On May 11, 2023, Tennessee joined the rapidly growing ranks of U.S. states to enact a comprehensive data privacy law as Gov. Bill Lee (R-TN) signed the Tennessee Information Protection Act (TIPA) into law. Taking effect July 1, 2025, TIPA is more similar to the Virginia Consumer Data Protection Act (VCDPA), and the more “business-friendly” family of state privacy laws such the Utah Consumer Privacy Act (UCPA), and the Iowa Act Relating to Consumer Data Protection (ICDPA). While TIPA extends important privacy protections to consumers, several key provisions signal that it is less consumer friendly than the California Consumer Privacy Act (CCPA) and its amending California Privacy Rights Act (CPRA), the Indiana Consumer Data Protection Act (INCDPA) or the Colorado Privacy Act (CPA). In this article, we highlight key provisions of TIPA and dive into the important compliance requirements that businesses need to know.
Key Provisions
- Applicability –The law only applies to businesses exceeding $25 million in annual revenue, and that either control or process the personal information of 175,000 or more Tennessee consumers, or control or process the data of 25,000 consumers while deriving more than 50% of gross revenue from the sale of personal information.
- Safe Harbor – Controllers and processors are allowed to assert an affirmative defense to violations if they maintain a written privacy program that “reasonably conforms” to the current privacy framework set by the National Institute of Standards and Practices (NIST), among other requirements.
- Insurance Companies Exempt – There is an entity-level carve out for state-licensed insurance companies, a first among state data privacy laws.
- High Civil Penalties and Treble Damages – Courts may impose civil penalties of up to $7,500 per violation, and treble damages may be awarded for willful or knowing violations.1
- 60-Day Cure Period – TIPA’s 60-day cure period is one of the longest of all of the enacted state privacy laws. Only Iowa’s 90-day cure period is longer. Importantly for businesses, unlike under the CCPA, for example, TIPA’s cure period does not currently have a sunset date.
- Two Years to Prepare – Businesses have more than two years to come into compliance with TIPA, providing a generous ramp-up period as compared to the roughly one-year period provided by Connecticut, Montana, Texas and Utah.
What Information Is Covered?
TIPA defines “personal information” as information that is linked or reasonably linkable to an identified or identifiable natural person.2 Similar to other state privacy laws, TIPA establishes a category of “sensitive data” as personal information that includes: (1) personal information revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; (2) the processing of genetic or biometric data for the purpose of uniquely identifying a natural person; (3) the personal information collected from a known child (e.g., a natural person under 13 years of age); or (4) precise geolocation data (e.g., information derived from technology, including, but not limited to, global positioning system level latitude and longitude coordinates or other mechanisms, that directly identifies the specific location of a natural person with precision and accuracy within a radius of 1,750 ft.)3
Who Must Comply with TIPA?
Like other state data privacy laws and the European General Data Protection Regulation (GDPR), the Tennessee law governs the activities of “controllers”—those determining the purpose and means of processing personal data—and “processors”—those who process the personal data on the controller’s behalf.4 To be applicable, TIPA requires a $25 million annual revenue threshold akin to that of the UCPA.
Unless the business is deriving more than 50% of its gross annual revenue from the sale of personal information and controls or processes the information of at least 25,000 Tennessee consumers, TIPA only applies if the business controls or processes the personal information of 175,000 Tennessee consumers—the highest state resident threshold of any enacted state privacy law to date.
What Are the Notable Exemptions?
Just like the other state data privacy laws, TIPA features exemptions for both entities and types of data.
