Tennessee Information Protection Act: First Look & Summary

Tennessee was the 8th U.S. state to pass an official data privacy law, called the Tennessee Information Protection Act (TIPA).

In this TIPA guide, I describe who this law applies to, how it impacts businesses and consumers, and the steps to take to achieve full compliance.

Table of Contents

What Is the Tennessee Information Protection Act (TIPA)?
TIPA Key Terms and Definitions
What Does the Tennessee Information Protection Act Cover?
Requirements of the Tennessee Information Protection Act
Tennessee's Law vs. Other States’ Data Privacy Laws: Similarities and Differences
How Will Businesses Be Impacted by TIPA?
How Will Consumers Be Impacted by TIPA?
Who Must Comply With the Tennessee's New Data Privacy Law?
How Can Businesses Prepare for TIPA?
How Will the TIPA Be Enforced?
Fines and Penalties Under the Tennessee Information Protection Act
How Will Termly Help With TIPA Compliance?
Summary

What Is the Tennessee Information Protection Act (TIPA)?

The Tennessee Information Protection Act — or TIPA — is a data protection and privacy law that was passed in the U.S. state of Tennessee.

It targets companies that do business in the state by collecting and processing personal information and aims to give rights back to Tennessee residents over how that data gets collected, processed, and used.

TIPA Effective Date

The Tennessee Information Protection Act enters into action on July 1, 2025.

Decision-makers signed TIPA into law on May 11, 2023, and the final version of the text was published on May 24.

TIPA Key Terms and Definitions

The Tennessee Information Protection Act defines key terms in Section 47-18-3201, Parts (1) through (30) of the law, some of which I’ve provided for you below.

Consumer: A natural person who is a resident of this state acting only in a personal context; and does not include a natural person acting in a commercial or employment context.
Data controller: A natural or legal person that, alone or jointly with others, determines the purpose and means of processing personal information.
Data processor: A natural or legal entity that processes personal information on behalf of a controller.
Personal data: Information that is linked or reasonably linkable to an identified or identifiable natural person; and does not include information that is publicly available information or de-identified or aggregated consumer information.
Sensitive data: A category of personal information that includes:
- Personal information revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;
- The processing of genetic or biometric data for the purpose of uniquely identifying a natural person;
- The personal information collected from a known child; or
- Precise geolocation data
Biometric data: Data generated by automatic measurement of an individual’s biological characteristics, such as a fingerprint, voiceprint, eye retina or iris, or other unique biological patterns or characteristics that are used to identify a specific individual.
- It does not include a physical or digital photograph, video recording, audio recording, data generated from a photograph or video, or audio recording, or information collected, used, or stored for healthcare treatment, payment, or operations under HIPAA.
Pseudonymous data: Personal information that cannot be attributed to a specific natural person without the use of additional information, so long as the additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal information is not attributed to an identified or identifiable natural person.
Consent: A clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal information relating to the consumer; and May include a written statement, including a statement written by electronic means, or an unambiguous, affirmative action.

What Does the Tennessee Information Protection Act Cover?

The TIPA covers the personal information of Tennessee consumers that gets processed by a data controller or processor.

According to Section 47-18-3208 Part (f) of this new state law, entities can only process personal information to the extent that the processing is:

Reasonably necessary and proportionate to the purposes listed as ‘legal bases’ under the Tennessee Information Protection Act.
Adequate, relevant, and limited to what is necessary relative to the specific purposes (legal bases) outlined by TIPA 3208 parts (a-e).

In addition to legal bases for processing, TIPA outlines scenarios in which a controller or processor can process data, such as complying with laws and regulations, complying with criminal investigations, or defending legal claims.

Requirements of the Tennessee Information Protection Act

Under the TIPA, businesses must provide certain rights to their consumers and meet specific obligations outlined by the law, which I will explain in depth in the following few sections.

Responsibilities of the Data Controller vs. Data Processor

Data controllers and processors have slightly different responsibilities under the TIPA.

