352 | Tennessee Information Protection Act
(3) The sensitivity of the personal information processed;
(4) The cost and availability of tools to improve privacy protections and data governance; and
(5) Compliance with a comparable state or federal law.
(c)
(1) In addition to subsections (a) and (b):
(A)  A controller may be certified pursuant to the Asia Pacific Economic Cooperation’s Cross Border Privacy Rules
system; and
(B)  A processor may be certified pursuant to the Asia Pacific Economic Cooperation’s Privacy Recognition for Processors
system.
(2) Certifications under subdivision (c)(1) may be considered in addition to the factors in subsection (b).
SECTION 3.
If a provision of this act or its application to a person or circumstance is held invalid, then the invalidity does not affect other
provisions or applications of the act that can be given effect without the invalid provision or application, and to that end, the
provisions of this act are severable.
SECTION 4.
This act supersedes and preempts any conflicting provisions of any public or private act and laws, ordinances, resolutions,
regulations, or the equivalent adopted by a home rule municipality, county, including a metropolitan government, or city
regarding the processing of personal data by controllers or processors. To the extent there exists a conflict, this section does
not require the home rule municipality, county, or city to adopt any law, ordinance, resolution, regulation, or the equivalent
to modify or repeal such conflicting provisions enacted prior to the effective date of this act.
SECTION 5.
The headings in this act are for reference purposes only and do not constitute a part of the law enacted by this act. However,
the Tennessee Code Commission is requested to include the headings in any compilation or publication containing this act.
SECTION 6.
This act takes effect July 1, 2025, the public welfare requiring it.