TIPA Consumer Rights: Tennessee Data Privacy Rights

The Tennessee Information Protection Act (TIPA), Tenn. Code Ann. 47-18-3201 et seq., gives Tennessee residents five core data rights as of its July 1, 2025 effective date: to access their personal information, correct inaccuracies, delete it, obtain a portable copy, and opt out of its sale, targeted advertising, and certain profiling. A consumer exercises these rights by submitting a request to the controller under 47-18-3203.
A controller must respond within 45 days, may extend once by another 45 days when reasonably necessary, and must offer a no-cost appeal process if it declines a request. As of 2026, the Tennessee Attorney General and Reporter enforces these rights exclusively under 47-18-3212; there is no private right of action, and a covered business that maintains a NIST-conforming written privacy program has an affirmative defense under 47-18-3214.
Jurisdiction scope: This page covers the Tennessee Information Protection Act (Tenn. Code Ann. 47-18-3201 et seq.). It is general legal information, not legal advice.
The five core consumer rights under 47-18-3203
TIPA's consumer rights are set out in 47-18-3203. A consumer may invoke them at any time by submitting a request to a controller that specifies which rights the consumer wishes to exercise. A parent or legal guardian may invoke these rights on behalf of a known child whose data is being processed.
The right to confirm and access, under 47-18-3203(a)(2)(A), lets a consumer confirm whether a controller is processing the consumer's personal information and access that information. This is the foundational transparency right, and it usually precedes any decision to correct or delete.
The right to correct, under 47-18-3203(a)(2)(B), lets a consumer fix inaccuracies in the consumer's personal information, taking into account the nature of the data and the purposes of the processing. The right to delete, under 47-18-3203(a)(2)(C), lets a consumer delete personal information that the controller provided or obtained about the consumer, though a business need not delete data it holds only as aggregate or de-identified data not linked to a specific consumer.
The right to portability, under 47-18-3203(a)(2)(D), lets a consumer obtain a copy of the personal information the consumer previously provided, in a portable and, where technically feasible, readily usable format that allows the consumer to transmit it to another controller. For the full controller-side obligations behind these rights, see the Tennessee data privacy laws hub.
The opt-out rights: sale, targeted advertising, and profiling
Beyond access and correction, TIPA gives consumers the right to opt out of three kinds of processing. As confirmed by the enacted text and the Tennessee Attorney General, a consumer may opt out of the sale of personal information, targeted advertising, and profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
The opt-out from sale is the most concrete. Under 47-18-3203(d), a consumer's opt-out prohibits the controller from selling personal information about that consumer going forward. "Sale" under 47-18-3201 means the exchange of personal information for monetary or other valuable consideration to a third party, with several carve-outs, such as transfers to a processor acting for the controller and transfers a consumer directs.
Targeted advertising and profiling are defined in 47-18-3201. Targeted advertising means displaying ads selected based on a consumer's activity over time and across nonaffiliated sites or apps, and excludes contextual ads and first-party advertising within a controller's own properties. Profiling means automated processing used to evaluate or predict personal aspects such as economic situation, health, preferences, behavior, location, or movements. A controller that sells data or runs targeted advertising must, under 47-18-3204(d), clearly and conspicuously disclose that processing and how to opt out.

