Tennessee Information Protection Act
Tennessee’s privacy law, the Tennessee Information Protection Act (TIPA), was passed unanimously by the full legislature and signed by Governor Bill Lee May 11, 2023. The law’s effective date is July 1, 2025. TIPA follows the Virginia model most closely, but includes narrower application thresholds, broader exemptions, and a unique safe harbor provision.
What You Need to Know About TIPA
TIPA applies to for-profit entities that:
- Conduct business or provide products or services to residents of Tennessee (consumers), and
- Exceed $25 million in annual revenue, and
- Annually controls or processes the PI of either:
- 175,000 residents; or
- 25,000 residents and derives more than 50% of gross revenue from the sale of PI.
Exempt Entities: Exempt entities include:
- Non-profits;
- State government entities;
- Higher education Institutions;
- Insurers;
- HIPAA-covered entities; and
- GLBA-covered entities.
Exempt Data: TIPA exempts a long list of personal information, including but not limited to:
- Protected Health Information (PHI) under HIPAA;
- GLBA covered data;
- Various federally and internationally protected health and patient information, including that protected by the Common Rule, human subject data, and more;
- Various forms of credit data regulated by the Fair Credit Reporting Act; and
- Data covered by a wide variety of other federal laws including the Family Educational Rights and Privacy Act, Farm Credit Act, and Driver’s Privacy Protection Act.
Exempt Use Cases: TIPA is not applicable in some circumstances, such as: processing PI in an employment or commercial (B2B) context;
- Conducting internal research for development, improvement, and repair of products, services, and technology (R&D);
- Product recalls;
- Identifying and repairing technical errors that impair existing or intended functionality; and
- Performing internal operations.
Key Components of TIPA
TIPA covers “personal information” (PI), which Tennessee defines as any information that is linked or reasonably linkable to an identified or identifiable natural person.
The definition exempts de-identified and information made publicly available by government records, the media or the consumer.
Sensitive PI in TIPA consists of:
- Racial or ethnic origin;
- Religious beliefs;
- Mental or physical condition or diagnosis;
- sexual orientation;
- Citizenship or immigration status;
- PI about a known child;
- Precise geolocation data (identifies the specific location within a radius of 1750 feet); and
- Genetic or biometric data for the purpose of identification.
Where a controller processes de-identified data, Tennessee requires it to take reasonable measures to ensure the data cannot be associated with an individual; publicly commit to maintaining such data without an attempt to re-identify it; and contractually obligate any recipients of the data to comply with TIPA.
TIPA also exempts pseudonymous data from all privacy rights requests where the controller can show it keeps information that would allow the data to be re-identified separate and subject to technical and organizational controls that prevent its use for re-identification.
In a word: Yes!
Parental consent is required to process PI about a known child (younger than 13) in accordance with COPPA.
Consent is also required prior to processing PI for purposes that are not reasonably necessary to or compatible with the business purpose for which the information was collected and notified to the consumer.
Under TIPA, a privacy notice must include:
- The categories of PI processed;
- The purpose for processing PI;
- The categories of third parties to which PI is sold, if any;
- The categories of PI that are sold to third parties, if any;
- Privacy rights; and
- The methods for a consumer to exercise their privacy rights (see below) and appeal a rights decision.
Tennessee defines “sale” as an exchange for valuable monetary consideration, more limited than many state privacy laws that also include “other” valuable consideration. This requires that the monetary consideration be valuable (not nominal) for any exchange of PI to be a sale.
There are limits on the definition of “sale” to ensure that certain business functions are not unintentionally impeded by this law. Examples of activities deemed not to be a sale include: the disclosure of PI to provide a product or service requested by the consumer, the disclosure of PI that the consumer intentionally made available to the public, and the disclosure of PI as part of a merger or bankruptcy.
