Tennessee Information Protection Act (TIPA) was signed into law on May 11, 2023, and the final version of the text was published on May 24.
TIPA takes effect on July 1, 2025, which gives organizations around two years to prepare for the requirements of this new data privacy law.
TIPA is similar to the Virginia Consumer Data Protection Act (VCDPA), the Utah Consumer Privacy Act (UCPA), and the Connecticut Data Privacy Act (CTDPA), all of which are quite business-friendly. Although it includes some important privacy protections for consumers, it is less consumer-friendly than the California Consumer Privacy Act (CCPA), its amending California Privacy Rights Act (CPRA), or the Colorado Privacy Act (CPA).
Read this article to learn the key provisions of TIPA and the important compliance requirements for businesses.
What Is the Tennessee Information Protection Act (TIPA)?
The Tennessee Information Protection Act (TIPA) is a data privacy law of the US state of Tennessee. It targets businesses and organizations that do business in the state and collect and process personal information and aims to protect the personal data of Tennessee residents from unauthorized access and disclosure.
Under TIPA, implied (opt-out) cookie consent is enough, which means consent is not required before the collection or processing of personal information. However, explicit (opt-in) consent is required when processing sensitive personal information and personal information collected from a known child.
The TIPA requires organizations to be transparent with consumers about the collection and processing of their personal data. This could be done by publishing a privacy policy.
The TIPA Privacy Policy must provide the following information:
- Why you collect and process personal data.
- The categories of data you process.
- The categories of data you sell.
- The categories of third parties to whom you sell or share data, if any.
- Details on consumer rights and how to exercise them.
TIPA Compliance
TIPA compliance is the process of ensuring that your business meets the Tennessee privacy law’s requirements regarding the collection, analysis, and selling of personal information. To comply with TIPA, you have to create a Privacy Policy for your business and handle Tennessee consumers' personal information according to the law.
Use the CookieScript Consent Management Platform to create a Privacy Policy for your business and to be compliant with TIPA and other privacy laws. We regularly track the latest privacy regulations, so you do not miss changes or new privacy laws coming into force.
Who does the Tennessee Information Protection Act Apply to?
The Tennessee Information Protection Act will apply to businesses and organizations that conduct business in the state or provide products or services that are targeted to Tennessee residents, exceed $25 million in annual revenue, and meet at least one of these criteria:
- During a calendar year, controls or processes the personal information of at least 175,000 consumers.
- Controls or processes personal information of at least 25,000 consumers and derives more than 50 percent of gross revenue from the sale of personal information.
Notable Exemptions of TIPA
Like the other state data privacy laws, TIPA provides some exemptions, both at the entity level and at the data level.
Entity-based exemptions. TIPA exempts government entities, nonprofits, institutions of higher education, and covered entities and business associates governed by privacy, security, and breach notification rules under the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH).
State agencies, financial institutions and other entities subject to the federal Gramm-Leach-Bliley Act (GLBA), and insurance companies are also exempt from compliance. Note that TIPA is the first state privacy law to feature an entity-level exception for insurance companies, entirely exempting all insurance companies licensed under Tennessee law.
Data-based exemptions. TIPA does not apply to personal information processed or maintained in the course of employment, including information provided by an individual applying to, or acting as, an employee, agent, or independent contractor of a controller, processor, or third party, as well as emergency contact information and data used to administer benefits.
The law also explicitly excludes natural persons acting in a commercial or employment context.
Data that is publicly available, aggregated, or de-identified is not considered personal information and is also exempt from compliance.
Information governed by the GLBA, the Fair Credit Reporting Act (FCRA), and the Family Educational Rights and Privacy Act (FERPA), among others, is also exempt from the law.
TIPA also has a variety of exemptions specific to health data, including HIPAA, the Health Care Quality Improvement Act (HCQIA), and the Patient Safety and Quality Improvement Act (PSQIA). There are also a number of exceptions specifically related to personal information collected, processed, or sold in connection with certain types of research, such as human subject research and public or peer-reviewed scientific or statistical research in the public interest.
Responsibilities of the Data Controller vs. Data Processor
Like other state data privacy laws, the Tennessee Information Protection Act defines data controllers as those determining the purpose and means of processing personal data, and data processors as those who process personal data on the controller’s behalf.
Data controllers and data processors have slightly different responsibilities under the TIPA.
Requirements for data controllers:
- Data minimization. Controllers must limit the collection of personal data to what is adequate, relevant, and reasonably necessary for the purpose for which data was collected and processed, as disclosed to the consumer.
- Avoid secondary use. Controllers must not process personal data for purposes beyond what is reasonably necessary to achieve the objectives for the processing unless they obtain consumer consent.
- Data security. Controllers must establish and implement reasonable administrative, technical, and physical data security practices.