According to Section 47-18-3204 of the law, transparency is one of the responsibilities of the data controller and these businesses must do the following:

Must limit the collection of personal data to what is adequate, relevant, and reasonably necessary for the purpose for which data is processed, as disclosed to the consumer.
Must not process personal data for purposes beyond what is reasonably necessary to achieve the objectives for the processing, as disclosed to the consumer, unless you obtain consumer consent.
Must establish, implement, and maintain reasonable administrative, technical, and physical data security practices.
Must not be required to delete aggregated or de-identified information, provided it is not linked to a specific consumer.
Must not process personal data in violation of a state or federal law that prohibits discrimination against consumers.
Must not process sensitive personal data concerning a consumer without obtaining their consent, or, if the data comes from a known child, processing it following the Children’s Online Privacy Protection Act (COPPA)

They should also provide a reasonable, accessible privacy notice to consumers, as addressed later in the guide.

Data processors under the TIPA must adhere to all instructions outlined by the controller and assist them in meeting the obligations outlined by this state law, including:

Taking into account the nature of the processing and the information available to the processor to fulfill consumer requests regarding their rights
Providing details to enable a controller to conduct a Data Processing Assessment (DPA)

Contractual Obligations Between Data Controllers and Processors

According to Section 47-18-3205 (b) of the TIPA, a contract must be in place governing the processor’s data processing practices on behalf of the controller.

The contract must require that the processor:

Ensures each person processing the personal data is subject to a duty of confidentiality
Deletes or returns all data to the controller as requested at the end of the contract terms, at the controller’s direction
Makes available all information in their possession upon the reasonable request of the controller to demonstrate compliance with TIPA obligations
Cooperates with reasonable assessments by the controller or the designated assessor
Requires any subcontractors via a written contract to meet the same obligations as the processor concerning the personal data

Consent and the TIPA

Data controllers under the TIPA cannot process personal information beyond what is reasonably necessary and compatible with whatever purposes were disclosed in their privacy policy unless they obtain consumer consent, as explained in Section 47-18-3204 Part (a)(2).

Legal consent must be a clear, affirmative action that’s freely given, specific, informed, and unambiguous.

You also must obtain consent to process sensitive personal data about your consumers.

Opt-out Rights Regarding Data Processing

The Tennessee Information Protection Act grants consumers the right to opt out of certain types of data processing in Section 47-18-3203. Part (a)(2)(E).

Specifically, controllers must provide a way for people to opt out of:

The selling of their personal information
Targeted advertising
Profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer

It’s up to the data controller to determine the process for allowing users to follow through on this right. However, whatever method you implement must be clearly described in the privacy policy you present to consumers.

Every controller must be able to comply with a directly submitted request specifying which consumer rights the consumer wants to invoke.

Finally, a known child’s legal guardian may invoke consumer rights on the child’s behalf.

Authenticated Consumer Requests

Under the TIPA, consumers can invoke their rights by submitting a request to the controller, and there are some guidelines your business must follow to assist with this process, as outlined in Section 47-18-3203 Parts (a) and (b).

Legally, you must:

Respond to the request without undue delay, but at least within 45 days of receipt of the request (this can extend to another 45 days depending on the complexity of the request, so long as you inform the consumer of the delay).
Inform the consumer without undue delay or at least within 45 days if you decline their request. Provide a description of why the request was denied.
Provide the information to the consumer free of charge up to twice per year.
If the controller cannot authenticate the request using commercially reasonable efforts, you’re not required to comply with it and may request additional information from the consumer to assist with authentication.
Not require your consumer to create a new account to exercise their rights, as written in Part 47-18-3204 Section (e)(2) of the law.

You must also create a process for consumers to submit an appeal if you refuse one of their requests. The appeal process must be conspicuous, available to them at no cost, and similar to whatever method you use to let them submit the request.

You then have 60 days to inform the consumer in writing about what action you’ll take (or not take) in response to their appeal.

Data Protection Assessments

The Tennessee Information Protection Act states in Section 47-18-3206(a)(1-5) that data controllers must conduct data protection assessments (DPA) for each of the following types of processing activities:

Processing personal information for targeted advertising
Selling personal information
Processing personal information for the purpose of profiling where it presents a foreseeable risk of unfair or deceptive treatment, financial, physical or reputational injury, physical, or other intrusions upon the solitude of one’s private affairs or concerns, or other substantial injuries
Processing sensitive personal data
Processing activities involving data that presents a heightened risk of harm to consumers

These DPAs must weigh the direct and indirect benefits of data processing against the possible risks to the rights of the associated consumers.