Entity-based Exemptions
TIPA exempts government entities, nonprofits, financial institutions subject to Title V of the Gramm-Leach-Bliley Act (GLBA), institutions of higher education, and covered entities and business associates under the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH).5 TIPA is also the first state privacy law to feature an entity-level carve-out for insurance companies, entirely exempting all insurance companies licensed under Tennessee law (though insurance companies are often using the GLBA exemption of the other comprehensive state privacy laws to achieve similar exemptions).6
Data-Based Exemptions
Much like Utah, Virginia and Iowa, Tennessee’s TIPA does not apply to personal information processed or maintained in the course of employment, including information provided by an individual applying to, or acting as an employee, agent or independent contractor of a controller, processor or third party, as well as emergency contact information and data used to administer benefits.7 The law’s definition of “consumer” also explicitly excludes natural persons acting in a commercial or employment context.8 Data that is publicly available, aggregated or de-identified is also excluded from the definition of “personal information.”9 Information subject to Title V of the GLBA is exempt, along with information governed by the Fair Credit Reporting Act (FCRA) and information governed by the Family and Educational Rights and Privacy Act (FERPA), among others.10 The statute further deems companies that meet the verifiable parental consent requirements of the federal Children’s Online Privacy Protection Act (COPPA) (15 U.S.C. § 6501 et seq.) compliant with TIPA’s parental consent requirements regarding the collection and processing of the personal information of children under age 13.11
TIPA also has a variety of exemptions specific to health data, including an exemption for protected health information under HIPAA, and information and documents created for the Health Care Quality Improvement Act (HCQIA). Patient safety work product created for the Patient Safety and Quality Improvement Act (PSQIA) is exempt, along with information used only for public health activities and purposes as authorized by HIPAA. There are also a number of carve-outs specifically related to personal information collected, processed or sold in connection with certain types of research, such as human subject research and public or peer-reviewed scientific or statistical research in the public interest.12
What Rights Do Tennessee Consumers Have?
Consumers under TIPA enjoy a similar assortment of rights as under other state data privacy laws. For instance, Tennessee consumers have the right to: (1) know whether a controller is processing the consumer’s data and the right to access that data; (2) request a controller correct inaccuracies in the consumer’s personal data; (3) delete personal data provided by, or obtained about, the consumer; (4) obtain a copy of their personal data in a portable and readily usable format; and (5) opt out of processing for the sale of personal data, targeting advertising or profiling.13 The consumer rights afforded under TIPA most closely align with those under the VCDPA, which includes similar rights to correct inaccuracies and to delete both personal data provided by the consumer, and personal data obtained about the consumer, both of which are absent from the UCPA. Similar to the Iowa, Virginia, Colorado and Connecticut laws, Tennessee’s TIPA requires that controllers establish a process for consumers to appeal the refusal to take action on requests to exercise their rights.
However, TIPA contains an expansive carve-out for pseudonymous data. While the law excludes “de-identified data”—data that cannot reasonably be linked to an identified or identifiable natural person—it also does not apply consumer rights to pseudonymous data if the controller demonstrates that consumer identifying information is kept separate with effective technical and organizational controls preventing the controller’s access.14 In the case that controllers disclose either de-identified or pseudonymous data to third parties, controllers must exercise oversight and monitor compliance with contractual commitments concerning that data.15 Additionally, similar to the laws of Utah, Virginia and Iowa, Tennessee’s TIPA does not appear to explicitly require organizations to recognize universal opt-out mechanisms.
What Obligations Do Controllers and Processors Have?
As seen in other state data privacy laws and the GDPR, TIPA divides responsibilities between data controllers and processors.
Controller Requirements:
- Data Minimization: Controllers must limit personal data collection to what is adequate, relevant and reasonably necessary for the disclosed purpose for which the data is processed.16
- Avoid Secondary Use: Controllers must have the consumer’s consent before processing personal data for purposes beyond those reasonably necessary for and compatible with the disclosed purpose for which the data is processed.17
- Data Security: Controllers are required to establish, implement and maintain reasonable administrative, technical and physical practices for data security, appropriate to the volume and nature of the data.18
- Nondiscrimination: Controllers must not process personal data in violation of state or federal laws prohibiting unlawful discrimination against consumers, and may not discriminate against consumers who exercise their rights under TIPA. This does not preclude controllers from offering different prices or goods to consumers exercising the right to opt out as part of a loyalty or rewards program.19
- Processor Agreements: Similar to other state laws, controllers are required to enter into binding contracts with processors that, among other things, detail the nature and purpose of the processing, instructions for the processing, and the rights and obligations of both parties. Processors under this contract have a number of requirements, such as establishing a duty of confidentiality for personal data, deleting or returning all personal data to the controller upon the controller’s request at the end of the provision of services, making personal data available upon controller request, arranging for cooperation with the controller’s assessor or independent assessor; and mandating conditions for subcontractor engagement.20
- Sensitive Data: Much like in Virginia, Colorado and Connecticut, Tennessee’s TIPA requires controllers to obtain a consumer’s opt-in consent prior to processing that consumer’s sensitive data.21 In the event the consumer is a child, the controller must process the child’s sensitive data in accordance with COPPA.
