Tennessee Biometric Privacy Laws: Collection, Consent & Penalties (2026)

Tennessee takes a layered approach to biometric privacy. Rather than a single dedicated biometric statute like Illinois's BIPA or Texas's CUBI, the state regulates biometric data through its comprehensive consumer privacy law and a separate student data protection statute.
The centerpiece of Tennessee's biometric data protections is the Tennessee Information Protection Act (TIPA), signed by Governor Bill Lee on May 11, 2023, and effective July 1, 2025. TIPA places biometric identifiers in the highest protection category under the law and requires businesses to obtain affirmative consent before collecting or processing them.
For an overview of Tennessee's broader privacy framework, see the parent guide to [Tennessee Data Privacy Laws](/us-laws/data-privacy-laws/tennessee-data-privacy-laws).
How TIPA Defines Biometric Data
TIPA defines biometric data under Tenn. Code Ann. Section 47-18-3302 as data generated by automatic measurements of an individual's biological characteristics that are used to identify a specific individual. The statute lists these examples:
- Fingerprints
- Voiceprints
- Eye retinas
- Irises
- Other unique biological patterns or characteristics
The law draws a clear boundary around what does not qualify. A physical or digital photograph, a video or audio recording, or data generated from those recordings is not biometric data unless specifically processed to identify a particular individual.
TIPA also excludes information collected, used, or stored for health care treatment, payment, or operations under HIPAA from the biometric data definition.
This definition closely mirrors the approach used in Connecticut, Virginia, and several other state comprehensive privacy laws. It is narrower than the definition in Illinois's BIPA, which covers a broader set of biometric identifiers without the same exclusions.
Sensitive Data Classification and Consent Requirements

Under TIPA, biometric data processed for the purpose of uniquely identifying an individual qualifies as "sensitive data." This is the highest protection tier in the law.
Other categories of sensitive data under Section 47-18-3302 include:
- Data revealing racial or ethnic origin
- Religious beliefs
- Mental or physical health diagnoses
- Sexual orientation
- Citizenship or immigration status
- Genetic data processed for identification
- Precise geolocation data (within a radius of 1,750 feet)
- Personal data collected from a known child under 13
Consent requirement. Controllers must obtain a consumer's opt-in consent before processing sensitive data, including biometric data. Under Section 47-18-3305, this consent must be "a clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement." A buried clause in a terms-of-service agreement does not meet this standard.
Consent may be obtained electronically or through any other unambiguous affirmative action.

Who Must Comply With TIPA
TIPA applies to businesses that conduct business in Tennessee or produce products or services targeted to Tennessee residents and meet all of these criteria:
- Exceed $25 million in annual revenue, AND
- Meet one of the following:
  - Control or process personal data of 175,000 or more Tennessee consumers during a calendar year, OR
  - Control or process personal data of 25,000 or more Tennessee consumers and derive over 50% of gross revenue from the sale of personal data
These thresholds are higher than many other state privacy laws. Smaller businesses that handle biometric data but fall below these revenue and consumer count thresholds are not covered by TIPA.
Key Exemptions
TIPA carves out several categories of entities and data from coverage.
Entity exemptions:
- Government entities
- State-licensed insurance companies (Tennessee is the only state to provide this exemption)
- Nonprofit organizations
- Financial institutions subject to the Gramm-Leach-Bliley Act (GLBA)
- HIPAA-covered entities and their business associates
- Institutions of higher education
Data exemptions:
- Data regulated under HIPAA
- Data governed by the Fair Credit Reporting Act (FCRA)
- Data covered by the Family Educational Rights and Privacy Act (FERPA)
- Data under the Driver's Privacy Protection Act (DPPA)
- Data regulated under COPPA
Employee data exemption. TIPA excludes persons acting in a commercial or employment context from the definition of "consumer." This means that if your employer collects fingerprints for a timekeeping system or uses facial recognition for building access, TIPA does not apply to that collection.
Tennessee does not currently have a separate law regulating employer use of biometric data, though the pending Consumer Biometric Data Protection Act would address this gap if enacted.
Consumer Rights Over Biometric Data
Because biometric data is sensitive personal data under TIPA, Tennessee consumers have these rights under Section 47-18-3304:
Right to confirm and access. You can ask any covered business whether it is processing your biometric data and request access to that data.
Right to correct. If a business holds inaccurate biometric data about you, you can request a correction.
Right to delete. You can request that a business delete the biometric data it holds about you.
Right to data portability. You can obtain a copy of your biometric data in a portable and readily usable format.
Right to opt out. You can opt out of the processing of your personal data for targeted advertising, the sale of personal data, or profiling that produces legal or similarly significant effects.
Right to non-discrimination. Businesses cannot penalize you for exercising any of these rights by denying goods or services, charging different prices, or providing a different quality of service.
Right to appeal. If a business refuses your request, you can appeal that decision.
Businesses must respond to consumer rights requests within a reasonable timeframe. Controllers must provide secure and reliable methods for consumers to submit requests and cannot require consumers to create a new account.
Data Protection Assessments
Controllers that process sensitive data, including biometric data, must conduct data protection assessments under Section 47-18-3307. These assessments apply to processing activities created or generated on or after July 1, 2024.
A data protection assessment must weigh the benefits of the processing against the potential risks to the consumer, including risks of:
- Unfair or deceptive treatment or unlawful disparate impact
- Financial, physical, or reputational injury
- Intrusion upon solitude or seclusion
- Other substantial injury
The Tennessee Attorney General can request these assessments during an investigation.
The Pending Consumer Biometric Data Protection Act
Tennessee legislators have repeatedly attempted to pass a standalone biometric privacy law modeled on Illinois's BIPA. The Consumer Biometric Data Protection Act (HB 932/SB 339) was introduced in the 113th General Assembly in January 2023 but died in committee.
The bill was reintroduced in the 114th General Assembly (2025-2026) and remains pending in committee as of early 2026.
If enacted, this bill would go significantly beyond TIPA by:
- Requiring written notice and written consent before any collection of biometric identifiers
- Allowing employers to require biometric consent as a condition of employment
- Mandating a retention schedule with destruction of data within three years of the individual's last interaction or when the initial purpose is satisfied, whichever comes first
- Requiring reasonable security standards for storage and transmission of biometric data
- Creating a private right of action with liquidated damages of $1,000 per negligent violation and $5,000 per willful violation, plus attorney fees
The bill would also deem violations as unfair or deceptive practices under the Tennessee Consumer Protection Act of 1977.
Student Biometric Data Protections

