Tennessee Information Protection Act: First Look & Summary

by Josh Langeland, CIPM

January 5, 2024

Tennessee was the 8th US state to pass an official data privacy law, calling it the Tennessee Information Protection Act (TIPA) — it joins Indiana, Iowa, and Texas as the latest states to enact this style of legislation.

In this TIPA guide, I walk you through the ins and outs of the new Tennessee data privacy law so you know if your business needs to prepare for these regulations and what steps to take to achieve full compliance.

Table of Contents
  1. What Is the Tennessee Information Protection Act (TIPA)?
  2. TIPA Key Terms and Definitions
  3. What Does the Tennessee Information Protection Act Cover?
  4. Requirements of the Tennessee Information Protection Act
  5. Tennessee's Law vs. Other States’ Data Privacy Laws: Similarities and Differences
  6. How Will Businesses Be Impacted By TIPA?
  7. How Will Consumers Be Impacted By TIPA?
  8. Who Must Comply With Tennessee's New Data Privacy Law?
  9. How Can Businesses Prepare For TIPA?
  10. How Will the TIPA Be Enforced?
  11. Fines and Penalties Under the Tennessee Information Protection Act
  12. How Will Termly Help With TIPA Compliance?
  13. Summary

What Is the Tennessee Information Protection Act (TIPA)?

The Tennessee Information Protection Act — or TIPA — is a data protection and privacy law that was passed in the U.S. state of Tennessee.

It targets companies that do business in the state by collecting and processing personal information and aims to give rights back to Tennessee residents over how that data gets collected, processed, and used.

TIPA Effective Date

The Tennessee Information Protection Act takes effect on July 1, 2025, which gives businesses around two years to prepare for this new state law.

Decisionmakers signed TIPA into law on May 11, 2023, and the final version of the text was published on May 24.

TIPA Key Terms and Definitions

The Tennessee Information Protection Act defines key terms in Section 47-18-3201, Parts (1) through (30) of the law.

Below, you can read through some of these definitions:

  • Consumer: A natural person who is a resident of this state acting only in a personal context; and does not include a natural person acting in a commercial or employment context.
  • Data controller: A natural or legal person that, alone or jointly with others, determines the purpose and means of processing personal information.
  • Data processor: A natural or legal entity that processes personal information on behalf of a controller.
  • Personal data: Information that is linked or reasonably linkable to an identified or identifiable natural person; and does not include information that is publicly available information or de-identified or aggregated consumer information.
  • Sensitive data: A category of personal information that includes:

    • Personal information revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;
    • The processing of genetic or biometric data for the purpose of uniquely identifying a natural person;
    • The personal information collected from a known child; or
    • Precise geolocation data
  • Biometric data: Data generated by automatic measurement of an individual’s biological characteristics, such as a fingerprint, voiceprint, eye retina or iris, or other unique biological patterns or characteristics that are used to identify a specific individual.

    • It does not include a physical or digital photograph, video recording, audio recording, data generated from a photograph or video, or audio recording, or information collected, used, or stored for healthcare treatment, payment, or operations under HIPAA.
  • Pseudonymous data: Personal information that cannot be attributed to a specific natural person without the use of additional information, so long as the additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal information is not attributed to an identified or identifiable natural person.
  • Consent: A clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal information relating to the consumer; it may include a written statement, including a statement written by electronic means, or an unambiguous, affirmative action.

What Does the Tennessee Information Protection Act Cover?

The TIPA covers the personal information of Tennessee consumers that gets processed by a data controller or processor.

According to Section 47-18-3208 Part (f) of this new state law, entities can only process personal information to the extent that the processing is:

  • Reasonably necessary and proportionate to the purposes listed as ‘legal bases’ under the Tennessee Information Protection Act.

    • In addition to legal bases for processing, TIPA outlines scenarios in which a controller or processor can process data, such as complying with laws and regulations, complying with criminal investigations, or defending legal claims.
  • Adequate, relevant, and limited to what is necessary relative to the specific purposes (legal bases) outlined by TIPA 3208 parts (a-e).

