What Is the TIPA? Tennessee Information Protection Act

The Tennessee Information Protection Act (TIPA), codified at Tenn. Code Ann. 47-18-3201 et seq., is Tennessee's comprehensive consumer data privacy law. It was enacted as House Bill 1181 (Public Chapter 408), signed by Governor Bill Lee on May 11, 2023, and took effect July 1, 2025, giving Tennessee residents rights to access, correct, delete, and port their personal information and to opt out of its sale, targeted advertising, and certain profiling.
As of 2026, the Tennessee Attorney General and Reporter holds exclusive enforcement authority and may seek civil penalties of up to $7,500 per violation, plus treble damages for willful or knowing violations. TIPA's signature feature is found nowhere else in the country: a controller or processor that maintains a written privacy program reasonably conforming to the NIST Privacy Framework gets an affirmative defense to a TIPA claim.
Jurisdiction scope: This page covers the Tennessee Information Protection Act (Tenn. Code Ann. 47-18-3201 et seq.). It is general legal information, not legal advice.
What the TIPA is: statute, enactment, and effective date
The Tennessee Information Protection Act is Tennessee's first comprehensive consumer data privacy law. It is codified at Tennessee Code Annotated Sections 47-18-3201 through 47-18-3214, within the state's broader consumer protection chapter. The General Assembly passed it as House Bill 1181 during the 2023 session, and it was enacted as Public Chapter 408.
Governor Bill Lee signed TIPA into law on May 11, 2023. The legislature gave businesses a long runway: the act did not take effect until July 1, 2025. As of 2026, that date has passed, so every covered business is now fully subject to TIPA.
The law as introduced went through significant amendment before passage. The enacted version raised the applicability thresholds, lowered the maximum civil penalty from $15,000 to $7,500, and kept the NIST Privacy Framework affirmative defense that became its defining feature. The codified text in 47-18-3201 et seq. reflects those final choices, and that is the version in force today.
For the controller and processor obligations, privacy notice rules, and data protection assessment requirements in detail, see the Tennessee data privacy laws parent page.
Who the TIPA covers: one of the highest thresholds in the country
TIPA's applicability test lives in 47-18-3202, and it is far narrower than most state privacy laws. The law applies to a person that conducts business in Tennessee, or that produces products or services targeted to Tennessee residents, but only if that person clears a revenue gate and a data-volume trigger.
The revenue gate comes first. A business is covered only if it exceeds $25,000,000 in revenue. A company below that figure is outside TIPA no matter how much consumer data it processes. That single gate removes most small and mid-size businesses from the law's reach.
A business that clears the revenue gate is covered only if it also meets one of two data-volume triggers. The first is controlling or processing the personal information of at least 175,000 consumers during a calendar year. The second is controlling or processing the data of at least 25,000 consumers while deriving more than 50 percent of gross revenue from the sale of personal information.
Those numbers matter because they sit at the high end nationally. Most state privacy laws use a 100,000-consumer trigger or have no revenue floor at all. Tennessee paired a $25 million revenue gate with a 175,000-consumer trigger, so the combined bar is among the steepest of any state privacy statute as of 2026. A "consumer" under 47-18-3201 is a Tennessee resident acting in a personal context, not in a commercial or employment context.

TIPA's exemptions: broad entity-level carve-outs
TIPA exempts whole categories of organizations at the entity level under 47-18-3210, a structure that pulls many businesses out of the law regardless of how much data they hold. Several of these exemptions are sweeping.
State and local government bodies are exempt. So are financial institutions, their affiliates, and data subject to Title V of the federal Gramm-Leach-Bliley Act. Insurance companies licensed under Tennessee Title 56 and insurance producers are also carved out.
The health-care exemptions are extensive. Covered entities and business associates governed by HIPAA are exempt, as is protected health information and several other categories of health and research data. Nonprofit organizations are exempt, and so are institutions of higher education. These entity-level carve-outs mean an organization can be wholly outside TIPA based on what it is, not just based on the specific data it handles.
The practical effect is that TIPA's covered population is smaller than its peer laws in two ways at once: the high revenue-and-volume thresholds screen out smaller companies, and the broad entity exemptions remove whole sectors. A business should still map its status against 47-18-3210 rather than assume coverage, because the exemptions are framed around specific federal regimes and licensed roles.
The opt-in sensitive-data rule
Sensitive data carries a stricter rule than ordinary personal information. Under 47-18-3204(a)(6), a controller may not process sensitive data concerning a consumer without first obtaining the consumer's consent. This is an opt-in model: the default is no processing until the consumer affirmatively agrees.
Sensitive data is defined in 47-18-3201. It includes personal information revealing racial or ethnic origin, religious beliefs, a mental or physical health diagnosis, sexual orientation, or citizenship or immigration status. It also includes genetic or biometric data processed to uniquely identify a person, personal information collected from a known child, and precise geolocation data.
"Consent" under TIPA is not a buried checkbox. The statute defines it as a clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement. For a known child, the controller must instead follow the federal Children's Online Privacy Protection Act. Because the consent gate sits in front of an entire category of data, getting the definition of sensitive data right is an operational priority for covered businesses.

