Tennessee was the eighth state in the US to pass a consumer privacy bill, with an effective date of July 1, 2025. As of May 11, 2023, when the law was passed, organizations have a little more than two years to prepare for TIPA compliance.<\/p>\n
Passing of comprehensive state-level privacy laws is gaining momentum in the United States in 2023, with six laws passed between March and June: Iowa, Indiana, Tennessee, Montana, Florida, and Texas. The law passed in Tennessee is the result of a multi-year effort to bolster consumer data privacy in the state. TIPA is considered \u201cbusiness-friendly\u201d, like the Virginia Consumer Data Protection Act (VCDPA)<\/a> and Iowa Consumer Data Protection Act (ICDPA)<\/a>. A federal law in the US remains in limbo.<\/p>\n\n\n The Tennessee Information Protection Act (TIPA)<\/a>, from HB 1181<\/a>, protects the privacy and personal information rights of Tennessee\u2019s nearly seven million residents, and establishes data privacy responsibilities for companies doing business in the state or providing goods or services targeting Tennessee residents. In the course of doing business these organizations process consumers\u2019 personal information. Like other states with data privacy laws, including California, Tennessee defines a consumer as a resident of the state who is acting in a \u201cnoncommercial and nonemployment context\u201d.<\/p>\n The TIPA uses an opt-out model, as do the laws in all the other states that have passed comprehensive data privacy regulations to date. This means that businesses that are required to become TIPA-compliant must inform consumers about data collection and processing that they perform, i.e. what data, for what purposes, third parties with whom the data will be shared, etc. Businesses must give consumers a way to opt out of data collection and processing. They and any third parties they engage for data processing must also implement reasonable security and protections.<\/p>\n Personal information<\/strong><\/p>\n The TIPA uses a fairly standard definition of personal information (also called personal data in some other laws): \u201cinformation that identifies, relates to, or describes a particular consumer or is reasonably capable of being directly or indirectly associated or linked with a particular consumer\u201d<\/em>. The list of examples is extensive, though it excludes publicly available information, aggregated data, or de-identified data<\/a>.<\/p>\n The Act specifically references identifiers:<\/p>\n It also references \u201cinformation that identifies, relates to, describes, or could be associated with, a particular individual, including, but not limited to\u201d<\/em>:<\/p>\n Additionally:<\/p>\n The last definition regarding consumer profiling is particularly interesting and profiling\/targeting is becoming increasingly relevant and explicitly addressed in data privacy laws, particularly as it relates to automated decision-making used for profiling (e.g. the use of AI\/ML tools for that purpose).<\/p>\n Consent<\/strong><\/p>\n The European Union\u2019s General Data Protection Regulation (GDPR)<\/a> set the standard for defining consent, which has been followed by many regulations passed since.<\/p>\n Under TIPA, consent is defined as: \u201ca clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal information relating to the consumer; and includes a written statement, including a statement written by electronic means, or an unambiguous affirmative action.\u201d.<\/em><\/p>\n The second part of the definition is relevant for the use of a consent management platform to collect and store user consent data for use of cookies and other online tracking technologies on websites, apps and connected media devices.<\/p>\n Sensitive data \/ sensitive personal information<\/strong><\/p>\n This covers more specific categories of personal information, including that which reveals:<\/p>\n Controller<\/strong><\/p>\n Businesses that collect and process personal information will likely qualify as controllers, which the TIPA defines as \u201cthe natural or legal person that, alone or jointly with others, determines the purpose and means of processing personal information\u201d<\/em>.<\/p>\n Processor<\/strong><\/p>\n For businesses that share personal information for processing purposes, the business will be the controller and the third-party entity will be the processor, defined in the Tennessee privacy act as \u201ca natural or legal entity that processes personal information on behalf of a controller\u201d<\/em>.<\/p>\n Sale<\/strong><\/p>\n This is defined as the \u201cexchange of personal information for monetary or other valuable consideration by the controller to a third party\u201d<\/em>. Several notable exclusions to the definition of sale of personal information include:<\/p>\n Targeted advertising<\/strong><\/p>\n Refers to displaying advertisements to consumers where the ads displayed are based on personal information about the consumer that has been obtained from the consumer or about their online activities over time, particularly across other websites or apps. The goal is to use the personal information to predict the consumers\u2019 interests and preferences to increase relevance and personalize the advertising experience.<\/p>\n\n\n The TIPA applies to organizations conducting business in Tennessee, and any business that offers products or services targeted to Tennessee residents. TIPA compliance has two primary threshold criteria for organizations (\u201ccontrollers\u201d under the law):<\/p>\n or<\/strong><\/p>\n Unlike some state laws, e.g. California with the CCPA and CPRA<\/a>, Tennessee\u2019s privacy law will not have a revenue threshold alone. That means that companies otherwise would be required to comply with the regulation if their annual gross revenues exceeded a certain dollar threshold, even if they did not meet the threshold of the number of consumers\u2019 whose data was processed.