It also should factor in a business’s use of de-identified data, the consumers’ expectations, and the context of the processing.

Tennessee’s Law vs. Other States’ Data Privacy Laws: Similarities and Differences

Currently, in the U.S., seven states have active data privacy laws in place, with a several more entering into action over the next year. They all share some similarities with the TIPA but differ in significant ways.

To help you out, I created a table for you that compares the following U.S. laws and bills to the Tennessee Information Protection Act:

California Consumer Protection Act (CCPA), as amended by the California Privacy Rights Act (CPRA) — currently in force
Colorado Privacy Act (CPA) — currently in force
Connecticut Data Privacy Act (CTDPA) — currently in force
Delaware Personal Data Privacy Act (DPDPA) — effective January 1, 2025
Florida Digital Bill of Rights (FDBR) — currently in force
Indiana Consumer Data Protection Act (Indiana CDPA) — effective January 1, 2026
Iowa Consumer Data Protection Act (Iowa CDPA) — effective January 1, 2025
Kentucky Consumer Data Protection Act (KCDPA) — effective Jan. 1, 2026
Maryland Online Data Privacy Act (MODPA) — effective Oct. 1, 2025
Montana Consumer Data Privacy Act (MCDPA) — effective October 1, 2024
New Hampshire Data Privacy Law (NHDPL) — effective Jan. 1, 2025
New Jersey Data Privacy Act (NJDPA) — effective Jan. 15, 2025
Oregon Consumer Privacy Act (OCPA) — currently in force
Texas Data Privacy and Security Act (TDPSA) — currently in force
Utah Consumer Privacy Act (UCPA) — currently in force
Virginia Consumer Data Protection Act (VCDPA) — currently in force

Check it out below.

State Law	Opt-in consent for certain types of data processing	Opt-out consent for certain types of data processing	Must present users with a privacy policy (or notice)	Requires Data Protection Assessments	Outlines Contractual Obligation with Third-Party Processors	Allows for civil lawsuits or private right of action	Must honor Global Privacy Controls/browser privacy settings
TIPA	✓	✓	✓	✓	✓
CCPA/CPRA	✓	✓	✓	✓	✓	✓	✓
CPA		✓	✓	✓	✓		✓
CTDPA		✓	✓	✓	✓		✓
Indiana CDPA		✓	✓	✓	✓
Iowa CDPA		✓	✓		✓
KCDPA	✓	✓	✓	✓	✓
MN CDPA	✓	✓	✓	✓	✓		✓
MT CDPA		✓	✓	✓	✓		✓
MODPA	✓	✓	✓	✓	✓		✓
NHDPL	✓	✓	✓	✓	✓		✓
NJDPA	✓	✓	✓	✓	✓		✓
OCPA		✓	✓	✓	✓		✓
TDPSA		✓	✓	✓	✓		✓
UCPA		✓	✓		✓
VCDPA		✓	✓	✓	✓

Are There Other Privacy Related Laws in Tennessee?

Tennessee doesn’t have any other data privacy-focused laws in place, but, like every other U.S. state, it does recognize the common law tort of invasion of privacy, allowing individuals to bring lawsuits against others who unlawfully intrude into their private affairs.

The state also has a data breach notification law described in the Tennessee Code, amended in 2017.

It requires entities to notify consumers of a breach of encrypted and nonencrypted data and was the first state in the U.S. to put this into law.

Additionally, on April 28, 2023, the Genetic Information Privacy Act was signed and entered into force on July 1, 2023. This act prevents insurance providers from requiring people who receive health coverage to disclose genetic information about themselves or their families.

It also prevents insurance providers from disclosing genetic information about an individual without written authorization.

Some aspects of the Tennessee Consumer Protection Act govern privacy-adjacent protections, like protecting consumers’ personal data from videotape sellers or service providers.

How Will Businesses Be Impacted by TIPA?

