Tennessee Governor Bill Lee signed the Tennessee Information Protection Act (TIPA) into law on May 11, 2023. TIPA becomes effective on July 1, 2025, and groups Tennessee with California, Colorado, Virginia, and other states that have published their own data privacy law while waiting for a comprehensive federal law from the U.S. Government.

TIPA largely follows the compliance framework established by the European Union’s General Data Protection Regulation (GDPR). Data controllers and processors conducting business in Tennessee should therefore be able to adapt their existing compliance program to TIPA quickly, since the act imposes compliance obligations similar to those found in the Colorado Privacy Act, the Montana Consumer Data Privacy Act, and the Virginia Consumer Data Protection Act.

This article presents an overview of the Tennessee Information Protection Act, outlining key definitions, obligations, and timelines. Keep reading to learn more about TIPA and discover what your organization must do to comply with Tennessee’s latest data privacy law.


Who must comply with TIPA? 


TIPA imposes privacy, disclosure, and transparency obligations on data controllers who conduct business in Tennessee or target residents of Tennessee for the sale of products or services. However, TIPA only applies to data controllers that meet both of the following revenue and processing thresholds:

  • Revenue: Exceeds USD 25 million in annual revenue
  • Processing: Either control the personal information of at least 25,000 consumers and derive more than 50% of annual gross revenue from selling that information, OR control the personal information of at least 175,000 consumers within a calendar year.

TIPA’s scope is far more restrictive than that of other state privacy laws, because it requires covered entities to meet both a revenue threshold and a processing threshold. The act also outlines exemptions for specific categories of organizations, industries, and data.

TIPA exemptions

The Tennessee Information Protection Act does not apply to the following entities:

  • Government entities
  • Nonprofit organizations
  • Financial institutions
  • Institutions of higher education
  • HIPAA-regulated organizations
  • Gramm-Leach-Bliley Act-regulated organizations
  • Insurance companies licensed in Tennessee

TIPA also does not apply to these classes of data:

TIPA protects all other types of data, granting Tennessee residents and consumers several data privacy rights and safeguards. 

What rights does TIPA grant to consumers?

The Tennessee Information Protection Act grants rights to resident consumers acting in an individual capacity or on behalf of their household. The privacy law does not apply to consumers acting on behalf of a commercial entity or organization. Under TIPA, consumers have the following rights:

  • Confirmation: TIPA grants consumers the right to confirm whether a controller collects or processes their personal data.
  • Access: TIPA grants consumers the right to access the data a controller has previously collected or processed.
  • Correction: TIPA grants consumers the right to correct inaccuracies found in their personal data.
  • Deletion: TIPA grants consumers the right to delete personal data that a controller has previously collected or processed. 
  • Data portability: TIPA grants consumers the right to obtain a copy of all the data a controller has collected or processed. 
  • Opt-out: TIPA grants consumers the right to opt out of data collection activities established by a controller for targeted advertising, data sales, or profiling. 

Tennessee residents can exercise the consumer rights granted to them by TIPA by submitting authenticated requests to the data controller responsible for collecting or processing their data. After a consumer submits a request, the data controller has 45 days to respond. The controller can extend this period by an additional 45 days if the request is complex or if the controller must handle an unusually large volume of requests at once. TIPA also grants consumers the right to appeal a controller's refusal to take action on a submitted request. Data controllers must respond to all appeal requests within 60 days.

In addition to honoring consumer requests, data controllers must also adhere to several disclosure and transparency obligations included within TIPA.

What obligations does TIPA impose on data controllers?

The Tennessee Information Protection Act imposes obligations on data controllers who process a consumer’s personal information and sensitive data. TIPA defines personal information and sensitive data as follows:

  • Personal information: Data and information that could be reasonably linked to an identified or identifiable, natural person
  • Sensitive data: Information that contains genetic or biometric data, data of a child, precise geolocation data, or reveals an individual’s racial or ethnic origin, immigration status, religious beliefs, or health status

Under TIPA, organizations that collect the personal information or sensitive data of a Tennessee consumer must adhere to the following obligations: 

  • Limited collection: TIPA requires data controllers to limit their collection of a consumer’s personal data to what is reasonably adequate, relevant, and necessary for the disclosed data processing purposes.
  • Data security controls: TIPA requires data controllers to establish and maintain reasonable administrative, technical, and physical data security practices to safeguard the confidentiality and integrity of consumer data.
  • Customer consent: TIPA requires data controllers to obtain consumer consent before they process the consumer’s sensitive data.
  • Privacy notice: TIPA requires data controllers to provide a clear and accessible privacy policy. The notice must include the types of personal data they will collect and process, the purpose for this collection and processing, the categories of personal information they will share with third-party vendors and service providers, the categories of third parties that will receive the data, contact information, and an explanation of how data subjects can exercise the rights granted to them by TIPA. 
  • Sale of personal data: TIPA requires data controllers to disclose if they intend to participate in the sale of personal information to third parties or participate in targeted advertising.
  • Universal opt-out mechanism: TIPA requires data controllers to allow consumers to opt out of the sale or processing of their data for targeted advertising.
  • Data protection assessment: TIPA requires data controllers to conduct a data protection impact assessment on processing activities that present privacy risks to consumers, including targeted advertising, the sale of data, and the processing of sensitive data. Data controllers must also conduct impact assessments on any profiling activities.
  • De-identified data: TIPA requires data controllers who have collected de-identified data to take reasonable security measures to ensure the data cannot be re-identified or connected to an individual in the future. Data controllers must also contractually obligate any third parties or other recipients of the data to comply with TIPA.
  • Data of a known child: TIPA aligns with the Children’s Online Privacy Protection Act (COPPA) and requires data controllers to obtain parental consent before processing the data of any child under 13 years of age.

