
Regulations

What You Need To Know About Tennessee’s New Privacy Law

Jasmine Sharma, June 3, 2025

Tennessee’s Information Protection Act (TIPA) is set to take effect on July 1, 2025, making it the sixth state privacy law in 2025 to roll out in what’s shaping up to be a very active year for U.S. privacy regulation. Signed into law in May 2023, TIPA follows a similar path to Virginia, Utah, and Iowa with a business-friendly structure, but it introduces some key differences that make it stand out.

We’re here to guide you through the steps to ensure compliance and readiness for TIPA.

Understand the TIPA | Scope of Application | Rights Granted to Consumers | Key Obligations for Businesses Under Tennessee’s Privacy Law | Enforcement of TIPA | How DataGrail Can Help

Understanding the TIPA

Like other state privacy laws, TIPA provides rights such as access, deletion, and the ability to opt out of certain data processing activities. One of TIPA’s most distinctive features is its adoption of the National Institute of Standards and Technology (NIST) Privacy Framework. Tennessee is the first state to formally recognize this voluntary framework as a compliance tool. Aligning with the NIST Privacy Framework can serve as an affirmative defense against enforcement, offering a structured yet flexible way to manage privacy risks.

TIPA also includes two business-friendly provisions worth noting:

  • Entity-Level exemption for insurance companies: Unlike most privacy laws that only exempt specific types of data, TIPA fully exempts state-licensed insurance companies from the law, an unusual and significant carve-out.
  • Extended cure period with no sunset: TIPA gives businesses 60 days to fix violations after receiving notice from the Tennessee Attorney General. This is one of the most generous cure periods nationwide, second only to Iowa’s 90 days. What makes it even more notable is that the cure period doesn’t “sunset” (expire) over time. In contrast, other state laws like the CCPA included cure periods that were temporary, known as sunset provisions, which eventually phased out.

Scope of Application

Not every business operating in Tennessee will be covered, because TIPA sets a relatively high threshold for applicability. To fall within the law’s scope, a company must do business in Tennessee or offer products or services to Tennessee residents, and it must meet specific size and data processing thresholds.

First, the business must have annual revenue over $25 million. From there, it must also meet one of the following conditions:

  • Handle the personal data of at least 175,000 Tennessee consumers in a year, or
  • Handle the personal data of at least 25,000 consumers and make over 50% of its revenue from selling personal data.

It’s important to note that TIPA defines “sale of personal information” as an exchange of data for something of value, but with some notable exceptions. Internal uses (like sharing data with a processor or affiliate), disclosures required to complete a transaction requested by the consumer, or data made public by the consumer themselves don’t count as “sales” under the law.

Exemptions

The Tennessee Information Protection Act (TIPA) includes several broad exemptions from its scope. Entities that fall into the following categories are not subject to TIPA’s requirements:

  • Government agencies
  • Nonprofit organizations
  • Higher education institutions
  • Financial institutions subject to the Gramm-Leach-Bliley Act (GLBA)
  • Covered entities and business associates governed by the Health Insurance Portability and Accountability Act (HIPAA)

In addition to these common exemptions, TIPA stands out for fully exempting all insurance providers that are licensed in the state of Tennessee, a carve-out not found in most other state privacy laws.

Rights Granted to Consumers

The Tennessee law provides consumers with several rights to safeguard their personal data and manage how it is used:

  1. Right to Access: Consumers can confirm whether their personal data is being processed by a business and request access to their data, with certain limitations.
  2. Right to Deletion: Consumers can ask businesses to delete their personal data, whether it was provided by the consumer or collected about them, though some exceptions apply.
  3. Right to Correction: Consumers can request that any inaccuracies in their personal data be corrected, considering the nature of the data and its intended use.
  4. Right to Data Portability: Consumers can request a copy of the personal data they previously shared with a business, provided in a usable format, subject to some exceptions.
  5. Right to Opt-Out: Consumers can opt out of having their personal data used for sales, targeted advertising, or profiling.

