Tennessee Privacy Law Overview

Tennessee's privacy law took effect July 1, 2025 and is notable for its NIST-based affirmative defense — the only one of its kind among state privacy laws. Its high thresholds (a $25 million revenue floor plus large consumer counts) mean it applies mainly to bigger companies, but those companies gain a clear compliance roadmap and a litigation shield if they follow it.

The Tennessee Information Protection Act (TIPA)

Tennessee's law provides comprehensive consumer rights with opt-in consent for sensitive data, but applies only to larger businesses (over $25 million in revenue and high consumer counts). Its signature feature is an affirmative defense: a business that maintains a written privacy program conforming to the NIST Privacy Framework can use that program as a defense to enforcement.

TIPA: Quick Overview

  • Effective Date: July 1, 2025
  • Citation: Tenn. Code Ann. § 47-18-3301 et seq.
  • Enforced By: Tennessee Attorney General
  • Maximum Penalty: Up to $7,500 per violation, plus treble damages for willful violations
  • Private Right of Action: No (enforcement by the state only)
  • Right to Cure: 60 days

Who Must Comply

The TIPA applies to businesses that meet Tennessee's applicability thresholds:

  • Annual revenue exceeding $25 million, and
  • Controls or processes data of 175,000+ Tennessee consumers, or 25,000+ consumers with over 50% of revenue from selling data

What makes Tennessee different: Tennessee is the only state to offer an affirmative defense for businesses that follow the NIST Privacy Framework, and it allows treble damages for willful violations.

Consumer Rights Under the TIPA

Tennessee residents can exercise the following rights over their personal data:

  • Right to access / confirm what data is held
  • Right to correct inaccurate data
  • Right to delete personal data
  • Right to data portability
  • Right to opt out of targeted advertising
  • Right to opt out of the sale of personal data
  • Right to opt out of profiling for significant decisions

Sensitive personal data: Businesses must obtain opt-in consent before processing sensitive data (such as health, biometric, precise-geolocation, or demographic data).

Data Breach Notification in Tennessee

Tennessee requires notice to affected residents within 45 days of discovery; private businesses are generally not required to notify the Attorney General.

  • Deadline to notify residents: No later than 45 days after discovery of the breach
  • Attorney General notice: Tennessee does not impose a separate Attorney General notice duty on most private businesses
  • Covered data: Name combined with sensitive identifiers (SSN, driver's license, financial-account or medical information, and more)

Federal Privacy Laws That Apply in Tennessee

Even where Tennessee law is silent, residents and businesses are covered by federal privacy statutes:

  • HIPAA — health information held by providers, plans and their vendors
  • GLBA — privacy and safeguards rules for financial institutions
  • FERPA — student education records
  • FCRA — consumer reporting agencies and background screening
  • COPPA — online collection of data from children under 13
  • FTC Act §5 — unfair or deceptive privacy and data-security practices

Tennessee Privacy Law FAQ

What is Tennessee's NIST affirmative defense?
TIPA is the only state privacy law that lets a business assert an affirmative defense in enforcement actions if it maintains a written privacy program that reasonably conforms to the NIST Privacy Framework. This rewards documented, standards-based compliance.

Does Tennessee's privacy law apply to small businesses?
Generally no. TIPA applies only to businesses with more than $25 million in annual revenue that also meet high consumer-count thresholds (175,000 consumers, or 25,000 with majority revenue from data sales), so most small and mid-sized businesses are out of scope.

How a Tennessee Privacy Attorney Can Help

For Businesses

  • Build and audit a privacy compliance program
  • Draft privacy policies, notices and vendor contracts
  • Respond to consumer rights requests
  • Manage data-breach response and notification
  • Defend regulatory investigations and enforcement

For Consumers

  • Enforce your privacy rights against non-compliant businesses
  • Pursue or join data-breach litigation
  • File complaints with the Tennessee Attorney General
  • Seek damages for identity theft and fraud
  • Stop unlawful data sales and unwanted marketing

Need a Tennessee Privacy Attorney?

Whether you are a business working toward compliance or a Tennessee resident whose privacy has been violated, our network of Tennessee-licensed attorneys can help.