Requirements of the Tennessee Information Protection Act

Under the TIPA, businesses must provide certain rights to their consumers and meet specific obligations outlined by the law, which I will explain in depth in the following few sections.

Responsibilities of the Data Controller vs. Data Processor

Data controllers and data processors have slightly different responsibilities under the TIPA.

According to Section 47-18-3204 of the law, transparency is one of the responsibilities of the data controller.

If your business qualifies as one, then you:

  • Must limit the collection of personal data to what is adequate, relevant, and reasonably necessary for the purpose for which data is processed, as disclosed to the consumer.
  • Must not process personal data for purposes beyond what is reasonably necessary to achieve the objectives for the processing, as disclosed to the consumer, unless you obtain consumer consent.
  • Must establish, implement, and maintain reasonable administrative, technical, and physical data security practices.
  • Are not required to delete aggregated or de-identified information, provided it is not linked to a specific consumer.
  • Must not process personal data in violation of a state or federal law that prohibits discrimination against consumers.
  • Must not process sensitive personal data concerning a consumer without obtaining their consent or, if the data comes from a known child, without processing it in accordance with the Children’s Online Privacy Protection Act (COPPA).

Data controllers must also provide a reasonable, accessible privacy notice to consumers, as addressed later in the guide.

Data processors under the TIPA must adhere to all instructions outlined by the controller and assist them in meeting the obligations outlined by this state law, including:

  • Taking into account the nature of the processing and the information available to the processor to fulfill consumer requests regarding their rights
  • Providing the appropriate information to enable a controller to conduct a data protection assessment (DPA)

Contractual Obligations Between Data Controllers and Processors

According to Section 47-18-3205 (b) of the TIPA, a contract must be in place governing the processor’s data processing practices on behalf of the controller.

The contract must require that the processor:

  • Ensures each person processing the personal data is subject to a duty of confidentiality
  • Deletes or returns all personal data to the controller, at the controller’s direction, at the end of the contract term
  • Makes available all information in their possession upon the reasonable request of the controller to demonstrate compliance with TIPA obligations
  • Allows and cooperates with reasonable assessments by the controller or the designated assessor
  • Requires any subcontractors via a written contract to meet the same obligations as the processor concerning the personal data

Consent and the TIPA

Data controllers under the TIPA cannot process personal information beyond what is reasonably necessary and compatible with whatever purposes were disclosed in their privacy policy unless they obtain consumer consent, as explained in Section 47-18-3204 Part (a)(2).

Legal consent must be a clear, affirmative action that’s freely given, specific, informed, and unambiguous.

You also must obtain consent to process sensitive personal data about your consumers.

Opt-out Rights Regarding Data Processing

The Tennessee Information Protection Act grants consumers the right to opt out of certain types of data processing in Section 47-18-3203, Part (a)(2)(E).

Specifically, controllers must provide a way for people to opt out of:

  • The selling of their personal information
  • Targeted advertising
  • Profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer

It’s up to the data controller to determine the process for allowing users to follow through on this right. However, whatever method you implement must be clearly described in the privacy policy you present to consumers.

Every controller must be able to comply with a directly submitted request specifying which consumer rights the consumer wants to invoke.

Finally, a known child’s parent or legal guardian may invoke consumer rights on the child’s behalf.

Authenticated Consumer Requests

Under the TIPA, consumers can invoke their rights by submitting a request to the controller, and there are some guidelines your business must follow to assist with this process, as outlined in Section 47-18-3203 Parts (a) and (b).

Legally, you must:

  • Respond to the request without undue delay and no later than 45 days after receiving it (you may extend this period by another 45 days when the complexity of the request reasonably requires it, so long as you inform the consumer of the delay).
  • Inform the consumer without undue delay, and no later than 45 days after receiving the request, if you decline it, and provide a description of why the request was denied.
  • Provide the information to the consumer free of charge up to twice per year.
  • If you cannot authenticate the request using commercially reasonable efforts, you’re not required to comply with it and may request additional information from the consumer to assist with authentication.
  • Not require your consumer to create a new account to exercise their rights, as written in Section 47-18-3204, Part (e)(2) of the law.

