CONTENTS
6-48.1-4. Processing of information. . ......................................................................................................................................................................... 378
6-48.1-5. Customer rights. . ........................................................................................................................................................................................... 379
6-48.1-6. Exercising customer rights. . ....................................................................................................................................................................... 380
6-48.1-7. Controller and processor responsibilities. ............................................................................................................................................... 381
6-48.1-8. Violations. . ...................................................................................................................................................................................................... 385
6-48.1-9. Waivers - Severability................................................................................................................................................................................... 385
6-48.1-10. Construction. . .............................................................................................................................................................................................. 385
SECTION 3. This act shall take effect on January 1, 2026. ................................................................................................................................ 386
Tennessee Information Protection Act .................................................................................................................................................. 387
§ 47-18-3301. Part title. ................................................................................................................................................................................................. 388
§ 47-18-3302. Part definitions . .................................................................................................................................................................................... 388
§ 47-18-3303. Scope . ..................................................................................................................................................................................................... 392
§ 47-18-3304. Personal information rights--Consumers . ...................................................................................................................................... 392
§ 47-18-3305. Data controller responsibilities--Transparency . ............................................................................................................................ 393
§ 47-18-3306. Responsibility according to role--Controller and processor ...................................................................................................... 395
§ 47-18-3307. Data protection assessments ........................................................................................................................................................... 396
§ 47-18-3308. Processing de-identified data--Exemptions . ................................................................................................................................ 397
§ 47-18-3309. Limitations ............................................................................................................................................................................................ 397
§ 47-18-3310. Investigative authority ....................................................................................................................................................................... 399
§ 47-18-3311. Exemptions ........................................................................................................................................................................................... 399
§ 47-18-3312. Contracts . .............................................................................................................................................................................................. 401
§ 47-18-3313. Enforcement--Civil penalty--Expenses .......................................................................................................................................... 401
§ 47-18-3314. Affirmative defense--Voluntary privacy program . ........................................................................................................................ 402
§ 47-18-3315. Supersedence and preemption of conflicting provisions . .......................................................................................................... 403
Texas Data Privacy and Security Act....................................................................................................................................................... 404
SUBCHAPTER A. GENERAL PROVISIONS............................................................................................................................................................ 405
Sec. 541.001. DEFINITIONS. ....................................................................................................................................................................................... 405
Sec. 541.002. APPLICABILITY OF CHAPTER. ......................................................................................................................................................... 409
Sec. 541.003. CERTAIN INFORMATION EXEMPT FROM CHAPTER. .............................................................................................................. 409
Sec. 541.004. INAPPLICABILITY OF CHAPTER. . .................................................................................................................................................... 410
Sec. 541.005. EFFECT OF COMPLIANCE WITH PARENTAL CONSENT REQUIREMENTS UNDER CERTAIN FEDERAL LAW. . ....... 410
SUBCHAPTER B. CONSUMER ’S RIGHTS............................................................................................................................................................. 411
Sec. 541.051. CONSUMER ’S PERSONAL DATA RIGHTS; REQUEST TO EXERCISE RIGHTS. ................................................................... 411
Sec. 541.052. CONTROLLER RESPONSE TO CONSUMER REQUEST. ............................................................................................................ 411
Sec. 541.053. APPEAL. .................................................................................................................................................................................................. 412
Sec. 541.054. WAIVER OR LIMITATION OF CONSUMER RIGHTS PROHIBITED. . ....................................................................................... 412
Sec. 541.055. METHODS FOR SUBMITTING CONSUMER REQUESTS........................................................................................................... 412
SUBCHAPTER C. CONTROLLER AND PROCESSOR DATA-RELATED DUTIES AND PROHIBITIONS................................................. 413
Sec. 541.101. CONTROLLER DUTIES; TRANSPARENCY. . ................................................................................................................................... 413
Sec. 541.102.AAPRIVACY NOTICE. ........................................................................................................................................................................... 414
Sec. 541.103. SALE OF DATA TO THIRD PARTIES AND PROCESSING DATA FOR TARGETED ADVERTISING; DISCLOSURE. . ...... 414
Sec. 541.104. DUTIES OF PROCESSOR. .................................................................................................................................................................. 414
Sec. 541.105. DATA PROTECTION ASSESSMENTS. ............................................................................................................................................. 415
Sec. 541.106. DEIDENTIFIED OR PSEUDONYMOUS DATA. ............................................................................................................................. 416
Sec. 541.107. REQUIREMENTS FOR SMALL BUSINESSES. . ............................................................................................................................... 417
14 | General Privacy Laws Deskbook: US State Laws and GDPR