Documentation

Table of Contents

Tennessee Information Protection Act (TIPA) Overview

Effective Date: July 1, 2025

The Tennessee Information Protection Act (TIPA) is a comprehensive state-level privacy law designed to provide consumers with greater control over their personal data. The law establishes specific rights for consumers and imposes certain obligations on businesses that handle personal data of Tennessee residents. Below is an overview of the Act’s key provisions and requirements.

Definition of Sensitive Data

TIPA defines “sensitive data” as a category of personal information that includes the following:

  1. Personal information revealing racial or ethnic origin, religious beliefs, mental or physical health diagnoses, sexual orientation, or citizenship or immigration status;
  2. Financial information, which includes a consumer’s account number, account log-in, financial account, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a consumer’s financial account;
  3. Genetic or biometric data processed to uniquely identify an individual;
  4. Personal information collected from a known child (a natural person younger than 13);
  5. Precise geolocation data.

Applicability of the Act

TIPA applies to individuals or entities conducting business in Tennessee or offering products or services targeting Tennessee residents that meet the following criteria:

  1. They exceed \$25,000,000 in revenue; and
  2. They:
  • Control or process personal information of at least 25,000 consumers and derive more than 50% of their gross revenue from the sale of personal data; or
  • Control or process personal information of at least 175,000 consumers during a calendar year.

It is important to note that the Act does not apply to non-profit organizations.

Other limitations on applicability exist, including:

  • State entities,
  • Higher education institutions,
  • Protected health information,
  • Compliance with ordinances or regulations,
  • Provision of a product or service specifically requested by a consumer.

Consumers’ Rights

TIPA grants consumers the following rights:

  1. The right to confirm whether a controller is processing their personal data and access it;
  2. The right to obtain a copy of their personal data in a portable, readily usable format, allowing them to transmit the data to another controller;
  3. The right to request the correction of inaccurate personal data;
  4. The right to request the deletion of their personal data;
  5. The right to opt out of the processing of their personal data for targeted advertising, sale of personal data, and profiling activities with legal or similarly significant effects;
  6. The right not to be discriminated against for exercising opt-out rights.

Exercise of Rights

To exercise their rights, consumers may submit requests to controllers through the means described in the privacy notice. No account creation is required for submitting requests, although if the consumer has an existing account with the controller, the request may be submitted through that account. If the request is made on behalf of a child, the parent or legal guardian may submit the request.

Follow-Up by Controllers

Controllers are required to respond to consumer requests within 45 days. They must provide the requested information free of charge, up to twice per consumer within any 12-month period. In cases where requests are deemed manifestly unfounded, excessive, or repetitive, controllers may charge a reasonable fee to cover administrative costs.

Controllers must be able to authenticate consumer requests using commercially reasonable efforts and may request additional information from the consumer to verify the request. Controllers must also establish an appeal process, which should be clearly available, free of charge, and similar to the process for submitting consumer rights requests.

In the event an appeal is denied, controllers must provide an online mechanism or another contact method for consumers to submit complaints to the Tennessee Attorney General.

Controllers’ Obligations

TIPA imposes the following obligations on controllers:

Limit the collection of personal data: Controllers must limit the collection of personal data to what is adequate, relevant, and necessary in relation to the processing purposes disclosed to consumers;

Obtain consumer consent: Controllers must obtain consumer consent to:

    • Process personal data for purposes that are not reasonably necessary or compatible with the purposes disclosed in the privacy policy;
    • Process sensitive data, including sensitive data of a known child (which must comply with the Children’s Online Privacy Protection Act, COPPA);

    Privacy notice requirements: Controllers must provide a clear, accessible, and meaningful privacy notice that includes:

      • Categories of personal data processed;
      • Purposes for processing personal data;
      • Categories of personal data sold to third parties, if applicable, and the relevant categories of third parties;
      • How consumers may exercise their rights, including the right to appeal;
      • A clear disclosure of any sale of personal data or processing for targeted advertising, with an opt-out procedure;

      Contract with processors: Controllers must enter into contracts with processors, ensuring compliance with the TIPA requirements.

      Data protection assessments: Controllers must conduct and document data protection assessments for each processing activity that poses a heightened risk of harm to consumers, such as processing for targeted advertising or the sale of personal data.

      Data security practices: Controllers must implement reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.

        Universal Opt-Out Signals

        The Act does not regulate the use of universal opt-out signals, meaning that businesses are not required to comply with such signals under TIPA.