January 25, 2024

Tennessee Information Protection Act (TIPA): A Comprehensive Data Privacy Law Checklist

Explore the Tennessee Information Protection Act (TIPA) in-depth, a crucial data privacy law that affects businesses operating in Tennessee. Learn about its key provisions, compliance requirements, and how it compares to other state and international privacy laws. Ensure your business adapts to the TIPA regulations before its full enforcement on July 1, 2025.

Tennessee has introduced the Tennessee Information Protection Act (TIPA), a significant data privacy bill, potentially bringing forth a set of obligations that could impact your business operations related to the processing of personal information.

In the absence of a federal law on data protection, some US states have taken a step forward to protect consumers' data. Tennessee is one of the few states that has passed a state data privacy law.

You need to understand the specific provisions of this bill thoroughly to ensure compliance and adapt your business practices accordingly.


What is the Tennessee Information Protection Act (TIPA)?

The Tennessee Information Protection Act, commonly referred to as TIPA, is the consumer data privacy law within the state of Tennessee. This Act is in harmony with the trends and frameworks of data protection legislation previously enacted by various other US states.

Officially ratified on May 11, 2023, TIPA will come into full effect starting July 1, 2025.

What is personal data under Tennessee's data protection law?

Under the TIPA, personal information is any data that can identify an individual, either directly or indirectly.

This broad definition covers a wide range of types of data. It includes everything from basic identifiers like a person's name, Social Security number, and telephone number to more complex and indirect forms of identification such as IP addresses, internet browsing history, purchase history, health-related information sourced from fitness tracking applications, precise geolocation details, and various other data elements that could potentially reveal an individual's identity.

What is sensitive data under TIPA?

TIPA distinguishes between personal data and sensitive personal data. The following categories of personal information are sensitive:

  • Data revealing an individual’s racial origin, ethnic origin, sexual orientation, citizenship or immigration status, or health diagnosis
  • Child’s data
  • Precise geolocation data
  • Genetic or biometric data to identify a person
  • Personal information collected from a known child

These categories of data have special treatment under the law. In particular, they may require a data protection assessment and obtaining consent before collection.

To whom does Tennessee's privacy act apply?

TIPA applies to persons who conduct business in Tennessee by producing products or services that are targeted to Tennessee residents, and that:

  • exceed $25 million in revenue; and
  • either (1) control or process personal information of at least 25,000 consumers and derive more than fifty percent (50%) of gross revenue from the sale of personal information, or (2) during a calendar year, control or process the personal information of at least 175,000 consumers.

It does not apply to all businesses, but only to those that meet these specific thresholds. It follows the same trend as other US state privacy acts.

In addition, TIPA does not apply to government entities, nonprofits, HIPAA, the Health Information Technology for Economic and Clinical Health Act, higher educational institutions (public or private), insurance companies licensed under state law, and Gramm-Leach-Bliley Act-regulated entities and data. TIPA also does not apply to certain classes of data including health records, scientific research data, consumer credit-reporting data, personal motor vehicle records, insurance data, data regulated by the Family Educational Rights and Privacy Act or federal Farm Credit Act, and employment-related information.

How does TIPA compare to other comprehensive privacy laws?

TIPA is very similar to other US state laws that are comprehensive for US data privacy standards. It sets thresholds for applicability, grants rights to consumers, and requires businesses to meet certain standards in personal information processing.

When it comes to data protection laws worldwide, the protection provided by TIPA is still far from the strictness of the General Data Protection Regulation (GDPR), LGPD, and other data protection laws from outside the United States.

Taking effect July 1, 2025, TIPA is more similar to the Virginia Consumer Data Protection Act (VCDPA) and the more “business-friendly” family of state privacy laws, such as the Utah Consumer Privacy Act (UCPA) and the Iowa Act Relating to Consumer Data Protection (ICDPA). While TIPA extends important privacy protections to consumers, several key provisions signal that it is less consumer-friendly than the California Consumer Privacy Act (CCPA) and its amending California Privacy Rights Act (CPRA), the Indiana Consumer Data Protection Act (INCDPA) or the Colorado Privacy Act (CPA). In this article, we highlight key provisions of TIPA and dive into the important compliance requirements that businesses need to know.


How can businesses comply with TIPA?

