TIPA Compliance Checklist: Tennessee Privacy Law

Tennessee Information Protection Act (TIPA) compliance, under Tenn. Code Ann. 47-18-3201 et seq., centers on one move that no other state privacy law rewards: building a written privacy program that reasonably conforms to the NIST Privacy Framework. Under 47-18-3213 and 47-18-3214, that program is not just good hygiene; it is an affirmative defense to a TIPA claim. The law took effect July 1, 2025, and applies only to larger businesses that clear a $25,000,000 revenue gate and one of two data-volume triggers.
As of 2026, the Tennessee Attorney General and Reporter enforces TIPA exclusively under 47-18-3212, with a permanent 60-day cure period, civil penalties up to $7,500 per violation, and discretionary treble damages for willful or knowing violations. There is no private right of action. This checklist walks through the practical steps, anchored on the NIST-conforming program that earns the affirmative defense.
Jurisdiction scope: This covers Tennessee's Tennessee Information Protection Act (Tenn. Code Ann. 47-18-3201 et seq.). It is general legal information, not legal advice.
Step 1: Confirm whether TIPA applies to your business
Before spending on compliance, determine whether TIPA even reaches your organization. The threshold in 47-18-3202 is among the highest in the country, so many businesses fall outside it.
TIPA applies to a person that conducts business in Tennessee or produces products or services targeted to Tennessee residents and that exceeds $25,000,000 in revenue. That revenue gate is a hard floor: below it, TIPA does not apply regardless of data volume.
A business that clears the revenue gate is covered only if it also meets a data trigger: controlling or processing the data of at least 175,000 consumers, or at least 25,000 consumers while deriving more than 50 percent of gross revenue from selling personal information. A "consumer" under 47-18-3201 is a Tennessee resident acting in a personal context.
Also check the entity-level exemptions in 47-18-3210. Government bodies, GLBA-covered financial institutions and their affiliates, licensed insurers, HIPAA covered entities and business associates, nonprofit organizations, and institutions of higher education are exempt. The what-is-TIPA overview explains these carve-outs in more depth.
Step 2: Build a NIST-conforming written privacy program
The centerpiece of TIPA compliance is the written privacy program in 47-18-3213, because it unlocks the affirmative defense in 47-18-3214. Since no other state privacy statute ties a defense to a documented program, the NIST-conforming program is the single highest-leverage investment a covered Tennessee business can make.
Under 47-18-3213(a), the program must reasonably conform to the NIST privacy framework titled "A Tool for Improving Privacy through Enterprise Risk Management Version 1.0." The NIST Privacy Framework organizes privacy risk management into five functions: Identify, Govern, Control, Communicate, and Protect. A conforming program documents how the business inventories data, sets governance and policy, controls data processing, communicates with consumers, and protects information.
The program must also provide consumers the substantive rights TIPA guarantees, under 47-18-3213(b), and disclose the commercial purposes for which the business processes personal information, under 47-18-3213(d). When NIST publishes a revision to the framework, 47-18-3213(a)(2) requires the business to conform its program to the revision within one year of the revision's publication date. Keeping the program current is part of the obligation, not a one-time task.

Step 3: Scale the program to your business
A NIST-conforming program does not have to be identical for every company. Under 47-18-3213(c), the appropriate scale and scope of the program is judged against five factors, so the defense is calibrated to the business rather than imposed as a flat standard.
The five factors are the size and complexity of the business, the nature and scope of its activities, the sensitivity of the personal information it processes, the cost and availability of tools to improve privacy protections and data governance, and compliance with a comparable state or federal law. A large data broker handling sensitive data is expected to do more than a smaller covered business with limited processing.
This scale-with-size standard is a practical asset. It means a business that already complies with a comparable law, such as another state's comprehensive privacy statute, can lean on that work, and that a smaller covered business is not held to an enterprise-grade program it cannot resource. Document how the program maps to each of the five factors, because that mapping is what shows the program was appropriate when the affirmative defense is raised.
Step 4: Publish a compliant privacy notice and request channels
TIPA requires transparency through a privacy notice and accessible request methods. Under 47-18-3204(c), a controller must provide consumers with a reasonably accessible, clear, and meaningful privacy notice; the notice is published for all consumers, not produced only in response to an individual request.
That notice must include the categories of personal information processed, the purpose for processing, how consumers may exercise their rights including how to appeal a decision, the categories of personal information the controller sells to third parties if any, the categories of third parties it sells to if any, and the right to opt out of sale along with the ability to request deletion or correction. If the controller sells data or runs targeted advertising, 47-18-3204(d) requires a clear and conspicuous disclosure of that processing and how to opt out.
Stand up at least one request channel under 47-18-3204(e): a toll-free telephone number, an email address, a web form, or a clear and conspicuous link on the homepage. The channel must be able to authenticate the consumer, and the business cannot require a consumer to create a new account to exercise rights.
Step 5: Get opt-in consent for sensitive data and run the rights workflow
Two operational systems sit at the core of day-to-day compliance: a sensitive-data consent gate and a consumer-rights response workflow.
For sensitive data, 47-18-3204(a)(6) bars processing without the consumer's consent. Build a consent-capture mechanism that meets the TIPA definition of consent: a clear affirmative act signifying freely given, specific, informed, and unambiguous agreement. Sensitive data under 47-18-3201 includes data revealing race or ethnicity, religion, a health diagnosis, sexual orientation, or immigration status; genetic or biometric data processed to uniquely identify an individual; personal information collected from a known child; and precise geolocation data, which TIPA defines as location within a radius of 1,750 feet. For a known child, process the data in accordance with the federal Children's Online Privacy Protection Act (COPPA).
For consumer rights, build a workflow that meets the 47-18-3203 deadlines. Respond to requests within 45 days, with one allowed 45-day extension if you notify the consumer and the reason within the first 45 days. Provide a free, conspicuous appeal process and respond to appeals within 60 days, and on a denied appeal point the consumer to the Attorney General complaint process. The TIPA consumer rights guide details each right and deadline.

