Tennessee passed a law called the Tennessee Information Protection Act (TIPA) that aims to protect the personal information of Tennessee residents. TIPA is just one of many state privacy laws that have been passed in the United States. In fact, this spring alone, four other privacy laws were also enacted, in addition to other laws that specifically affect certain types of data.

Who does TIPA impact?

This new law applies to companies that have more than $25 million in gross revenue, that do business in Tennessee or target products or services to Tennessee consumers, and that:

  • Control or process personal information of 175,000 or more Tennessee consumers; or
  • Control or process personal information of 25,000 or more Tennessee consumers and derive over 50% of gross revenue from the sale of that data.

Who is exempt from TIPA?

TIPA defines a “consumer” as a person who lives in Tennessee and is using items for themselves. This doesn’t include people who work for a company or people who are part of a business deal. The exemptions to TIPA closely mimic those of other state privacy laws. For example, personal information covered by laws such as the Health Insurance Portability and Accountability Act (HIPAA), the Children’s Online Privacy Protection Act (COPPA), the Gramm-Leach-Bliley Act, the Family Educational Rights and Privacy Act, and a litany of other federal laws is exempt. The law doesn’t apply to government groups, charities, or higher education institutions. There are also some circumstances in which personal information can be used, such as when it’s needed to follow the law, to stop fraud, or to protect someone in a legal case.

What consumer rights are created?

The TIPA creates consumer rights that allow Tennessee residents to access, correct, and delete their personal information. They can also obtain a copy of their personal information that was previously provided to the controller. Moreover, Tennessee residents have the right to opt out of a controller’s processing of personal information for the purposes of selling personal information, targeted advertising, and profiling. Your organization will need to be prepared to respond to consumer requests related to the exercise of these new rights.

Who will enforce TIPA?

The Tennessee Attorney General has the exclusive authority to enforce the TIPA, and there is no private right of action.

What do I need to do to comply?

To comply with the TIPA, businesses need to provide a privacy notice, establish a secure means for consumers to exercise their privacy rights, obtain consumer consent to process sensitive data, enter into contracts with processors, and conduct and document data protection assessments. The TIPA provides an affirmative defense to a cause of action for a TIPA violation where a controller creates, maintains, and complies with a written privacy policy that reasonably conforms to the National Institute of Standards and Technology (“NIST”) privacy framework entitled “A Tool for Improving Privacy through Enterprise Risk Management Version 1.0.” This means that if a controller adopts a privacy program that reasonably conforms to the NIST framework, it may be able to avoid liability for certain violations of the TIPA.

The TIPA comes into effect on July 1, 2025.

What happens if I don’t comply?

If a business violates the law, the Tennessee Attorney General must give the controller 60 days’ written notice and an opportunity to cure. If an enforcement action follows, penalties for violations of the TIPA are up to $15,000 per violation.

What can I do now to get ready?

If you believe your business may be subject to this new Tennessee law, one of the best first steps is to have a NIST Privacy Assessment performed. This activity will assess the completeness and maturity of the privacy-related practices inside your organization. Through a series of interviews with key stakeholders and subject matter experts, as well as a review of select documentation, our team of privacy professionals will evaluate the people, processes and technology that contribute to the protection of Personally Identifiable Information.

LBMC can also help you with the review and/or creation of Policies and Procedures. Existing policies can be reworked, or completely new policies can be provided to help organizations ensure a focus on consumer privacy.

Finally, LBMC can help you with customized Privacy Consulting services. If you need to improve your existing program, or if you need to start fresh with a brand-new privacy program, our knowledgeable professionals can provide consulting to help you to improve your privacy practices.

Content provided by LBMC Information Security professionals, Van Steel and Dennis McGough.