Tennessee Information Protection Act
The Tennessee Information Protection Act grants consumer data rights and uniquely offers an affirmative defense to organizations that maintain a documented privacy program aligned to the NIST Privacy Framework. It has high thresholds and is enforced by the Tennessee Attorney General.
Tennessee Information Protection Act
The Tennessee Information Protection Act (TIPA), enacted as House Bill 1181 and Senate Bill 73, is Tennessee's comprehensive consumer privacy statute. It took effect on July 1, 2025. TIPA is distinctive for offering controllers and processors an affirmative defense to liability if they maintain a written privacy program that reasonably conforms to the NIST Privacy Framework.
Who It Applies To
TIPA applies to persons that conduct business in Tennessee or produce products or services targeted to Tennessee residents, exceed 25 million dollars in revenue, and during a calendar year control or process the personal data of either 175,000 or more consumers, or 25,000 or more consumers while deriving more than 50 percent of gross revenue from the sale of personal data. These higher thresholds, including the revenue floor, make TIPA narrower in scope than most state laws. It exempts HIPAA and Gramm-Leach-Bliley data.
Key Requirements
Controllers must publish a privacy notice, minimize data collection, and maintain reasonable security. Consumers may confirm processing, access, correct, delete, obtain a portable copy, and opt out of targeted advertising, sale, and significant profiling. Opt-in consent is required for sensitive data. Controllers must conduct data protection assessments for high-risk processing. TIPA's signature feature is the affirmative defense available to organizations that create, maintain, and comply with a documented privacy program aligned to the NIST Privacy Framework or comparable standards.
Penalties for Non-Compliance
The Tennessee Attorney General has exclusive enforcement authority; there is no private right of action. Penalties may reach up to 7,500 dollars per violation, and courts may award treble damages for willful or knowing violations. A 60-day cure period applies before enforcement.
How to Comply
Determine whether you meet the revenue and consumer thresholds. Publish an accurate privacy notice and operate consumer-request workflows within 45 days. Implement opt-in consent for sensitive data and conduct documented assessments. Most importantly, build a written privacy program that maps to the NIST Privacy Framework to secure the statutory affirmative defense, and keep evidence of ongoing conformance.
Relationship to Other Laws
Tennessee is unusual in tying a litigation safe harbor to a recognized external framework. The affirmative defense rewards organizations that operationalize the NIST Privacy Framework rather than merely drafting a notice. This makes Tennessee a strong incentive to adopt a documented, auditable privacy program with mapped controls, regular reviews, and evidence of conformance, which also strengthens compliance with every other state law and reduces breach-related risk.
Operational Mechanics
Like its sibling state statutes, this law sets concrete operational requirements that engineering and operations teams must implement. Controllers must respond to a verified consumer rights request without undue delay and within 45 days of receipt, with a single 45-day extension permitted where reasonably necessary given the complexity and volume of requests, provided the consumer is notified of the extension and the reason. Where a controller declines to act, it must inform the consumer of the reason and provide instructions for appealing the decision; the law requires an internal appeal process, and if an appeal is denied the controller must give the consumer a method to contact the state Attorney General to submit a complaint. Controllers may not charge a fee for the first request in a defined period and must establish a secure, reliable means for consumers to submit requests, taking into account the ways consumers normally interact with the controller. Relationships with processors must be governed by a binding contract that sets out processing instructions, confidentiality duties, deletion or return of data at the end of the engagement, and the duty to assist the controller with security, breach response, and assessments. Treating these mechanics as shared platform services, rather than rebuilding them per state, is the most efficient path to durable, multistate compliance.