The Tennessee Information Protection Act: Compliance Requirements and Checklist

At a glance: Tennessee Information Protection Act

• On July 1, 2025, the Tennessee Information Protection Act (TIPA) will go into effect.
• A significant piece of legislation aimed at safeguarding consumer privacy, Tennessee’s privacy law establishes clear expectations around how businesses can collect and process Tennessee residents’ personal data.
• This guide covers who’s subject to Tennessee’s privacy law, compliance requirements for businesses under the law’s scope, how TIPA compares to other state regulations.
• Keep reading until the end for a complete compliance checklist.

Who's subject to Tennessee's privacy law?

Determining whether your business falls under the Tennessee Information Protection Act (TIPA) is an essential first step, as not all entities will be affected.

The TIPA applies to businesses that:

• Generate over $25 million in revenue and EITHER
• Control or process personal information of at least 25,000 consumers, deriving more than 50% of their gross revenue from the sale of personal information OR
• Control or process personal information of at least 175,000 consumers in a calendar year.

These thresholds are designed to capture a broad range of businesses, particularly those engaging in significant data processing activities. Certain exemptions apply, including government agencies and entities governed by specific federal regulations like HIPAA.

Compliance requirements under the Tennessee Information Protection Act (TIPA)

Tennessee’s privacy law outlines several compliance obligations for businesses:

Fulfilling consumer rights

Tennessee’s privacy law grants consumers several rights, including:

• The right to access personal information
• The right to confirm processing activities
• The right to correct inaccuracies
• The right to delete data
• The right to data portability
• The right to opt out of targeted advertising, data sales, and profiling

Businesses must respond to consumer requests within 60 days and consumers may appeal a business’s decision if their request is rejected.

Providing clear privacy notices

Businesses are required to issue a privacy notice that details:

• The categories of personal information collected
• The purpose of data processing
• Consumer rights and how to exercise them
• Categories of data shared with third parties
• Contact information for the business

Opt-in consent for sensitive data

For sensitive data, especially concerning users under 13 (subject to COPPA), businesses must obtain explicit consent before processing. This applies to targeted advertising, data sales, and profiling activities.

Data minimization and purpose limitation

Organizations must limit their data collection to what is necessary for stated purposes and cannot repurpose data without consumer consent.

Security safeguards

Businesses must implement reasonable administrative, technical, and physical measures to protect the confidentiality and integrity of personal information.

Compliance and enforcement

Enforcement of the Tennessee Information Protection Act will be managed by the Attorney General, and there is no private right of action. A 60-day cure period allows businesses to rectify compliance issues, with penalties up to $7,500 per violation.

How Tennessee’s privacy law compares with other state laws

Applicability thresholds

The Tennessee Information Protection Act (TIPA) establishes specific thresholds for its applicability:

• It applies to businesses with annual revenues exceeding $25 million that also meet one of the following conditions:
  • Control or process personal information of at least 175,000 consumers in Tennessee.
  • Control or process personal information of at least 25,000 Tennessee consumers while earning more than 50% of their gross revenue from the sale of that data.

These thresholds are relatively high compared to some other states, meaning fewer businesses will be subject to TIPA's regulations.

Affirmative defense provision

TIPA introduces a unique "affirmative defense" provision. Organizations can defend against alleged TIPA violations by establishing and adhering to a written privacy program that aligns with recognized standards, such as:

• The U.S. National Institute of Standards and Technology (NIST) Privacy Framework
• The Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules
• The APEC Privacy Recognition for Processors System

This piece of the law is not commonly seen in other state privacy laws—offering businesses a potential defense strategy.

Insurance company exemption

TIPA is notable in that it completely exempts all insurance providers licensed in Tennessee. This exemption is unique among state privacy regulations and offers a significant relief for the insurance sector.

Treatment of pseudonymous data

TIPA provides a broad carve-out for pseudonymous data. Consumer rights do not extend to pseudonymous data if the organization can demonstrate that identifying information is kept separate and protected by effective technical and organizational measures.

This provision allows for more flexibility in managing pseudonymous data compared to regulations in other states.

Universal opt-out mechanisms

Unlike some state laws, such as those in California and Colorado, the TIPA does not explicitly require the recognition of universal opt-out mechanisms. This lack of specific mandate might reduce the compliance obligations imposed on businesses, as they are not compelled to honor browser-based signals like the Global Privacy Control.

Tennessee Information Protection Act compliance checklist

To prepare for compliance with the Tennessee Information Protection Act, businesses can take several key steps:

1. Determine applicability

Begin by thoroughly reviewing the specific revenue and consumer thresholds outlined in the law. This step is crucial to assess whether your business operations fall under the law’s scope. Consider factors such as annual revenue, the number of consumers your business engages with, and how many consumers on whom you process data.

2. Complete a data inventory

Begin by creating a comprehensive inventory of all personal information collected by the organization. This should include detailed descriptions of the categories of data, such as names, email addresses, and phone numbers. Additionally, document the specific purposes for which each type of data is collected and the legal bases for processing this information.

3. Implement data minimization practices

Businesses should implement data minimization practices, ensuring they collect only the personal information that’s relevant and necessary for their operations. Organizations must also limit their data processing activities to the purposes disclosed to consumers and establish clear policies that restrict data usage to these specified purposes.

4. Establish privacy request mechanisms

Businesses need to provide clear mechanisms for consumers to access, correct, delete, and transfer their data. A process should be established to respond to consumer requests within 45 days, and an appeals process must be created for instances where requests are denied.

5. Implement consent management

Ensure a robust consent management process is in place for handling sensitive data and related activities. This involves obtaining clear and explicit consent from users before collecting their data, regularly reviewing and updating consent records, and providing users with the option to withdraw their consent at any time.

6. Publish clear privacy notices

Develop accessible privacy notices that clearly communicate your data practices and consumer rights. This notice should include, among other things, the categories of personal information collected, the purposes for processing that data, and methods for consumers to exercise their rights and appeal decisions.

7. Document a privacy program that aligns with recognized standards

Create a documented privacy program that aligns with recognized standards, such as the U.S. National Institute of Standards and Technology (NIST) Privacy Framework. This will help establish credibility for your compliance efforts and provide an affirmative defense against potential violations.

About Transcend

Transcend is the next-generation privacy solution. Encoding privacy at the code layer, we provide solutions for any privacy challenge your teams may be facing—including getting you ready for new legislation like Tennessee’s data privacy law.

From Consent Management to automated DSR Automation to a full suite of data mapping solutions (Data Inventory, Silo Discovery, Structured Discovery, Unstructured Discovery, and more), Transcend has you covered as your company grows and evolves in a swiftly changing regulatory environment.