Tennessee Information Protection Act: A Practical Guide

Tennessee's TIPA privacy law explained for small businesses: dual thresholds, NIST defense, consumer rights, and compliance steps effective July 2025.

Last updated: 2026-02-08

Tennessee's Information Protection Act (TIPA) went into effect on July 1, 2025, and it comes with a unique twist that no other state privacy law offers: an affirmative defense for businesses that follow a recognized privacy framework like the NIST Privacy Framework. For small and mid-sized businesses already investing in good data practices, that is a meaningful incentive. But first, you need to understand what TIPA requires and whether it applies to your business at all.

Disclaimer: This article is for informational purposes only and does not constitute legal advice. Privacy regulations are complex and change frequently. You should consult a qualified attorney for guidance specific to your business. The information here is based on the Tennessee Information Protection Act (HB 1181, 2023), codified at Tenn. Code Ann. §§ 47-18-3301 et seq., as of the date of publication.

TIPA joined a growing list of state privacy laws modeled on Virginia's VCDPA. But Tennessee added higher applicability thresholds and that distinctive NIST framework defense. This guide breaks down the law in practical terms -- who it covers, what rights consumers have, what businesses must do, and how to use the NIST defense to your advantage.

Does This Law Apply to Your Business?

TIPA has a dual threshold that makes it narrower in applicability than most other state privacy laws. To be covered, a business must meet both a revenue threshold and a consumer data threshold:

Revenue requirement: The business must exceed $25 million in annual revenue.

Plus one of the following:

  1. Control or process the personal data of 100,000 or more Tennessee consumers during a calendar year.
  2. Control or process the personal data of at least 25,000 Tennessee consumers and derive more than 50% of gross revenue from the sale of personal data.

This "revenue AND consumer count" structure is significant. A startup that processes data on 200,000 Tennessee consumers but generates only $2 million in revenue is not covered by TIPA. Conversely, a company with $50 million in revenue but only 5,000 Tennessee consumer records is also not covered. Both conditions must be met.

Example: A mid-sized e-commerce company based in Nashville generates $30 million in annual revenue and has 150,000 Tennessee customers in its database. This company meets both the revenue threshold ($25M+) and the consumer threshold (100K+), so TIPA applies.

Example: A small marketing agency in Memphis generates $3 million in revenue and processes data on 40,000 Tennessee consumers, earning 60% of its revenue from data sales. Despite meeting the second consumer threshold, the agency does not meet the $25 million revenue requirement. TIPA does not apply.

Exemptions. TIPA exempts state and local government entities, entities and data subject to HIPAA, GLBA, FCRA, FERPA, and the Driver's Privacy Protection Act. Nonprofits and higher education institutions are also exempt. Employee data and B2B contact information are excluded from the definition of "consumer."

What Rights Do Consumers Have?

TIPA grants Tennessee consumers a standard set of privacy rights that aligns closely with the Virginia model:

Right to Access. Consumers can confirm whether a business is processing their personal data and access that data.

Right to Correction. Consumers can request that inaccurate personal data be corrected.

Right to Deletion. Consumers can request deletion of their personal data.

Right to Data Portability. Consumers can obtain a copy of their data in a portable, readily usable format.

Right to Opt Out. Consumers can opt out of the processing of their personal data for targeted advertising, the sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects.

| Right | Granted? | Notes |
|---|---|---|
| Access | Yes | Confirm processing and access personal data |
| Correction | Yes | Request correction of inaccurate data |
| Deletion | Yes | Request deletion of personal data |
| Data Portability | Yes | Obtain data in a portable, readily usable format |
| Opt-Out of Targeted Ads | Yes | Consumer can opt out of targeted advertising |
| Opt-Out of Data Sales | Yes | Consumer can opt out of sale of personal data |
| Opt-Out of Profiling | Yes | Limited to decisions with legal or similarly significant effects |
| Right to Non-Discrimination | Yes | Cannot discriminate against consumers for exercising rights |

Businesses must respond to consumer requests within 45 days, with the option to extend by an additional 45 days when reasonably necessary. If a request is denied, the business must provide an appeal mechanism, and the consumer appeal must be addressed within 60 days.

What Your Business Must Do

If TIPA applies to your business, here is what compliance looks like in practice.

Publish a comprehensive privacy notice. Your privacy policy must disclose the categories of personal data you process, the processing purposes, how consumers can exercise their rights, the categories of data shared with third parties, and the categories of those third parties. If you sell personal data or use it for targeted advertising, that must be clearly disclosed.

Build consumer request workflows. You need reliable, documented processes for receiving, verifying, and responding to all consumer rights requests. This includes access, correction, deletion, portability, and opt-out requests. The 45-day deadline (extendable to 90 days) requires systems that can locate and compile personal data efficiently. For a practical framework, see our guide on how to respond to a DSAR.

Implement an appeal process. TIPA requires that consumers be able to appeal denied requests. Your appeal process must result in a response within 60 days, and if the appeal is denied, you must provide a way for the consumer to contact the Tennessee Attorney General.

Obtain opt-in consent for sensitive data. Sensitive data under TIPA includes racial or ethnic origin, religious beliefs, mental or physical health diagnoses, sexual orientation, citizenship or immigration status, genetic or biometric data, data from known children, and precise geolocation data. You must obtain affirmative opt-in consent before processing any of these categories.