<\/p>\n Without this threshold, businesses of any size\/value that meet the Tennessee privacy law\u2019s personal information or personal information plus revenue percentage thresholds must become TIPA-compliant.<\/p>\n One aspect that makes the Tennessee Information Protection Act unique among other state-level data privacy laws is an affirmative defense or safe harbor provision. Organizations charged with violating TIPA can raise an affirmative defense by creating, complying with and maintaining a written privacy program. The program needs to conform to one or more existing and accepted standards and principles:<\/p>\n NIST is the particular framework of note for such a defense. Ohio included a similar provision in its most recent data privacy law bill from 2022, but the privacy legislation did not pass. The exemptions in the Tennessee data privacy act are fairly consistent with the other existing US data privacy laws, deferring mainly to existing federal laws, including:<\/p>\n Other exemptions include HR data, health records, research data for human subjects that are covered by other federal laws or standards, and data that is processed or maintained for employment-related purposes.<\/p>\n Exempted institutions include:<\/p>\n Exclusions to the TIPA\u2019s definition of \u201cconsumer\u201d include individuals acting in an employment or business (B2B) context.<\/p>\n\n\n Consumers have several main personal information rights under the new data protection law. Parents or legal guardians of known children can invoke a child\u2019s rights regarding processing of personal information.<\/p>\n Parents or guardians can exercise these rights on behalf of children. The most notable personal information rights that are not included are:<\/p>\n Controllers must notify consumers of their rights and ways that consumers can exercise those rights by submitting a verifiable request to the company. The controller must include clear information on how to exercise consumer rights in their privacy notice or policy page on their website.<\/p>\n After a consumer request is received, the controller has 45 days to respond. There are some limited reasons that they can decline, including if the consumer\u2019s identity cannot be reasonably verified. If a controller denies a request, they have to provide the consumer with information on how to contact the Attorney General\u2019s office. The consumer can also appeal such a decision, and the controller has 60 days to respond to the appeal.<\/p>\n If there are extenuating circumstances preventing fulfilling a consumer request, once the consumer has been notified, that response period can be extended by 45 days if reasonably necessary.<\/p>\n Purpose limitation<\/strong><\/p>\n Controllers can process personal information for the purpose(s) that they have communicated, as long as the processing is \u201creasonably necessary\u201d (relevant, adequate, and limited) and proportional to those purposes.<\/p>\n Data security<\/strong><\/p>\n Controllers must protect personal information by establishing, implementing and maintaining reasonable administrative, technical, and physical security measures. These measures should be appropriate to the nature and volume of personal information being processed.<\/p>\n Data protection assessments (DPA)<\/strong><\/p>\n Controllers must conduct and document data protection assessments when they process information:<\/p>\n Data protection assessments conducted to comply with other state laws may enable organizations to become TIPA-compliant if the scope and effect is similar.<\/p>\n Consent requirements<\/strong><\/p>\n Like other US states that have passed privacy laws, Tennessee uses an opt-out model, so user consent is not required before collecting and processing information in many cases. The exception is that consent must be obtained before collecting or processing sensitive personal information. Consumers must be given clear notice about processing and be able to opt out of sale, targeted advertising, or profiling.<\/p>\n Where children are concerned, the TIPA follows the federal Children\u2019s Online Privacy Protection Act<\/a> (COPPA). Consent from any known child\u2019s parent or guardian must be obtained before processing of any personal information of any user known to be under 13 years of age. This would include all children\u2019s personal information, as under Tennessee\u2019s data privacy regulation data of children under 13 is classified as \u201csensitive\u201d by default.<\/p>\n Nondiscrimination<\/strong><\/p>\n Controllers are prohibited from unlawful discrimination against consumers, and from processing personal information if doing so is in violation of state or federal laws governing discrimination.<\/p>\n Additionally, controllers cannot discriminate against consumers for exercising their rights. For example, a consumer cannot be blocked from accessing a website if they opt out of allowing personal information collection.<\/p>\n However, there are often website features or functions that will not work without certain cookies being active, so if a consumer does not opt in to their use because they collect personal information, the site may not work optimally. This is not considered to be discriminatory.