Tennessee Information Protection Act (TIPA): Complete 2026 Compliance Guide
Tennessee’s Dual-Threshold Privacy Law
The Tennessee Information Protection Act (TIPA) took effect on July 1, 2025, after being signed into law on May 11, 2023. Tennessee is one of only two states (along with Utah) that use AND logic for their applicability thresholds, meaning businesses must meet both a revenue requirement and a consumer data processing requirement to be covered. This makes the TIPA one of the more business-friendly state privacy laws.
Tennessee also introduced a unique feature: an affirmative defense for businesses that maintain a written privacy program conforming to the NIST Privacy Framework. Use our Privacy Law Calculator to determine whether your business is subject to the TIPA.
Who Must Comply with the TIPA?
The TIPA applies to entities that conduct business in Tennessee or produce products or services targeted to Tennessee residents, AND meet ALL of the following conditions:
- Have annual revenue exceeding $25 million, AND
- Meet one of these consumer data thresholds:
  - Control or process personal data of 175,000 or more Tennessee consumers during a calendar year, OR
  - Control or process personal data of 25,000 or more Tennessee consumers AND derive over 50% of gross revenue from the sale of personal data
The dual-threshold approach — requiring both revenue AND consumer data processing thresholds — significantly narrows the TIPA’s applicability. A small business processing data of millions of Tennessee consumers is not covered if it lacks $25M in revenue; conversely, a large company that processes data of fewer than 175,000 Tennessee consumers is not covered either (unless it meets the data sale revenue tier).
Exemptions
The TIPA exempts several categories of entities and data:
- Entity exemptions: State and local government bodies, financial institutions subject to GLBA, entities covered by HIPAA, nonprofit organizations, institutions of higher education, and entities regulated by the Tennessee Insurance Title
- Data exemptions: Data governed by HIPAA, GLBA, FCRA, FERPA, DPPA, COPPA, and certain employment and B2B contact data
Consumer Rights Under the TIPA
Tennessee residents have a comprehensive set of privacy rights under the TIPA:
- Right to confirm and access — Confirm whether a controller is processing their personal data and access that data
- Right to correct — Request correction of inaccurate personal data
- Right to delete — Request deletion of personal data
- Right to data portability — Obtain a copy of personal data in a portable, readily usable format
- Right to opt out — Opt out of targeted advertising, the sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects
- Right to appeal — Appeal denied consumer rights requests
Controllers must respond to consumer requests within 45 days, with one 45-day extension if reasonably necessary. If an appeal is denied, the consumer must be informed of how to contact the Attorney General.
The NIST Privacy Framework Affirmative Defense
Tennessee is the only state to offer an affirmative defense for businesses that maintain a written privacy program conforming to the NIST Privacy Framework. This is a significant compliance incentive:
- If you maintain a written privacy program that reasonably conforms to the NIST Privacy Framework, you can use it as an affirmative defense in TIPA enforcement actions
- The privacy program must be updated regularly and reflect actual data processing practices
- This does not create a safe harbor — the AG can still bring enforcement actions — but it provides a legal defense that can reduce or eliminate liability
The NIST Privacy Framework focuses on identifying and managing privacy risk through five core functions: Identify, Govern, Control, Communicate, and Protect. For businesses already following NIST guidelines, this is a natural fit.
Key Business Obligations
Privacy Notices
Controllers must provide a reasonably accessible, clear privacy notice covering: categories of personal data processed, processing purposes, how consumers can exercise rights, categories of data shared with third parties, and the categories of those third parties.
Sensitive Data Consent
Processing sensitive data requires the consumer’s opt-in consent. Sensitive data under the TIPA includes: racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, and biometric data used for identification.
Data Protection Assessments
Controllers must conduct and document data protection assessments for processing activities that present a heightened risk of harm, including: targeted advertising, sale of personal data, certain profiling activities, and processing sensitive data. Assessments completed under other state privacy laws (such as Virginia’s VCDPA or Colorado’s CPA) can satisfy Tennessee’s requirements.
No Universal Opt-Out Requirement
The TIPA does not require businesses to honor universal opt-out mechanisms such as Global Privacy Control (GPC). This aligns with the law’s business-friendly approach. Check your GPC obligations across all states with our GPC Compliance Checker.
Processor Contracts
Controllers must enter into written contracts with data processors specifying: processing instructions, confidentiality requirements, data deletion or return obligations, cooperation with audits, and subprocessor management.
Minor Protections
The TIPA requires opt-in consent before processing personal data of known children under 13, consistent with COPPA. The law includes additional protections for teen data in the context of targeted advertising and data sales.
Enforcement and Penalties
The Tennessee Attorney General has exclusive enforcement authority. There is no private right of action.
- Penalties: Up to $7,500 per violation
- Cure period: 60 days — the AG must provide written notice and a 60-day window to cure before pursuing enforcement
Tennessee’s 60-day cure period is the second-longest among state privacy laws (behind only Iowa’s 90 days). Combined with the NIST affirmative defense, this makes Tennessee one of the most forgiving states for enforcement. View the latest enforcement trends on our Enforcement Tracker.
How Tennessee Compares to Other State Privacy Laws
The TIPA has several distinguishing features:
- AND-logic thresholds: Requires both $25M revenue AND a consumer data threshold, unlike most states that use OR logic
- NIST affirmative defense: The only state offering a legal defense based on NIST Privacy Framework compliance
- 60-day cure period: Second-longest cure period, behind Iowa (90 days)
- Higher consumer threshold: 175,000 consumers vs. 100,000 in most states, reflecting Tennessee’s narrower scope
- Full consumer rights: Unlike Iowa, Tennessee includes correction, profiling opt-out, and appeal rights
- No GPC requirement: Businesses are not required to honor universal opt-out signals
Use our State Comparison Tool for a detailed side-by-side analysis.
7-Step TIPA Compliance Plan
- Assess applicability — Verify that your business meets BOTH the $25M revenue threshold AND one of the consumer data processing thresholds. Use the Privacy Law Calculator for a multi-state assessment.
- Consider adopting a NIST-conforming privacy program — If you don’t already have one, building a privacy program aligned with the NIST Privacy Framework creates an affirmative defense and often satisfies requirements across multiple state laws.
- Update your privacy notice — Ensure it covers all categories of data collected, processing purposes, consumer rights, and third-party sharing.
- Implement opt-out mechanisms — Provide clear methods for consumers to opt out of targeted advertising, data sales, and profiling.
- Build consumer rights processes — Establish intake, verification, fulfillment, and appeals workflows. Set up a 45-day response timeline with extension protocols.
- Conduct data protection assessments — Document DPAs for targeted advertising, data sales, profiling, and sensitive data processing. Cross-state DPAs from Virginia or Colorado can satisfy Tennessee’s requirements.
- Review processor contracts — Ensure all data processor agreements meet TIPA contractual requirements for processing scope, confidentiality, and data handling obligations.
For a detailed walkthrough, visit our Tennessee Compliance Checklist.
This article provides general educational information and is not legal advice. Consult qualified legal counsel for guidance specific to your organization. Last updated: March 28, 2026.