(3) The sensitivity of the personal information processed;
(4) The cost and availability of tools to improve privacy protections and data governance; and
(5) Compliance with a comparable state or federal law.
(c)
(1) In addition to subsections (a) and (b):
(A)  A controller may be certified pursuant to the Asia Pacific Economic Cooperation’s Cross Border Privacy Rules
system; and
(B)  A processor may be certified pursuant to the Asia Pacific Economic Cooperation’s Privacy Recognition for Processors
system.
(2) Certifications under subdivision (c)(1) may be considered in addition to the factors in subsection (b).
§ 47-18-3315. Supersedence and preemption of conflicting provisions
This part supersedes and preempts any conflicting provisions of any public or private act and laws, ordinances, resolutions,
regulations, or the equivalent adopted by a home rule municipality, county, including a metropolitan government, or city re-
garding the processing of personal data by controllers or processors. To the extent there exists a conflict, this section does
not require the home rule municipality, county, or city to adopt any law, ordinance, resolution, regulation, or the equivalent
to modify or repeal such conflicting provisions enacted prior to July 1, 2025.
403 | Tennessee Information Protection Act