Tennessee’s TIPA Takes Effect, Teledoc Must Face Wiretapping Claims, Plus Global Privacy Updates

Want to receive these privacy recaps in your inbox each week? Subscribe here.

United States

Tennessee Comprehensive Privacy Law to Take Effect

The Tennessee Information Protection Act (TIPA) goes into effect July 1, 2025, bringing the total number of states with active comprehensive privacy laws to 15, following California, Colorado, Connecticut, Delaware Florida, Iowa, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Texas, Utah and Virginia. Two more states, Minnesota (July 31) and Maryland (October 1) will take effect by the end of 2025, and Indiana, Kentucky, and Rhode Island will take effect January 1, 2026, bringing the total to 20 by the new year.

TAKEAWAY

TIPA will be the first comprehensive privacy law to provide an affirmative defense to a violation of the law if a business can show that it creates, maintains and complies with a written privacy policy that: (i) reasonably conforms to the National Institute of Standards and Technology (NIST) privacy framework (as updated) or a comparable framework and (ii) provides individuals with the substantive rights required by TIPA. Another notable element of the law is that, although it goes into effect July 1, 2025, data protection assessment requirements apply retroactively to all processing activities that were created or generated on or after July 1, 2024. A more comprehensive summary of TIPA’s requirements is available in an FAQ document published by the Tennessee Attorney General’s Office.

Wiretapping Claims Against Teledoc Overcome Motion to Dismiss

A U.S. District Judge in the Southern District of New York refused to dismiss several claims (including claims under California and federal wiretapping laws) against Teledoc based on the telehealth company’s installation of the Facebook Tracking Pixel and Conversion API on its website, which allegedly transmitted identifiable protected health information (including health conditions and diagnoses) to Facebook and other third parties for advertising purposes.

TAKEAWAY

This case highlights the importance of the nature of data in assessing risk of pixel litigation. Although the federal Wiretap Act allows for one-party consent (i.e., if one party to a communication agrees to the recording, it does not violate the law), there is a “criminal tortious” exemption to that rule, meaning that one-party consent is not a defense if the communication is intercepted for the purpose of a tortious or criminal act. That exemption was relevant in this case, where the judge found that Teledoc’s alleged knowing disclosure of protected health information without authorization for marketing purposes was sufficient to invoke the exemption due to the criminal liability imposed by HIPAA for wrongful disclosure of individually identifiable health information. The judge then found that, because the plaintiffs had plausibly stated a claim under the federal Wiretap Act, the Court must also find that the Plaintiffs likewise stated a claim under the California Invasion of Privacy Act, and denied a motion to dismiss under both claims. 

A LITTLE MORE PRIVACY, IF YOU PLEASE

• Connecticut Governor Signs Children’s Privacy Amendments
• Greece DPA Releases Annual Report, Noting that Infringements Are Still Observed

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.