
Learn about the Tennessee Information Protection Act (TIPA), its impact on businesses in Tennessee, consumer rights, sensitive data, data processing agreements, privacy notices, and more. Non-compliance can result in fines of up to $7,500 per violation.
Tennessee has enacted a data privacy bill that could impose certain obligations on your business, and it is essential for you to familiarize yourself with its provisions.
The Tennessee Information Protection Act (TIPA) is the consumer data privacy law of the state of Tennessee. It follows the pattern established by other U.S. states that had previously enacted data protection legislation. TIPA was signed into law on May 11, 2023, and its provisions take effect on July 1, 2025.
TIPA applies to businesses that meet certain criteria and are either based in Tennessee or target Tennessee consumers. These criteria include:
It's important to note that TIPA does not apply to all businesses, but only to those that meet these specific thresholds.
Under TIPA, there are certain organizations and types of personal data that are exempt from its requirements. Exempt organizations include:
Additionally, there is a long list of exempt types of data, which includes but is not limited to:
Any information identifying an individual, directly or indirectly, is personal information under the Tennessee Information Protection Act.
That includes anything from a personal name, Social Security Number, and phone number to IP addresses, browsing history, purchase history, health data from fitness tracker apps, geolocation, and other data that could indirectly point out an individual.
Sensitive data under the TIPA includes:
Sensitive data has a special regime under the TIPA. It must not be collected without consent and must be subject to a Data Protection Assessment.
A controller is the company that decides how and why personal data is processed. The processor is the company that processes the data on behalf of the controller.
If you run a SaaS company and have Google Analytics installed on your website, you are the controller: you decide that you want analytics data, choose to use GA, and share the data with Google for processing. Google, in this case, is your data processor.
The controller has the following TIPA duties:
The processor, on the other hand, must:
The TIPA, like other privacy laws, requires processors to process data only on the controller's written instructions and under a contract with the controller. The data processing agreement is that contract, and it governs the processing.
It contains at least:
The privacy notice, also known as the privacy policy, is compliant with the Tennessee data protection law if it contains at least the following:
You can always add more information to increase transparency, but doing so is not required.
You must obtain explicit consumer consent for the processing of sensitive personal data.
The consent must be freely given, specific, informed, and unambiguous.
When you collect the information of a known child for processing, you can rely on the parental consent standards set out in COPPA.
The TIPA says nothing about universal opt-out mechanisms (such as browser-level opt-out signals); therefore, you are not obliged to honor them.
However, you must allow consumers to opt out through the methods you designate in your privacy notice.
A Data Protection Assessment is a process in which the controller assesses the risks that its processing poses to consumers. This exercise gives you a picture of the risks of your processing activities and of what you need to do to mitigate them.
Businesses are required to conduct and document a Data Protection Assessment for:
TIPA grants consumers certain rights over their own personal data. They exercise these rights by submitting requests to you, which you must honor to avoid penalties.
TIPA grants the rights to:
Consumers can submit requests using any of the methods designated in your privacy notice. Once a request is received, you have 45 days to respond. In more complex cases, the deadline can be extended by a further 45 days.
The Tennessee Attorney General is the authority responsible for enforcing the TIPA.
Consistent with other state privacy laws, businesses get a cure period to remedy violations before a fine is imposed. The cure period is 60 days. Fines are up to the customary $7,500 per violation.
It is important to note that a business under investigation has an affirmative defense if it maintains a written privacy program that conforms to the National Institute of Standards and Technology (NIST) privacy framework entitled "A Tool for Improving Privacy through Enterprise Risk Management Version 1.0", or other documented policies, standards, and procedures designed to safeguard consumer privacy.