Tennessee Information Protection Act (TIPA)

• Enacted: May 11, 2023
• Effective: July 1, 2025

TIPA applies to businesses operating in Tennessee or targeting Tennessee residents and that:

• Control or process personal data of at least 100,000 consumers annually, or
• Control or process data of at least 25,000 consumers and derive over 50% of gross revenue from selling personal data.

• Government bodies and their contractors
• GLBA-covered financial institutions
• HIPAA-covered entities and associates
• Nonprofits and higher education institutions
• De-identified or publicly available data

• Limit data collection to what’s necessary and relevant
• Use data only for disclosed purposes
• Provide clear and accessible privacy notices
• Use reasonable security measures
• Obtain consumer consent for processing sensitive data, including racial or ethnic origin, health data, biometric and genetic data, and precise geolocation
• Respond to consumer requests within 45 days, with a one-time 45-day extension when necessary

• Publish a privacy notice explaining data uses and consumer rights
• Enable opt-out mechanisms for sales or targeted ads
• Include links to exercise consumer rights

• Conduct data protection assessments for high-risk processing activities
• Ensure contracts with processors define confidentiality, responsibilities, and processing limitations
• Implement technical and organizational safeguards
• Provide employee training on privacy and security measures

Consumers may:

• Access their data
• Correct inaccuracies
• Delete personal data
• Obtain a copy in a portable, structured, machine-readable format
• Opt out of data sales, targeted ads, and profiling

• Authority: Tennessee Attorney General
• Penalties: Up to $7,500 per violation
• Cure Period: 60 days until July 1, 2026; not guaranteed afterward
• Private Right of Action: Not provided