
Understanding Tennessee Information Protection Act (TIPA): Key Provisions and Responsibilities

With data privacy laws changing across the United States, Tennessee also made an important move to protect consumer data by introducing its own privacy law, effective from July 1, 2025. This blog breaks down the Tennessee Information Protection Act (TIPA), explaining its main points, consumer rights, responsibilities for data controllers, exemptions, and how it will be enforced. 

Scope of the Act 

The Tennessee Information Protection Act applies to businesses operating in the state that meet specific thresholds: 

  1. Entities that control or process personal information of at least 100,000 consumers within a calendar year. 
  2. Entities that control or process personal information of at least 25,000 consumers and derive more than 50% of gross revenue from the sale of personal information. 

This ensures that businesses handling significant volumes of consumer data comply with the new privacy requirements. 

Consumer Rights 

The Tennessee Information Protection Act grants consumers several rights to protect their personal information. These include: 

  1. Right to Access – Consumers can request access to their personal information held by a business. 
  2. Right to Correction – Consumers can request corrections to inaccurate personal data. 
  3. Right to Deletion – Consumers can ask businesses to delete their personal data, subject to certain exceptions. 
  4. Right to Data Portability – Consumers can obtain a copy of their data in a portable format. 
  5. Right to Opt-Out – Consumers can opt out of the sale of their personal information and targeted advertising. 
  6. Right to Appeal – If a request is denied, consumers have the right to appeal the decision. 

These rights empower consumers by providing transparency and control over their personal data. 

Responsibilities of Businesses 

Businesses that collect and process consumer data must adhere to strict guidelines to ensure data privacy and security: 

  1. Data Minimization – Controllers must limit data collection to what is adequate and relevant for the disclosed purposes. 
  2. Purpose Limitation – Data cannot be processed for purposes beyond those originally disclosed to the consumer without their consent. 
  3. Data Security Measures – Businesses must implement reasonable security practices to protect personal data. 
  4. Non-Discrimination – Consumers cannot be denied services or charged differently for exercising their privacy rights. 
  5. Sensitive Data Handling – Controllers cannot process sensitive data without explicit consumer consent. 
  6. Transparency – Businesses must provide clear privacy notices outlining the categories of data collected, the purposes for processing, consumer rights, and how to opt out of data sales or targeted advertising. 

Additionally, businesses must provide at least one method for consumers to exercise their rights, such as a toll-free phone number, email, web form, or an opt-out link on the company's homepage. 

Exemptions Under the Act 

Certain entities and data types are exempt from the Tennessee Information Protection Act. These include: 

  1. Government Entities – Any state or local government agency, board, commission, or authority. 
  2. Financial Institutions & Data – Banks and financial institutions, including their affiliates, that follow the Gramm-Leach-Bliley Act (GLBA) privacy rules. 
  3. Insurance Companies – Licensed insurance businesses operating in the state. 
  4. Healthcare Entities – Covered healthcare providers and business associates following HIPAA privacy, security, and breach notification rules. 
  5. Nonprofits – Charitable organizations and nonprofit groups. 
  6. Colleges & Universities – Institutions of higher education. 
  7. Protected Health Data – Medical records and personal health information covered by HIPAA and other health laws. 
  8. Scientific & Medical Research – Personal data used in research that follows federal human subject protection rules, good clinical practices, or FDA research guidelines. 
  9. Healthcare Quality & Safety – Information created under federal healthcare quality improvement and patient safety laws. 
  10. De-identified Medical Data – Healthcare data that has been de-identified according to HIPAA standards. 
  11. Public Health Information – Data used strictly for public health purposes under HIPAA. 
  12. Credit & Financial Data – Consumer credit reports and financial data regulated by the Fair Credit Reporting Act (FCRA). 
  13. Driver & Vehicle Records – Personal data protected under the Driver's Privacy Protection Act (DPPA). 
  14. Student Records – Information covered by the Family Educational Rights and Privacy Act (FERPA). 
  15. Agricultural Data – Information regulated under the Farm Credit Act. 
  16. Employment-Related Data – Information collected for employment, independent contractor roles, or emergency contact purposes. 
  17. Scientific & Statistical Research – Data used in public interest research following federal standards. 
  18. Licensed Insurance Producers – Insurance agents operating under state law. 

These exemptions ensure that organizations already regulated under federal privacy laws do not face conflicting compliance requirements. 

Limitations on Enforcement 

The law includes specific limitations to protect businesses from undue restrictions. It does not prevent businesses from: 

  • Complying with state, federal, or local laws 
  • Cooperating with law enforcement 
  • Investigating and defending legal claims 
  • Protecting public safety and preventing fraud 
  • Conducting internal research to improve products and services 

These provisions strike a balance between privacy protections and practical business operations. 

Enforcement and Penalties 

The Tennessee Attorney General has exclusive authority to enforce the law. Businesses found in violation will be given a 60-day cure period to rectify issues before legal action is taken. If the violation is not addressed, the Attorney General may pursue: 

  • Declaratory judgments 
  • Injunctive relief 
  • Civil penalties of up to $15,000 per violation 
  • Attorney's fees and investigative costs 

A violation is assessed based on factors such as the number of affected consumers, the severity of the violation, and the business’s size and complexity. 

Conclusion 

The Tennessee Information Protection Act is an important law that protects consumer privacy rights. Businesses in Tennessee must check their data collection, processing, and security practices to ensure they follow this law. Companies can earn consumer trust and avoid large fines by meeting the law’s requirements. As privacy laws change, businesses should keep updating their policies and improving their security measures.