Tennessee Data Privacy Laws: TIPA Consumer Rights Guide (2026)

Tennessee has positioned itself as a state that takes consumer data privacy seriously while maintaining a business-friendly regulatory framework. The Tennessee Information Protection Act (TIPA) represents the state's comprehensive approach to data privacy, joining a growing list of states that have enacted broad consumer privacy protections.
This guide covers both TIPA and Tennessee's data breach notification law, including the rights available to Tennessee residents, the obligations placed on businesses, and the penalties for noncompliance.
Tennessee Information Protection Act (TIPA) Overview
Governor Bill Lee signed the Tennessee Information Protection Act into law on May 11, 2023, making Tennessee the eighth state to enact comprehensive consumer data privacy legislation. The law took effect on July 1, 2025.

TIPA is codified at Tenn. Code Ann. 47-18-3201 et seq. and was enacted as Public Chapter No. 408. The law is closely modeled on the Virginia Consumer Data Protection Act (VCDPA) but includes several provisions unique to Tennessee, most notably an affirmative defense tied to the NIST Privacy Framework.
In April 2025, the Tennessee Attorney General's office issued guidance for businesses and consumers to help with compliance ahead of the July 2025 effective date.
Who Must Comply With TIPA
TIPA applies to persons that conduct business in Tennessee or produce products or services targeted to Tennessee residents. A business with that Tennessee nexus falls within TIPA's scope only if it also meets both of the following thresholds.
Revenue threshold. The business must exceed $25 million in annual revenue. Tennessee follows Utah in setting a revenue floor, which keeps most small businesses outside TIPA's reach.
Consumer data threshold. The business must satisfy one of two alternative tests. Under the first, it controls or processes the personal information of at least 25,000 Tennessee consumers and derives more than 50% of its gross revenue from the sale of personal information. Under the second, it controls or processes the personal information of at least 175,000 Tennessee consumers during a calendar year.
The 175,000-consumer threshold is higher than Virginia's 100,000-consumer threshold, which narrows the pool of covered entities compared to some other state privacy laws.
Who Is Exempt From TIPA
TIPA provides entity-level exemptions for several categories of organizations:
- State and local government entities
- Licensed insurance companies (an entity-level exemption that is unusual among state privacy laws)
- Nonprofit organizations
- Financial institutions subject to the Gramm-Leach-Bliley Act (GLBA), Title V
- Entities covered by the Health Insurance Portability and Accountability Act (HIPAA)
- Institutions of higher education
TIPA also exempts specific categories of data regulated under other federal laws. These include data governed by the Fair Credit Reporting Act (FCRA), the Children's Online Privacy Protection Act (COPPA), the Family Educational Rights and Privacy Act (FERPA), the Driver's Privacy Protection Act, and the Farm Credit Act, among others. Employee and job applicant data used within the employment context is also exempt.
Consumer Rights Under TIPA
Tennessee residents gain five core privacy rights under TIPA. These rights apply to personal information that is linked or reasonably linkable to an identified or identifiable individual.
Right to Confirm and Access
Consumers can confirm whether a controller is processing their personal information. If processing is occurring, consumers have the right to access that data.
Right to Correct
Consumers can request correction of inaccuracies in their personal information, taking into account the nature of the data and the purposes of the processing.
Right to Delete
Consumers can request deletion of their personal information provided by or obtained about them. Exceptions apply for aggregated and de-identified data.
Right to Data Portability
Consumers can obtain a copy of their personal information in a portable and readily usable format that allows them to transmit the data to another entity without hindrance.
Right to Opt Out
Consumers can opt out of the processing of their personal information for three specific purposes:
- Sale of personal information. TIPA defines "sale" as the exchange of personal information for monetary consideration by the controller to a third party. This definition is narrower than some state laws because it only covers monetary exchanges, not the sharing of data for other forms of valuable consideration.
- Targeted advertising. Consumers can stop controllers from using their data to deliver personalized advertisements based on personal information obtained from their activities across nonaffiliated websites or applications.
- Profiling. Consumers can opt out of automated processing that produces legal effects or similarly significant effects concerning the consumer.
TIPA does not require businesses to recognize universal opt-out mechanisms such as Global Privacy Control (GPC), unlike Colorado and Connecticut.
How to Exercise These Rights
Controllers must respond to authenticated consumer requests within 45 days of receipt. An additional 45-day extension is available if the controller provides the consumer with notice of the delay and an explanation of the reason. If a controller declines to act on a request, the consumer has the right to appeal. The controller must respond to an appeal within 60 days.
Controllers cannot charge a fee for processing requests unless the requests are manifestly unfounded, excessive, or repetitive. Controllers also cannot discriminate against consumers who exercise their rights, though offering different pricing through loyalty or rewards programs is permitted.
Business Obligations Under TIPA
Privacy Notice Requirements
Controllers must provide consumers with a reasonably accessible and clear privacy notice. The notice must disclose the categories of personal information processed, the purposes of processing, how consumers can exercise their rights, the categories of personal information shared with third parties, the categories of those third parties, and an active method for consumers to submit requests without being required to create an account.
Data Minimization
Controllers must limit their collection of personal information to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the data is processed. This obligation applies both to the scope of what is collected and to how long it is retained.
Purpose Limitation
Processing personal information for purposes beyond those reasonably necessary for and compatible with the originally disclosed purpose requires obtaining additional consumer consent.
Security Safeguards
Controllers must establish, implement, and maintain reasonable administrative, technical, and physical data security practices. These practices must be appropriate to the volume and nature of the personal information at issue.
Data Protection Assessments
Controllers must conduct and document data protection assessments before engaging in certain high-risk processing activities. These activities include processing data for targeted advertising, selling personal information, profiling that presents a reasonably foreseeable risk of harm, processing sensitive data, and any other processing that presents a heightened risk of harm to consumers.
The assessment requirement applies to processing activities created or generated on or after July 1, 2024; it is not retroactive. Assessments conducted under other state privacy laws with reasonably comparable scope and effect satisfy this requirement.
Processor Contracts
When a controller engages a processor to handle personal information, TIPA requires a binding written contract. The contract must specify the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. Processors must maintain confidentiality, delete or return data upon request, make data available for controller assessments, and engage subprocessors only under equivalent written obligations.
Sensitive Data Protections
TIPA creates heightened protections for sensitive data. Controllers must obtain the consumer's opt-in consent through a "clear affirmative act" before processing any sensitive data.
Categories of Sensitive Data
| Category | Description |
|---|---|
| Racial or ethnic origin | Personal information revealing racial or ethnic background |
| Religious beliefs | Data disclosing religious faith or practices |
| Mental or physical health | Health diagnosis information |
| Sexual orientation | Data revealing sexual orientation |
| Citizenship or immigration status | Information about citizenship or immigration standing |
| Genetic data | Genetic information used to uniquely identify an individual |
| Biometric data | Fingerprints, voiceprints, retina or iris scans, and other unique biological characteristics used for identification purposes. Does not include photographs, video or audio recordings, or data generated from them |
| Precise geolocation | Location data accurate within a 1,750-foot radius, derived from GPS or similar technology |
| Children's data | Personal information collected from a known child under age 13, which must be processed in accordance with COPPA |
The NIST Privacy Framework Affirmative Defense
One of TIPA's most significant and unique provisions is the affirmative defense available to businesses that align their privacy practices with the National Institute of Standards and Technology (NIST) Privacy Framework.
How the Defense Works
A controller or processor may assert an affirmative defense against a TIPA enforcement action if it voluntarily creates, maintains, and complies with a written privacy program that reasonably conforms to the NIST Privacy Framework, specifically "A Tool for Improving Privacy through Enterprise Risk Management, Version 1.0."
The privacy program must also be updated regularly and must provide individuals with the substantive rights established under TIPA.
Tennessee is the first state to formally incorporate the NIST Privacy Framework into its data privacy enforcement structure. This provision creates a meaningful incentive for businesses to invest in structured privacy compliance programs.
NIST Privacy Framework Core Functions
The NIST Privacy Framework is organized around five core functions:
- Identify. Understanding organizational privacy risk management processes and the data lifecycle
- Govern. Developing and implementing governance structures for privacy risk management
- Control. Developing and implementing policies for managing data processing activities
- Communicate. Fostering awareness of data processing practices among staff and stakeholders
- Protect. Implementing data processing safeguards to prevent cybersecurity-related privacy events
Qualifying Standards
Businesses are not limited to the NIST framework. TIPA also accepts programs that conform to "other documented policies, standards, and procedures designed to safeguard consumer privacy," including the APEC Cross Border Privacy Rules or APEC Privacy Recognition for Processors systems.
Scaling Requirements
The privacy program must be proportionate to the business. TIPA requires organizations to consider business size and complexity, the nature and scope of activities, the sensitivity of the personal information processed, the cost and availability of privacy protection tools, and compliance with comparable state or federal laws.
Businesses have two years after any revision to the NIST Privacy Framework to update their own programs to reflect the changes.
Enforcement and Penalties
Attorney General Authority
The Tennessee Attorney General and Reporter holds exclusive authority to enforce TIPA. No private right of action exists under the law. TIPA explicitly prohibits class action lawsuits based on its provisions.
60-Day Cure Period
Before the Attorney General can take any enforcement action, the AG must provide the business with written notice identifying the specific violations. The business then has 60 days to cure the alleged violations.
This cure period is among the longest in state privacy laws. Virginia, Utah, and Indiana each provide only 30 days. Importantly, TIPA's cure period has no sunset date, so it remains in effect indefinitely unless the legislature amends the statute.
If the controller or processor cures the violations within the 60-day window and provides the Attorney General with an express written statement that the violations have been cured and that no further violations will occur, no enforcement action proceeds.
Penalty Structure
| Violation Type | Maximum Penalty |
|---|---|
| Standard violation (after cure period) | $7,500 per violation |
| Willful or knowing violation | Treble damages (up to $22,500 per violation) |
| Additional remedies | Injunctive relief, declaratory relief, attorney's fees, and investigative costs |
TIPA ties violations to Tennessee's Consumer Protection Act by treating them as unfair and deceptive trade practices, but only the Attorney General can pursue that claim.
Enforcement Status
As of early 2026, the Tennessee Attorney General has not publicly announced any enforcement actions under TIPA. The AG's office has focused on providing compliance guidance to businesses, suggesting a measured approach to initial enforcement.
Tennessee Data Breach Notification Law
Separate from TIPA, Tennessee maintains a data breach notification statute under Tenn. Code Ann. 47-18-2107. This law predates TIPA and establishes notification requirements when personal information is compromised in a data breach.
When Notification Is Required
Notification is required when the unauthorized acquisition of computerized data materially compromises the security, confidentiality, or integrity of personal information maintained by the information holder. The law applies to any person or business that conducts business in Tennessee and owns or licenses computerized data containing personal information.
Definition of Personal Information
Under the breach notification statute, personal information means an individual's first name or first initial and last name combined with one or more of the following:
- Social Security number
- Driver's license number
- Account number, credit card number, or debit card number in combination with any required security code, access code, or password permitting access to a financial account
Information that is lawfully available from government records or that has been redacted to the point of being unusable is not considered personal information under this statute.
Notification Timeline
Disclosure must be made no later than 45 days from the discovery or notification of the breach. A law enforcement delay is permitted if notification would impede a criminal investigation, but notification must occur within 45 days after law enforcement determines it will not compromise the investigation.
Who Must Be Notified
Affected consumers. Written or electronic notice must be sent to all Tennessee residents whose personal information was or is reasonably believed to have been acquired by an unauthorized person.
Third-party data holders. Entities that maintain personal information they do not own must notify the data owner or licensee within 45 days of discovering the breach.
Consumer reporting agencies. If the breach affects more than 1,000 Tennessee residents, the information holder must notify all nationwide consumer reporting agencies of the timing, distribution, and content of the notices.
Substitute Notification
When the cost of notification exceeds $250,000, the affected class exceeds 500,000 persons, or the information holder lacks sufficient contact information, substitute notification is permitted. Substitute notification requires email notice where addresses are available, conspicuous posting on the entity's website, and notification to major statewide media outlets.
Encryption Safe Harbor
Encrypted data is not subject to the notification requirement if the encryption conforms to the current version of the Federal Information Processing Standard (FIPS) 140-2 and the encryption key was not also acquired, released, or used without authorization. Two practical caveats: the statute text still names FIPS 140-2 even though FIPS 140-3 has since superseded it for new module validations, and the safe harbor is lost entirely if the key was exposed alongside the ciphertext (for example, a key stored on the same compromised host), so an investigation must establish the key's status before relying on the exemption.
A good-faith acquisition of personal information by an employee or agent of the information holder does not trigger the notification requirement, provided the information is not used for an unauthorized purpose or subject to further unauthorized disclosure.
Breach Notification Exemptions
Entities already subject to and in compliance with the Gramm-Leach-Bliley Act (GLBA) or the Health Insurance Portability and Accountability Act (HIPAA) are exempt from Tennessee's breach notification requirements.
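The notification rules above form a decision tree that an incident response team can encode into its runbook. The following is an added example, not part of this page's source material or the statute itself: it models the triage steps as this page summarizes them (covered data elements, the encryption safe harbor, the good-faith exception, the 45-day clock and its law enforcement delay, the consumer reporting agency threshold, and the substitute-notice conditions). The `Breach` record and its field names are assumptions made for the example, and the output is a starting point for counsel, not a legal determination.

```python
"""Triage helper for Tennessee's breach notification statute (Tenn. Code Ann. 47-18-2107).

Added example: encodes the decision points as summarized on this page. The Breach
schema and field names are assumptions for illustration; this is not legal advice.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Set

# Elements that, paired with first name/initial + last name, make a record
# "personal information" under the statute (as listed on this page).
COVERED_ELEMENTS = {"ssn", "drivers_license", "financial_account_with_access_code"}

NOTICE_DAYS = 45               # consumer / data-owner notice deadline
CRA_THRESHOLD = 1_000          # more than this many TN residents -> notify nationwide CRAs
SUBSTITUTE_COST_USD = 250_000  # substitute notice allowed above this cost ...
SUBSTITUTE_CLASS_SIZE = 500_000  # ... or above this many affected persons


@dataclass
class Breach:
    """One incident as the responder has characterised it (assumed schema)."""
    discovered: date
    fields_exposed: Set[str]                  # e.g. {"name", "ssn"}
    affected_tn_residents: int
    owns_data: bool = True                    # False -> we only maintain it for the owner
    encrypted: bool = False
    fips_140_conformant: bool = False         # statute text names FIPS 140-2
    key_also_compromised: bool = False
    redacted_unusable: bool = False
    good_faith_internal_acquisition: bool = False
    contact_info_available: bool = True
    estimated_notice_cost_usd: float = 0.0
    law_enforcement_release: Optional[date] = None  # date LE said notice no longer impedes
    glba_or_hipaa_compliant: bool = False

    def __post_init__(self):
        # Accept ISO-8601 strings (e.g. pasted from a ticket) as well as date objects.
        if isinstance(self.discovered, str):
            self.discovered = date.fromisoformat(self.discovered)
        if isinstance(self.law_enforcement_release, str):
            self.law_enforcement_release = date.fromisoformat(self.law_enforcement_release)


def is_personal_information(fields: Set[str], redacted_unusable: bool) -> bool:
    """Name plus at least one covered element, and not redacted to the point of uselessness."""
    return "name" in fields and bool(fields & COVERED_ELEMENTS) and not redacted_unusable


def encryption_safe_harbor(b: Breach) -> bool:
    """Encrypted data is out of scope only if the encryption conforms to FIPS 140
    and the key was not acquired, released, or used along with the data."""
    return b.encrypted and b.fips_140_conformant and not b.key_also_compromised


def triage(b: Breach) -> dict:
    """Return the notification obligations the page describes for this incident."""
    result = {
        "notify": False,                 # notice to consumers or to the data owner required
        "notify_whom": None,             # "consumers" or "data_owner"
        "deadline": None,                # date by which notice must be given
        "notify_cras": False,            # nationwide consumer reporting agencies
        "substitute_notice_allowed": False,
        "reason": "",
    }
    if b.glba_or_hipaa_compliant:
        result["reason"] = "exempt: entity subject to and compliant with GLBA/HIPAA"
        return result
    if not is_personal_information(b.fields_exposed, b.redacted_unusable):
        result["reason"] = "not 'personal information' under 47-18-2107"
        return result
    if encryption_safe_harbor(b):
        result["reason"] = "encryption safe harbor: FIPS 140 encryption, key not compromised"
        return result
    if b.good_faith_internal_acquisition:
        result["reason"] = "good-faith acquisition by employee/agent, no unauthorized use"
        return result

    # Notice is required. The 45-day clock runs from discovery, or from the date
    # law enforcement determines notice will no longer impede its investigation.
    clock_start = b.law_enforcement_release or b.discovered
    result["notify"] = True
    result["notify_whom"] = "consumers" if b.owns_data else "data_owner"
    result["deadline"] = clock_start + timedelta(days=NOTICE_DAYS)
    result["reason"] = "unauthorized acquisition of unencrypted personal information"
    if b.owns_data:  # CRA and substitute-notice rules apply to the party notifying consumers
        result["notify_cras"] = b.affected_tn_residents > CRA_THRESHOLD
        result["substitute_notice_allowed"] = (
            b.estimated_notice_cost_usd > SUBSTITUTE_COST_USD
            or b.affected_tn_residents > SUBSTITUTE_CLASS_SIZE
            or not b.contact_info_available
        )
    return result


if __name__ == "__main__":
    # Constructed incident: an exfiltrated customer table holding names and SSNs.
    incident = Breach(discovered="2026-01-10", fields_exposed={"name", "ssn", "email"},
                      affected_tn_residents=5_000)
    for key, value in triage(incident).items():
        print(f"{key}: {value}")
```

The ordering of the checks matters: the entity exemption and the definition of personal information are evaluated before the encryption question, because encrypted data that never met the statutory definition does not need the safe harbor at all, and the safe harbor itself is only as good as the evidence that the key stayed out of the attacker's hands.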
How TIPA Compares to Other State Privacy Laws
Tennessee's approach to data privacy reflects a deliberate balance between consumer protection and business flexibility. Several features distinguish TIPA from other state privacy laws.
Higher applicability bar. The $25 million revenue threshold combined with the 175,000-consumer threshold means fewer businesses fall within TIPA's scope compared to states like Virginia (100,000 consumers, no revenue floor) or Colorado (100,000 consumers).
NIST safe harbor. No other state privacy law provides a formal affirmative defense tied to the NIST Privacy Framework. This provision gives businesses a concrete roadmap for building defensible privacy programs.
Extended cure period. The 60-day cure period without a sunset date is among the most generous in the country. Connecticut's cure period sunset on December 31, 2024, and Colorado's on January 1, 2025.
Insurance exemption. Tennessee exempts licensed insurance companies at the entity level from its comprehensive privacy law, an exemption unusual among state privacy laws.
No universal opt-out mandate. Unlike Colorado and Connecticut, TIPA does not require controllers to recognize browser-based privacy signals like Global Privacy Control.
Narrow sale definition. TIPA only covers the exchange of personal information for monetary consideration, excluding non-monetary data sharing arrangements that some states capture.
This article is for informational purposes only and does not constitute legal advice. Data privacy laws change frequently through legislative amendments, regulatory guidance, and enforcement actions. Consult a licensed attorney in Tennessee for advice about your specific situation.
Sources and References
- Tennessee Attorney General's Office - Tips and Guidelines for TIPA Compliance (April 2025) (tn.gov)
- Tennessee General Assembly - HB1181 (Tennessee Information Protection Act, Public Chapter 408) (capitol.tn.gov)
- Tennessee General Assembly - SB0073 Bill Information (capitol.tn.gov)
- Tennessee Code Ann. 47-18-2107 - Release of Personal Consumer Information (law.justia.com)
- NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management, Version 1.0 (nist.gov)
- Tennessee Attorney General - File a Consumer Complaint (tn.gov)
- Tennessee Comptroller - Data Breach Online Submission (comptroller.tn.gov)
- Tennessee Department of Commerce and Insurance - Consumer Laws (tn.gov)
- Davis Wright Tremaine - Tennessee Information Protection Act Is Signed Into Law (dwt.com)
- Future of Privacy Forum - Tennessee Information Protection Act Analysis (fpf.org)