What is the TIPA Law? – An Overview of the Tennessee Information Protection Act
Ever wondered how the TIPA law protects your personal data?
With the forthcoming Tennessee Information Protection Act (TIPA) coming into effect on July 1, 2025, Tennessee becomes the 8th U.S. state to enact a consumer privacy law.
Businesses have over two years following its passage on May 11, 2023 to confirm TIPA compliance and align with TIPA mandates.
From March to June of 2023, state-level privacy laws faster implemented new rules or regulations.
Six states did so, two of which are already known, and the rest are Tennessee, Iowa, Indiana, Montana, Florida, and Texas.
The Tennessee Data Privacy Law demonstrates great focus on protecting consumer data within the state.
As a more business-friendly legislation, TIPA law adopts elements of the Virginia Consumer Data Protection Act (VCDPA) and Iowa Consumer Data Protection Act (ICDPA) so the Tennessee data privacy laws are more flexible than other state.
This blog is for organizations operating in Tennessee to understand what TIPA law consists of.
The alliance with TIPA law will be important for compliance and safeguarding consumer data in the Tennessee privacy law landscape.
What is the Tennessee Information Protection Act (TIPA)
The Tennessee Information Protection Act, also known as TIPA, provides processes for managing personal data in Tennessee.
In the Tennessee law of data privacy, personal data includes, but is not limited to, a person’s full name, usernames, IP addresses, Social Security Number, geolocation, physical and financial information, and other information associated with a consumer.
Businesses cannot use publicly available or devoiced information to manage data but must conform to TIPA compliance rules for responsible data management.
Most Important Features of TIPA Law
Businesses located in Tennessee need to grasp what TIPA law encompasses for their own benefit.
In this law, Tennessee data protection, an entity is a controller who is a business that makes decisions about the data being processed.
Other entities are processors which are third parties that perform the tasks delegated to them by controllers.
It further classifies personal information as any information exchanged, except for a few outside the identified scope.
Moreover, advertising through TIPA privacy regulations is restricted and ensures companies that process personal information for advertisement purposes do so in compliance with TIPA.
It concerns the management of permission, which is in line with international regulations for data protection as GDPR.
Alongside the specifics of the Tennessee privacy statute, sensitive personal information is defined, which includes, but is not limited to, one’s race or ethnic origin, religious beliefs, health information, sexual orientation, genetic or biometric information, and highly accurate geolocation data.
Additional safeguards are given regarding information obtained from children below 13 years of age.
Since law TIPA comes into force on July 1, 2025, all companies are required to adopt preemptive TIPA compliance plans in anticipation of additional Tennessee data protection law changes.
Who Must Comply With the Tennessee Protection Act?
The TIPA law, formally referred to as the Tennessee Information Protection Act, governs all businesses within or outside of the state of Tennessee.
It governs organizations conducting business in Tennessee or offering goods and services to residents of the state.
In order to meet TIPA compliance, organizations described as `controllers’ in the Tennessee privacy laws must fulfill at least one of the following requirements:
- Manage or process personal data of no less than one hundred thousand (100,000) residents of Tennessee each year.
- Manage or process personal data of twenty five thousand (25,000) consumers in Tennessee and earn more than fifty percent (50%) of gross income from the sale of personal information.
The TIPA law, in contrast with other state laws like California’s CCPA, does not set a revenue benchmark for compliance.
This implies that businesses will be considered in violation of the TIPA law if they process consumer data transparency and fail to comply, irrespective of how much revenue they earn annually.
Affirmative Defense Within TIPA Law Compliance of Privacy Issues
One provision of TIPA privacy that is particularly noteworthy is its affirmative defense clause. Under the existing Tennessee privacy law, a business entity found to have possibly breached the Tennessee data privacy law is not liable for punishment if it proves compliance with an endorsed privacy system such as:
- The NIST Privacy Framework (U.S. National Institute of Standards and Technology)
- APEC Cross Border Privacy Rules
- APEC Recognition System for Processors
The TIPA Act considers business size, level of sensitivity of the data, and compliance with other state or federal laws when determining compliance with the privacy standards.