While TIPA primarily imposes obligations on data controllers, it also imposes a few obligations on data processors (individuals or entities who specialize in processing personal data on behalf of data controllers). 

What obligations does TIPA impose on data processors?

The obligations TIPA outlines for data processors are significantly less stringent than the ones the act imposes on data controllers. However, under TIPA, data processors must help data controllers comply with the act: processors must cooperate with their controllers to abide by TIPA and honor all consumer requests. TIPA also requires these obligations and other essential compliance practices to be set out in a contractual agreement before a processor begins to process data on behalf of a controller.

Penalties for non-compliance and TIPA enforcement

Unlike the California Consumer Privacy Act and subsequent California Privacy Rights Act, TIPA does not offer consumers the private right of action. Instead, the Tennessee Attorney General has the sole authority to enforce TIPA, investigate instances of non-compliance, and issue monetary penalties. 

Before taking action against a data controller or processor, the Tennessee Attorney General must provide written notice to the controller or processor, allowing a 60-day cure period. If the controller or processor does not remedy all alleged violations listed in the notice within the cure period, the Tennessee Attorney General’s Office can bring the violator to court, seeking injunctive relief or declaratory judgment. The court may impose civil penalties of up to $7,500 per violation (in addition to attorney’s fees and investigative costs) and can award treble damages if it determines the violating organization knew it was committing a violation.

Affirmative defense

TIPA is one of the few US state privacy laws that offers businesses the possibility of an affirmative defense (evidence that negates or mitigates liability). If an organization is brought to court, TIPA provides that it may be granted an affirmative defense if it has developed a written privacy program that follows the National Institute of Standards and Technology’s (NIST) privacy framework. Tennessee was the first state to adopt this safe harbor for organizations following the NIST privacy framework.


Achieve comprehensive TIPA compliance with UpGuard

Complying with TIPA can be challenging if your organization partners with several third-party vendors or service providers. Not only does the Tennessee Information Protection Act require data controllers to ensure their own operations comply with its obligations, but it also requires data controllers to ensure all their contractors and subcontractors achieve compliance.

Given these strict first- and third-party requirements, your organization should streamline its compliance management program with a robust cybersecurity solution like UpGuard Vendor Risk.

UpGuard offers organizations across industries robust third-party risk management (TPRM) and compliance reporting tools that help identify, assess, remediate, and document third-party compliance risks, all in one intuitive software.

Here’s how UpGuard has helped organizations similar to yours with TPRM and compliance management:

  • Mattress Firm: “When I add a new vendor in UpGuard, I see their ratings and download the report to keep as a baseline. I can also identify any outstanding remediation issues on existing vendors and ensure they’re resolved.”
  • Rimi Baltic: “Before UpGuard, conducting proper research for each vendor would eat up a lot of time – Does it comply with our requirements? Where is their data located? Do they have privacy policies? UpGuard has saved us a significant amount of time with its automation process. I would say it definitely saves us a few days per month. For example, in initial research that would have taken me 1-2 hours, I can get that answer in 5-10 minutes.” 
  • Wesley Mission Queensland: “One of the best features of the platform is being able to bring all our vendors into one place and manage it from there. We can also set reassessment dates which means we don’t have to manage individual calendar reminders for each vendor.”

These and other UpGuard customers have elevated their TPRM programs with UpGuard Vendor Risk’s powerful features and tools: 

  • Vendor risk assessments: Fast, accurate, and comprehensive view of your vendors’ security posture
  • Security ratings: Objective, data-driven measurements of an organization’s cyber hygiene
  • Security questionnaires: Flexible questionnaires that accelerate the assessment process and provide deep insights into a vendor’s security
  • Reports library: Tailor-made templates that support security performance communication to executive-level stakeholders  
  • Risk mitigation workflows: Comprehensive workflows to streamline risk management measures and improve overall security posture
  • Integrations: Application integrations for Jira, Slack, ServiceNow, and over 4,000 additional apps with Zapier, plus customizable API calls
  • Data leak protection: Protect your brand, intellectual property, and customer data with timely detection of data leaks and avoid data breaches
  • 24/7 continuous monitoring: Real-time notifications and new risk updates using accurate supplier data
  • Attack surface reduction: Reduce your attack surface by discovering exploitable vulnerabilities and domains at risk of typosquatting
  • Shared Profile: Eliminate having to answer security questionnaires by creating an UpGuard Shared Profile
  • Intuitive design: Easy-to-use first-party dashboards
  • World-class customer service: Plan-based access to professional cybersecurity personnel that can help you get the most out of UpGuard

Elevate your compliance and TPRM programs with UpGuard Vendor Risk today. TIPA’s effective date is July 1, 2025.
