Tennessee Data Privacy Laws: TIPA Consumer Rights Guide (2026)

Tennessee's Information Protection Act, codified at Tenn. Code Ann. sections 47-18-3201 to 47-18-3213, gives consumers the right to access, correct, delete, and port their personal data, and to opt out of data sales and targeted advertising. The law took effect July 1, 2025, and is enforced exclusively by the Tennessee Attorney General.
The Tennessee Information Protection Act (TIPA) became effective July 1, 2025, making Tennessee the eighth state to implement comprehensive consumer data privacy legislation. TIPA is codified at Tenn. Code Ann. §§ 47-18-3201 to 47-18-3213 and gives Tennessee residents meaningful control over how businesses collect and use their personal information.
This guide covers TIPA and four related Tennessee privacy regimes: the ELVIS Act (AI voice and likeness protection), the data breach notification statute, the Identity Theft Deterrence Act, and the federal overlay that applies to all Tennessee businesses regardless of TIPA coverage.
Tennessee Information Protection Act (TIPA) Overview
Governor Bill Lee signed TIPA on May 11, 2023. The law was enacted as Public Chapter No. 408 and modeled closely on the Virginia Consumer Data Protection Act (VCDPA), but with several provisions unique to Tennessee, most notably the NIST Privacy Framework affirmative defense.
In April 2025, the Tennessee Attorney General's office issued guidance for businesses and consumers ahead of the July 1, 2025 effective date. As of May 2026, no formal TIPA enforcement actions have been publicly announced; the AG's office has focused on compliance guidance rather than punitive enforcement during the law's first year.
Who Must Comply With TIPA
TIPA applies to persons that conduct business in Tennessee or produce products or services targeted to Tennessee residents, provided the business meets all three of the following requirements.
Revenue threshold. The business must exceed $25 million in annual revenue. This floor effectively excludes most small businesses from TIPA's reach, following Utah's model rather than Virginia's (which has no revenue floor).
Consumer data threshold. The business must satisfy one of two alternative tests. Under the first, the business controls or processes the personal information of at least 175,000 Tennessee consumers during a calendar year. Under the second, the business controls or processes personal information of at least 25,000 Tennessee consumers while deriving more than 50% of its gross revenue from selling that data.
The 175,000-consumer threshold is higher than Virginia's 100,000-consumer threshold, which narrows the scope of covered entities.
Who Is Exempt From TIPA
TIPA provides entity-level exemptions for:
- State and local government entities
- Licensed insurance companies (unique to Tennessee among state privacy laws)
- Nonprofit organizations
- Financial institutions subject to the Gramm-Leach-Bliley Act (GLBA), Title V
- Entities covered by HIPAA
- Institutions of higher education
TIPA also exempts specific categories of data regulated under the FCRA, COPPA, FERPA, the Driver's Privacy Protection Act, and the Farm Credit Act. Employee and job applicant data used within the employment context is also exempt.
Consumer Rights Under TIPA

Tennessee residents gain five core privacy rights under TIPA. These rights apply to personal information that is linked or reasonably linkable to an identified or identifiable individual.
Right to Confirm and Access
Consumers can confirm whether a controller is processing their personal information and, if so, access that data.
Right to Correct
Consumers can request correction of inaccuracies in their personal information, taking into account the nature of the data and the purposes of processing.
Right to Delete
Consumers can request deletion of their personal information provided by or obtained about them. Exceptions apply for aggregated and de-identified data.
Right to Data Portability
Consumers can obtain a copy of their personal information in a portable and readily usable format that allows transmission to another entity without hindrance.
Right to Opt Out
Consumers can opt out of processing for three specific purposes:
- Sale of personal information. TIPA defines "sale" as the exchange of personal information for monetary consideration by the controller to a third party. This is narrower than some state laws because it covers only monetary exchanges, not non-monetary data sharing.
- Targeted advertising. Consumers can stop controllers from using their data to deliver personalized advertisements based on activity across nonaffiliated websites or applications.
- Profiling. Consumers can opt out of automated processing that produces legal effects or similarly significant effects concerning the consumer.
TIPA does not require businesses to recognize universal opt-out mechanisms such as Global Privacy Control (GPC), unlike Colorado and Connecticut.
