July 1 marked the official enforcement date of the Tennessee Information Protection Act (TIPA), the state’s comprehensive consumer privacy law. Signed into law in 2023, TIPA grants consumers specific rights concerning their personal information and regulates covered businesses and service providers that collect, use, share, or otherwise process consumers’ personal information. With all TIPA provisions now enforceable, it is important for regulated companies to understand the law’s comprehensive requirements.

Covered businesses and organizations

TIPA regulates entities that conduct business in Tennessee or produce products or services targeted to Tennessee residents, exceed $25 million in annual revenue, and meet at least one of the following criteria:

  • Control or process information of 25,000 or more Tennessee consumers per year and derive more than 50% of gross revenue from the sale of personal information; or
  • Control or process information of at least 175,000 Tennessee consumers during a calendar year.

Consumer Rights

TIPA grants consumers (Tennessee residents acting in a personal context only) the rights to confirm, access, correct, delete, or obtain a copy of their personal information, or opt out of specific uses of their data (such as selling data to third parties, using data for targeted advertising, or profiling consumers in certain instances). Companies must respond to authenticated consumer requests within 45 days, with a possible 45-day extension, and they must establish an appeal process for request denials. Controllers, which TIPA defines as companies that (alone or jointly) determine the purpose and means of processing personal information, must also offer a secure and reliable means for consumers to exercise their rights without requiring consumers to create a new account.

Company Responsibilities

Companies must limit data collection and processing to what is necessary, maintain appropriate data security practices, and avoid discrimination. Companies must provide a clear and accessible privacy notice detailing their practices, and, if selling personal information or using it for targeted advertising, disclose these practices and provide an opt-out option.

Opt-In for Sensitive Personal Information

TIPA prohibits processing sensitive personal information without first obtaining informed consent. Sensitive personal information is defined broadly and includes any personal information that reveals a consumer’s racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status. Sensitive information also includes any data collected from a known child younger than age 13, precise geolocation data (i.e., within a 1,750-foot radius), and the processing of genetic or biometric data for the purposes of identifying an individual.

Controller-Processor Requirements

Processors must adhere to the controller’s instructions and assist the controller in meeting its obligations, including responding to consumer rights requests and providing the information necessary for data protection assessments. Contracts between controllers and processors must set out the data processing procedures, including confidentiality obligations, deletion or return of data at the end of the engagement, demonstration of compliance, cooperation with assessments, and the terms on which subcontractors may be engaged. Whether a person is acting as a controller or a processor depends on the context and the specific processing of personal information at issue, not on the label the parties give themselves.

Data Protection Assessments

Companies must conduct and document data protection assessments for specific processing activities involving personal information, such as targeted advertising, the sale of personal information, certain profiling, and processing of sensitive personal information. These assessments must weigh the benefits of the processing against the risks to consumers, taking into account specified factors. The assessment requirement applies to processing activities created or generated on or after July 1, 2024. The Tennessee attorney general may request an assessment in an investigation; the assessment is then treated as confidential and exempt from public disclosure, and producing it to the attorney general does not constitute a waiver of attorney-client privilege or work product protection.

Major Similarities to CCPA

TIPA shares many similarities with the California Consumer Privacy Act (CCPA), including:

  • Similar consumer rights;
  • Contractual requirements between controllers and processors; and
  • Requiring data protection assessments for certain processing activities.

Affirmative Defense

TIPA provides an “affirmative defense” to an alleged violation for a business that maintains and adheres to a written privacy program that reasonably conforms to the NIST Privacy Framework or a comparable recognized standard. The program’s scale and scope must be appropriate in light of factors such as the size and complexity of the business, the nature and scope of its activities, the sensitivity of the personal information processed, the cost and availability of tools to improve privacy protections, and the business’s compliance with comparable state or federal laws. In addition, certification under the Asia-Pacific Economic Cooperation’s Cross-Border Privacy Rules or Privacy Recognition for Processors systems may be considered in evaluating whether the program qualifies.

Enforcement

The Tennessee attorney general retains exclusive enforcement authority, and TIPA expressly states that there is no private right of action. The Tennessee attorney general must provide 60 days’ written notice and an opportunity to cure before initiating enforcement action. If the alleged violations are not cured, the Tennessee attorney general may file an action and seek declaratory and/or injunctive relief, civil penalties up to $7,500 for each violation, reasonable attorneys’ fees and investigative costs, and treble damages in the case of a willful or knowing violation.

Exemptions

The law includes numerous exemptions, including:

  • Government entities;
  • Financial institutions, their affiliates, and data subject to the Gramm-Leach-Bliley Act (GLBA);
  • Insurance companies;
  • Covered entities, business associates, and protected health information governed by the Health Insurance Portability and Accountability Act (HIPAA) and/or the Health Information Technology for Economic and Clinical Health Act (HITECH);
  • Nonprofit organizations;
  • Higher education institutions; and
  • Personal information that is subject to other laws, such as the Children’s Online Privacy Protection Act (COPPA), the Family Educational Rights and Privacy Act (FERPA), and the Fair Credit Reporting Act (FCRA).

TIPA is just one of seven laws slated to go into effect this year. With three more laws going into effect next year, companies should review and determine whether laws such as TIPA apply to them and take steps to comply now that the law is in effect.

Erin Jane Illman

Erin Illman is a dynamic problem solver with a strong understanding of U.S. and international private-sector privacy laws and regulations and the legal requirements for the transfer of sensitive personal data to/from the United States, the European Union and other jurisdictions. She regularly advises clients on CCPA, GLBA, HIPAA, COPPA, CAN-SPAM, FCRA, security breach notification laws, and other U.S. state and federal privacy and data security requirements, and global data protection laws. In addition to providing proactive privacy and information security compliance and legal advice, Erin manages privacy-related enforcement actions and litigation. Her practice includes representing companies in reactive incident response situations, including insider cybersecurity threats, electronic and physical theft of trade secrets, and investigation, analysis, and notification efforts with respect to security incidents and breaches.

Brett Lawrence

Brett Lawrence is an associate in the Banking and Financial Services Practice Group who focuses his practice on data privacy and cybersecurity issues, insurance coverage, and other general and professional liability matters. He is a Certified Information Privacy Professional (CIPP/US) by the International Association of Privacy Professionals.

Amy Leopard

Amy Leopard is a partner and leader in Bradley’s Health Information Technology, Privacy & Security practice. Amy advises clients on complex health IT matters at the intersection of healthcare, technology, and law. She is a Fellow in HIMSS and served on the Board of the American Health Law Association, where she chaired the AHLA Health IT Practice Group. Amy is nationally ranked in Chambers USA for Healthcare Privacy and Data Security. She is a regular thought leader and is a blog editor for Bradley’s Online and On Point blog.

Eric Setterlund

Eric Setterlund serves as partner in Bradley’s Healthcare practice group and co-chair of the Cybersecurity and Privacy practice group. He has extensive experience with matters related to healthcare privacy, security protections and regulatory compliance. Prior to joining the firm, Eric served as chief privacy officer and privacy and data counsel for BlueCross BlueShield of Tennessee. He draws upon his real-world business and program management experience to provide his clients practical advice for complex regulatory and transactional matters.

Samuel Adams

Samuel Adams is an attorney in the firm’s Banking & Financial Services Practice Group.

Prior to joining Bradley, Samuel served as policy counsel for the Future of Privacy Forum in Washington, D.C., where he was focused on advertising technologies and platforms, as well as U.S. policy and law. He advised a group of senior leaders from Fortune 500 companies, law firms, and other organizations to address the most pressing issues in technology and the shifting legal landscapes affecting privacy in digital advertising.