The TIPA will impact businesses in several ways.

Along with preparing for the data protection assessments and contractual obligations previously mentioned, businesses that qualify as data controllers must also update their privacy policies and cookie policies to account for the necessary information required by the law.

How Will the TIPA Affect My Privacy Policy?

To comply with TIPA, you may need to add additional information to your privacy policy.

Notably, Section 47-18-3204 Part (c) of the law states that controllers must provide consumers with a privacy notice that describes:

What categories of personal information the controller processes
The purpose for processing the personal information
How they can exercise their rights, including how to appeal a controller’s decision regarding a request
The categories of personal information the controller shares with third parties, if any
The categories of third parties, if any, the controller shared the personal information with

Additionally, Section 47-18-3213 Parts (a) (1) and (2) explains details about a voluntary privacy program that can act as an affirmative defense for a controller or processor should a cause for action for a violation occur.

In other words, it can provide a proper legal defense for your business if someone claims you’re violating the law.

The affirmative defense? A privacy policy that:

Conforms to the National Institute of Standards and Technology (NIST) privacy framework titled “A Tool for Improving Privacy Through Enterprise Risk Management Version 1.0” or other documented policies, standards, and procedures designed to safeguard consumer privacy; and
Is updated to reasonably confirm with the subsequent revision of the NIST or comparable privacy framework within two years of the publication date stated in the most recent revision to the NIST or similar framework
Provides a person with substantive rights required by the TIPA

However, this voluntary privacy program impacts more than just your privacy policy, as it should also consider the following conditions:

The size and complexity of your business
The nature and scope of the activities of your business
The sensitivity of the information processed
The cost and availability of tools to improve privacy protections and data governance
If you comply with comparable state or federal laws

How Will the TIPA Affect My Cookie Policy?

The Tennessee Information Protection Act impacts your cookie policy in two possible ways.

First, because TIPA uses a broad description of personal data, internet cookies will likely fall under the legal definition and you must follow the same obligations you implement for other data processing activities, like transparency and explaining your legal basis.

Consumers under this law also have the right to opt out of targeted advertising, and targeted ads usually involve using internet cookies. Update your cookie policy to disclose this right.

How Will Consumers Be Impacted by TIPA?

The Tennessee Information Protection Act impacts consumers by granting them new rights over how their personal information gets used or processed.

Specifically, Part 47-18-3203 (a) Section (1) states that consumers may invoke their rights by submitting a request to the data controller specifying which right they wish to act upon.

Tennessee residents under 47-18-3203 (a) Section (2) have the right to:

Confirm if a controller is processing their personal information and access it.
Correct inaccuracies in their information.
Delete the personal information provided by or obtained about the consumer (however, the controller does not need to delete aggregated or de-identified information).
Obtain a portable copy of their personal information.
Opt out of selling their data, targeted advertising, and profiling.

According to Part 47-18-3204 Section (c), consumers also have the right to know:

What categories of personal information the controller processes
The purpose for processing the personal information
How they can exercise their rights, including how to appeal a controller’s decision regarding a request
The categories of personal information the controller shares with third parties, if any
The categories of third parties, if any, the controller shared the personal information with

Who Does the TIPA Apply To?

The Tennessee Information Protection Act applies to natural persons who are residents of Tennessee acting in a personal context.

It does not protect people in Tennessee for commercial or employment purposes. This scope is clearly described in 47-18-3201, Section (7) Parts (A) and (B) of the law.

Who Must Comply With the Tennessee’s New Data Privacy Law?

You must comply with the TIPA if you do business in Tennessee or produce products or services targeting residents of the state, earn more than $25 million in annual revenue, and either:

Control or process the personal information of at least 25,000 Tennessee consumers and derive 50% of your gross annual revenue from the sale of that information or
Process or control the personal information of at least 175,000 Tennessee consumers during a calendar year

Like many other data protection regulations, this means that the TIPA has an extraterritorial scope and impacts businesses outside Tennessee.

Who Is Exempt From the TIPA?