How to Exercise These Rights
Controllers must respond to authenticated consumer requests within 45 days of receipt. An additional 45-day extension is available when the controller provides notice and explanation of the delay. If a controller declines a request, the consumer has the right to appeal; the controller must respond to the appeal within 60 days.
Controllers cannot charge fees for processing requests unless they are manifestly unfounded, excessive, or repetitive. Discrimination against consumers who exercise their rights is prohibited, though loyalty or rewards programs offering different pricing remain permitted.
Business Obligations Under TIPA
Privacy Notice Requirements
Controllers must provide a reasonably accessible and clear privacy notice disclosing: categories of personal information processed; purposes of processing; how consumers can exercise their rights; categories of personal information shared with third parties; categories of those third parties; and an active method for consumers to submit requests without being required to create an account.
Data Minimization
Controllers must limit collection of personal information to what is adequate, relevant, and reasonably necessary in relation to disclosed purposes. This applies to both the scope and duration of data retention.
Purpose Limitation
Processing personal information for purposes beyond those reasonably necessary for and compatible with the originally disclosed purpose requires obtaining additional consumer consent.
Security Safeguards
Controllers must establish, implement, and maintain reasonable administrative, technical, and physical data security practices appropriate to the volume and nature of the personal information at issue.
Data Protection Assessments
Controllers must conduct and document data protection assessments before engaging in high-risk processing activities, including: targeted advertising; selling personal information; profiling that presents a reasonably foreseeable risk of harm; processing sensitive data; and any other processing presenting a heightened risk to consumers.
The assessment requirement applied to processing activities created or generated on or after July 1, 2024. Assessments conducted under other state privacy laws with reasonably comparable scope satisfy this requirement.
Processor Contracts
When a controller engages a processor, TIPA requires a binding written contract specifying the nature, purpose, type of data, duration, and the rights and obligations of both parties. Processors must maintain confidentiality, delete or return data upon request, make data available for controller assessments, and engage subprocessors only under equivalent written obligations.
Sensitive Data Protections
TIPA creates heightened protections for sensitive data. Controllers must obtain the consumer's opt-in consent through a "clear affirmative act" before processing any sensitive data.

Categories of Sensitive Data
| Category | Description |
|---|---|
| Racial or ethnic origin | Personal information revealing racial or ethnic background |
| Religious beliefs | Data disclosing religious faith or practices |
| Mental or physical health | Health diagnosis information |
| Sexual orientation | Data revealing sexual orientation |
| Citizenship or immigration status | Information about citizenship or immigration standing |
| Genetic data | Genetic information used to uniquely identify an individual |
| Biometric data | Fingerprints, voiceprints, retina or iris scans, and other unique biological characteristics used for identification. Does not include photographs, video or audio recordings, or data generated from them |
| Precise geolocation | Location data accurate within a 1,750-foot radius, derived from GPS or similar technology |
| Children's data | Personal information collected from a known child under age 13, processed in accordance with COPPA |
The NIST Privacy Framework Affirmative Defense
One of TIPA's most significant provisions is the affirmative defense available to businesses that align their privacy practices with the NIST Privacy Framework.
How the Defense Works
A controller or processor may assert an affirmative defense against a TIPA enforcement action if it voluntarily creates, maintains, and complies with a written privacy program that reasonably conforms to the NIST Privacy Framework, specifically "A Tool for Improving Privacy through Enterprise Risk Management, Version 1.0."
The privacy program must be updated regularly and must provide individuals with the substantive rights established under TIPA. Tennessee is the first state to formally incorporate the NIST Privacy Framework into its data privacy enforcement structure.
NIST Privacy Framework Core Functions
The NIST Privacy Framework is organized around five core functions:
- Identify. Understanding organizational privacy risk management processes and the data lifecycle
- Govern. Developing and implementing governance structures for privacy risk management
- Control. Developing and implementing policies for managing data processing activities
- Communicate. Fostering awareness of data processing practices among staff and stakeholders
- Protect. Implementing data processing safeguards to prevent cybersecurity-related privacy events
Qualifying Standards
Businesses are not limited to the NIST framework. TIPA also accepts programs conforming to "other documented policies, standards, and procedures designed to safeguard consumer privacy," including the APEC Cross Border Privacy Rules or APEC Privacy Recognition for Processors systems.
