Effective Date: July 1, 2025
The Tennessee Information Protection Act (TIPA) is a comprehensive state-level privacy law designed to provide consumers with greater control over their personal data. The law establishes specific rights for consumers and imposes certain obligations on businesses that handle personal data of Tennessee residents. Below is an overview of the Act’s key provisions and requirements.
TIPA defines “sensitive data” as a category of personal information that includes the following:
TIPA applies to individuals or entities conducting business in Tennessee or offering products or services targeting Tennessee residents that meet the following criteria:
It is important to note that the Act does not apply to non-profit organizations.
Other limitations on applicability exist, including:
TIPA grants consumers the following rights:
To exercise their rights, consumers may submit requests to controllers through the means described in the privacy notice. No account creation is required for submitting requests, although if the consumer has an existing account with the controller, the request may be submitted through that account. If the request is made on behalf of a child, the parent or legal guardian may submit the request.
Controllers are required to respond to consumer requests within 45 days. They must provide the requested information free of charge, up to twice per consumer within any 12-month period. In cases where requests are deemed manifestly unfounded, excessive, or repetitive, controllers may charge a reasonable fee to cover administrative costs.
Controllers must be able to authenticate consumer requests using commercially reasonable efforts and may request additional information from the consumer to verify the request. Controllers must also establish an appeal process, which should be clearly available, free of charge, and similar to the process for submitting consumer rights requests.
In the event an appeal is denied, controllers must provide an online mechanism or another contact method for consumers to submit complaints to the Tennessee Attorney General.
TIPA imposes the following obligations on controllers:
Limit the collection of personal data: Controllers must limit the collection of personal data to what is adequate, relevant, and necessary in relation to the processing purposes disclosed to consumers.
Obtain consumer consent: Controllers must obtain consumer consent to:
Privacy notice requirements: Controllers must provide a clear, accessible, and meaningful privacy notice that includes:
Contract with processors: Controllers must enter into contracts with processors, ensuring compliance with the TIPA requirements.
Data protection assessments: Controllers must conduct and document data protection assessments for each processing activity that poses a heightened risk of harm to consumers, such as processing for targeted advertising or the sale of personal data.
Data security practices: Controllers must implement reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.
The Act does not regulate the use of universal opt-out signals, meaning that businesses are not required to comply with such signals under TIPA.