<\/p>\n Controllers can offer voluntary incentives like discounts for consumers\u2019 voluntary participation in operations like an organization\u2019s loyalty program or signing up for a newsletter, where these operations collect and process personal data. Such offers have to be reasonable, as data protection authorities tend to frown on disproportionate incentives as they start to look like bribes.<\/p>\n Transparency<\/strong><\/p>\n Controllers must provide consumers with clear and accessible information about data processing. Commonly this appears on the company\u2019s website in a privacy notice or policy. Under the TIPA, this information must include:<\/p>\n Third party contracts<\/strong><\/p>\n Controllers must have contracts in place with third-party processors (service providers) with clear information about:<\/p>\n Universal opt-out signal<\/strong><\/p>\n Like the Virginia Consumer Data Protection Act<\/a> (VCDPA), the Tennessee Information Protection Act does not make any reference to the Global Privacy Control<\/a> (GPC) \u201cuniversal opt-out\u201d or similar mechanisms. California\u2019s laws do reference this signal, which is intended to standardize user consent online. Using it enables consumers to create a single set of their own personal data privacy consent preferences. These settings can then be communicated to all websites or apps that consumers visit, so users don\u2019t have to set new preferences on every site. Use of this mechanism also helps ensure compliance with consumer privacy laws relevant to each user.<\/p>\n\n\n In Tennessee, the Attorney General has exclusive enforcement authority for the TIPA. As noted, the law does not provide consumers with private right of action, but they can report alleged violations or complaints about denial of requests to the Attorney General\u2019s office. The Attorney General must provide parties with alleged violations against them with written notice that lists the violations.<\/p>\n There is a 60-day cure period when organizations can fix the issues and take steps to prevent recurrence. Cure periods in other state-level data privacy laws range from 30 to 90 days.<\/p>\n Organizations found to have violated the TIPA also have to notify the Attorney General that they have taken these repair actions, and provide a statement that no further violations will occur. Once they have done this, and if no further issues come up, there won\u2019t be further punitive action against them.<\/p>\n If the controller or any of their data processors are still in violation after the cure period, or after submitting their statement, the Attorney General can initiate civil proceedings.<\/p>\n A controller or processor found to be in violation of Tennessee\u2019s data privacy regulation is subject to a fine of up to US $15,000 per violation. If the controller\u2019s violation is knowing or willful, the Attorney General can seek three times the damages. They can also recover reasonable expenses from investigations and case preparation.<\/p>\n\n\n Tennessee\u2019s consumer privacy law reflects the opt out model, as do all other current US state-level data privacy laws, except where sensitive personal information is concerned. Under this model, controllers do not have to obtain user\/data subject consent prior to collecting or processing personal data.<\/p>\n Consumers do have to be provided with the option of opting out of collection and processing of their personal information for sale, targeted advertising, or profiling at any point. Information about that must be provided on the website, typically under the privacy notice\/policy page.<\/p>\n The mechanism to enable users to opt out of data processing can be presented in a banner and displayed, most commonly as a link or button. A Consent Management Platform (CMP) like Usercentrics\u2019 also helps to automate detection of the cookies and other tracking technologies in use on websites and apps. Use of a CMP streamlines collecting and providing the information to users about categories of data and specific services in use by the controller and\/or processor(s), and third parties with whom data is shared. Tennessee\u2019s privacy law, and most data privacy regulations around the world, require this notification.<\/p>\n Because the United States does not have a single federal data privacy law, companies doing business across the country and\/or with other countries may need to comply with multiple consumer privacy laws to protect data. (Learn more: Comparing US state-level data privacy laws<\/a>) A CMP can make this easier by enabling banner customization and geotargeting. Data processing, consent information and choices for specific regulations can be presented based on specific user location. Geotargeting can also improve clarity and user experience by presenting this information in the user\u2019s preferred language.<\/p>\n\n\nWhat is the Tennessee data privacy act?<\/h2>\n
Definitions in the Tennessee Information Protection Act<\/h4>\n
\n
\n
\n
\n
\n
What is covered in the Tennessee data privacy act?<\/h2>\n
Who has to comply with the Tennessee Information Protection Act?<\/h4>\n
\n
\n
<\/h4>\n
Affirmative defense<\/h4>\n
\n
\nConformation to a privacy framework depends on the following:<\/p>\n\n
<\/h4>\n
Exemptions to Tennessee Information Protection Act compliance<\/h4>\n
\n
\n
Consumers\u2019 rights under the Tennessee Information Data Protection Act<\/h2>\n
\n
\n
How does the new Tennessee data protection act affect businesses?<\/h2>\n
How to comply with the Tennessee data privacy act?<\/h4>\n
\n
\n
\n
What happens if you break the Tennessee data protection law?<\/h2>\n
Enforcement<\/h4>\n
<\/h4>\n
Cure period and controller actions<\/h4>\n
Fines and penalties<\/h4>\n
The Tennessee Information Protection Act and consent management<\/h2>\n