Tips And Guidelines To Tennessee's Information Protection Act

May 01, 2025 at 11:20 am by kready


The Office of the Tennessee Attorney General’s Division of Consumer Affairs today announced the release of a guide to assist consumers and businesses in understanding the Tennessee Information Protection Act (TIPA), which will take effect on July 1, 2025.

TIPA, passed by the Tennessee General Assembly and signed into law by Governor Bill Lee in 2023, requires certain businesses to ensure consumers’ data and information are protected and gives consumers more control over how their data is collected, processed, and used by those businesses.

“Tennessee’s Information Protection Act goes into effect July 1. This new law protects consumer privacy and gives Tennesseans more transparency and control over corporate data collection and retention,” said Attorney General Jonathan Skrmetti. “Consistent with the law passed by our General Assembly and signed by Governor Lee, my office is glad to provide clear guidance so companies know what they need to do, because Tennessee wants to continue to be an easy place to build and run a business.”

The Division of Consumer Affairs has provided both consumers and businesses with a Frequently Asked Questions (FAQ) and terms list to help Tennesseans better understand the operation of this new law:

FAQ for Consumers

  1. What is TIPA? The Tennessee Information Protection Act is a data protection and privacy law passed in Tennessee in 2023. The law applies to certain businesses collecting and processing the personal information of Tennesseans. The law aims to give Tennesseans control over how their data is collected, processed, and used, while also requiring covered businesses to maintain effective data security practices.
  2. Who does TIPA apply to? TIPA generally applies to larger businesses that handle large amounts of data. The law governs both data "controllers" and data "processors," as defined by TIPA. The data "controller" is the person or entity that actually controls the data and is responsible for determining why and how the data is processed. The data "processor" processes the data provided to it by the controller in accordance with the controller's instructions. Put simply, a controller provides data and direction to a processor to carry out processing activities (for example, analysis or interpretation) on its behalf. By way of example, a data “controller” could include an online retailer that collects and stores data regarding customers’ past purchases. Under these circumstances, the retailer is a controller to the extent it is responsible for deciding how to process the customer data. If the retailer retains a marketing firm to analyze its customer purchase data and generate additional product recommendations for the retailer’s customers, the marketing firm might qualify as a “processor” under TIPA. TIPA, however, does not apply to all businesses that control and/or process data. Certain entities, such as non-profit organizations, state agencies, financial institutions, healthcare companies, and higher education institutions, are exempt. (For more information, see “FAQ for Businesses” below.)
  3. How has TIPA changed Tennessee law? TIPA changes Tennessee law by providing consumers with a set of rights regarding the controlling and processing of their data. In addition, TIPA places new obligations on businesses subject to the law in order to better protect consumers’ personal information.
  4. What rights do I have under TIPA? Under TIPA, Tennessee residents have the right to: (1) confirm if a controller is processing their personal information and gain access to that information, (2) correct inaccuracies in their personal information, (3) have a controller delete the personal information the controller obtains about them (however, the controller does not need to delete aggregated or de-identified information), (4) obtain a portable copy of their personal information, and (5) opt out of targeted advertising, profiling, or sale of their personal information. Consumers also have the right to know: (1) what categories of personal information the controller processes, (2) the purpose for processing their personal information, (3) how they can exercise their rights, including how to appeal a controller’s decision regarding a request, (4) the categories of personal information the controller shares with third parties, if any, and (5) the categories of third parties, if any, the controller shares their personal information with. An entity must respond to a consumer’s request to exercise one of these rights within 45 days of receipt of the request. If a consumer’s request is denied, the entity must provide a description of why the request was denied and must provide a process for submitting an appeal.
  5. What is “profiling”? Profiling is processing of the personal information a controller obtains about a consumer that is carried out solely by automated means. Profiling allows entities to evaluate, analyze, or predict personal aspects of a person’s life, including preferences, interests, location, behavior, socio-economic status, health, movements, political affiliation, etc.
  6. What is “targeted advertising”? Targeted advertising occurs when a consumer sees an advertisement that has been selected for that specific consumer’s viewing based on personal information about the consumer’s interests and preferences obtained from the consumer’s activities across websites or other online applications over time.
  7. What opt-out rights do I have under TIPA? Tennessee consumers have the right to opt out of having their personal information processed for the purposes of: (1) selling personal information of the consumer, (2) targeted advertising, or (3) profiling the consumer for certain purposes.
  8. How can I exercise my rights under TIPA? Under TIPA, entities subject to the statute are required to maintain a privacy notice that describes how consumers can exercise their rights, including how consumers can appeal a controller’s denial of a request to exercise TIPA rights.
  9. What is the effective date for TIPA? The law will go into effect on July 1, 2025.