Exemptions Under the Tennessee Information Protection Act
Under the Tennessee Information Protection Act, some entities and data types qualify for exemption from TIPA compliance under the Tennessee privacy law. These consist of:
- Entities covered by other federal laws including HIPAA, FCRA, COPPA, FERPA and Farm Credit Act
- Government, financial, insurance, nonprofit, and educational institutions
- Employment and B2B (Business to Business) information
By comprehending TIPA meaning with its TIPA requirements, businesses will take responsibility to ensure compliance with the Tennessee data protection laws.
What are the Consumer Rights Under TIPA Law?
The TIPA or Tennessee Information Protection Act allows consumers to exercise certain privileges concerning their personal information.
According to this law, individuals over the age of eighteen, as well as parents and guardians of minors, have the ability to control what happens with the data associated with them.
Important Consumer Privileges Set Forth By The Tennessee Information Protection Act
The TIPA law gives various consumer rights to ensure that there is privacy and control of personal information. These rights may be exercised by parents or guardians on behalf of minors under TIPA law.
However, some rights like opting out of automated decision-making (including any AI-based processing) and the private right of action (where consumers are empowered to file a lawsuit against a business for failure to adhere to the law) are not part of applying TIPA compliant.
The TIPA law to protect consumers privacy
- The Right of Access – Consumers have the right to check whether a business (controller) is indeed processing their data and, subject to some limitations, be given access to that data.
- Right to Disclosure – the consumer has the right to know what has been done with some categories of their data that have been sold according to Tennessee privacy law.
- Right to Delete – the consumer makes requests to the controller for deletion of some personal data as long as there are no undue restrictions.
- Right to Correction – You can attend to some people’s inaccurate and old data in TIPA compliance rules.
- Right to Portability – portability of information by a consumer means that the data is provided to the consumer in a format that is easy to use and, therefore, easy to transfer in compliance with TIPA.
- Right Not to Be Discriminated Against – Pursuant to the TIPA privacy rules, businesses under the Tennessee data protection law cannot unlawfully discriminate against consumers who seek to exercise their rights.
- Right to Opt-Out – Under the Tennessee Data Protection and Internet Privacy Act, consumers have the right to opt out of the targeted advertising, profiling, or sale of their personal data.
Keeping in mind what TIPA law is and its TIPA definition, both businesses and consumers are able to understand the Tennessee data privacy law obligations easily.
How Businesses Can Comply With TIPA Regulations?
The TIPA law, better known as the Tennessee Information Protection Act, has specific TIPA business compliance policies regarding consumer data.
To mitigate the risk of violating TIPA and Tennessee data privacy laws, businesses should learn how to comply with TIPA law.
Consumer Notification and Response Time
According to Tennessee privacy laws, all businesses (controllers) should educate consumers on their rights and how to use them.
Such instructions should be available in the company’s privacy policy or website notice.
Consumers must submit a request, allowing the controller to respond within 45 days.
If the controller cannot verify the person’s identity, they will refuse the request.
In these cases the controller must advise the consumer how to reach the Tennessee Attorney General’s Office.
Consumers can appeal the decision which the controller is required to answer within 60 days. If other exceptional situations exist the answer can be delayed by 45 days.
Key Compliance Measures Under TIPA Law
1. Purpose Limitation
Controllers must ensure that the personal data they process is relevant to the stated intent so as to avoid unneeded and irrelevant data collection and use TIPA privacy regulations.
2. Data Security
Controllers are required to implement strong technical, administrative, and physical security measures to safeguard consumer data under the Tennessee data protection law.
These safeguards should correspond to the processing of the type and quantity of personal data being.
3. Data Protection Assessments (DPA)
Businesses are required to carry out data protection assessments for:
- Sensitive personal information
- Data utilized for targeted marketing
- Profiling that may result in a likelihood of harm to consumers
- Saleable personal data
Businesses can achieve compliance with TIPA requirements by performing assessments under other state privacy laws.
4. Consent Requirements
Unlike some privacy laws, TIPA law allows data collection and processing by default, requiring consumers to opt out if they choose not to participate.
However, consent must be granted explicitly while processing sensitive personal data to ensure compliance with Tennessee data privacy law.
For children younger than thirteen (13) years old, TIPA law is aligned with the Children’s Online Privacy Protection Act (COPPA).
This means that consent from a parent or guardian must be obtained before collecting a minor’s personal data which is automatically deemed as sensitive information under the Tennessee Information Protection Act.