Conduct data protection assessments. TIPA requires assessments for processing activities involving targeted advertising, the sale of personal data, processing of sensitive data, and profiling. These assessments must evaluate the benefits of processing against the potential risks to consumers and must be made available to the Attorney General upon request.

Implement processor agreements. Contracts with data processors must specify the processing instructions, nature and purpose of processing, data type, duration, and obligations for confidentiality, security, and data return or deletion.

Consider the NIST Privacy Framework. This is where Tennessee stands apart. TIPA provides an affirmative defense for businesses that create, maintain, and comply with a written privacy program that reasonably conforms to the NIST Privacy Framework (or other frameworks and standards specified by the Attorney General). This does not prevent enforcement, but it gives you a strong legal defense if an enforcement action is brought. Practically speaking, adopting the NIST Privacy Framework and documenting your adherence to it is one of the most valuable steps a TIPA-covered business can take.

How Is It Enforced?

TIPA is enforced exclusively by the Tennessee Attorney General. There is no private right of action.

The law provides a 60-day cure period. After receiving notice of an alleged violation from the Attorney General, the business has 60 days to cure the violation and provide a written statement that the violation has been remedied and will not recur. This is more generous than the 30-day cure period in most Virginia-model states. However, the cure period sunsets on July 1, 2027 -- after that date, the Attorney General has discretion over whether to offer cure opportunities.

Penalties for violations can reach up to $7,500 per violation under Tennessee consumer protection enforcement authority. The Attorney General can also seek injunctive relief and reasonable costs.

The NIST affirmative defense is particularly relevant to enforcement. If a business can demonstrate it was operating under a written privacy program that reasonably conforms to the NIST Privacy Framework at the time of the alleged violation, it has a defense against liability. This does not guarantee immunity, but it substantially strengthens the business's position. No other state privacy law currently offers this incentive.

How This Compares to Other State Laws

Tennessee's dual threshold and NIST defense set it apart. Here is how TIPA compares:

| Feature | Tennessee (TIPA) | Texas (TDPSA) | Virginia (VCDPA) |
|---|---|---|---|
| Effective Date | Jul 1, 2025 | Jul 1, 2024 | Jan 1, 2023 |
| Revenue Threshold | $25M+ | None | None |
| Consumer Threshold | 100K or 25K + 50% data sales | None (small biz exemption) | 100K or 25K + 50% data sales |
| NIST Affirmative Defense | Yes | No | No |
| Cure Period | 60 days (sunset 2027) | 30 days (sunset 2025) | 30 days (sunset 2025) |
| Response Deadline | 45 days (+45 ext.) | 45 days (+45 ext.) | 45 days (+45 ext.) |
| Private Right of Action | No | No | No |
| Max Penalty | $7,500/violation | $7,500/violation | $7,500/violation |

Texas's TDPSA, which took effect in July 2024, has no revenue threshold and applies much more broadly -- essentially covering all businesses that are not classified as small businesses under federal SBA standards. TIPA is significantly narrower in scope due to its $25 million revenue requirement. Virginia's VCDPA does not have a revenue threshold but shares similar consumer thresholds and rights. For comparison with California's broader law, see our CCPA compliance guide.

Action Checklist for Small Businesses

  1. Check both thresholds. Confirm that your business exceeds $25 million in annual revenue AND meets one of the consumer data thresholds (100K consumers or 25K + 50% data sale revenue). If you do not meet both, TIPA does not apply to you.

  2. Audit your data practices. Map the personal data you collect from Tennessee consumers, including sources, storage locations, sharing partners, and retention periods.

  3. Update your privacy notice. Ensure it meets all TIPA disclosure requirements, including categories of data, purposes, third parties, and consumer rights information.

  4. Build request handling workflows. Implement processes for all consumer rights requests with clear timelines and identity verification. See our DSAR workflow guide.

  5. Implement the appeal process. Create a documented appeal mechanism for denied consumer requests with a 60-day response commitment.

  6. Adopt the NIST Privacy Framework. This is optional but strongly recommended. Create and maintain a written privacy program that conforms to the NIST framework. Document your compliance. This provides a valuable affirmative defense.

  7. Complete data protection assessments. Document assessments for targeted advertising, data sales, sensitive data processing, and profiling activities.

  8. Train your team and update vendor contracts. Ensure employees can recognize privacy requests and that all processor agreements meet TIPA requirements.

Key Dates

  • May 11, 2023: TIPA signed into law (HB 1181).
  • July 1, 2025: TIPA takes effect. Full compliance required.
  • July 1, 2027: 60-day cure period sunsets. Attorney General gains discretion on cure opportunities.

References

  • Tennessee Information Protection Act: Tenn. Code Ann. §§ 47-18-3301 et seq. (HB 1181, 2023). Full text on Tennessee General Assembly website
  • NIST Privacy Framework: National Institute of Standards and Technology. NIST Privacy Framework Version 1.0
  • Texas Data Privacy and Security Act (TDPSA): Tex. Bus. & Com. Code ch. 541 (HB 4, 2023).
  • Virginia Consumer Data Protection Act (VCDPA): Va. Code §§ 59.1-575 through 59.1-585.

Last reviewed: February 2026. Privacy laws change frequently. Verify all statutory references against the current text of the law and consult qualified legal counsel before making compliance decisions for your business.


Want to build a compliant DSAR process that covers Tennessee and beyond? Our DSAR Compliance Guide gives you a step-by-step framework for handling consumer requests -- and helps you document your privacy program for that NIST affirmative defense.