Introduction to the Tennessee Information Protection Act
Tennessee was the eighth state in the US to pass a consumer privacy bill, with an effective date of July 1, 2025. As of May 11, 2023, when the law was passed, organizations have a little more than two years to prepare for TIPA compliance.
Passing of comprehensive state-level privacy laws is gaining momentum in the United States in 2023, with six laws passed between March and June: Iowa, Indiana, Tennessee, Montana, Florida, and Texas. The law passed in Tennessee is the result of a multi-year effort to bolster consumer data privacy in the state. TIPA is considered “business-friendly”, like the Virginia Consumer Data Protection Act (VCDPA) and Iowa Consumer Data Protection Act (ICDPA). A federal law in the US remains in limbo.
What is the Tennessee data privacy act?
The Tennessee Information Protection Act (TIPA), from HB 1181, protects the privacy and personal information rights of Tennessee’s nearly seven million residents, and establishes data privacy responsibilities for companies doing business in the state or providing goods or services targeting Tennessee residents. In the course of doing business these organizations process consumers’ personal information. Like other states with data privacy laws, including California, Tennessee defines a consumer as a resident of the state who is acting in a “noncommercial and nonemployment context”.
The TIPA uses an opt-out model, as do the laws in all the other states that have passed comprehensive data privacy regulations to date. This means that businesses that are required to become TIPA-compliant must inform consumers about data collection and processing that they perform, i.e. what data, for what purposes, third parties with whom the data will be shared, etc. Businesses must give consumers a way to opt out of data collection and processing. They and any third parties they engage for data processing must also implement reasonable security and protections.
Definitions in the Tennessee Information Protection Act
The TIPA uses a fairly standard definition of personal information (called personal data in some other laws): “information that identifies, relates to, or describes a particular consumer or is reasonably capable of being directly or indirectly associated or linked with a particular consumer”. The list of examples is extensive, but the definition excludes publicly available information, aggregated data, and de-identified data.
The Act specifically references identifiers:
- real name, alias, or unique identifier
- online identifier
- IP address
- email address
- account name
- Social Security Number (SSN)
- driver’s license number
- passport number
- “or other similar identifiers”
It also references “information that identifies, relates to, describes, or could be associated with, a particular individual, including, but not limited to”:
- physical characteristics or description
- telephone number
- insurance policy number
- employment or employment history
- bank account number
- credit card number or debit card number
- other financial, medical, or health insurance information
- commercial information, including purchase records and similar
- biometric data
- Internet or other electronic network activity information
- geolocation data (“precise” geolocation means a location within a radius of 1,750 feet, about 533 meters)
- audio, electronic, visual, thermal, olfactory, or similar information
- professional or employment-related information
- education information that is not publicly available
- inferences drawn from the information to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes
The last item, profiling, is particularly notable. Profiling and targeting are increasingly addressed explicitly in data privacy laws, especially where automated decision-making (e.g. AI/ML tools) is used to build the profile.
Consent
The European Union’s General Data Protection Regulation (GDPR) set the standard for defining consent, and many regulations passed since have followed it.
Under TIPA, consent is defined as: “a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal information relating to the consumer; and includes a written statement, including a statement written by electronic means, or an unambiguous affirmative action.”
Sensitive data / sensitive personal information
This is a subset of personal information that is subject to stricter rules (consent is required before it is processed, see below). It covers personal information that reveals:
- racial or ethnic origin
- religious beliefs
- mental or physical health diagnosis
- sexual orientation
- citizenship or immigration status
It also covers:
- genetic or biometric data that is processed for the purpose of uniquely identifying a natural person
- personal information collected from a known child (under TIPA, a child is someone younger than 13 years of age)
- precise geolocation data
Controllers and processors
Businesses that collect and process personal information will usually qualify as controllers, which the TIPA defines as “the natural or legal person that, alone or jointly with others, determines the purpose and means of processing personal information”.
For businesses that share personal information for processing purposes, the business will be the controller and the third-party entity will be the processor, defined in the Tennessee privacy act as “a natural or legal entity that processes personal information on behalf of a controller”.
Sale of personal information
The sale of personal information is defined as the “exchange of personal information for monetary or other valuable consideration by the controller to a third party”. Several notable exclusions from the definition of sale of personal information include:
- disclosure of personal information to a processor that processes the personal information on behalf of the controller
- disclosure of personal information to a third party for purposes of providing a product or service requested by the consumer
- disclosure or transfer of personal information to an affiliate of the controller
- disclosure of information that the consumer intentionally made available to the general public via a channel of mass media and did not restrict to a specific audience
- disclosure or transfer of personal information to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller’s assets
- disclosure of personal information to a third party at the direction, and with the consent, of the consumer
Targeted advertising
Targeted advertising refers to displaying advertisements to a consumer that are selected based on personal information obtained from that consumer’s activities over time and across nonaffiliated websites or online applications. The goal is to use the personal information to predict the consumer’s interests and preferences in order to make the advertising more relevant and personalized. Advertising based only on the consumer’s activity on the controller’s own site or app, or on the consumer’s current search query or visit, is generally not treated as targeted advertising under these laws.
What is covered in the Tennessee data privacy act?
Who has to comply with the Tennessee Information Protection Act?
The TIPA applies to organizations that conduct business in Tennessee or produce products or services targeted to Tennessee residents. An organization is in scope (as a “controller” or “processor” under the law) only if it exceeds US $25 million in annual revenue and meets one of two data-volume criteria:
- control or process the personal information of at least 175,000 Tennessee consumers during a calendar year, or
- control or process the personal information of at least 25,000 Tennessee consumers during a calendar year and derive more than 50% of gross revenue from the sale of personal information
Unlike California, where exceeding an annual revenue threshold alone brings a business into scope of the CCPA/CPRA, Tennessee’s revenue test is not sufficient on its own: a company with revenue above US $25 million that processes data on fewer than 175,000 consumers (and does not meet the 25,000-consumer plus sales-revenue test) is not covered. Conversely, the revenue floor keeps smaller businesses out of scope even if they process large volumes of personal information. The 175,000-consumer threshold is among the highest in the US state privacy laws, which is one reason TIPA is considered “business-friendly”.
One aspect that makes the Tennessee Information Protection Act unique among state-level data privacy laws is an affirmative defense, or safe harbor, provision. An organization accused of violating TIPA can raise an affirmative defense if it has created, maintained and complied with a written privacy program that reasonably conforms to a recognized privacy framework. The Act names:
- the U.S. National Institute of Standards and Technology (NIST) Privacy Framework (“A Tool for Improving Privacy through Enterprise Risk Management”)
- the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) system
- the APEC Privacy Recognition for Processors (PRP) system
The NIST Privacy Framework is the one most organizations will look to for such a defense. Ohio included a similar NIST-based safe harbor in its 2022 privacy bill, but that legislation did not pass.
Whether a privacy program is appropriate in scale and scope is judged against the following factors:
- size and complexity of the controller or processor’s business
- nature and scope of the activities of the controller or processor
- sensitivity of the personal information processed
- cost and availability of tools to improve privacy protections and data governance
- compliance with a comparable state or federal law
Exemptions to Tennessee Information Protection Act compliance
The exemptions in the Tennessee data privacy act are fairly consistent with the other existing US data privacy laws, deferring mainly to existing federal laws, including:
- Health Insurance Portability and Accountability Act (HIPAA)
- Health Information Technology for Economic and Clinical Health Act
- Fair Credit Reporting Act (FCRA)
- Children’s Online Privacy Protection Act (COPPA)
- Family Educational Rights and Privacy Act (FERPA)
- Driver’s Privacy Protection Act
- Farm Credit Act (FCA)
- Controlled Substances Act
Other exemptions cover data that is already regulated elsewhere, including health records, data about human research subjects that is covered by other federal laws or standards, and data processed or maintained in an employment context (HR data, job applicant data and the like).
Exempted institutions include:
- state government entities
- financial institutions, and other entities and affiliates subject to the Gramm-Leach-Bliley Act (GLBA)
- insurance companies
- institutions of higher education
- nonprofit organizations
Exclusions to the TIPA’s definition of “consumer” include individuals acting in an employment or business (B2B) context.
Consumers’ rights under the Tennessee Information Protection Act
Consumers have several main personal information rights under the new data protection law. Parents or legal guardians of known children can invoke a child’s rights regarding processing of personal information.
- Right to access: confirmation if the controller is processing the consumer’s personal information and access to that data, with some exceptions
- Right to disclosure: any categories of information about the consumer that have been sold
- Right to delete: any personal information the controller has that was provided by the consumer (with some exceptions)
- Right to correction: any inaccurate or outdated information the controller has that was provided by the consumer
- Right to portability: obtain a copy of the consumer’s personal information that the consumer previously provided to the controller, in a readily usable format, with some exceptions
- Right not to be discriminated against: controllers cannot unlawfully discriminate against consumers, including for exercising their rights
- Right to opt out: of sale of personal information, targeted advertising, or profiling
The most notable personal information rights that are not included are:
- Right to opt out of automated decision-making (including use of AI tools)
- Private right of action (consumers’ ability to sue the controller in the event of a violation)
How does the new Tennessee data protection act affect businesses?
How to comply with the Tennessee data privacy act?
Controllers must notify consumers of their rights and of the ways consumers can exercise them, which is done by submitting a verifiable request to the company. The controller must include clear information on how to exercise consumer rights in the privacy notice or policy page on its website.
After a consumer request is received, the controller has 45 days to respond. If extenuating circumstances make that reasonably necessary, the controller can extend the response period once by a further 45 days, provided it notifies the consumer within the original 45 days. There are limited grounds for declining a request, including that the consumer’s identity cannot be reasonably verified.
The consumer can appeal a denied request, and the controller has 60 days to respond to the appeal. If the appeal is also denied, the controller must provide the consumer with information on how to contact the Attorney General’s office to submit a complaint.
Controllers can process personal information for the purpose(s) that they have communicated, as long as the processing is “reasonably necessary” (relevant, adequate, and limited) and proportional to those purposes.
Controllers must protect personal information by establishing, implementing and maintaining reasonable administrative, technical, and physical security measures. These measures should be appropriate to the nature and volume of personal information being processed.
Data protection assessments (DPA)
Controllers must conduct and document data protection assessments when they process information:
- categorized as sensitive personal information
- for the purposes of targeted advertising
- for the purposes of profiling if there is a reasonably foreseeable or heightened risk of harm to consumers
- to sell the personal information
Data protection assessments conducted to comply with other state laws may enable organizations to become TIPA-compliant if the scope and effect is similar.
Like other US states that have passed privacy laws, Tennessee uses an opt-out model, so user consent is not required before collecting and processing information in many cases. The exception is that consent must be obtained before collecting or processing sensitive personal information. Consumers must be given clear notice about processing and be able to opt out of sale, targeted advertising, or profiling.
Where children are concerned, the TIPA follows the federal Children’s Online Privacy Protection Act (COPPA). Because personal information collected from a known child is classified as sensitive personal information under TIPA, a controller must obtain consent from the child’s parent or guardian before processing any personal information of a user known to be under 13 years of age. A controller that complies with COPPA’s verifiable parental consent requirements is treated as complying with TIPA’s parental consent requirement.
Controllers are prohibited from unlawful discrimination against consumers, and from processing personal information if doing so is in violation of state or federal laws governing discrimination.
Additionally, controllers cannot discriminate against consumers for exercising their rights. For example, a consumer cannot be blocked from accessing a website if they opt out of allowing personal information collection.
However, many website features depend on certain cookies or similar technologies being active. If a consumer opts out of their use because they collect personal information, the site may not work optimally, and this degraded functionality is not considered discrimination.
Controllers can offer voluntary incentives, such as discounts, in exchange for consumers’ voluntary participation in programs that collect and process personal information, like a loyalty program or a newsletter signup. Such offers have to be reasonable and proportionate: regulators tend to frown on disproportionate incentives, which start to look like paying consumers for their data.
Controllers must provide consumers with clear and accessible information about data processing. Commonly this appears on the company’s website in a privacy notice or policy. Under the TIPA, this information must include:
- categories of personal information processed by the controller
- purpose(s) for processing personal information
- how consumers may exercise their rights and/or appeal a controller’s decision (e.g. if a request for access is denied)
- categories of personal information that the controller sells to third parties, if any
- categories of third parties to whom the controller sells personal information, if any
- the right to opt out of the sale of personal information to third parties or processing personal information for targeted advertising and how to exercise it
Third party contracts
Controllers must have contracts in place with third-party processors (service providers) with clear information about:
- duty of confidentiality
- specific data processing procedures
- deletion or return of personal information upon request
- demonstration of the processor’s compliance with obligations
- allowance of a reasonable assessment of the processor’s policies, operations and security measures by the controller or a qualified designated assessor
Universal opt-out signal
Like the Virginia Consumer Data Protection Act (VCDPA), the Tennessee Information Protection Act makes no reference to the Global Privacy Control (GPC) “universal opt-out” or similar mechanisms, so Tennessee controllers are not required to honor it. California’s regulations (and the laws of several other states, such as Colorado and Connecticut) do require businesses to honor this signal. GPC is a browser or extension setting with which a consumer expresses an opt-out preference once; the browser then transmits that preference to every website the consumer visits, so the consumer does not have to set new preferences on each site. Honoring the signal, even where it is not mandated, is a simple way to respect consumer choice consistently across the jurisdictions a site serves.
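The GPC signal described above is transmitted in two ways: as the HTTP request header Sec-GPC: 1, and, to page scripts, as the browser property navigator.globalPrivacyControl === true. The following is an added example, not code from the original page or from any CMP product, showing how a site can detect the signal on either side and apply it to a stored consent record. The request objects, the consent-record shape and the purpose names are assumptions made for the example; the header and property names are those defined by the GPC specification.

```javascript
// Added example: detecting the Global Privacy Control (GPC) opt-out signal
// and applying it to a consent record.
//   - HTTP request header:  Sec-GPC: 1
//   - browser property:     navigator.globalPrivacyControl === true
// The request objects and the consent-record shape below are constructed
// for this example; they are not a real CMP or server API.

// HTTP header names are case-insensitive, so look the header up that way.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers || {})) {
    if (key.toLowerCase() === wanted) return String(value).trim();
  }
  return undefined;
}

// Server side: only the exact value "1" is an opt-out. The specification
// defines no other value, so "0", "true" or an absent header mean "no signal".
function gpcFromRequest(headers) {
  return getHeader(headers, 'Sec-GPC') === '1';
}

// Client side: the property is a boolean in supporting browsers and
// undefined elsewhere; anything but true is treated as "no signal".
function gpcFromNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Apply the signal to a consent record. The purposes correspond to the
// opt-out rights under state laws such as TIPA: sale, targeted advertising
// and profiling. A GPC signal withdraws those three purposes only; it does
// not touch strictly necessary processing, and because it only ever sets
// purposes to false it never turns an earlier opt-out back into an opt-in.
function applyGpc(consentRecord, gpcSignal) {
  const OPT_OUT_PURPOSES = ['sale', 'targetedAdvertising', 'profiling'];
  const updated = { ...consentRecord, purposes: { ...consentRecord.purposes } };
  if (gpcSignal) {
    for (const purpose of OPT_OUT_PURPOSES) {
      updated.purposes[purpose] = false;
    }
    updated.source = 'gpc'; // record why the purposes were withdrawn
  }
  return updated;
}

// Constructed sample inputs for a stand-alone run.
const sampleRequestWithGpc = { headers: { Host: 'example.test', 'sec-gpc': '1' } };
const sampleRequestWithoutGpc = { headers: { Host: 'example.test' } };
const sampleConsent = {
  source: 'banner',
  purposes: { necessary: true, sale: true, targetedAdvertising: true, profiling: true },
};

// Runs the server-side path end to end on the sample request with GPC set.
function demo() {
  const signal = gpcFromRequest(sampleRequestWithGpc.headers);
  return applyGpc(sampleConsent, signal);
}

console.log(JSON.stringify(demo()));
console.log('no signal:', gpcFromRequest(sampleRequestWithoutGpc.headers));
```

The server-side check is the one to rely on for anything decided before page scripts run (e.g. whether to set advertising cookies on the response), while the navigator property lets client-side consent UI reflect the same preference. Both checks are strict on purpose: treating any non-empty header value as an opt-out would be harmless, but treating a missing or malformed signal as an opt-in would be the wrong failure mode.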
What happens if you break the Tennessee data protection law?
In Tennessee, the Attorney General has exclusive enforcement authority for the TIPA. As noted, the law does not provide consumers with private right of action, but they can report alleged violations or complaints about denial of requests to the Attorney General’s office. The Attorney General must provide parties with alleged violations against them with written notice that lists the violations.
Cure period and controller actions
There is a 60-day cure period when organizations can fix the issues and take steps to prevent recurrence. Cure periods in other state-level data privacy laws range from 30 to 90 days.
An organization that cures the alleged violation within that period must also notify the Attorney General in writing that the violation has been cured and provide a statement that no further violations will occur. Once it has done so, and if no further violations occur, no punitive action will be taken against it.
Fines and penalties
If the controller or any of their data processors are still in violation after the cure period, or after submitting their statement, the Attorney General can initiate civil proceedings.
A controller or processor found to be in violation of Tennessee’s data privacy regulation is subject to a civil penalty of up to US $7,500 per violation. If the violation is knowing or willful, the court may award treble damages. The Attorney General can also recover reasonable expenses incurred in investigating and preparing the case.
The Tennessee Information Protection Act and consent management
Tennessee’s consumer privacy law reflects the opt-out model, as do all other current US state-level data privacy laws, except where sensitive personal information is concerned. Under this model, controllers do not have to obtain user consent before collecting or processing non-sensitive personal information.
Consumers do have to be provided with the option of opting out of collection and processing of their personal information for sale, targeted advertising, or profiling at any point. Information about that must be provided on the website, typically under the privacy notice/policy page.
The mechanism to enable users to opt out of data processing can be presented in a banner and displayed, most commonly as a link or button. A Consent Management Platform (CMP) like Usercentrics’ also helps to automate detection of the cookies and other tracking technologies in use on websites and apps. Use of a CMP streamlines collecting and providing the information to users about categories of data and specific services in use by the controller and/or processor(s), and third parties with whom data is shared. Tennessee’s privacy law, and most data privacy regulations around the world, require this notification.
Because the United States does not have a single federal data privacy law, companies doing business across the country and/or with other countries may need to comply with multiple consumer privacy laws to protect data. (Learn more: Comparing US state-level data privacy laws) A CMP can make this easier by enabling banner customization and geotargeting. Data processing, consent information and choices for specific regulations can be presented based on specific user location. Geotargeting can also improve clarity and user experience by presenting this information in the user’s preferred language.
This will enable companies to achieve data privacy TIPA compliance, as well as other current and upcoming regulations across the United States. For companies doing business internationally, using a consent management platform also enables compliance with regulations like the GDPR, which has more strict consent management requirements than the laws in the US.
Preparing for the Tennessee Information Protection Act
Organizations doing business in Tennessee have until July 1, 2025 to prepare for compliance with the TIPA. If they have already achieved compliance with other state-level data privacy laws in the US, a good portion of the work is already done. As always, a privacy by design approach will benefit all operations in an organization, whether specifically for regulatory compliance or not.
Achieving TIPA compliance will mainly be a matter of confirming the Tennessee law’s specific requirements and having a solution in place to provide users with the necessary notifications and opt-out options. A consent management platform can help with cookie and tracking notification and management.
Updates to the TIPA are likely over time, as these US regulations are all in their first version, and both technology and consumer expectations are rapidly changing. The TIPA does not include private right of action, so consumer class-action lawsuits will not be a potential influence on future amendments to Tennessee’s privacy law as they may be to California’s.
Consulting qualified legal counsel and/or your organization’s data privacy expert is recommended to ensure responsibilities are met, even for regulations like Tennessee’s that are considered “business-friendly”.
Being proactive about protecting user privacy is a valuable business effort. It builds user trust and engagement, provides better user experiences, and strengthens customer relationships long-term, which leads to more high quality data for marketing operations and boosts revenue.
If you have questions or interest in implementing a consent management platform to help achieve compliance with privacy laws in the United States and around the world, talk to one of our experts.
Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.