Key Obligations for Businesses Under Tennessee’s Privacy Law

As Tennessee’s privacy law, the Tennessee Information Protection Act (TIPA), takes effect, businesses will need to ensure compliance with a wide range of controller and processor obligations. Here’s a breakdown of key responsibilities:

Controllers’ Responsibilities

Controllers—those who determine the purposes and means of processing personal data—are required to:

  • Limit Data Collection and Use: Collect only personal data that is adequate, relevant, and reasonably necessary for the disclosed purposes. Controllers must not process personal data for secondary purposes unless they first obtain the consumer’s explicit consent.
  • Implement Data Security Measures: Establish, implement, and maintain reasonable administrative, technical, and physical security practices to protect personal data. These safeguards should be proportionate to the volume and nature of the data collected.
  • Provide Clear Privacy Notices: Deliver a reasonably accessible, clear, and meaningful privacy notice that includes:
    • The categories of personal data being processed
    • The purpose(s) for processing
    • Instructions for how consumers can exercise their privacy rights
    • Whether personal data is sold or used for targeted advertising
    • The categories of third parties receiving such data
    • A reliable method for submitting consumer requests (without requiring a new account)
  • Respect Consumer Rights: Ensure mechanisms are in place to allow consumers to exercise their rights, such as accessing, correcting, deleting, and obtaining copies of their data. Controllers must respond to consumer requests within 45 days, with a possible 45-day extension if necessary and with proper notice to the consumer.
  • Enable Opt-Out Mechanisms: Provide consumers with the ability to opt out of the sale of their personal data, targeted advertising, and profiling in certain high-risk contexts. Clear and conspicuous disclosures are required when such activities occur.
  • Obtain Opt-In Consent for Sensitive Data: Controllers must secure consumer consent before processing sensitive personal data. For known children, such data must be processed in accordance with the Children’s Online Privacy Protection Act (COPPA).
  • Conduct Data Protection Assessments: Before engaging in certain types of high-risk processing—including selling data, targeted advertising, profiling with a foreseeable risk of harm, and processing sensitive data—controllers must conduct and document data protection assessments. Assessments conducted for other state laws may be reused if they are reasonably comparable in scope. This requirement applies to processing activities initiated on or after July 1, 2024.
  • Special Consideration: Pseudonymous Data: Under TIPA, data is considered pseudonymous if it can’t identify someone without access to separately stored identifiers. When a business uses strong technical and organizational safeguards to keep those identifiers apart, consumer rights like access and deletion don’t apply.
  • Avoid Discrimination: Controllers may not process personal data in violation of state or federal anti-discrimination laws and cannot retaliate against consumers for exercising their rights under TIPA. However, loyalty programs and similar incentives are permitted when tied to opt-out decisions.

Processors’ Responsibilities

Processors—those who process personal data on behalf of controllers—are required to:

  • Execute Data Processing Agreements: Enter into binding contracts with controllers that outline:
    • The nature and purpose of processing
    • The instructions and limits placed on processing
    • Confidentiality obligations for personnel
    • Requirements to delete or return data at the end of service
    • Assistance in fulfilling consumer requests and compliance requirements
    • Subcontractor restrictions, including required contract terms for downstream processors
    • Cooperation with audits or assessments by or on behalf of the controller
  • Maintain Data Security: Adopt and uphold appropriate safeguards to protect the personal data they handle, consistent with the obligations passed down by the controller.
  • Support Compliance: Assist controllers in responding to consumer rights requests, conducting data protection assessments, and upholding security and privacy obligations as defined under TIPA.

Both controllers and processors should be aware that failure to comply with these requirements can lead to enforcement by the Tennessee Attorney General and potential penalties.

Enforcement of TIPA

The Tennessee Information Protection Act (TIPA) will be enforced exclusively by the Tennessee Attorney General. Unlike California’s CCPA, TIPA does not provide a private right of action, meaning consumers cannot sue companies directly for violations. Instead, enforcement is carried out solely by the state.