Consumers can report suspected violations of TIPA through the Division of Consumer Affairs’ online complaint portal. You may also file a complaint by mail, fax, or email by printing and filling out the Complaint Form and sending it using the contact information below. For more information, please contact the Division of Consumer Affairs using the contact information below.

Email: consumer.affairs@ag.tn.gov

Mailing Address: Division of Consumer Affairs, Tennessee Attorney General’s Office, P.O. Box 20207, Nashville, TN 37202-0207 

FAQ for Businesses

  1. Who must comply with TIPA? You or your business are subject to TIPA if you: (1) do business in Tennessee or produce products or services targeting residents of the State, (2) earn more than $25 million in annual revenue, and (3) EITHER: (a) control or process the personal information of at least 25,000 Tennessee consumers and derive 50% of your gross annual revenue from the sale of that information, OR (b) process or control the personal information of at least 175,000 Tennessee consumers during a calendar year.
  2. What is a “sale of personal information”? TIPA defines the “sale of personal information” as any exchange of personal information for valuable monetary consideration by the controller to a third party. TIPA provides that the sale of personal information does not include: (1) disclosure of personal information to a processor engaging in processing on behalf of the controller, (2) disclosure of personal information to a third party for purposes of providing a product or service requested by the consumer, (3) disclosure or transfer of personal information to an affiliate of the controller, (4) disclosure of personal information that the consumer intentionally made available to the general public via mass media and did not restrict to a specific audience, or (5) disclosure to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller’s assets.
  3. Who is exempt from TIPA? Various entities and groups are exempt from the requirements of TIPA, including: (1) political subdivisions of the State, as well as bodies, authorities, boards, bureaus, commissions, districts, or other agencies of the State, (2) financial institutions and affiliates of a financial institution, (3) covered entities or business associates governed by the Privacy, Security, and Breach Notification Rules of the Health Insurance Portability and Accountability Act (HIPAA), (4) non-profit organizations, and (5) higher-education institutions.
  4. Does TIPA include a set of consumer rights? Yes. Under TIPA, Tennessee residents have the right to: (1) confirm if a controller is processing their personal information and gain access to that information, (2) correct inaccuracies in their information, (3) delete the personal information that the consumer provided to, or that the controller obtained about, the consumer (however, the controller does not need to delete aggregated or de-identified information), (4) obtain a portable copy of their personal information, and (5) opt out of targeted advertising, profiling, or sale of their personal information. Consumers also have the right to know: (1) what categories of personal information the controller processes, (2) the purpose for processing the personal information, (3) how they can exercise their rights, including how to appeal a controller’s decision regarding a request, (4) the categories of personal information the controller shares with third parties, if any, and (5) the categories of third parties, if any, the controller shares the personal information with. (For more information, see “FAQ for Consumers” above.)
  5. What responsibilities does TIPA place on controllers of information? If your business qualifies as a data controller, then you: (1) must provide consumers with a reasonably accessible privacy notice; (2) must limit the collection of personal information to what is adequate, relevant, and reasonably necessary for the purpose for which data is processed, as disclosed to the consumer; (3) must not process personal information for purposes beyond what is reasonably necessary to achieve the objectives for the processing, as disclosed to the consumer, unless you obtain consumer consent; (4) must establish, implement, and maintain reasonable administrative, technical, and physical data security practices; (5) must not process personal information in violation of a state or federal law that prohibits discrimination against consumers; and (6) must not process sensitive data concerning a consumer without obtaining their consent. If the controller seeks to process sensitive data of a known child, it must do so in accordance with the Children’s Online Privacy Protection Act. Controllers will not be required to delete aggregated or de-identified information, provided the information is not linked to a specific consumer.