Tennessee provides separate protections for student biometric data under TCA Section 49-1-706, part of the Data Accessibility, Transparency and Accountability Act.
This law requires that state agencies and educational institutions obtain written consent from parents or guardians (or from students aged 18 or older) before collecting any individual student biometric data. The protections extend to:
- Fingerprints
- Facial recognition data
- Eye retina or iris scans
- Analysis of facial expressions
- EEG brain wave patterns
- Heart rate variability and pulse data
- Other biometric measurements
No state agency or educational institution may pursue or accept any grant that requires collecting or reporting student biometric information in violation of the consent requirement.
Breach Notification and Biometric Data
Tennessee's breach notification law at TCA Section 47-18-2107 requires businesses to notify affected individuals when a security breach compromises their personal information.
Key requirements include:
- Notification must occur within 45 days of discovering the breach
- Notification may be delayed if law enforcement determines it would impede an investigation
- Breaches affecting more than 1,000 persons require notification to consumer reporting agencies
- Substitute notice is available when notification costs exceed $250,000 or the affected class exceeds 500,000 persons
While the statute defines personal information broadly, the inclusion of biometric data in any breach involving consumer records linked to personally identifiable information triggers the notification obligation.
Enforcement and Penalties
The Tennessee Attorney General has exclusive enforcement authority over TIPA. There is no private right of action, which means individual consumers cannot file lawsuits against businesses for TIPA violations.
The enforcement process works as follows:
- The Attorney General identifies a potential violation, either through investigation or consumer complaint
- The AG provides written notice to the business, identifying the specific provisions believed to have been violated
- The business has 60 days to cure the alleged violation
- If the business cures the violation and provides a written statement that it will not engage in further violations, the AG takes no action
- If the business fails to cure, the AG can bring a civil action seeking penalties of up to $7,500 per violation
- Treble damages may be awarded for willful or knowing violations
- The AG can also recover attorney fees and investigative costs
The 60-day cure period does not sunset. Unlike privacy laws in some other states, TIPA's cure provision is permanent, giving businesses an ongoing opportunity to correct violations before facing penalties.
Consumers can report suspected TIPA violations to the Tennessee Division of Consumer Affairs through the Division's complaint portal.
The NIST Privacy Framework Defense
TIPA is the first state privacy law in the country to provide an explicit affirmative defense based on the NIST Privacy Framework. Controllers that maintain written privacy programs "reasonably conforming" to the NIST framework's five core functions can assert this defense in enforcement actions.
The five NIST core functions are:
- Identify risk areas
- Govern privacy policies
- Control data processing activities
- Communicate with consumers
- Protect data through security measures
This defense must be scaled appropriately to the business's size, complexity, the sensitivity of the data being processed, and the tools available.
How Tennessee Compares to Other States
Tennessee's approach to biometric privacy falls in the middle of the spectrum among U.S. states.
Stronger than states with no protections. Many states still lack specific biometric data protections. Tennessee's classification of biometric data as sensitive data requiring consent puts it ahead of states like Georgia and Alabama, which have no dedicated biometric privacy statute and no comprehensive privacy law in effect.
Weaker than dedicated biometric privacy laws. States like Illinois, Texas, and Washington have standalone biometric privacy statutes with specific requirements for notice, consent, retention schedules, and data destruction. Illinois's BIPA includes a private right of action that has produced significant litigation and settlements.
Similar to other comprehensive privacy law states. Tennessee's approach closely mirrors states like Kentucky, Connecticut, Indiana, and Montana, which all classify biometric data as sensitive data within their comprehensive consumer privacy frameworks and require opt-in consent for processing.
Sources and References
This article references Tennessee statutes and official state government publications. For the full text of TIPA, see Public Chapter 408 from the Tennessee Secretary of State. For the bill text of the proposed Consumer Biometric Data Protection Act, see SB 339/HB 932 from the Tennessee General Assembly. For AG enforcement guidance, visit the Tennessee Attorney General consumer protection page.
This article provides general legal information about Tennessee biometric privacy laws. It is not legal advice. Consult a qualified attorney for guidance on your specific situation. Laws and regulations change frequently. Verify current requirements through official Tennessee government sources.
Sources and References
- Tennessee Information Protection Act (Public Chapter 408) (publications.tnsosfiles.com)
- Consumer Biometric Data Protection Act bill text (SB 339/HB 932) (capitol.tn.gov)
- HB 932 Bill Information, Tennessee General Assembly (wapp.capitol.tn.gov)
- TN Attorney General TIPA Guidance Press Release (tn.gov)
- Tennessee Attorney General Consumer Protection (tn.gov)
- Tennessee Student Biometric Data Law (TCA 49-1-706) (law.justia.com)
- Tennessee Breach Notification Law (TCA 47-18-2107) (law.justia.com)
- NIST Privacy Framework (nist.gov)