The state Attorney General (AG) has sole enforcement authority under TIPA. Under the law, the AG may bring an enforcement action after providing 60 days’ notice and an opportunity for the business to cure the alleged violation(s). This cure period does not sunset. Penalties may include injunctive relief (the company must immediately stop certain behaviors) and/or fines of up to $7,500 per violation, plus attorney’s fees, investigative costs, and any other relief the court determines appropriate. For willing or knowing violations, the court can award triple damages.
Uniquely, TIPA offers a safe harbor for entities that voluntarily implement and maintain a privacy policy compliant with the NIST Privacy Framework. Importantly, this is not an exemption from TIPA. With this statute, if an entity maintains a voluntary privacy program that meets the safe harbor conditions and if a cause of action for an alleged violation of TIPA is brought against the business, that voluntary program can serve as protection against monetary fines.
Privacy Rights
The privacy rights TIPA provides to consumers align with those provided under other state laws.
If TIPA applies to your business, you must provide the following privacy rights to consumers:
- Right to know whether a business is processing your PI;
- Right to access PI;
- Right to correct inaccuracies in PI;
- Right to delete PI about them;
- Right to obtain a copy of PI (data portability); and
- Right to opt out of the sale of PI and processing for targeted advertising and profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
Tennessee requires that businesses respond to privacy rights requests within 45 days of receipt, with a permissible 45-day extension in limited circumstances. Responses must be provided free of charge at least twice a year. If the business cannot authenticate a request or declines to take a requested action for another reason, the business must notify the consumer in writing, including the reason for the declination and instructions for appeal.
The appeals process must be conspicuously available to the consumer and similar to the process for submitting an initial privacy rights request. Businesses must respond to appeals within 60 days of receipt. If denying an appeal, it must provide an online mechanism, if available, or another method for contacting the AG to submit a complaint.
Universal Opt Out
Tennessee does not require that controllers recognize universal opt-out signals.
Privacy Impact Assessments
Tennessee requires regulated businesses to conduct data protection impact assessments, or privacy impact assessments (PIAs), for certain high-risk processing.
TIPA requires assessments for activities created or generated after July 1, 2024, that present a heightened risk of harm, specifically including:
- Processing for targeted advertising;
- Selling PI;
- Processing sensitive PI;
- Processing for the purposes of profiling if it presents a ‘reasonably foreseeable risk’ of:
- Unfair or deceptive treatment or unlawful disparate impact on consumers;
- Financial, physical, or reputational injury to consumers;
- Physical or other intrusion on the solitude or seclusion, or private affairs or concerns, which would be offensive to a reasonable person; or
- Other substantial injury.
- Processing activities involving PI that present a heightened risk of harm to consumers.
Vendor Contracts
TIPA requires that businesses have a contract in place with vendors that dictates dictating obligations with respect to processing PI. Contracts must include:
- Instructions for processing PI;
- The nature and purpose of processing;
- Type of data that is subject to processing;
- The duration of processing;
- A duty of confidentiality for individuals who process the PI;
- Obligation to delete or return all PI at the controller’s direction or when it has completed the services, unless retention of the PI is required by law;
- Obligation to make available all information necessary to demonstrate the vendor’s compliance with its obligations;
- Compliance with audits by the controller or independent auditor and to provide a report of the assessment to the controller; and
- Pass along obligations to any subcontractor in a written contract.
Data Minimization
Like many other state consumer privacy laws, Tennessee limits the collection of PI “to what is adequate, relevant and reasonably necessary in relation to the purposes for which such data is processed.” Where processing is not necessary or compatible with the purpose for collection, businesses must obtain consumers’ consent for the processing.
Data Privacy is Just Good Business
Managing privacy compliance with all these new state privacy laws popping up in the U.S., might seem like a daunting task. But just because the task appears daunting, it doesn’t mean that it’s impossible to handle.
You don’t have to go at it alone! With the right support, you can make data privacy measures a sustainable part of your daily operations. That’s where Red Clover Advisors comes in – to deliver practical, actionable, business-friendly privacy strategies to help you achieve data privacy compliance and establish yourself as a consumer-friendly privacy champion that customers will appreciate and trust.