The following entities, organizations, and groups are exempt and don’t need to comply with the Tennessee Information Protection Act:

Political subdivisions of the State, as well as bodies, authorities, boards, bureaus, commissions, districts, or other agencies of the State
Financial institutions, affiliates of a financial institution, or any data subject to title V of the Gramm Leach Bliley Act (GLBA)
Covered entities or business associates governed by the privacy, security, and breach notification rules outlined by the Privacy and Security Rules of the Health Insurance Portability and Accountability Act (HIPAA)
Non-profits
Higher-education institutions
Health information protected under HIPAA
Patient identifying information

Additionally, if you don’t do business in the U.S. and are sure no one from Tennessee buys your products or uses your services, then you’re exempt from the TIPA.

You also don’t need to follow the law if your business doesn’t meet the $25 million annual revenue threshold.

How Can Businesses Prepare for TIPA?

Businesses can prepare for the TIPA by updating their privacy and cookie policy to account for all new rights granted to Tennessee consumers under the law, including their right to be informed about specific aspects of your data processing activities.

You also must provide a way for your Tennessee consumers to opt out of selling their personal information, profiling, and targeted advertising.

To achieve this, use a Consent Management Platform (CMP) with a preference center for each specific type of data processing.

Data controllers must also present users with a way to submit verifiable consumer requests, so consider posting a Data Subject Access Request (DSAR or SAR) form on your website or app.

How Will the TIPA Be Enforced?

Currently, the Tennessee Attorney General has the exclusive authority to enforce all provisions outlined by the TIPA.

The Attorney General or reporter has a reasonable cause to believe that a data controller or processor is violating the TIPA by either conducting their own inquiry or responding to a consumer or public complaint.

Before any action, the Attorney General or reporter must give the entity a 60-day written notice identifying which TIPA provisions they allegedly violated.

No further action occurs if the processor or controller can successfully cure the violations and provide the Attorney General with an express written notice.

Fines and Penalties Under the Tennessee Information Protection Act

If a controller or processor fails to cure their alleged violations of the TIPA within the 60-day notice period, the Attorney General or reporter may bring the entity to court to seek:

A declaratory judgment that the entity’s act or practice violations the Tennessee Information Protection Act
Injunctive relief (including preliminary and permanent injunctions to prevent additional violations and to compel compliance with the TIPA)
Civil penalties of up to $7,500 per violation, or treble damages if the controller or processor willfully or knowingly violations the act
Other relief as determined by the court

However, consumers cannot pursue a private right of action or a class action lawsuit.

How Will Termly Help With TIPA Compliance?

We’ve already implemented the appropriate updates to our tools to help your business meet several of the requirements outlined by the Tennessee Information Protection Act.

Specifically, you can use our privacy policy generator and consent management platform, to simplify your compliance with Tennessee’s new law before it enters into action in 2025.

Our team stays updated on new, changing, and evolving data privacy laws, acts, and bills worldwide. And trust me, a lot is happening these days.

So keep a lookout for our future announcements, as I’m sure there’s plenty more to come.

Summary

If your business qualifies as either a data controller or processor under the new Tennessee Information Protection Act, you should prepare to make a few changes to ensure compliance before July 1, 2025.

For example, remember to update your privacy and cookie policies to meet all transparency and notification requirements outlined by the law.

Provide a way for consumers to opt out of the sale of their data, targeted advertising, and profiling, and perform data protection assessments following TIPA guidelines.

Make the entire compliance process easier on your business, by trying Termly.

More about the author

Written by Josh Langeland, CIPM

Hi, I’m Josh! I am a Privacy Engineer passionate about using technology to respect user privacy. I thrive at the intersection of complex technology and ever-changing privacy law. If I’m not drafting a design review or re-architecting a system, you might find me reading a biography or hiking at the closest national park. More about the author

Data Privacy Compliance: Everything Businesses Need To Know

GDPR for Dummies

Termly vs. Cookiebot: Comparing Features and Services

Termly vs Usercentrics: Comparing Features and Services

Privacy Policy for Nonprofits

CCPA: California Consumer Privacy Act Explained

CalOPPA: The California Online Privacy Protection Act Explained

South Africa's Protection of Personal Information Act (POPIA) Explained

5 Step GDPR Compliance Checklist For All Businesses