Scaling Requirements
The privacy program must be proportionate to the business. TIPA requires organizations to consider business size and complexity, the nature and scope of activities, the sensitivity of personal information processed, the cost and availability of privacy protection tools, and compliance with comparable state or federal laws. Businesses have two years after any revision to the NIST Privacy Framework to update their own programs.
Enforcement and Penalties
Attorney General Authority
The Tennessee Attorney General and Reporter holds exclusive authority to enforce TIPA. No private right of action exists under the law, and TIPA explicitly prohibits class action lawsuits based on its provisions.
60-Day Cure Period
Before the AG can take any enforcement action, the AG must provide written notice identifying the specific violations. The business then has 60 days to cure. TIPA's cure period does not have a sunset date, meaning it will remain in effect indefinitely unless the legislature amends the law. Virginia, Utah, and Indiana provide only 30-day cure periods.
If the controller or processor cures violations within 60 days and provides the AG with an express written statement that violations have been cured and will not recur, no enforcement action proceeds.
Penalty Structure
| Violation Type | Maximum Penalty |
|---|---|
| Standard violation (after cure period) | $7,500 per violation |
| Willful or knowing violation | Treble damages (up to $22,500 per violation) |
| Additional remedies | Injunctive relief, declaratory relief, attorney's fees, and investigative costs |
Failure to maintain a compliant privacy program constitutes an unfair and deceptive trade practice under Tennessee's Consumer Protection Act, though only the Attorney General can pursue that claim.
Enforcement Status
As of May 2026, the Tennessee AG has not publicly announced any formal enforcement actions under TIPA. The AG's office has focused on compliance guidance and education during the law's first year of operation.
Tennessee ELVIS Act: AI Voice and Likeness Protection

Governor Lee signed the Ensuring Likeness Voice and Image Security Act (ELVIS Act) on March 21, 2024. The law became effective July 1, 2024, making Tennessee the first state to specifically address AI-generated voice cloning in the context of right-of-publicity protections. The ELVIS Act is codified at Tenn. Code Ann. §§ 47-25-1101 to 47-25-1108.
What the ELVIS Act Prohibits
The ELVIS Act extends Tennessee's existing right-of-publicity law to cover artificial intelligence. The law prohibits using an AI system to produce a "voice replica" of an individual without authorization. A voice replica means a sound recording produced using the individual's voice data in a way that is indistinguishable from an authentic recording of that individual.
The ELVIS Act extends liability not only to those who directly create infringing AI-generated content but also to entities that knowingly publish, distribute, or provide underlying AI technologies whose primary purpose is facilitating unauthorized voice replications.
Who Is Protected
The ELVIS Act protects any individual, not just professional musicians, against unauthorized commercial use of their name, photograph, voice, or likeness. The law strengthens existing Tennessee right-of-publicity protections under Tenn. Code Ann. § 47-25-1105 by explicitly including AI-generated replicas within the scope of prohibited uses.
Enforcement and Penalties
Unlike TIPA, the ELVIS Act allows private individuals to bring civil lawsuits. Enforcement includes:
- Injunctive relief to stop unauthorized use
- Actual damages and lost profits attributable to unauthorized use
- Impoundment or destruction of materials created in violation of the Act
- Criminal enforcement as a Class A misdemeanor, carrying penalties up to 11 months and 29 days of incarceration and fines up to $2,500 per offense
Why the ELVIS Act Matters Beyond Music
The ELVIS Act is named in honor of Elvis Presley, whose estate is headquartered in Memphis, but its protections extend to any individual. The law has significant implications for businesses using AI voice synthesis, deepfake technology, or generative AI tools that incorporate an identifiable person's voice characteristics without consent. Any platform or developer deploying AI-generated audio in Tennessee should review compliance with the Act.
Tennessee Data Breach Notification Law
Separate from TIPA, Tennessee maintains a data breach notification statute under Tenn. Code Ann. § 47-18-2107. This law predates TIPA and establishes notification requirements when personal information is compromised.

When Notification Is Required
Notification is required when the unauthorized acquisition of computerized data materially compromises the security, confidentiality, or integrity of personal information maintained by the information holder. The law applies to any person or business that conducts business in Tennessee and owns or licenses computerized data containing personal information.
