The Tennessee Information Protection Act took effect on July 1, 2025, making it one of the newest US state privacy laws. The law’s high applicability thresholds and unique NIST framework safe harbor create a business-friendly enforcement environment.
How TIPA Enforcement Works
The Tennessee Attorney General has exclusive enforcement authority under TIPA. Consumers cannot bring private lawsuits, including class actions, for violations.
Before initiating any enforcement action, the Attorney General must provide 60 days’ written notice and an opportunity to cure the violation. This is among the longer cure periods in state privacy laws.
Penalties can reach up to $7,500 per violation, plus reasonable attorney’s fees and investigative costs.
The NIST Affirmative Defense
TIPA includes a unique safe harbor not found in any other state privacy law. Businesses can assert an affirmative defense if they create, maintain, and comply with a written privacy policy that reasonably conforms to the NIST privacy framework.
This defense provides significant protection. If a business can demonstrate NIST compliance, it has a legal basis to defend against enforcement actions.
Enforcement Status
As of January 2026, the Tennessee Attorney General has not publicly announced enforcement actions or fines under TIPA. The law has been in effect for approximately six months.
Given the high applicability thresholds, the 60-day cure period, and the NIST affirmative defense, formal enforcement actions may be limited.
Enforcement Considerations
Several factors make Tennessee’s enforcement environment unique:
Narrow applicability. The $25 million revenue requirement combined with the 175,000-consumer threshold (the highest of any state) means relatively few businesses are covered. Fewer covered entities mean fewer potential enforcement targets.
NIST safe harbor. Businesses with documented NIST-compliant privacy policies have a strong defense against enforcement. This may encourage the Attorney General to focus on businesses without such documentation.
Long cure period. The 60-day cure period provides substantial time to address issues before penalties apply.
Expected Focus Areas
If enforcement does occur, likely focus areas include:
Businesses without NIST compliance. The safe harbor creates an incentive structure where businesses lacking NIST documentation are more vulnerable to enforcement.
Sensitive data processing. TIPA requires consent for sensitive data processing. Processing health data, biometric data, or children’s data without consent is a clear violation.
Data sales and targeted advertising. Consumers have opt-out rights for data sales and targeted advertising. Non-functional opt-out mechanisms could attract attention.
Attorney General Guidance
In April 2025, the Tennessee Attorney General’s office provided tips and guidelines to businesses and consumers regarding TIPA compliance. This guidance signals the AG’s intent to support compliance rather than pursue aggressive enforcement, at least initially.
What This Means for Your Organization
If your business meets Tennessee’s high thresholds, the NIST affirmative defense should be a priority. Implementing a NIST-compliant privacy policy provides meaningful protection against enforcement.
Steps to take:
- Assess whether you meet the $25 million revenue AND 175,000-consumer thresholds
- If covered, develop a privacy policy conforming to the NIST privacy framework
- Document your NIST compliance to support any future affirmative defense
- Implement consent mechanisms for sensitive data processing
The combination of high thresholds, a 60-day cure period, and the NIST safe harbor makes Tennessee among the most business-friendly enforcement environments.