TIPA requires businesses to be transparent to consumers, to take into account all the risks before processing the data, to have written contracts with service providers, and to respond to consumer requests.

Like most of the other state privacy laws, TIPA distinguishes a controller (an entity that determines the purpose and means of processing personal information) from a processor (an entity that processes personal information on behalf of a controller).

Under the provisions of TIPA, a controller or processor must also create, maintain, and comply with a written privacy program that reasonably conforms to the National Institute of Standards and Technology (NIST) privacy framework entitled "A Tool for Improving Privacy through Enterprise Risk Management Version 1.0."

In the following paragraphs, we'll get into each significant duty imposed by this law.

Data Processing Agreements

Like other privacy legislation, the Tennessee Information Protection Act requires data processors to process personal information exclusively based on written and formal contracts with the controller. This contract, known as the data processing agreement, serves as the governing document between the controller and the processor, outlining the terms and conditions of the data processing activities.

It contains at least:

  • The identity of the business and the service provider processing data on behalf of the business
  • The nature and purposes of processing
  • Categories of personal data to be processed
  • The duration of processing
  • Rights and duties of both parties, including confidentiality provisions
  • Obligation to delete data upon the controller’s request
  • A requirement that the processor prove compliance to the controller upon request
  • Provisions on hiring subcontractors

Data processing without a written contract is invalid and a violation of the law.

Privacy Policy

The TIPA requires businesses to be transparent with consumers about the processing of personal data, which includes publishing a privacy policy.

The TIPA privacy policy contains at least:

  • The purposes for which you process personal data
  • The categories of data processed
  • The categories of data you sell, if applicable
  • The categories of third parties to whom you sell data, if applicable
  • Details on consumer rights and how to exercise them

Feel free to include more information, but make sure you include at least these elements.

Consent for Data Processing

Under the provisions of TIPA, a controller must not process sensitive data concerning a consumer without obtaining the consumer's consent. This requirement applies only to sensitive personal data, not to all personal data.

This consent needs to be freely given, unambiguous, specific, and informed.

In instances where the data of a known minor is being collected for processing, following the parental consent guidelines stipulated by the Children's Online Privacy Protection Act (COPPA) is sufficient.

Universal Opt-Out Mechanisms

The Tennessee Information Protection Act remains silent regarding universal opt-out mechanisms, implying no obligatory adherence to such systems under the Act.

Nonetheless, you must provide consumers with the option to opt out. You have to establish methods for that and inform consumers on how to use these methods.

Data Protection Assessment

The data protection assessment constitutes a critical process wherein the controller evaluates the potential risks associated with data processing for consumers. This vital exercise offers a clear perspective on the inherent risks present in your data processing activities, along with guidance on the necessary steps to effectively mitigate these identified risks.

Businesses are required to conduct and document a data protection assessment for:

  • Sale of personal data
  • Processing of sensitive data
  • Processing data for targeted advertising
  • Processing of data for profiling
  • Any other processing that poses a heightened risk to consumers

What rights do Tennessee consumers have?

TIPA grants Tennessee consumers the following rights:

  • Know about the processing
  • Access personal data
  • Delete their personal information
  • Data portability
  • Correct data
  • Opt out of:
    - Processing for the purposes of targeted advertising
    - Profiling
    - Sale of their personal information

Should a consumer request to exercise any of these rights, you have to respond—no questions asked.

Consumer Requests

Consumers can submit their requests through any of the channels outlined in your privacy notice. Upon receipt of such requests, you have a standard response timeframe of 45 days.

However, in scenarios where the requests are more complex, this deadline may be extended by an additional 45 days to ensure a comprehensive response.

What are the penalties for TIPA non-compliance?

TIPA allows the Tennessee attorney general to investigate anyone who has engaged in, "or is about to engage" in, a violation and to bring an action for declaratory, injunctive and monetary relief, including USD 7,500 in civil penalties for each violation of the law (in situations where a company fails to remedy the violation within the statutory cure period), as well as attorney's fees and investigative costs.

Tennessee Information Protection Act (TIPA) compliance checklist

Does all this sound like too much to implement all at once? No worries, you'll get there.

To make it easier for you to comply with the TIPA, we prepared a TIPA compliance checklist that you can use at any time to go through the compliance requirements one by one.

Get your Free Tennessee Information Protection Act Compliance checklist