- Nondiscrimination. Controllers must not process personal data in violation of a state or federal law that prohibits discrimination against consumers. This does not prevent controllers from offering different prices or goods to consumers exercising the right to opt out as part of a loyalty or rewards program.
- Consent for sensitive data. Controllers must not process sensitive personal data concerning a consumer without obtaining their consent. If the consumer is a child, the controller must process the child’s sensitive data in accordance with COPPA.
- Processor agreements. Controllers are required to sign contracts with processors that, among other things, provide instructions for the data processing and its security, and set out the rights and obligations of both parties. Under these contracts, processors must establish a duty of confidentiality for personal data; delete or return all personal data to the controller upon the controller’s request at the end of the provision of services; make personal data available upon the controller's request; cooperate with the controller’s assessor or an independent assessor; and meet mandated conditions for subcontractor engagement.
- Transparency and purpose specification. Controllers must provide a clear and easily accessible privacy notice, disclosing the categories of data processed; the purpose of the processing; the consumer rights; the categories of data the controller sells to or shares with third parties; the identity of these third parties, if any; and a reliable means for consumers to submit a request about their personal data. If a controller is selling personal information or using it for targeted advertising, the controller must clearly disclose it and provide means of how the consumer may opt out of it.
- Data protection assessments. Controllers must perform a data protection assessment before engaging in certain processing activities, including processing for targeted advertising; selling personal data; and processing personal data for profiling, in the event the profiling presents a reasonably foreseeable risk of certain legal, financial, physical, reputational or deceptive harms; processing sensitive data; and other processing presenting a heightened risk of harm to consumers. TIPA allows the use of assessments conducted for other state laws, provided they have a reasonably comparable scope and effect. Assessments must be conducted for processing generated no earlier than July 1, 2024. There is no requirement to conduct assessments prior to TIPA’s effective date of January 1, 2025.
Controllers under TIPA have 45 days to respond to consumer requests, similar to the timelines of other state privacy laws. Businesses also have the option for a 45-day extension provided they properly inform the consumer.
Requirements for data processors:
Data processors must adhere to controller instructions and assist controllers with their obligations. This includes entering into a binding contract, responding to consumer requests, and providing necessary information for the controller to conduct a Data Protection Assessment (DPA).
Consumer Rights under the TIPA
Tennessee’s privacy law grants the following consumer rights:
- Know about the processing.
- Access personal data.
- Delete personal information.
- Obtain a copy of personal information.
- Correct data.
- Opt out of a controller’s processing of personal information for the purposes of selling it to a third party, targeted advertising, or profiling.
When a consumer requests their personal data, businesses have 45 days to respond, with a 45-day extension available provided the consumer is informed of the extension and the reason it is needed. If businesses decline to act on a consumer request, they must still notify the consumer and provide instructions for how to appeal the decision.
Information must be provided free of charge up to twice annually. The TIPA outlines that the controller may charge a “reasonable fee” to cover administrative costs of complying with the request, especially when requests are unfounded, technically infeasible, excessive, or repetitive.
Enforcement of TIPA
The state attorney general has exclusive authority to enforce the Tennessee Information Protection Act.
Your organization has the right to address the violation within the 60-day cure period. You must also prepare a written statement affirming that the violation has been cured and promising not to repeat a similar violation in the future. If you fulfill these requirements, there will be no penalty.
If your organization does not cure the violation or if you breach the written statement, the attorney general may seek an injunction or declaratory judgment, or impose a fine of up to $7,500 per violation. In addition, the TIPA allows courts to triple the actual damages caused if the violation was intentional.
Companies must comply with the TIPA by July 1, 2025, when the law goes into effect.
TIPA’s Differences from Other US Privacy Laws
In many aspects, TIPA is quite like other US privacy laws like VCDPA, CCPA, CPA, and others. However, the TIPA has several provisions that differ from other state laws:
- Applicability threshold. The applicability threshold is narrower than in other state laws. The TIPA only applies to those that meet both a revenue threshold and process the data of at least 175,000 residents, or of at least 25,000 residents with more than 50 percent of gross revenue coming from the sale of personal information. The 175,000 threshold is among the highest of any state law.
- Long preparation time. Tennessee companies have more than two years to prepare for the new data privacy requirements, which is much longer than other states' privacy laws have allowed.
- Long cure period. The Tennessee privacy law has a 60-day cure period, a period of time for companies to correct violations after being notified of them. This is among the longest cure periods of any state privacy law.
- Affirmative defense. The TIPA is the first and only data privacy law to provide businesses with the possibility of an affirmative defense. An affirmative defense is evidence that a defendant may introduce to negate or mitigate their liability. Businesses can proactively defend against potential future violations if they create a written privacy program that follows the National Institute of Standards and Technology (NIST) privacy framework or other similar policies or procedures designed to safeguard consumer privacy.
