TIPA- Tennessee Information Protection Act: Everything You Need to Know

Tennessee Privacy Law at a Glance

  • Live as of July 1, 2025
  • Applies to businesses over $25M
  • Covers 175k+ or 25k+ consumers (with data sales)
  • Consumer rights: access, delete, correct, opt out
  • Targeted ads and profiling need an opt-out
  • Assessments required for high-risk processing
  • NIST-aligned programs get legal protection
  • Controllers and processors need contracts

July 2025 Update: Tennessee’s Privacy Law Is Now in Effect

Initially passed in 2023, TIPA places new obligations on businesses and grants a defined set of rights to Tennessee residents.

In May 2025, the Tennessee Attorney General’s Office released updated FAQs and official guidance for both consumers and businesses. The guidance clarified several important provisions, including:

  • Scope: TIPA applies to companies with annual revenue exceeding $25 million and that meet specific data-processing thresholds.
  • Rights: Consumers can access, correct, delete, and port their data, as well as opt out of profiling, targeted advertising, and data sales.
  • Enforcement: The Attorney General has exclusive enforcement power, with a 60-day cure period for violations.
  • Affirmative Defense: Companies that align with the NIST Privacy Framework (v1.0) and maintain an updated privacy program may use that as a legal defense.
  • Timing of Assessments: Data protection assessments are required only for processing initiated on or after July 1, 2024.

If your business processes data from Tennessee residents or targets the Tennessee market, now is the time to ensure your privacy program aligns with these requirements.

Read on for a full breakdown of what the law means, how it works, and what your business needs to do to comply.

Cool Fact: First Same-Date Privacy Laws

Tennessee and Montana passed privacy laws on the same date, April 21, 2023.

Background to the Tennessee Information Protection Act

In Tennessee, the House unanimously passed HB 1181 by a vote of 90-0 earlier in April 2023, and the companion bill SB 73 passed in the Senate as well. The bill introduces the “Tennessee Information Protection Act”; the enacted version set its effective date at July 1, 2025.

The Tennessee Information Protection Act is like a familiar snowflake in the flurry of state privacy laws that have drifted in over the last year or so: each one is unique, but they have a great deal in common.

It does contain a feature not seen before in other consumer data protection laws. Rather than prescribing its own program standard, the law ties compliance to the NIST Privacy Framework, and it reaches forward to future revisions of that framework: a controller or processor that creates, maintains, and complies with a written privacy program that reasonably conforms to the framework (and keeps it updated as the framework changes) has an affirmative defense to a violation claim brought under the Act.

In the next sections, we’ll bring you some key takeaways from the new Tennessee privacy act.

Tennessee Consumer Data Privacy Law

How the Bill Defines Personal Information

Under the Tennessee Information Protection Act, personal information is defined as information that relates to or describes a particular individual or that is capable of being linked with a specific person. This includes:

  • Real names
  • Unique identifier
  • IP address
  • Email address
  • Social security number
  • Passport number
  • Driver's license number
  • Signatures
  • Physical characteristics or description
  • Address
  • Phone number
  • Insurance policy number
  • Credit or debit card number
  • Financial information
  • Health-related information
  • Employment history 
  • Records of personal property
  • Purchasing or consuming history
  • Biometric data
  • Internet network activity like browsing history, search history, and interactions with a website or app
  • Geolocation data

Start Getting Value With
Centraleyes for Free

See for yourself how the Centraleyes platform exceeds anything an old GRC
system does and eliminates the need for manual processes and spreadsheets
to give you immediate value and run a full risk assessment in less than 30 days

Learn more about how to be compliant with Tennessee Consumer Data Privacy Law

Scope of the Tennessee Privacy Bill

The Tennessee Data Privacy Law covers persons that conduct business in Tennessee, or that produce products or services targeted to residents of Tennessee, and that:

  • Have annual revenue over $25 million, and
  • Meet one of the following thresholds:
    • Control or process the personal information of at least 175,000 Tennessee consumers during a calendar year, or
    • Control or process the personal information of at least 25,000 Tennessee consumers and derive 50% or more of gross annual revenue from selling personal information.

