
Tennessee has entered the consumer privacy playing field with the Tennessee Information Protection Act (TIPA), joining a growing cohort of American states that refuse to wait for a privacy law at the federal level. 

Signed into law in May 2023, the Tennessee privacy law takes effect July 1, 2025, giving businesses just over two years to prepare for the new requirements.  

Here, we’ll provide all the basics about the Tennessee Information Protection Act, including who it applies to, what rights it gives consumers, and how to become compliant with the state law.  

What Is the Tennessee Information Protection Act? 

The Tennessee Information Protection Act is one in a series of state-enacted consumer data protection laws. While some countries—notably those in the European Union—have an overarching law spanning multiple jurisdictions, the United States does not.  

As the amount of consumer data available online has grown, many state lawmakers have realized the importance of providing guardrails for consumers in their states.  

The TIPA is Tennessee’s approach to protecting the privacy and personal data of its more than 7 million residents. It establishes the rights consumers have related to their data and governs responsibilities for those who have access to, maintain, use, or sell personal data. Like most other privacy laws, the TIPA applies to consumers acting in a personal context rather than a commercial or employment context.   

Scope of TIPA—Who Must Comply?  

You’ll need to comply with Tennessee’s privacy law if your organization exceeds $25 million in annual revenue, conducts business in the state or provides products or services that are targeted to residents of the state, and meets one or more of the following:   

  • During a calendar year, controls or processes personal information of at least 175,000 consumers. 
  • Controls or processes personal information of at least 25,000 consumers and derives more than 50 percent of gross revenue from the sale of personal information. 

But There Are Exceptions 

Like other state laws, the TIPA carves out a number of exemptions, both at the entity and the data level. 

State agencies, financial institutions and other entities subject to the federal Gramm-Leach-Bliley Act, and insurance companies are exempt from compliance. Notably, TIPA is the first state privacy law to exempt insurance companies at the entity level. 

In addition, covered entities and business associates governed by the privacy, security, and breach notification rules issued by the U.S. Department of Health and Human Services under HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act are exempt. Other exemptions cover nonprofit organizations and institutions of higher education at the entity level, and, at the data level, protected health information under HIPAA, certain other health data, and personal information processed for research.   

De-identified data is also excluded from the definition of personal data. 

Consumer Rights Protected by Tennessee’s Privacy Law 

The TIPA defines personal information much as other state laws do, namely as “information that is linked or reasonably linkable to an identified or identifiable natural person.” The definition does not include publicly available information or de-identified or aggregate consumer information.  

Like other state privacy laws, Tennessee’s privacy law outlines a number of consumer rights, including the right to: 

  • Confirm whether a controller is processing the consumer's personal information and to access the personal information.  
  • Correct inaccuracies in the consumer's personal information, “taking into account the nature of the personal information and the purposes of the processing of the consumer's personal information.”  
  • Delete personal information provided by or obtained about the consumer unless it is aggregated or de-identified data.  
  • Obtain a copy of personal information previously provided to the controller in a portable and readily usable format. 
  • Opt out of a controller’s processing of personal information for the purposes of selling it to a third party, targeted advertising, or profiling. 

When a consumer makes a request, you’ll have 45 days to respond. A 45-day extension is allowed in certain instances, provided the consumer is informed of the extension and the reason it is needed. If you decline to take action, you must still notify the consumer and provide instructions for how to appeal the decision.  

Information must be provided free of charge up to twice annually. Beyond that, the TIPA allows the controller to charge a “reasonable fee” to cover the administrative costs of complying with a request, but only when requests are unfounded, technically infeasible, excessive, or repetitive. 

Other Data Controller Responsibilities Outlined in TIPA 

If your organization determines the purpose and means behind personal information processing (i.e., if you’re a “data controller”), then you’ll have a veritable laundry list of responsibilities to follow. You must: 

  • Adhere to data minimization and purpose limitation principles (that is, limit the collection and processing of personal information to what is adequate, relevant, and reasonably necessary for your intended purpose). 
  • Establish administrative, technical, and physical data security practices. 
  • Not process personal information that results in discrimination against consumers or discriminate against a consumer for exercising their rights.   
  • Not process sensitive data concerning a consumer without first obtaining the consumer’s consent. If a controller processes sensitive data concerning a known child, it must be processed in accordance with the Children’s Online Privacy Protection Act (COPPA).  
  • Respond to consumer rights requests, as outlined above. 
  • Conduct a data protection assessment for processing personal information for certain risky activities, like targeted advertising, the sale of information, processing sensitive data, and more.   

In addition, you’ll be responsible for providing a reasonably accessible, clear and meaningful privacy notice to consumers. You’ll want to include information like: 

  • The categories of personal information you process. 
  • The purpose for processing. 
  • How consumers can exercise their rights. 
  • Categories of information you sell to third parties. 
  • Categories of third parties to which you sell personal information.  