  6. What must a controller’s privacy notice include? TIPA requires that controllers provide consumers with a privacy notice that explains: (1) the categories of personal information the controller possesses; (2) the purpose for processing the personal information; (3) how a consumer can exercise their rights under TIPA; (4) how a consumer can appeal a controller’s decision denying a request to exercise their rights; (5) the categories of personal information the controller shares with third parties; and (6) the categories of third parties that the controller will share personal information with.
  7. What responsibilities does TIPA place on processors of information? If your business qualifies as a data processor, then you must: (1) adhere to all instructions outlined by the controller and assist the controller in meeting the requirements under TIPA; (2) take into account the nature of the processing activity and the types of information available to the processor to fulfill consumer requests regarding consumer rights; and (3) provide appropriate information to enable the controller to conduct a Data Protection Assessment as required by TIPA.
  8. What does TIPA say about contractual obligations between data controllers and data processors? TIPA requires that a written contract be in place governing the processor’s data processing activities and practices taken on behalf of the controller. The contract must require that the processor: (1) ensures each person processing the personal information is subject to a duty of confidentiality; (2) deletes or returns all personal information to the controller at the end of the contract term, at the controller’s direction; (3) makes available all information in its possession upon the reasonable request of the controller to demonstrate compliance with TIPA obligations; (4) allows and cooperates with reasonable assessments by the controller or the controller’s designated assessor; and (5) requires any subcontractors, pursuant to a written contract, to meet the same obligations as the processor concerning the personal information.
  9. How is TIPA enforced? The Tennessee Attorney General has the exclusive authority to enforce all provisions of the statute. To bring an enforcement action, the Attorney General must have reasonable cause to believe that a data controller or data processor is in violation of TIPA by way of inquiry or consumer complaint. Before taking any action for violations of TIPA, the Attorney General must give the entity a written notice of the violations and must allow for a 60-day right to cure. If the controller or processor successfully cures the violations and provides the Attorney General with express written notice of the cure, no further action will be taken unless a subsequent violation occurs or the previous violation persists.
  10. Is there an affirmative defense available under TIPA? Yes. A controller or processor will have an affirmative defense to a violation of TIPA if it can show that it creates, maintains, and complies with a written privacy policy that: (1) reasonably conforms to the National Institute of Standards and Technology (NIST) privacy framework titled “A Tool for Improving Privacy through Enterprise Risk Management, Version 1.0,” or another comparable privacy framework; (2) is updated to reasonably conform with a subsequent revision to the NIST or comparable privacy framework within two (2) years of the publication date stated in the most recent revision to that framework; and (3) provides a person with the substantive rights required by TIPA.
  11. What is considered a “comparable privacy framework”? TIPA instructs that the appropriateness of the scale and scope of a controller or processor’s privacy program will depend on: (1) the size and complexity of the controller or processor’s business; (2) the nature and scope of the activities of the controller or processor; (3) the sensitivity of the personal information processed; (4) the cost and availability of tools to improve privacy protections and data governance; and (5) compliance with a comparable state or federal law. With this in mind, certification pursuant to the Global Cross-Border Privacy Rules system (a system based on the Asia-Pacific Economic Cooperation’s Privacy Recognition for Processors system and its Cross-Border Privacy Rules system) may be considered in addition to the factors listed above.
  12. When does TIPA go into effect? TIPA, in its entirety, goes into effect July 1, 2025. Even so, the data protection assessment requirements apply to processing activities that were created or generated on or after July 1, 2024; they do not apply retroactively to processing activities created or generated before that date.

Key Terms
