Tennessee Privacy Law
Tennessee Information Protection Act
Overview
The Tennessee Information Protection Act (TIPA) was signed into law on May 11, 2023, and became effective on July 1, 2025. Tennessee's law is notable for requiring both a revenue threshold and a consumer data processing threshold (using AND logic), similar to Utah's approach, making it more business-friendly in terms of applicability. The TIPA provides Tennessee consumers with comprehensive privacy rights, including access, correction, deletion, portability, and opt-out rights for data sales, targeted advertising, and profiling. The law includes an appeals process for denied requests and requires opt-in consent for processing sensitive data. Tennessee also introduced an affirmative defense for businesses that maintain a written privacy program conforming to the NIST privacy framework. The law applies to entities that conduct business in Tennessee or target Tennessee consumers, have annual revenue exceeding $25 million, AND either (a) control or process personal data of 175,000 or more consumers, or (b) control or process personal data of 25,000 or more consumers while deriving more than 50% of gross revenue from the sale of personal data. The TIPA includes a 60-day cure period and penalties of up to $7,500 per violation, enforced by the Tennessee Attorney General.
Applicability Thresholds
Conditions are joined by AND — ALL conditions must be met.
Consumer Rights
Key Changes in 2025-2026
- Law became effective July 1, 2025 — first full year of enforcement in 2025-2026
- Tennessee AG developing enforcement priorities and compliance guidance
- The NIST privacy framework affirmative defense provides a unique compliance incentive
- Monitoring for potential amendments to threshold requirements
Enforcement Details
Sensitive Data Categories
Consent model: opt-in
Universal Opt-Out / GPC Requirements
The TIPA does not require businesses to honor universal opt-out mechanisms. Tennessee took a business-friendly approach and does not mandate GPC or similar signal recognition.
Minor / Child Protections
The TIPA requires opt-in consent before processing personal data of known children under 13. The law includes protections for teen data in the context of targeted advertising and data sales.
Compliance Checklist
1. Assess whether your organization meets BOTH the $25M revenue threshold AND a consumer data processing threshold
2. Consider adopting a NIST-conforming privacy program for the affirmative defense benefit
3. Update privacy notices with all TIPA-required disclosures
4. Implement opt-out mechanisms for data sales, targeted advertising, and profiling
5. Obtain opt-in consent for processing sensitive data categories
6. Establish consumer rights request response processes within the 45-day period
7. Create an appeals process for denied consumer rights requests
Tennessee Privacy Law FAQ
Official Resources
Disclaimer: PrivacyLawMap provides general information about US state privacy laws for educational purposes only. This is NOT legal advice. Privacy laws are complex and frequently amended. Consult with a qualified privacy attorney for advice specific to your business. PrivacyLawMap makes no warranties about the accuracy or completeness of this information.