Tennessee Information Protection Act: 101 – What You Need to Know

Scott Dooley
Jan 10, 2026 · Last updated: January 1, 2026

Tennessee passed its Information Protection Act in May 2023, with the law taking effect on July 1, 2025. The law includes the highest consumer threshold of any state privacy law, reflecting a business-friendly approach, and offers a unique safe harbor for businesses following the NIST privacy framework.

What Is TIPA?

The Tennessee Information Protection Act (TIPA) grants Tennessee residents rights over their personal data and establishes obligations for covered businesses. The law is notable for its NIST framework affirmative defense and its high applicability thresholds.

Enforcement is handled by the Tennessee Attorney General. There is no private right of action.

Does It Apply to Your Business?

TIPA has the highest applicability thresholds of any enacted state privacy law. A business must meet the revenue requirement below and at least one of the two consumer thresholds:

Revenue requirement: Annual revenues exceeding $25 million.

Plus one of these thresholds:

Threshold 1: Control or process personal information of at least 175,000 Tennessee consumers.

Threshold 2: Control or process personal information of at least 25,000 Tennessee consumers AND derive more than 50% of gross revenue from selling that data.

The 175,000-consumer threshold is the highest of any state privacy law, making TIPA one of the most narrowly applicable state laws.

Exemptions

Several categories are exempt from TIPA:

  • Government entities
  • Nonprofit organizations
  • HIPAA-covered entities and business associates
  • Higher education institutions (public and private)
  • Insurance companies licensed under state law
  • Financial institutions regulated by the Gramm-Leach-Bliley Act

Key Consumer Rights

Tennessee residents have the following rights:

  • Right to confirm whether a business is processing their personal data
  • Right to access their personal data
  • Right to correct inaccuracies
  • Right to delete their personal data
  • Right to obtain a portable copy of their data
  • Right to opt out of the sale of personal data
  • Right to opt out of targeted advertising
  • Right to opt out of profiling for certain decisions

Business Obligations

Covered entities must:

  • Provide clear privacy notices
  • Implement reasonable data security measures
  • Obtain consent before processing sensitive data
  • Respond to consumer requests within 45 days (with a possible 45-day extension)
  • Conduct data protection assessments for high-risk processing

Data protection assessment requirements apply to processing activities created or generated on or after July 1, 2024.

The NIST Safe Harbor

TIPA includes a unique provision allowing businesses to assert an affirmative defense if they create, maintain, and comply with a written privacy policy that reasonably conforms to the National Institute of Standards and Technology (NIST) privacy framework.

This safe harbor is not found in any other state privacy law and can provide significant protection against enforcement actions for businesses that implement the NIST framework.

Sensitive Data

TIPA requires consent before processing sensitive data, which includes:

  • Racial or ethnic origin
  • Religious beliefs
  • Mental or physical health diagnosis
  • Sexual orientation
  • Citizenship or immigration status
  • Genetic data
  • Biometric data
  • Personal data of known children
  • Precise geolocation data

Enforcement and Penalties

The Tennessee Attorney General has exclusive enforcement authority.

The law includes a 60-day cure period. Before initiating any action, the Attorney General must provide 60 days’ written notice and an opportunity to cure.

Penalties can reach up to $7,500 per violation, plus reasonable attorney’s fees and investigative costs.

Key Dates

  • May 11, 2023: TIPA signed into law
  • July 1, 2024: Data protection assessment requirements began applying to new processing activities
  • July 1, 2025: TIPA took effect

Where to Find Official Resources

Getting Started

Tennessee’s high thresholds mean fewer businesses are covered compared to other states. The $25 million revenue requirement combined with the 175,000-consumer threshold creates a narrow applicability band.

If your business is covered, consider implementing a NIST-compliant privacy policy to take advantage of the affirmative defense. This can provide protection against enforcement that is not available under any other state law.

Author

  • Scott Dooley is a seasoned entrepreneur and data protection expert with over 15 years of experience in the tech industry. As the founder of Measured Collective and Kahunam, Scott has dedicated his career to helping businesses navigate the complex landscape of data privacy and GDPR compliance.

    With a background in marketing and web development, Scott brings a unique perspective to data protection issues, understanding both the technical and business implications of privacy regulations. His expertise spans from cookie compliance to implementing privacy-by-design principles in software development.

    Scott is passionate about demystifying GDPR and making data protection accessible to businesses of all sizes. Through his blog, he shares practical insights, best practices, and the latest developments in data privacy law, helping readers stay informed and compliant in an ever-changing regulatory environment.