Definition of Personal Information
Under the breach notification statute, personal information means an individual's first name or first initial and last name combined with one or more of the following:
- Social Security number
- Driver's license number
- Account number, credit card number, or debit card number combined with any required security code, access code, or password permitting access to a financial account
Information lawfully available from government records or redacted to the point of being unusable is not covered.
Notification Timeline
Disclosure must be made no later than 45 days from the discovery or notification of the breach. A law enforcement delay is permitted if notification would impede a criminal investigation, but notification must occur within 45 days after law enforcement determines it will not compromise the investigation.
Who Must Be Notified
Affected consumers. Written or electronic notice must be sent to all Tennessee residents whose personal information was or is reasonably believed to have been acquired by an unauthorized person.
Third-party data holders. Entities maintaining personal information they do not own must notify the data owner or licensee within 45 days of discovering the breach.
Consumer reporting agencies. If the breach affects more than 1,000 Tennessee residents, the information holder must notify all nationwide consumer reporting agencies of the timing, distribution, and content of the notices.
Substitute Notification
When the cost of notification exceeds $250,000, the affected class exceeds 500,000 persons, or the information holder lacks sufficient contact information, substitute notification is permitted. Substitute notification requires email notice where addresses are available, conspicuous posting on the entity's website, and notification to major statewide media outlets.
Encryption Safe Harbor
Encrypted data is not subject to the notification requirement if the encryption conforms to the current version of FIPS 140-2 and the encryption key was not also acquired, released, or used without authorization. A good-faith acquisition by an employee or agent of the information holder does not trigger the notification requirement, provided the information is not used for an unauthorized purpose.
Breach Notification Exemptions
Entities already subject to and in compliance with GLBA or HIPAA are exempt from Tennessee's breach notification requirements.
Federal Privacy Overlay
Several federal laws apply to Tennessee businesses regardless of whether TIPA covers them.
TAKE IT DOWN Act (2025)
Congress passed the Tools to Address Known Exploitation by Immobilizing Technological Deepfakes On Websites and Networks Act (TAKE IT DOWN Act), Pub. L. 119-12, and President Trump signed it on May 19, 2025. The criminal prohibition on publishing nonconsensual intimate imagery (NCII) took effect immediately upon signing. Covered platforms had one year to establish notice-and-removal processes, making the platform takedown obligation effective May 19, 2026, enforced by the FTC with fines of up to $53,088 per violation per day.
The TAKE IT DOWN Act requires covered platforms to remove reported NCII within 48 hours of receiving a valid request. The law covers both real imagery and AI-generated synthetic NCII, complementing the ELVIS Act's AI-specific protections at the federal level.
HIPAA
The Health Insurance Portability and Accountability Act applies to covered entities (health plans, healthcare clearinghouses, and most healthcare providers) and their business associates. HIPAA-covered entities in Tennessee must comply with both the HIPAA Privacy Rule and Security Rule and are exempt from TIPA and Tennessee's breach notification law.
Gramm-Leach-Bliley Act (GLBA)
GLBA governs how financial institutions collect, use, and protect customer financial information. Financial institutions subject to GLBA are exempt from TIPA and from Tennessee's breach notification statute. The FTC's Safeguards Rule (revised 2023) sets specific technical security requirements for non-bank financial institutions.
Fair Credit Reporting Act (FCRA)
The FCRA governs consumer reporting agencies and the use of consumer reports. Consumer reporting information is exempt from TIPA's coverage. Tennessee consumers disputing credit report errors have rights under the FCRA independent of TIPA.
COPPA
The Children's Online Privacy Protection Act covers online collection of personal information from children under 13. TIPA's sensitive data category for children's data expressly requires compliance with COPPA. COPPA-covered data is exempt from TIPA.
FTC Act Section 5
The Federal Trade Commission can pursue unfair or deceptive data practices under Section 5 of the FTC Act against businesses that violate their own privacy policies or engage in deceptive data collection, regardless of TIPA coverage.
American Privacy Rights Act (APRA)
Congress introduced the bipartisan American Privacy Rights Act in April 2024. The bill passed the House subcommittee but stalled in full committee and expired at the end of the 118th Congress in January 2025. The bill has not been reintroduced in the 119th Congress as of May 2026. There is no federal comprehensive privacy law; the US continues to operate under a patchwork of state laws.
Practical Compliance Steps for Businesses
Businesses covered by TIPA should prioritize the following steps.