- Transparency and Purpose Specification: Controllers must provide a clear and reasonably accessible privacy notice and disclose: (1) the categories of data processed; (2) the purpose of the processing; (3) how the consumer may exercise their rights; (4) the categories of data the controller sells to third parties; (5) the categories of third parties, if any, to whom the data is sold; and (6) a reliable means for consumers to submit a request, without requiring the consumer to create a new account. In the event a controller is selling personal information or using it for targeted advertising, the controller must clearly and conspicuously disclose the processing as well as how the consumer may opt out.22
- Data Protection Assessments: Like many other state laws, including the Virginia, Colorado and Connecticut laws, Tennessee’s TIPA requires controllers to perform a data protection assessment before engaging in certain processing activities. These include: (1) processing for targeted advertising; (2) selling personal data; (3) processing personal data for profiling, in the event the profiling presents a reasonably foreseeable risk of certain legal, financial, physical, reputational or deceptive harms; (4) processing sensitive data; and (5) other processing presenting a heightened risk of harm to consumers.23 TIPA allows the use of assessments conducted for other state laws, provided they have a reasonably comparable scope and effect. Assessments must be conducted for processing generated on or after July 1, 2024.24 However, there is no requirement to conduct assessments prior to TIPA’s effective date of January 1, 2025.
Controllers under TIPA have 45 days to respond to consumer requests, consistent with the timelines of other state privacy laws. TIPA also grants companies the option for a 45-day extension provided they issue proper notice to the consumer.25
Processor Requirements:
TIPA requires processors to adhere to controller instructions and assist controllers with their obligations, which includes entering into a binding contract, responding to consumer requests and providing necessary information for the controller to conduct data protection assessments.
NIST Safe Harbor
Tennessee is the first state to provide an explicit affirmative defense provision within its comprehensive privacy law, providing a safe harbor in the event it is sued for a violation of the TIPA.26 TIPA provides this never-before-seen affirmative defense to violations of the law, if the controller or processor creates, maintains and complies with a written privacy policy that “reasonably conforms” to the NIST Privacy Framework or “other documented polices, standards, and procedures designed to safeguard consumer privacy.”27 The NIST Privacy Framework is a set of voluntary guidelines for privacy programs, based on five core functions:
- Identify: Developing organizational understanding to manage privacy risk to individuals from processing personal data.
- Govern: Implementing governance structure to enable ongoing understanding of risk management priorities.
- Control: Implementing appropriate activities to allow individuals or organizations to manage data to effectively manage privacy risk.
- Communicate: Developing appropriate activities to allow individuals and organizations to understand privacy risks associated with data processing.
- Protect: Implementing appropriate data processing safeguards to prevent cybersecurity-related privacy events.28
The scale and scope of this reasonably conforming privacy framework must also be based on: (1) the size and complexity of the controller or processor’s business; (2) the nature and scope of the activities of the controller or processor; (3) the sensitivity of the personal data; (4) the cost and availability of tools to improve privacy protections and data governance; and (5) compliance with a comparable state or federal law.29
Because the NIST Privacy Framework is a set of voluntary guidelines developed to give businesses flexibility in risk management, and there are currently no Tennessee Rules & Regulations interpreting TIPA, it is unclear how privacy programs will be evaluated to determine if they “reasonably conform” to the NIST framework. Likewise, it remains to be seen how successful controllers and processors will be in invoking this affirmative defense in enforcement actions.