You must also create a process for consumers to submit an appeal if you refuse one of their requests. The appeal process must be conspicuous, available to them at no cost, and similar to whatever method you use to let them submit the request.

You then have 60 days to inform the consumer in writing about what action you’ll take (or not take) in response to their appeal.

Data Protection Assessments

The Tennessee Information Protection Act states in Section 47-18-3206(a)(1-5) that data controllers must conduct data protection assessments (DPA) for each of the following types of processing activities:

  • Processing personal information for targeted advertising
  • Selling personal information
  • Processing personal information for the purpose of profiling where it presents a foreseeable risk of unfair or deceptive treatment; financial, physical, or reputational injury; physical or other intrusions upon the solitude of one’s private affairs or concerns; or other substantial injuries
  • Processing sensitive personal data
  • Processing activities involving data that presents a heightened risk of harm to consumers

These DPAs must weigh the direct and indirect benefits of the data processing for the controller, the consumer, and other stakeholders against the possible risks to the rights of the associated consumers.

Each assessment should also factor in the business’s use of de-identified data, the consumers’ reasonable expectations, and the context of the processing.

Tennessee’s Law vs. Other States’ Data Privacy Laws: Similarities and Differences

Currently, in the U.S., four states have active data privacy laws in place, with a few more entering into action over the next year or so. They all share some similarities with the TIPA but differ in significant ways.

To help you out, I created a table for you that compares the following U.S. laws and bills to the Tennessee Information Protection Act:

  • California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA) — currently in force
  • Colorado Privacy Act (CPA) — currently in force
  • Connecticut Data Privacy Act (CTDPA) — currently in force
  • Delaware Personal Data Privacy Act (DPDPA) — effective January 1, 2025
  • Florida Digital Bill of Rights (FDBR) — effective July 1, 2024
  • Indiana Consumer Data Protection Act (Indiana CDPA) — effective January 1, 2026
  • Iowa Consumer Data Protection Act (Iowa CDPA) — effective January 1, 2025
  • Montana Consumer Data Privacy Act (MCDPA) — effective October 1, 2024
  • Oregon Consumer Privacy Act (OCPA) — effective July 1, 2024
  • Texas Data Privacy and Security Act (TDPSA) — effective July 1, 2024
  • Utah Consumer Privacy Act (UCPA) — currently in force
  • Virginia Consumer Data Protection Act (VCDPA) — currently in force

Check it out below.

[Comparison table; the individual cell values did not survive in this copy of the article.]
Columns: State law; Opt-in consent for certain types of data processing; Opt-out consent for certain types of data processing; Must present users with a privacy policy (or notice); Requires data protection assessments; Outlines contractual obligations with third-party processors; Allows for civil lawsuits or private right of action; Must honor Global Privacy Control/browser privacy settings.
Rows: TIPA, CCPA/CPRA, CPA, CTDPA, Indiana CDPA, Iowa CDPA, MCDPA, OCPA, TDPSA, UCPA, VCDPA.

Are There Other Privacy Related Laws in Tennessee?

Tennessee doesn’t have any other data privacy-focused laws in place. However, like every other U.S. state, it does recognize the common law tort of invasion of privacy. This recognition allows individuals to bring lawsuits against others who unlawfully intrude into their private affairs.

The state also has a data breach notification law described in the Tennessee Code, amended in 2017.

It requires entities to notify consumers of a breach of both encrypted and unencrypted data, and Tennessee was the first U.S. state to put such a requirement into law.

Additionally, on April 28, 2023, the Genetic Information Privacy Act was signed and entered into force on July 1, 2023. This act prevents insurance providers from requiring people who receive health coverage to disclose genetic information about themselves or their families.

It also prevents insurance providers from disclosing genetic information about an individual without written authorization.

Some aspects of the Tennessee Consumer Protection Act govern privacy-adjacent protections, like protecting consumers’ personal data from videotape sellers or service providers.

How Will Businesses Be Impacted By TIPA?

The TIPA will impact businesses in several ways.

Along with preparing for the data protection assessments and contractual obligations previously mentioned, businesses that qualify as data controllers must also update their privacy policies and cookie policies to account for the necessary information required by the law.