Step 1: Confirm coverage. Verify that annual revenue exceeds $25 million and that the business meets one of the two consumer-data thresholds. Many small and mid-sized Tennessee businesses fall below the thresholds.
Step 2: Conduct a data inventory. Map what personal information the business collects, where it is stored, how it is used, and with whom it is shared. The data inventory is the foundation for all other compliance obligations.
Step 3: Update the privacy notice. The notice must disclose categories of data collected, purposes, consumer rights, third-party sharing, and an active method for submitting rights requests.
Step 4: Build a consumer rights workflow. Establish intake, authentication, and response processes for the five TIPA consumer rights. Build the 45-day response window and 45-day extension into the workflow. Create an internal appeal process with a 60-day response window.
Step 5: Review processor agreements. Audit all data-processor contracts to confirm they contain the required TIPA provisions. Update agreements with vendors, cloud services, and analytics providers.
Step 6: Conduct data protection assessments. Before any new targeted-advertising, data-sale, profiling, or sensitive-data processing activity, document a written assessment of the activity's purpose, necessity, and risk.
Step 7: Build a NIST Privacy Framework program. Organizations seeking the affirmative defense should document a written privacy program organized around the five NIST core functions (Identify, Govern, Control, Communicate, Protect) and calibrate the program to the organization's size and risk profile.
Step 8: Review the ELVIS Act for AI tools. Any business deploying AI voice synthesis, audio deepfakes, or generative audio tools should verify that the tool does not produce voice replicas of identifiable individuals without written authorization.
How Tennessee Residents Exercise Their Rights
Tennessee residents covered by TIPA can exercise their privacy rights directly with any covered business. To submit a request:
- Identify the business's privacy notice, which must include an active method for submitting rights requests (email, web form, or toll-free number).
- Submit an authenticated request specifying which right you are exercising (access, correction, deletion, portability, or opt-out).
- The business must respond within 45 days, with a possible 45-day extension.
- If the business denies the request, submit an appeal. The business must respond to the appeal within 60 days.
- If a business fails to respond or improperly denies a valid request, file a complaint with the Tennessee Attorney General's Consumer Protection Division. The AG can investigate and pursue enforcement on the consumer's behalf.
For data breach notifications, Tennessee residents can report suspected breaches to the Tennessee Comptroller's office.
How TIPA Compares to Other State Privacy Laws
Tennessee's approach reflects a deliberate balance between consumer protection and business flexibility.
Higher applicability bar. The $25 million revenue threshold combined with the 175,000-consumer threshold means fewer businesses fall within TIPA's scope compared to Virginia (100,000 consumers, no revenue floor) or Colorado (100,000 consumers).
NIST safe harbor. No other state privacy law provides a formal affirmative defense tied to the NIST Privacy Framework, giving businesses a concrete roadmap for defensible compliance.
Extended cure period. The 60-day cure period without a sunset date is among the most generous in the country. Connecticut's cure period sunsetted on December 31, 2024. Colorado's sunsetted on January 1, 2025.
Insurance exemption. Tennessee is the only state to exempt licensed insurance companies at the entity level from its comprehensive privacy law.
No universal opt-out mandate. Unlike Colorado and Connecticut, TIPA does not require controllers to recognize browser-based privacy signals like Global Privacy Control.
Narrow sale definition. TIPA covers only monetary exchanges for personal information, excluding non-monetary data sharing arrangements that some states capture.
Sources and References
- Tennessee Attorney General's Office - Tips and Guidelines for TIPA Compliance (April 2025) (tn.gov)
- Tennessee General Assembly - HB1181 (Tennessee Information Protection Act, Public Chapter 408) (capitol.tn.gov)
- Tennessee General Assembly - SB0073 Bill Information (wapp.capitol.tn.gov)
- Tennessee Code Ann. 47-18-2107 - Release of Personal Consumer Information (law.justia.com)
- NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management, Version 1.0 (nist.gov)
- Tennessee Attorney General - File a Consumer Complaint (tn.gov)
- Tennessee Comptroller - Data Breach Online Submission (comptroller.tn.gov)
- Tennessee Department of Commerce and Insurance - Consumer Laws (tn.gov)
- Davis Wright Tremaine - Tennessee Information Protection Act Is Signed Into Law (dwt.com)
- Future of Privacy Forum - Tennessee Information Protection Act Analysis (fpf.org)