How to submit a request and how a controller must respond
A consumer submits a request through a method the controller designates. Under 47-18-3204(e), a controller must provide and describe in its privacy notice at least one of four methods: a toll-free telephone number, an email address, a web form, or a clear and conspicuous link on its homepage. A controller cannot force a consumer to create a new account to make a request, though it may require the consumer to use an existing account.
The controller must authenticate the request. "Authenticate" under 47-18-3201 means verifying by reasonable means that the person making the request is the consumer entitled to exercise the right. If the controller cannot authenticate a request using commercially reasonable efforts, it may decline to act and may ask the consumer for additional information reasonably necessary to verify identity, under 47-18-3203(b)(4).
Once a request is authenticated, the clock starts. Under 47-18-3203(b)(1), the controller must respond without undue delay and in all cases within 45 days of receipt. The controller may extend that window once, by an additional 45 days, when reasonably necessary given the complexity and number of requests, but only if it informs the consumer of the extension and the reason within the original 45-day period.
Responses are free up to twice a year per consumer. Under 47-18-3203(b)(3), if requests are manifestly unfounded, technically infeasible, excessive, or repetitive, the controller may charge a reasonable fee or decline to act, and the controller bears the burden of proving the request fits one of those categories.
The 45-day timeline and required disclosures
The 45-day response deadline applies whether the controller grants or denies the request. If a controller declines to take action, 47-18-3203(b)(2) requires it to tell the consumer, within 45 days, the justification for declining and the instructions for how to appeal.
| Step | Deadline | Section |
|---|---|---|
| Initial response to a request | 45 days from receipt | 47-18-3203(b)(1) |
| Optional extension (must notify in first 45 days) | 45 additional days | 47-18-3203(b)(1) |
| Notice of refusal plus appeal instructions | Within 45 days | 47-18-3203(b)(2) |
| Response to an appeal | Within 60 days of the appeal | 47-18-3203(c) |
| Free responses | Up to twice per year per consumer | 47-18-3203(b)(3) |
This dual structure, a 45-day action deadline plus a separate appeal track, is common to the Virginia-model state privacy laws that TIPA closely follows. What sets the overall enforcement picture apart in Tennessee is the affirmative defense, covered below, rather than the response timeline itself.
The appeal process under 47-18-3203(c)
TIPA requires a real appeal channel, not just a one-time decision. Under 47-18-3203(c), a controller must establish a process for a consumer to appeal the controller's refusal to take action on a request. The appeal process must be conspicuous, available at no cost, and similar to the process for submitting the original request.
The controller must act on the appeal quickly. Within 60 days of receiving an appeal, the controller must inform the consumer in writing of the action taken or not taken, including a written explanation of the reasons for the decision.
If the controller denies the appeal, it must give the consumer a way to escalate. The statute requires the controller to provide an online mechanism, if available, or another method through which the consumer may contact the Attorney General and Reporter to file a complaint. That escalation path matters because TIPA has no private right of action, so the Attorney General is the consumer's route to enforcement.

Sensitive data and the opt-in consent right
For sensitive data, TIPA flips the default. Rather than letting a consumer opt out, 47-18-3204(a)(6) bars a controller from processing sensitive data at all without first obtaining the consumer's consent. This opt-in model gives consumers control over the most personal categories before any processing begins.
Sensitive data is defined in 47-18-3201 to include personal information revealing racial or ethnic origin, religious beliefs, a mental or physical health diagnosis, sexual orientation, or citizenship or immigration status. It also covers genetic or biometric data processed to uniquely identify a person, personal information collected from a known child, and precise geolocation data, which the statute defines as locating a person within a radius of 1,750 feet.
"Consent" is defined narrowly. It must be a clear affirmative act signifying freely given, specific, informed, and unambiguous agreement. For a known child, the controller must comply with the federal Children's Online Privacy Protection Act instead. The TIPA compliance checklist covers how a controller should build and document consent capture.
Enforcement, the affirmative defense, and no private right of action
TIPA gives the Attorney General and Reporter exclusive enforcement authority under 47-18-3212(a). A consumer cannot sue under TIPA: 47-18-3212(h) states that a violation may not serve as the basis for, or be subject to, a private right of action, including a class action. The consumer's recourse is to file a complaint with the Attorney General, which is exactly where a denied appeal must direct the consumer.
Before the Attorney General can sue, the controller gets a chance to fix the problem. Under 47-18-3212(b), the AG must give 60 days' written notice identifying the specific provisions allegedly violated. If the controller cures within that window and provides a written statement that the violations are cured and will not recur, the AG may not bring an action. That 60-day cure period is permanent, with no sunset date.
The affirmative defense shapes how rights are enforced in practice. Under 47-18-3214, a controller or processor that creates, maintains, and complies with a written privacy program reasonably conforming to the NIST Privacy Framework, as described in 47-18-3213, has an affirmative defense to a TIPA claim. So even where a consumer's right was arguably mishandled, a covered business with a conforming NIST program can raise that program as a defense. This is unique to Tennessee among state privacy laws as of 2026, and it is why a business's compliance posture is tightly linked to how consumer rights play out.
Sources and References
- Tennessee HB 1181 (2023): Tennessee Information Protection Act (Bill Text) (capitol.tn.gov)
- Tennessee General Assembly: HB 1181 Bill Page and Public Chapter 408 (capitol.tn.gov)
- Tennessee Attorney General: Tips and Guidelines on the Tennessee Information Protection Act (Apr. 30, 2025) (tn.gov)
- Tenn. Code Ann. 47-18-3203: Personal Information Rights of Consumers (capitol.tn.gov)
- Tenn. Code Ann. 47-18-3204: Controller Responsibilities, Privacy Notice, and Sensitive Data Consent (capitol.tn.gov)
- Tenn. Code Ann. 47-18-3212: Attorney General Enforcement and No Private Right of Action (capitol.tn.gov)
- Tenn. Code Ann. 47-18-3214: Affirmative Defense (NIST Written Privacy Program) (capitol.tn.gov)
- NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management, Version 1.0 (nist.gov)