As is the case with other state-level privacy laws, the Tennessee act requires controllers to enter into a contract with any entity that processes personal information on behalf of a controller. In essence, this contract is meant to ensure processors provide an equal level of protection over consumer data and assist controllers in fulfilling their responsibilities. 


What Makes Tennessee’s Privacy Law Unique? 

TIPA has several provisions that, while not completely unique in the privacy world, differ from other state laws:  

Applicability: The applicability threshold is narrower than in other state laws, since the TIPA only applies to organizations that meet the revenue threshold and that process data of at least 175,000 residents, or of at least 25,000 residents while deriving more than 50 percent of gross revenue from the sale of personal information. The 175,000-consumer threshold is higher than in other state laws.  

On-ramp time: While most states are giving business owners and data controllers some time to prepare, Tennessee provided companies with two-plus years to get up to speed. 

Cure period: Many state privacy laws provide a cure period—that is, a period of time for violators to course correct after being notified of their violations. The Tennessee privacy law has a 60-day cure period, among the longest of any state privacy law. In addition, the right to cure doesn’t sunset as it does under some other state laws. 

Affirmative defense: Notably, the TIPA is the first privacy act to provide businesses with the possibility of an affirmative defense. Essentially, an affirmative defense is evidence that a defendant may introduce to negate or mitigate their liability. In the case of the TIPA, businesses can proactively defend against potential future violations if they create and maintain a written privacy program that reasonably conforms to the National Institute of Standards and Technology (NIST) privacy framework or to other similar policies or procedures designed to safeguard consumer privacy. As of this writing, no other U.S. privacy law offers this protection.  

It’s worth noting that the Tennessee privacy act is considered relatively business friendly. On the spectrum of business friendliness versus consumer friendliness, it’s closer to the Utah Consumer Privacy Act (UCPA) and the Iowa Consumer Data Protection Act (ICDPA) than to its counterparts in California (the California Privacy Rights Act, CPRA) and Indiana (the Indiana Consumer Data Protection Act, INCDPA).  

Enforcement of TIPA 

Tennessee’s privacy act is enforced by the state attorney general. You’ll be notified of an alleged violation before any enforcement action is taken. 

If your organization cures the violation within the 60-day cure period, there will be no penalty. To do so, you’ll have to provide the attorney general with a written statement affirming that the violation has been cured and that no similar violation will occur in the future. 

If the violation has not been cured, or if you breach the written statement, then the attorney general may bring an action against your organization seeking an injunction, a declaratory judgment, and other relief. 

In addition, a court can impose civil penalties of up to $7,500 per violation, which has become a standard penalty among U.S. privacy laws. The TIPA also allows courts to award treble (triple) damages if the violation was willful or knowing. 

As is usually the case with U.S. privacy laws, there is no private right of action. 

Staying Compliant with Tennessee’s Privacy Act 

The good news for companies already maintaining compliance with other state laws is that, given the business friendliness of TIPA, controllers should be able to adapt with relative ease. However, as new comprehensive privacy acts take effect, it’s more important than ever to adopt a scalable privacy framework that enables you to become compliant with even the most stringent laws.   

Maintain awareness by keeping track of laws that may impact your company. Subscribing to Osano’s newsletter can help. We also recommend reviewing the law’s text with legal counsel to help determine whether you’re in compliance and, if not, what steps to take.  

Finally, consider a data privacy platform like Osano. Osano provides customizable consent management, data subject access request automation, vendor management tools, automated privacy assessments, and more. Schedule a demo of Osano today to see how we can help your organization achieve and maintain TIPA compliance. 

FAQs about Tennessee’s Comprehensive Privacy Law  

Does the TIPA Require Opt-in or Opt-out Consent?  

Tennessee’s privacy law is opt-out, which means consent is not required before the collection or processing of personal information. However, opt-in consent is required when processing sensitive personal information, which includes personal information collected from a known child.  

What Does the Tennessee Privacy Law Say About the Global Privacy Control (GPC)? 

The Tennessee Information Protection Act does not have a universal opt-out clause or mention the GPC signal, which is used to automatically send a request to opt out of the collection of certain personal information.  

Who Enforces the Tennessee Information Protection Act? 

The state attorney general has exclusive authority to enforce TIPA. 

How Does TIPA Define Sensitive Information? 

Under the TIPA, sensitive data includes personal information revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status. It also includes genetic or biometric data, personal information collected from a known child, and precise geolocation data.  

Can Controllers Process Sensitive Data?  

Controllers cannot process sensitive data without opt-in consent. In the case of a known child, data must be processed in accordance with COPPA.  
