rights required by this part.

(b) The scale and scope of a controller or processor’s privacy program under subsection (a) is appropriate if it is based on all of the following factors:

    (1) The size and complexity of the controller or processor’s business;
    (2) The nature and scope of the activities of the controller or processor;
    (3) The sensitivity of the personal information processed;
    (4) The cost and availability of tools to improve privacy protections and data governance; and
    (5) Compliance with a comparable state or federal law.

(c)
    (1) In addition to subsections (a) and (b):
        (A) A controller may be certified pursuant to the Asia Pacific Economic Cooperation’s Cross Border Privacy Rules system; and
        (B) A processor may be certified pursuant to the Asia Pacific Economic Cooperation’s Privacy Recognition for Processors system.
    (2) Certifications under subdivision (c)(1) may be considered in addition to the factors in subsection (b).

Terms Used In Tennessee Code 47-18-3314

  • Controller: means the natural or legal person that, alone or jointly with others, determines the purpose and means of processing personal information. See Tennessee Code 47-18-3302
  • Person: means a natural person, consumer, individual, governmental agency, partnership, corporation, trust, estate, incorporated or unincorporated association, and any other legal or commercial entity however organized. See Tennessee Code 47-18-2102
  • Processor: means a natural or legal entity that processes personal information on behalf of a controller. See Tennessee Code 47-18-3302
  • State: when applied to the different parts of the United States, includes the District of Columbia and the several territories of the United States. See Tennessee Code 1-3-105
  • Written: includes printing, typewriting, engraving, lithography, and any other mode of representing words and letters. See Tennessee Code 1-3-105