How Will the TIPA Affect My Privacy Policy?

To comply with TIPA, you may need to add additional information to your privacy policy.

Notably, Section 47-18-3204 Part (c) of the law states that controllers must provide consumers with a privacy notice that describes:

  • What categories of personal information the controller processes
  • The purpose for processing the personal information
  • How they can exercise their rights, including how to appeal a controller’s decision regarding a request
  • The categories of personal information the controller shares with third parties, if any
  • The categories of third parties, if any, with which the controller shares the personal information

Additionally, Section 47-18-3213 Parts (a)(1) and (2) explain the details of a voluntary privacy program that can act as an affirmative defense for a controller or processor should a cause of action for a violation arise — in other words, it can provide a proper legal defense for your business if someone claims you’re violating the law.

The affirmative defense? A privacy policy that:

  • Conforms to the National Institute of Standards and Technology (NIST) privacy framework titled “A Tool for Improving Privacy Through Enterprise Risk Management Version 1.0” or other documented policies, standards, and procedures designed to safeguard consumer privacy; and
  • Is updated to reasonably conform with the subsequent revision of the NIST or comparable privacy framework within two years of the publication date stated in the most recent revision to the NIST or similar framework; and
  • Provides a person with substantive rights required by the TIPA

However, this voluntary privacy program impacts more than just your privacy policy, as it should also consider the following conditions:

  • The size and complexity of your business
  • The nature and scope of the activities of your business
  • The sensitivity of the information processed
  • The cost and availability of tools to improve privacy protections and data governance
  • If you comply with comparable state or federal laws

How Will the TIPA Affect My Cookie Policy?

The Tennessee Information Protection Act impacts your cookie policy in two possible ways.

First, because TIPA uses a broad description of personal data, internet cookies will likely fall under the legal definition. To use cookies, you must follow the same obligations you implement for your other data processing activities, like informing your users about which ones you use and explaining your legal basis.

Additionally, consumers under this law have the right to opt out of targeted advertising, and targeted ads usually involve using internet cookies. You’ll have to update your cookie policy to disclose this right.

How Will Consumers Be Impacted By TIPA?

The Tennessee Information Protection Act impacts consumers by granting them new rights over how their personal information gets used or processed.

Specifically, Section 47-18-3203, Part (a)(1) states that consumers may invoke their rights by submitting a request to the data controller specifying which right they wish to act upon.

Tennessee residents, under Section 47-18-3203, Part (a)(2), have the right to:

  • Confirm if a controller is processing their personal information and gain access to that information.
  • Correct inaccuracies in their information.
  • Delete the personal information provided by or obtained about the consumer (however, the controller does not need to delete aggregated or de-identified information).
  • Obtain a portable copy of their personal information.
  • Opt out of selling their data, targeted advertising, and profiling.

According to Section 47-18-3204, Part (c), consumers also have the right to know:

  • What categories of personal information the controller processes
  • The purpose for processing the personal information
  • How they can exercise their rights, including how to appeal a controller’s decision regarding a request
  • The categories of personal information the controller shares with third parties, if any
  • The categories of third parties, if any, with which the controller shares the personal information

Who Does the TIPA Apply To?

The Tennessee Information Protection Act applies to natural persons who are residents of Tennessee acting in a personal context.

It does not protect people in Tennessee acting in a commercial or employment context. This scope is clearly described in Section 47-18-3201, Parts (7)(A) and (B) of the law.

Who Must Comply With Tennessee’s New Data Privacy Law?

You must comply with the TIPA if you do business in Tennessee or produce products or services targeting residents of the state, earn more than $25 million in annual revenue, and either:

  • Control or process the personal information of at least 25,000 Tennessee consumers and derive 50% of your gross annual revenue from the sale of that information or
  • Process or control the personal information of at least 175,000 Tennessee consumers during a calendar year

Like many other data protection regulations, this means that the TIPA has an extraterritorial scope and impacts businesses outside Tennessee.

Who Is Exempt From the TIPA?