Who Enforces TIPA?
As with all other similar state laws except the CCPA, there is no private right of action under TIPA. Rather, the Tennessee Attorney General and Reporter (AG) retains exclusive enforcement authority for TIPA violations. Before initiating any action against an offending controller or processor, the AG must provide 60 days’ written notice and an opportunity to cure.30 The AG may not initiate an enforcement action against the business if, within the cure period, the business submits a written confirmation that the violation has been cured and no further violations of the kind will occur.31 If the alleged violations are not cured, the AG may file an action and seek declaratory, injunctive and monetary relief, including a $7,500 maximum civil penalty per violation, along with reasonable attorney’s fees and investigative costs. However, in the event of willful or knowing violations, treble damages may be awarded at the court’s discretion.32
Companies will have until July 1, 2025 when TIPA goes into effect to ensure they are compliant, and those that have already taken steps to comply with earlier state privacy laws should be well positioned for compliance with TIPA. As additional comprehensive state privacy laws are on the way, along with forthcoming international data protection laws, it is more important than ever for companies to adopt a robust privacy program framework that can adapt to new regulatory requirements.
Learn about the other State Laws in Akin’s State Data Privacy Law Series, as well as our CCPA Report:
- Virginia Consumer Data Protection Act: What Businesses Need to Know | Akin (akingump.com)
- Colorado Privacy Act: What Businesses Need to Know | Akin (akingump.com)
- Connecticut Data Privacy Act: What Businesses Need to Know | Akin (akingump.com); Businesses and Consumers Prepare as the CTDPA Takes Effect on July 1 | Akin Gump Strauss Hauer & Feld LLP
- Utah Consumer Privacy Act: What Businesses Need to Know | Akin (akingump.com)
- Iowa Data Protection Act: What Businesses Need to Know | Akin Gump Strauss Hauer & Feld LLP
- Key Takeaways from Akin’s CCPA Litigation and Enforcement Report | Akin (akingump.com)
1 Further, the law explicitly provides that each provision violated and each consumer affected are considered separate violations.
2 Public Chapter No. 408 §§ 47-18-3201(18) (Tennessee 2023), available at https://publications.tnsosfiles.com/acts/113/pub/pc0408.pdf, hereinafter “TIPA.”
3 Id. §3201(5), (18) and (26).
4 Id. §3201(8), (20).
5 Id. § 3210(a)(1-6).
6 Id. § 3210(a)(3).
7 Id. § 3210(a)(20).
8 Id. § 3201(7)(B).
9 Id. § 3201(17)(B).
10 Id. § 3210(a).
11 Id. § 3210(b).
12 Id. § 3210(a)(10), (21).
13 Id. § 3203(a)(2)(A-E), § 3201(21) “profiling” here refers to “a form of solely automated processing performed on personal information to evaluate, analyze, or predict personal aspect related to an identified or identifiable natural person’s economic situation, health, personal preferences, interests, reliability, behavior, location or movements.”
14 Id. § 3207(c).
15 Id. § 3207(d).
16Id. § 3204(a)(1).
17 Id. § 3204(a)(2).
18 Id. § 3204(a)(3).
19 Id. § 3204(a)(5).
20 Id. § 3205(b).
21 Id. § 3204(a)(6), § 3201(26).
22 Id. § 3204(c-d).
23 Id. § 3206(a).
24 Id. § 3206(f).
25 Id. § 3203(b)(1).
26 Other states such as Utah, Connecticut and Ohio have included safe harbors for those companies that follow various cybersecurity frameworks, including the NIST Cybersecurity Framework. Tennessee’s is the first law adopting a safe harbor for those following the NIST Privacy Framework.
27 Id. § 3213(a).
28 Dep’t of Com., NIST, The NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management Version 1.0 (January 16, 2020), available at https://www.nist.gov/privacy-framework/privacy-framework.
29 TIPA at § 3213(b).
30 Id. § 3212(b).
31 Id.
32 Id. § 3212(d)(1-2).