60-Day Cure Period

One of the most business-friendly features of the Tennessee Information Protection Act (TIPA) is its 60-day cure period. Before bringing a formal enforcement action, the Attorney General must provide 60 days’ written notice to the business alleged to be in violation. During this time, the controller or processor has the opportunity to cure the violation and submit written confirmation that the issue has been resolved and that no further similar violations will occur. If the business cures the violation within this window, no enforcement action will be taken—unless the issue recurs or was not fully resolved.

Unlike many other state privacy laws, TIPA’s cure period does not include a sunset clause. A “sunset clause” is a legal provision that causes a law or part of it to automatically expire after a set time unless extended by new legislation.

In contrast, California’s original 30-day cure period under the CCPA was eliminated under the CPRA. Now, whether to offer a cure window is left to the discretion of the California Privacy Protection Agency.

With its ongoing and guaranteed cure period, TIPA gives businesses more breathing room to come into compliance, making it one of the more lenient state privacy laws on the books.

Penalties

If a business fails to remedy the violation within the cure period, the Attorney General may bring an action seeking:

  • Declaratory and injunctive relief
  • Civil penalties of up to $7,500 per violation
  • Reasonable attorney’s fees and investigative costs

In cases of willful or knowing violations, courts may also award treble damages, tripling the financial penalty at the court’s discretion.

Affirmative Defense for Businesses

TIPA provides a notable affirmative defense: a business will not be liable if it can demonstrate that it maintains and complies with a written privacy program that:

  1. Reasonably conforms to the NIST Privacy Framework: “A Tool for Improving Privacy through Enterprise Risk Management Version 1.0”, or another comparable framework;
  2. Is updated to align with revisions to the NIST or comparable framework within two years of any official update;
  3. Provides consumers with the substantive rights required under TIPA.

This provision gives businesses an incentive to adopt and maintain structured, risk-based privacy programs aligned with recognized national standards.

Compliance Timeline

Although the requirement to conduct Data Protection Assessments (DPAs) begins July 1, 2024, TIPA enforcement will begin on July 1, 2025. Businesses have until that date to bring their operations into compliance.

How DataGrail Can Help

Navigating state privacy laws like the Tennessee Information Protection Act (TIPA) can be complex. That’s where DataGrail comes in.

Our platform is designed to simplify compliance with TIPA and other evolving state privacy laws. Here’s how DataGrail can help your business stay compliant:

  • Operationalize the NIST Privacy Framework: TIPA uniquely allows businesses to claim an affirmative defense if they adopt and maintain a privacy program that reasonably conforms to the NIST Privacy Framework. DataGrail’s platform helps you build and demonstrate a structured, risk-based privacy program that aligns with NIST principles—supporting your business in qualifying for this key protection.
  • Automate Consumer Rights Requests: Easily manage consumer requests for access, deletion, and opt-out, all while ensuring timely responses in line with TIPA deadlines.
  • Ensure Vendor Compliance: Stay on top of third-party compliance with TIPA obligations, keeping all your data handling practices secure and compliant.

With DataGrail’s Request Manager, businesses can efficiently handle data subject access requests (DSARs), deletion requests, and opt-out actions. This means you’re covered not just for TIPA, but also for other major laws like CCPA and GDPR.

By using DataGrail, your business can stay ahead of privacy laws, reduce risk, and maintain trust with your customers.

Request a demo here.

Want to learn more? Check out our Guide to State Privacy Laws to discover how these regulations will impact your business and ensure your compliance strategy is up to date.

Additionally, join Privacy Basecamp, our exclusive community of privacy professionals, to connect, share resources, and discuss best practices in privacy management. Stay updated on the latest state privacy legislation and engage with experts in the field.

For questions, reach out to your CSM or email [email protected]. Interested in seeing the platform? Request a demo here.