The NIST Privacy Framework affirmative defense: TIPA's signature feature
TIPA's most distinctive provision, and the one that sets it apart from every other state privacy law, is the NIST Privacy Framework affirmative defense. Two sections work together to create it. Section 47-18-3213 requires a written privacy program, and 47-18-3214 turns compliance with that program into an affirmative defense to a TIPA claim.
Under 47-18-3213(a), a controller or processor must create, maintain, and comply with a written privacy program that reasonably conforms to the NIST privacy framework titled "A Tool for Improving Privacy through Enterprise Risk Management Version 1.0." When NIST publishes a revision, the business must conform its program to the revised framework within one year of the publication date. The program must provide consumers the substantive rights TIPA guarantees and must disclose the commercial purposes for which the business processes personal information.
The defense itself is in 47-18-3214: a controller or processor "has an affirmative defense to a cause of action for a violation of this part" if it creates, maintains, and complies with a written privacy program as described in 47-18-3213. No other state privacy law as of 2026 ties a documented privacy framework to an affirmative defense in this way. Tennessee is the first and, so far, the only state to formally write the NIST Privacy Framework into its enforcement structure.
The defense scales with the business. Under 47-18-3213(c), the appropriate scale and scope of a program turns on the size and complexity of the business, the nature and scope of its activities, the sensitivity of the personal information it processes, the cost and availability of privacy tools, and compliance with comparable state or federal law. A small covered business is not held to the same program as a large data broker. The TIPA compliance checklist guide walks through how to build a conforming program.
TIPA vs. CCPA: the key differences
Tennessee's TIPA and California's CCPA are often compared by companies that operate nationally. The state data privacy law comparison page covers the broader multistate picture, but several differences between TIPA and California's CCPA stand out.
| Feature | Tennessee TIPA | California CCPA/CPRA |
|---|---|---|
| Coverage threshold | Must exceed $25M revenue AND meet a data trigger: 175,000 consumers, or 25,000 consumers plus more than 50% of gross revenue from data sales | $25M revenue, OR 100,000 consumers, OR 50% revenue from data sales |
| Threshold structure | Revenue gate AND data trigger both required | Any one trigger is enough |
| NIST affirmative defense | Yes (47-18-3213, 47-18-3214); unique nationally | No |
| Sensitive data | Opt-in consent required (47-18-3204(a)(6)) | Right to limit use; opt-out model |
| Private right of action | None (47-18-3212(h)) | Limited, for certain data breaches |
| Cure period | Permanent 60-day cure (47-18-3212(b)) | Cure provision narrowed over time |
The most consequential difference is the coverage structure. California's thresholds are disjunctive, so meeting any one of them brings a business in; a company can be covered on revenue alone or data volume alone. Tennessee's are conjunctive: a business must clear the $25 million revenue gate and a data trigger. That conjunctive design, plus the higher 175,000-consumer figure, makes TIPA's net much smaller than the CCPA's.
The second major difference is the NIST affirmative defense, which California does not offer. A TIPA-covered business that builds a conforming NIST program gains a defense that has no analog in the CCPA or in any other state law as of 2026.
Sources and References
- Tennessee HB 1181 (2023): Tennessee Information Protection Act (Bill Text) (capitol.tn.gov)
- Tennessee General Assembly: HB 1181 Bill Page and Public Chapter 408 (capitol.tn.gov)
- Tennessee Attorney General: Tips and Guidelines on the Tennessee Information Protection Act (Apr. 30, 2025) (tn.gov)
- NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management, Version 1.0 (nist.gov)
- Tenn. Code Ann. 47-18-3202: Scope and Applicability Thresholds (capitol.tn.gov)
- Tenn. Code Ann. 47-18-3213: Written Privacy Program (NIST Privacy Framework) (capitol.tn.gov)
- Tenn. Code Ann. 47-18-3214: Affirmative Defense (capitol.tn.gov)
- Tenn. Code Ann. 47-18-3212: Attorney General Enforcement, Cure Period, and Civil Penalties (capitol.tn.gov)