The United States enacted one of the first modern data privacy laws in the world with the enactment the Privacy Act of 1974. The proliferation of personal computers in the ensuing decades has propelled data privacy to dominate policy conversations around the world, at all levels of government. Today, data privacy has risen to one of the most discussed policy topics in Washington, despite the failure of Congress to pass federal parameters. As with many hot policy topics that Congress fails to address, data privacy policy conversations have trickled down to dominate state-level policy circles as states scramble to address the issue. Although only 3 states, California, Colorado, and Virginia, have enacted comprehensive data privacy legislation, a plethora of states have bills under consideration or will consider bills in their next session, including Tennessee.

In March 2021, House Republican Majority Whip Johnny Garrett, R-Goodlettsville, and Senate Judiciary Chairman Mike Bell, R-Riceville, proposed legislation seeking to protect “Tennesseans’ right to privacy and returns control of personal information back to consumers,” per a caucus press release from earlier this year. Ultimately, the bill was presented and left in each of its respective committees of jurisdiction to provide members additional time to engage with those affected and gain a greater grasp of the topic.

On Monday, November 8th, 2021, the 13-member Joint Ad Hoc Committee to Review Data Privacy convened to discuss the merits of the bill, and how it could be improved. Over a two-day span, members heard testimony from representatives on behalf of 8 different organizations. While each organization discussed various recommended alterations to the bill with members, there were 2 recommendations consistently vouched for by each: 1. data privacy should be addressed federally, 2. the private right of action (PRA) in the bill should be removed.

Testimony in favor of addressing data privacy at the federal level is primarily perpetuated by the boundary less nature of the internet and the additional compliance costs attached to state-by-state regulation. While discussing the cost implications on the private industry, witnesses cited the California Attorney General’s 2019 Economic Impact Assessment of the data privacy law, which estimated costs could total $55 billion for businesses.

The legislature is expected to continue fostering conversations with stake holders through the remainder of the year, before further amending the bill in the upcoming 2022 legislative session.