Overview
The Tennessee Information Protection Act (TIPA) is a comprehensive state privacy law designed to provide Tennessee residents with greater control over their personal data while establishing clear compliance obligations for businesses. Signed into law in May 2023, TIPA takes effect on July 1, 2025.
TIPA is considered one of the most business-friendly U.S. privacy laws, with broad exemptions, an affirmative defense option for businesses, and no private right of action. However, it still imposes strict rules on data processing, consumer rights, and security measures.
Who Must Comply?
The TIPA applies to businesses that conduct business in Tennessee or target Tennessee residents and meet one of the following criteria:
- Process personal data of at least 175,000 Tennessee consumers annually
- Process personal data of at least 25,000 Tennessee consumers and derive over 50% of gross revenue from selling personal data
Exemptions:
The law does not apply to:
- Government entities
- Nonprofits
- Financial institutions subject to GLBA
- HIPAA-covered entities (hospitals, insurers, healthcare providers)
- Higher education institutions
Key Consumer Rights Under TIPA
- Right to Access - Consumers can request a copy of their personal data.
- Right to Correct - Consumers can request corrections to inaccurate personal data.
- Right to Delete - Consumers can request the deletion of personal data.
- Right to Data Portability - Consumers can receive their data in a portable format.
- Right to Opt-Out - Consumers can opt out of:
  - Targeted advertising
  - Sale of personal data
  - Automated profiling that affects legal or financial decisions
Business Compliance Requirements
- Affirmative Defense Option - Businesses that implement a written privacy program aligned with industry standards (such as NIST or ISO 27701) may use it as a legal defense against enforcement actions.
- Obtain Opt-In Consent for Sensitive Data Processing - Companies must get explicit consumer consent before processing:
  - Racial/ethnic origin
  - Religious beliefs
  - Biometric data
  - Health conditions
  - Children's data
- Universal Opt-Out Mechanisms (Starting January 1, 2026) - Businesses must recognize Global Privacy Control (GPC) signals.
- Privacy Notices & Transparency - Businesses must provide clear, detailed privacy policies explaining data collection practices.
- Data Security & Protection - Companies must apply reasonable security measures to protect personal data from breaches.
- Risk Assessments - Businesses must conduct Data Protection Assessments (DPA) for:
  - Targeted advertising
  - Data sales
  - Automated decision-making
Real-World Enforcement Cases
The Tennessee Attorney General is responsible for enforcing TIPA, with penalties of up to $7,500 per violation.
Since TIPA does not take effect until July 2025, enforcement cases are yet to be seen. However, Tennessee's law is expected to target data brokers, AI-driven profiling, and businesses failing to honor consumer opt-outs.
Comparison with Other State Privacy Laws
TIPA is often seen as more business-friendly than laws like California's CPRA and Colorado's CPA because:
- Affirmative Defense Available - Businesses with strong privacy programs can limit liability.
- Higher Compliance Threshold (175,000 consumers) - Fewer businesses are affected.
- No Private Right of Action - Consumers cannot sue companies directly.
Future of TIPA Regulation
- Expansion of opt-out mechanisms in 2026 to include AI-based decision-making.
- Tougher enforcement for businesses failing to honor privacy requests.
- Potential updates to align with a federal privacy law if passed.
Tennessee's TIPA is one of the most business-friendly privacy laws while still giving consumers key data rights. It serves as a model for future state and federal privacy frameworks.