The Tennessee Information Protection Act (TIPA) is a comprehensive privacy law of Tennessee that confers rights upon consumers, imposes obligations on businesses, and prescribes penalties for violations of its provisions.

Official text: Tennessee Information Protection Act

Effective date: July 1, 2025

What is the Tennessee Information Protection Act (TIPA)?

Personal information is an important commodity as well as a potential liability in the digital privacy era. Many US states have already enacted their own privacy laws, and now Tennessee is ready to take its place in the digital privacy landscape. The Tennessee Information Protection Act enshrines the rights of consumers, the duties of businesses, and other related provisions.

TIPA requires businesses to provide privacy notices, conduct data protection assessments, obtain opt-in consent for sensitive information, and provide opt-outs for targeted advertising, profiling, and the sale of personal information. It also introduces the concept of an affirmative defense, which allows businesses to avoid penalties for certain violations if they can prove that they have taken reasonable security measures to safeguard personal information.

The Attorney General and Reporter is the enforcement authority for TIPA. Penalties for each violation can go up to $7,500, with possible treble damages in the case of intentional violations.

Who does TIPA apply to?

TIPA applies to for-profit businesses, based in Tennessee or elsewhere, that target the residents of Tennessee, generate annual revenue of at least $25 million, and:

  • Control or process the personal information of 25,000 consumers or more and derive more than 50% of their gross revenue from the sale of personal information; or
  • Control or process the personal information of at least 175,000 consumers in a year.

A consumer is a natural person who is a resident of Tennessee and acts in a personal context, not in a commercial or employment context.

The law also provides salient exemptions for entities and protected health information covered under HIPAA, financial information covered under the Gramm-Leach-Bliley Act, state agencies, information covered under the Driver's Privacy Protection Act (DPPA) of 1994, institutions of higher education, etc.

TIPA does not apply to de-identified data and public information.

What is personal information under TIPA?

Any information that can identify an individual is personal information.

The law defines personal information as any information that is linked or reasonably linkable to an identified or identifiable natural person. For example, IP addresses, cookie IDs, etc., are personal information under the act.

However, aggregate/de-identified data and publicly available information are not personal information. This means that your business can use information in a de-identified format for lawful purposes.

What is publicly available information?

  • Any information that is published through government records.
  • Any information that is made available to the general public by the consumer, or by anyone to whom the consumer disclosed the information, and that is not limited to a specific audience.

What is de-identified data?

De-identified data is the opposite of personal information. Any information that cannot reasonably be linked to an identified or identifiable natural person, or to a device linked to that person, is known as de-identified data.

Businesses need not delete de-identified data if it is incapable of identifying a natural person.

What is sensitive data?

The law affords special protection to sensitive data. Businesses cannot process sensitive data unless they obtain consent from the consumer.

The following personal information comes under the category of sensitive data:

  • Reveals any of the following:
    • Racial/ethnic origin
    • Religious beliefs
    • Mental/physical health diagnosis
    • Sexual orientation
    • Citizenship/immigration status
  • Biometric or genetic data processed to identify an individual.
  • Personal information of a known child (an individual under 13 years of age).
  • Precise geolocation data.

What are the obligations of businesses under TIPA?

Under TIPA, businesses have the following obligations to meet:

Data minimization

Personal information has become an important and valuable commodity; therefore, businesses cannot collect and use it arbitrarily. Adopt a data minimization policy under which your business collects only the personal information that is needed for the specified purpose.

Purpose limitation

Businesses must restrict the use of personal information to what is required and relevant for fulfilling the specific purpose disclosed to the consumer. Do not process personal information for a different purpose without obtaining the consumer's consent.

Opt-outs

Like other US privacy laws, TIPA requires businesses to allow consumers to opt out of certain activities. Businesses must therefore provide mechanisms for consumers to opt out of targeted advertising, the sale of personal information, and profiling. You should also disclose in your privacy notice whether you sell personal information or process it for targeted advertising.

Privacy notice

Provide an unambiguous and accessible privacy notice to your consumers. If you sell personal information or process it for targeted advertising, inform the consumer and provide a link to opt out. Also, describe how consumers can submit requests to exercise their rights under the act.

The specific requirements are discussed in a later section.

Consent

Businesses cannot process sensitive data without obtaining the consent of the consumer. Similarly, the consent of a parent or legal guardian is necessary for processing the information of a child under 13. For this purpose, the provisions regarding verifiable consent under the Children's Online Privacy Protection Act must be observed.

Data protection assessments

Businesses are required to conduct data protection assessments for the processing of sensitive data, for personal information used in profiling, targeted advertising, or sale, and for any processing of personal information that involves a heightened risk of harm. The assessment records must be kept confidential.

Consumer requests and response plan

Set up an effective plan for responding to consumer requests and appeals. Respond to and fulfil requests within 45 days. You can extend the response time by an additional 45 days if necessary. The act requires businesses to fulfil consumer requests free of charge twice a year.

If a consumer request is declined, inform the consumer promptly. Provide the appeal process conspicuously and respond to appeals within 60 days. If the appeal is also declined, inform the consumer of the decision along with a method for submitting a complaint to the Attorney General.

Non-discrimination

Do not discriminate among consumers based on their exercise of consumer rights. In other words, businesses should refrain from denying products, reducing quality, or increasing prices just because a consumer chooses to exercise their rights. Nevertheless, businesses can offer products at different prices, rates, quantities, or selections of goods, or even provide them free of charge, based on a consumer's participation in discounts, premiums, club cards, or loyalty programs.