5. Nondiscrimination
In accordance with the Tennessee privacy law, businesses are prohibited from discriminating against customers for using their rights.
For instance, consumers may not be denied access to the website if they wish to opt out of personal data collection.
On the other hand, some functions on the website may not work properly with cookies feature turned off, and this is not viewed as discriminatory as per TIPA law.
6. Transparency and Consumer Rights
Businesses, in order to comply with TIPA, need to have well-defined, and easy-to-access privacy policy explanations that include:
- The kinds of personal information collected.
- Reasons for processing data.
- How consumers can exercise their rights or decision appeals.
- If applicable, the personal data sold is classified.
- If applicable, third parties provide consumer data.
- Businesses perform targeted or optional advertising based on consumer data.
7. Third Party Contracts
Businesses need to enter into legally binding agreements with third party data processors, which guarantees:
- Obligations of confidentiality.
- Defined methods of data processing.
- Clear policies about deletion or return of consumer data.
- Verification of compliance.
Universal Opt-Out Signal and TIPA Compliance
Unlike California laws, the Tennessee Information Protection Act makes no mention of Global Privacy Control (GPC) signals for user consent.
However, businesses that TIPA compliant do have to allow consumers to easily opt out of collecting personal data through site settings or other clearly defined means.
TIPA Penalties and Fines for Non-Compliance
Businesses violating the Tennessee Information Protection Act are notified and given 60 days to fix the data privacy issue.
Legal action after the 60-day window depends on if the business attempts to fix the error.
Businesses can simply confirm the violation is fixed and no legal action within the state will be pursued.
A business can still face the consequences if it decides to leave the violation unattended after the fixed period.
Agencies can pursue court escalations under the Tennessee privacy law for these remaining violations:
- Authorities can decide whether a violation existed or not.
- Courts can issue injunctions to legally prevent future violations.
- Businesses must pay civil penalties of $7,500 for each violation.
- Businesses are responsible for covering attorney fees and other legal expenses.
- The state can impose additional consequences as deemed necessary.
Penalties may be tripled if found to be done with intent or ‘willful’ as deemed by the courts. Fines can go higher than $7,500, leaving businesses needing to comply with TIPA in order to see the protection of the data law of Tennessee.
FAQs
1. What is TIPA Law?
TIPA is the Tennessee Information Protection Act. It is a privacy law within Tennessee that provides rules on the protection of consumer data and the subsequent compliance requirements for businesses.
2. Who Does the TIPA Law Apply To?
The TIPA law subjects include all companies that undertake the processing of personal data of:
Individually or in combination:
- 100,000 or more residents of Tennessee during a single calendar year, or
- 25,000 or more residents and derive more than 50% of revenue from sales of data
3.What are the Penalties for Non-Compliance with the TIPA?
Compliance with TIPA LAW provisions may be sanctioned by:
- Monetary penalties of up to $7,500 per violation
- Treble damages for willful violations
- Civil actions – Injunctions and statutory attorney fees
4. How Can Businesses Comply With TIPA Law?
For a business to comply with TIPA, they will need to:
- Have a written policy on the privacy of information
- Grant some rights in relation to the information such as access, correction, and opt-out
- Adopt adequate security practices
- Carry out data protection audits
- Have contracts with third parties containing terms that assure compliance
Conclusion
Compliance with TIPA is crucial for the enforcement of Tennessee Information Protection Act. Following TIPA is necessary for companies to evade harsh fines and litigations under Tennessee law.
Knowing what is TIPA law, establishing stringent data security policies, will assist an organization to be in compliance with Tennessee data protection law while protecting consumers’ rights.
As TIPA law continually shapes Tennessee data privacy law, businesses need to remain vigilant to comply with the regulations in order to avoid breaches and enforce TIPA privacy practices.
Businesses can ensure secure, efficient, and compliant data processing by leveraging AI, Big Data technologies, cloud computing, and compliance tools like WP Cookie Consent and WP Legal Pages.
If you like this article, you might also like:
- Florida Digital Bill of Rights (FDBR) — A Complete Guide for 2025
- Oregon Consumer Privacy Act: An Overview of OCPA
- American Privacy Rights Act (APRA)
Are you looking to process your cookie data automatically? Grab the WP Legal Pages Compliance Platform for easy operations!