On July 1, 2025, the Tennessee Information Protection Act (TIPA) took effect, adding Tennessee to the growing list of states with comprehensive consumer privacy laws. Modeled on the California Consumer Privacy Act and the Virginia-style laws that followed it, TIPA introduces a set of obligations and consumer rights that covered businesses must now navigate. Here is what you need to know.
Who’s Affected?
TIPA applies to businesses that:
- Conduct business in Tennessee or offer products or services targeted to Tennessee residents, and
- Generate over $25 million in annual revenue, and either:
- Control or process the personal information of 175,000 or more Tennessee consumers, or
- Control or process the personal information of 25,000 or more consumers and derive more than 50% of gross revenue from the sale of personal information.
Who’s exempt? State and local government bodies, financial institutions subject to the Gramm-Leach-Bliley Act, covered entities and business associates regulated under HIPAA, nonprofits, and institutions of higher education.
What data is excluded? Employment-related data and data already regulated by federal laws such as HIPAA, the Fair Credit Reporting Act, and federal education and agricultural data statutes.
TIPA also excludes de-identified data and, for most consumer rights, pseudonymous data that is kept separately from the information needed to re-identify it. Its definition of “consumer” covers individuals acting in a personal or household context only, not those acting in a commercial or employment context.
Key Consumer Rights
TIPA gives Tennessee residents more control over their personal data. Consumers can:
- Confirm whether a business is processing their personal information and access it.
- Correct inaccuracies or delete their personal information.
- Obtain a copy of their data in a portable, readily usable format.
- Learn what categories of data are sold and to which categories of third parties.
- Opt out of:
- The sale of their personal data,
- Use of data for targeted advertising, and
- Profiling in furtherance of decisions that produce legal or similarly significant effects on them.
Timing matters: Businesses (or “controllers”) must respond to consumer requests within 45 days, with one extension of up to 45 more days when reasonably necessary, provided the consumer is told about it. If a request is denied, the controller must explain why and describe its appeal process. Appeals must be decided within 60 days, and if the appeal is also denied, the consumer must be given a way to contact the Tennessee Attorney General’s office.
What Businesses Must Do
To comply with TIPA, businesses must:
- Get consent before processing sensitive data (for example racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship/immigration status).
- Provide a clear and accessible privacy notice.
- Maintain reasonable administrative, technical, and physical data security practices appropriate to the volume and nature of the data.
- Not process data in violation of anti-discrimination laws, and not discriminate against consumers for exercising their rights.
- Limit data collection to what is adequate, relevant, and reasonably necessary for the purposes disclosed to the consumer.
The privacy notice must include:
- Categories of personal data processed.
- Purpose of the processing.
- Instructions on how consumers can exercise their rights, including how to appeal a denied request.
- Categories of data shared with or sold to third parties.
- Categories of third parties the data is shared with or sold to.
- Whether data is sold or used for targeted advertising, and how to opt out.
Vendor contracts (with “processors”) must also be tightened. These contracts must require the processor to:
- Hold the data in confidence and bind each person who processes it to a duty of confidentiality,
- Delete or return the data when the services end,
- Make available the information needed to demonstrate compliance and allow reasonable audits (or arrange an independent assessment), and
- Follow documented processing instructions covering the nature, purpose, type of data, and duration of processing, and flow the same terms down to any subcontractor.
Risk Assessment: A Legal Must
Before processing data for any of the following, you must conduct and document a Data Protection Assessment:
- Targeted advertising,
- Sensitive data processing,
- Data sales, or
- Profiling that presents a reasonably foreseeable risk of significant harm to consumers.
An assessment already prepared under another state’s law may satisfy TIPA if it is reasonably similar in scope and effect. The assessment requirement applies only to processing activities created or generated on or after July 1, 2024, and is not retroactive. The Attorney General can demand a copy of an assessment, so keep it in a form you would be comfortable producing.
Enforcement: No Private Lawsuits, but Big Penalties
Only the Tennessee Attorney General enforces TIPA. Before suing, the Attorney General must give written notice of the alleged violation and a 60-day cure period. If your business fails to cure within that window, you could face:
- Civil penalties of up to $7,500 per violation,
- Treble damages for willful or knowing violations,
- Injunctive relief, and
- Attorney’s fees and investigative costs.
Consumers cannot sue businesses directly under this law, but because penalties are assessed per violation, noncompliance can still get expensive fast.
A Unique Shield: The NIST Privacy Framework
TIPA appears to be the first law of its kind in the U.S. to offer a formal affirmative defense. A controller or processor accused of violating TIPA can raise this defense if it maintains a written privacy program that reasonably conforms to the NIST Privacy Framework (version 1.0 or a later revision). What counts as “reasonable conformity”? It depends on:
- The size and complexity of your business,
- The nature and scope of your data activities,
- The sensitivity of the personal information processed,
- The cost and availability of tools for data protection, and
- Compliance with comparable state or federal privacy laws.
The defense is not a safe harbor: it is only as strong as the documentation behind it, so the program should be written down, mapped to the framework’s functions, and reviewed as the business changes.
Final Thoughts
TIPA is another sign that privacy compliance is no longer optional. With each state setting its own rules, a one-size-fits-all approach is harder than ever. Most of TIPA’s obligations overlap with the other Virginia-style state laws, so an existing program will carry much of the load; the parts that set TIPA apart, the NIST-based affirmative defense and the 60-day cure period, are where a compliance program for Tennessee should focus.