Businesses are also allowed to deny products if the personal information required for that service is not maintained by them.

Security measures

Implement data security measures to protect the confidentiality and integrity of the personal information managed by the business. The security measures must be proportionate to the volume and characteristics of the information. Use encryption, access control, and backup and disaster recovery plans wherever necessary.

Contractual relationship

Data processors are obliged to follow the directions of data controllers such as businesses. Therefore, put a contract in place with your data processors that sets out each party's rights and obligations and requires everyone engaged in the processing to keep personal data confidential.

What are the rights of consumers under TIPA?

Right to confirm/access

All consumers under TIPA have the right to confirm whether their personal information is being processed by a controller or business. They can also access the personal information being processed.

Right to correct

Consumers can request that businesses correct any inaccuracies in their personal information, taking into account the nature of the information and the purpose of processing.

Right to delete

Consumers have the right to request that businesses delete their personal information, both the information the consumer provided and the information obtained from other sources. Businesses are not under any obligation to delete aggregated or de-identified data that cannot be traced back to the consumer.

Right to portability

Consumers can obtain the personal information stored by a business in a readily usable and portable format. This allows the consumer to import, export, and share their personal data without hassle, not only within the organization but also with other service providers or processors.

Right to opt-out

Consumers have the right to opt out of targeted advertising, the sale of personal data, and profiling.

Consent requirements under TIPA

Consent is an integral part of TIPA. Businesses are obliged to obtain the consent of consumers before processing sensitive data. They must also obtain the consent of a parent or legal guardian to process the personal information of a known child.

Consent is an affirmative action that denotes a consumer's agreement to the processing of their personal information. For consent to be valid, it must be freely given, specific, unambiguous, and informed. It can be a statement or a clear affirmative action by the consumer.


Privacy notice requirements under TIPA

A privacy notice is not just a step towards privacy law compliance but also a step towards earning your customers' trust. Businesses covered under TIPA are obliged to provide a conspicuous privacy notice to their consumers, which should contain the following information:

  • Categories of personal information handled by the business.
  • The specific purpose of processing personal information.
  • The process for exercising consumer rights and for appealing a decision.
  • Categories of personal information sold to third parties.
  • Categories of third parties to whom the personal information is sold.
  • Whether the business sells personal information or processes it for targeted advertising and, if so, a link to opt out.
  • Methods for submitting consumer requests.


Penalties for violation of TIPA

If there is reasonable cause to believe there has been a violation of the act, the enforcement agency may initiate legal proceedings after providing a 60-day cure period. If the business that received such notice cures the violation within the prescribed period and gives notice to that effect, no legal action will follow.

However, if the violation continues or is not cured within 60 days, the agency may seek the following:

  • A declaratory judgment as to whether there has been a violation.
  • An injunction.
  • Civil penalties of up to $7,500 for a single violation.
  • Attorney's fees and other expenses incurred.
  • Any other appropriate relief.

If the violation is found to be intentional, the court may impose treble damages, meaning the penalty may be tripled from the standard $7,500.

The affirmative defense under TIPA

TIPA provides for an affirmative defense based on a voluntary privacy program, a novel addition to US privacy laws.

Under TIPA, maintaining a privacy program that conforms to NIST standards or to other frameworks developed to safeguard consumer privacy rights serves as an affirmative defense. Businesses should also update their privacy programs every two years to keep up with the latest revisions of NIST or other privacy frameworks.

Under TIPA, the privacy program should be scaled according to the following factors:

  • The size and complexity of the business.
  • The nature and scope of the business and its activities.
  • The sensitivity of the personal information processed.
  • The cost and availability of privacy protection tools and data governance.
  • Compliance with applicable laws.

A good privacy program speaks for itself. It helps secure your customers' trust and moves you one step closer to privacy and data security.

Checklist for TIPA compliance

  • Practice data minimization and purpose limitation.
  • Provide a clear and conspicuous privacy notice.
  • Implement mechanisms for consumers to opt out of targeted advertising, the sale of personal data, and profiling.
  • Implement data security measures.
  • Respond to consumer requests promptly.
  • Do not process sensitive data without consent.
  • Conduct data protection assessments.
  • Have effective and convenient methods for submitting consumer requests and appeals.
  • Do not discriminate against consumers solely based on the exercise of consumer rights.
  • Fulfil consumer requests promptly.
  • Have a contractual relationship with data processors and third parties.

Infographic: CCPA vs TIPA


FAQ on Tennessee Information Protection Act (TIPA)

Does Tennessee have a data privacy law?

Yes. The Tennessee Information Protection Act is the data protection law of Tennessee. It confers consumer rights to the residents of Tennessee and imposes duties upon businesses.

Does Tennessee have a constitutional right to privacy?

Tennessee does not expressly grant a constitutional right to privacy to its people. However, it does guarantee statutory rights to privacy and civil remedies for their violation. One example of such a statutory right is the Tennessee Information Protection Act.

When will the Tennessee privacy law be enforced?

The Tennessee Information Protection Act will come into effect on July 1, 2025.

Does TIPA apply to all businesses in Tennessee?

TIPA applies to businesses that meet specific thresholds as outlined in the legislation.