The following entities, organizations, and groups are exempt and don’t need to comply with the Tennessee Information Protection Act:

  • Political subdivisions of the State, as well as bodies, authorities, boards, bureaus, commissions, districts, or other agencies of the State
  • Financial institutions, affiliates of a financial institution, or any data subject to Title V of the Gramm-Leach-Bliley Act (GLBA)
  • Covered entities or business associates governed by the privacy, security, and breach notification rules of the Health Insurance Portability and Accountability Act (HIPAA)
  • Non-profits
  • Higher-education institutions
  • Health information protected under HIPAA
  • Patient identifying information

Additionally, if you don’t do business in the U.S. and are sure no one from Tennessee buys your products or uses your services, then you’re exempt from the TIPA.

You also don’t need to follow the law if your business doesn’t meet the $25 million annual revenue threshold.

How Can Businesses Prepare For TIPA?

Businesses can prepare for the TIPA by updating their privacy policy and cookie policy to account for all new rights granted to Tennessee consumers under the law, including their right to be informed about specific aspects of your data processing activities.

You also must set up a way for your Tennessee consumers to opt out of selling their personal information, profiling, and targeted advertising. You can do this with a Consent Management Platform (CMP) that provides users with a preference center for such specific types of data processing.

If you qualify as a data controller, you must create a way for your users to submit verifiable consumer requests. You can achieve this by posting a Data Subject Access Request (DSAR or SAR) form on your website or app.

How Will the TIPA Be Enforced?

Currently, the Tennessee Attorney General has the exclusive authority to enforce all provisions outlined by the TIPA.

The Attorney General and Reporter may come to have reasonable cause to believe that a data controller or processor is violating the TIPA either by conducting their own inquiry or by responding to a consumer or public complaint.

Before any action, the Attorney General or reporter must give the entity a 60-day written notice identifying which TIPA provisions they allegedly violated.

No further action occurs if the processor or controller cures the violations within that period and provides the Attorney General with express written notice that they have done so.

Fines and Penalties Under the Tennessee Information Protection Act

If a controller or processor fails to cure their alleged violations of the TIPA within the 60-day notice period, the Attorney General or reporter may bring the entity to court to seek:

  • A declaratory judgment that the entity’s act or practice violates the Tennessee Information Protection Act
  • Injunctive relief (including preliminary and permanent injunctions to prevent additional violations and to compel compliance with the TIPA)
  • Civil penalties of up to $7,500 per violation, or treble damages if the controller or processor willfully or knowingly violates the act
  • Other relief as determined by the court

Consumers cannot pursue a private right of action or a class action lawsuit against an entity due to a TIPA violation.

How Will Termly Help With TIPA Compliance?

Here at Termly, we’re already planning to introduce the appropriate updates to our tools to help your business easily meet the requirements introduced by the Tennessee Information Protection Act.

We’ll send an email update to our customers if they need to take any steps to ensure their use of our privacy policy generator, consent management platform, or other relevant solutions complies with Tennessee’s new law when it takes effect in 2025.

Our team stays updated on new, changing, and evolving data privacy laws, acts, and bills worldwide. And trust me, a lot is happening these days.

So keep a lookout for our future announcements, as I’m sure there’s plenty more to come.

Summary

If your business qualifies as either a data controller or processor under the new Tennessee Information Protection Act, you should prepare to make the following changes to ensure compliance before July 1, 2025:

  • Update your privacy policy with the appropriate data processing details and information about consumer rights (and how they can act on them)
  • Provide a way for consumers to opt out of the sale of their data, targeted advertising, and profiling.
  • Obtain affirmative consent from users before collecting any sensitive data.
  • Perform data protection assessments following the guidelines described by the TIPA.
  • Ensure data processors and controllers both sign contracts that meet all obligations outlined by the law.

More laws are on the horizon, especially in the U.S. If you want to make the entire process easier on your business, why not try Termly?

Understanding the ever-changing, complex aspects of privacy compliance is our job, so we can help make your job easier.

Written by Josh Langeland, CIPM

Hi, I’m Josh! I am a Privacy Engineer passionate about using technology to respect user privacy. I thrive at the intersection of complex technology and ever-changing privacy law. If I’m not drafting a design review or re-architecting a system, you might find me reading a biography or hiking at the closest national park.