Step 6: Run data protection assessments and processor contracts
TIPA requires documented risk assessments for higher-risk processing and binding contracts with vendors that process data on your behalf.
Under 47-18-3206(a), a controller must conduct and document a data protection assessment for each of these activities: processing personal information for targeted advertising, the sale of personal information, profiling that presents a reasonably foreseeable risk of harm, the processing of sensitive data, and any processing that presents a heightened risk of harm to consumers. The assessment must weigh the benefits of the processing against the risks to consumers, factoring in safeguards, de-identification, and consumer expectations. The Attorney General may request these assessments during an investigation, and they remain confidential and privileged.
Under 47-18-3205, a contract between a controller and a processor must govern the processor's data handling. The contract must set out processing instructions, nature and purpose, data type, and duration, and it must require the processor to keep data confidential, delete or return data at the end of services, demonstrate compliance on request, allow assessments, and bind any subcontractor to the same obligations. Map your vendors and bring each processor contract into line.
Step 7: Prepare for enforcement, cure, and penalties
Even a well-built program should account for how enforcement works, because the cure process and the affirmative defense both shape exposure. The Attorney General and Reporter has exclusive enforcement authority under 47-18-3212(a), and there is no private right of action under 47-18-3212(h).
Before suing, the Attorney General must give 60 days' written notice identifying the specific provisions allegedly violated, under 47-18-3212(b). If the business cures within that window and provides a written statement that the violations are cured and will not recur, the AG may not bring an action. Unlike some states that let their cure period sunset, Tennessee's 60-day cure is permanent, so the grace window does not expire.
If a business does not cure, penalties can be significant. A court may impose a civil penalty of up to $7,500 per violation under 47-18-3212(d), and each provision violated and each consumer affected count as separate violations. Under 47-18-3212(g), a court may, in its discretion, award treble damages where the controller or processor willfully or knowingly violated TIPA. This is where the NIST program pays off again: a conforming program under 47-18-3213 supplies the affirmative defense in 47-18-3214, the strongest structural protection TIPA offers a covered business.
Related guides
- Tennessee data privacy laws parent hub
- What is the TIPA?
- TIPA consumer rights
- State data privacy law comparison
- What is the CCPA?
Sources and References
- Tennessee HB 1181 (2023): Tennessee Information Protection Act (Bill Text) (capitol.tn.gov)
- Tennessee General Assembly: HB 1181 Bill Page and Public Chapter 408 (capitol.tn.gov)
- Tennessee Attorney General: Tips and Guidelines on the Tennessee Information Protection Act (Apr. 30, 2025) (tn.gov)
- NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management, Version 1.0 (nist.gov)
- Tenn. Code Ann. 47-18-3213: Written Privacy Program (NIST Privacy Framework) (capitol.tn.gov)
- Tenn. Code Ann. 47-18-3214: Affirmative Defense (capitol.tn.gov)
- Tenn. Code Ann. 47-18-3206: Data Protection Assessments (capitol.tn.gov)
- Tenn. Code Ann. 47-18-3205: Controller and Processor Contract Requirements (capitol.tn.gov)
- Tenn. Code Ann. 47-18-3212: Enforcement, 60-Day Cure, Civil Penalty, and Treble Damages (capitol.tn.gov)