Personal Information Rights for Consumers

  1. A consumer may submit a request to a controller specifying the right they wish to invoke under the law.
  2. A controller must comply with an authenticated consumer request to:
    1. Confirm whether the controller is processing the consumer’s personal information, and access that information
    2. Correct inaccuracies in their personal information
    3. Delete personal information, unless the business holds it only as aggregate or de-identified data
    4. Obtain a copy of the personal information the consumer previously provided to the controller, in a portable format
    5. Obtain specified information regarding personal information that the controller sold or disclosed
    6. Opt out of the sale of their personal information, targeted advertising, and profiling in furtherance of decisions that produce legal or similarly significant effects

As noted in the bill, the controller must respond within 45 days of receiving the request, with limited grounds for a single extension.

Key Controller Responsibilities

  1. Controllers shall limit the collection of personal information to what is adequate, relevant, and reasonably necessary for the disclosed purposes
  2. Controllers must not process personal information for purposes that are neither reasonably necessary for nor compatible with the purposes disclosed to the consumer, absent consent
  3. Controllers must establish, implement, and maintain reasonable data security practices to protect the confidentiality, integrity, and accessibility of personal information, as described in the bill
  4. Controllers are not required to delete information that is held only as aggregate or de-identified data
  5. Controllers cannot discriminate against a consumer for exercising their rights under this law
  6. Controllers cannot process sensitive data without obtaining the consumer’s consent, or, for data of a known child, without processing it in accordance with COPPA

Key Processor Requirements

  1. Processors must adhere to the instructions of a controller and assist the controller in fulfilling its obligations under the law, including responding to consumer requests and supporting data protection assessments.
  2. Processors must sign a contract with the controller that governs their data processing procedures, including the nature and purpose of processing, the type of data involved, the duration of processing, and the rights and obligations of both parties.

Data Protection Assessments

Controllers shall conduct and document a data protection assessment of each of the following processing activities involving personal information:

  1. The processing of personal information for targeted advertising
  2. The sale of personal information
  3. The processing of personal information for purposes of profiling, where profiling presents certain specified risks
  4. Processing of sensitive data

Privacy Programs

TIPA does not impose a standalone privacy-program mandate; instead, it rewards one. A controller or processor that creates, maintains, and complies with a written privacy program that reasonably conforms to the NIST privacy framework entitled “A Tool for Improving Privacy through Enterprise Risk Management Version 1.0.” (and to subsequent revisions NIST publishes) earns the affirmative defense described in the next section.

This approach is a first-of-its-kind inclusion in a state privacy law. It essentially means that a state legislature is anchoring its privacy expectations to a federal standard, rather than trying to prescribe those standards itself.

Affirmative Defense

One notable point is that the law creates an affirmative defense for businesses that create, maintain, and implement a privacy program that aligns with the National Institute of Standards and Technology (NIST) privacy framework, as specified in the section above. What this means is that if a business is alleged to have violated the law, having the qualifying privacy program in place can be raised as a defense to the attorney general’s claim.

The Terms of Affirmative Defense are:

  • The policy must be reasonably updated within 2 years of NIST revisions
  • The program must provide substantive TIPA rights to consumers
  • It must align with the scale and scope of the business

What This Means for Tennessee Businesses

“Most businesses will be able to leverage the data privacy and security programs built for other state law requirements,” Baker Donelson Partner Andy Droke, CIPP/US, said. “However, for those Tennessee businesses that have not previously had to comply with other state privacy laws, this will be a significant undertaking, and they should start developing a strategy now.”

Stay with Centraleyes as we keep you updated on the complex patchwork design of comprehensive US state privacy laws.


FAQs

Does TIPA apply to businesses outside Tennessee?

Yes. If your company targets Tennessee residents and meets the revenue and data thresholds, you’re in scope, regardless of your headquarters location.

What happens if I ignore TIPA?

The Tennessee Attorney General can investigate and enforce violations. You’ll be given 60 days to resolve the issue before any legal action is taken, but repeat offenses may result in penalties.

Do I need a Data Protection Assessment for profiling that started last year?

No. Assessments are only required for processing that begins after July 1, 2024.

Is there a template for a TIPA privacy notice?

Not officially, but your notice must clearly explain what data you collect, why, how users can exercise their rights, and with whom you share the data.

Does using a vendor count as “selling” personal data?

Not necessarily. Sharing data with a service provider under contract, where they act on your instructions, doesn’t count as a sale under TIPA.

Can I use cookie banners to manage opt-outs?

You can, but they must clearly allow users to opt out of targeted advertising, profiling, and data sales, and provide this information in a way that is easy to understand.

How is TIPA different from other state privacy laws?

TIPA is the first U.S. law to offer a formal affirmative defense if your company follows the NIST Privacy Framework, a big incentive for privacy-forward businesses.