TIPA Key Terms and Definitions
The Tennessee Information Protection Act defines key terms in Section 47-18-3201, Parts (1) through (30) of the law. The key TIPA terms are summarized below.
Consumer. A consumer is defined as a natural person who resides in Tennessee and is “acting only in a personal context.” Like all state privacy laws except the CCPA, TIPA does not apply to the personal data of individuals acting in a commercial or employment context.
Data controller. A data controller is a natural person or legal entity that, alone or jointly with others, determines the purpose and means of processing personal information.
Data processor. A data processor is a natural person or legal entity that processes personal information on behalf of a controller.
Personal data. It’s information that is linked or reasonably linkable to an identified or identifiable natural person and does not include publicly available, de-identified, or aggregated consumer information.
Sensitive data. It’s a category of personal information that includes:
- Personal information revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship, or immigration status.
- The processing of genetic or biometric data for the purpose of uniquely identifying a natural person.
- The personal information collected from a known child.
- Precise geolocation data.
Biometric data. It’s information describing an individual’s biological characteristics, such as a fingerprint, voiceprint, eye retina or iris, or other unique biological patterns or characteristics that are used to identify a specific individual. Biometric data does not include a physical or digital photograph, a video recording, an audio recording, data generated from a photograph, video, or audio recording, or information collected, used, or stored for healthcare treatment, payment, or operations under HIPAA.
Pseudonymous data. It’s personal information that cannot be attributed to a specific natural person without the use of additional information, so long as the additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal information is not attributed to an identified or identifiable natural person.
Consent. A clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal information relating to the consumer, and may include a written statement, including a statement written by electronic means, or an unambiguous, affirmative action.
How to Target Tennessee Consumers?
There are some differences between the privacy laws of the US states. These different laws can be complied with using geo-targeting, the method of delivering different Cookie Banners and privacy notices to consumers based on their geographic location. Website visitors are then presented with the banner required for compliance with the privacy law that applies to them.
CookieScript Consent Management Platform offers geo-targeting, which allows you to comply with the TIPA and other privacy laws required by a particular US state.
Frequently Asked Questions
What Is the Tennessee Information Protection Act?
The Tennessee Information Protection Act (TIPA) is a data privacy law of the US state of Tennessee that takes effect on July 1, 2025. It targets businesses and organizations that do business in the state and collect and process personal information, and aims to protect the personal data of Tennessee residents from unauthorized access and disclosure. Use CookieScript to be compliant with TIPA and other privacy laws.
Does Tennessee have a Privacy Act?
Tennessee does not have a general privacy law in effect yet. However, the Tennessee Information Protection Act (TIPA) was signed into law on May 11, 2023, and will take effect on July 1, 2025. TIPA is similar to the privacy laws passed in California, Virginia, and Colorado. Follow CookieScript's privacy law updates to stay TIPA compliant.
What rights do Tennessee consumers have?
TIPA grants Tennessee consumers the following rights: to know about the processing, access personal information, delete personal information, obtain a copy of personal information, correct data, and opt out of a controller’s processing of personal information for the purposes of selling it to a third party, targeted advertising, or profiling. Use CookieScript to be compliant with TIPA and other privacy laws.
Does the TIPA require explicit or implied Cookie Consent?
Under Tennessee’s privacy law, implied (opt-out) Cookie Consent is enough, which means consent is not required before the collection or processing of personal information. However, explicit (opt-in) consent is required when processing sensitive personal information and personal information collected from a known child. CookieScript CMP allows you to create a highly customizable and professional Cookie Banner and get explicit or implied cookie consent.
How Does Tennessee data privacy law define sensitive information?
Under the TIPA, sensitive data is a category of personal information that includes personal information revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship, or immigration status; the processing of genetic or biometric data for the purpose of uniquely identifying a natural person; the personal information collected from a known child; and precise geolocation data. Use CookieScript to be compliant with TIPA and other privacy laws.
Does Tennessee’s privacy law allow controllers to process sensitive data?
Under the TIPA, controllers must get explicit user consent to process the sensitive data of consumers. Without explicit consent, controllers cannot process sensitive data. In the case of a known child, data must be processed in accordance with COPPA as well. Use CookieScript CMP to get explicit Cookie Consent and comply with the TIPA.
What are the requirements of the TIPA regarding Global Privacy Control (GPC)?
Global Privacy Control is a browser signal that automatically sends a request to opt out of the collection of certain personal information. The Tennessee Information Protection Act does not mention the GPC signal, so websites are not required to honor it under TIPA. Use the CookieScript Consent Management Platform to manage consumers’ Cookie Consent and stay compliant with the TIPA and other privacy laws.