Tennessee Information Protection Act (TIPA): Privacy Compliance Guide
Tennessee's privacy law includes a unique affirmative defense for businesses with privacy programs. Here's what you need to know.
2026-03-03
The Tennessee Information Protection Act (TIPA) took effect on July 1, 2025. While it follows the familiar Virginia-style template, Tennessee includes a unique feature that no other state offers: an affirmative defense for businesses that maintain a privacy program aligned with recognized frameworks.
Who Does TIPA Apply To?
TIPA applies to businesses that conduct business in Tennessee or target Tennessee residents and meet both criteria:
- Revenue exceeding $25 million, AND
- Control or process personal data of at least 175,000 Tennessee consumers, OR 25,000 Tennessee consumers while deriving more than 50% of revenue from selling personal data
The dual requirement (revenue + consumer count) means TIPA has a higher bar than most state privacy laws. Smaller businesses are less likely to be covered — but if you meet both thresholds, compliance is mandatory.
The Affirmative Defense — Tennessee's Unique Feature
If your business creates, maintains, and complies with a written privacy program that conforms to recognized frameworks — such as:
- NIST Privacy Framework
- ISO/IEC 27701
- Other standards recognized by the AG
then you have an affirmative defense against enforcement actions. This doesn't make you immune from violations, but it gives you a strong legal position if challenged.
This is a meaningful incentive to document your privacy practices formally rather than just checking boxes.
Consumer Rights
Tennessee consumers can:
- Access their personal data
- Correct inaccurate data
- Delete their personal data
- Obtain a copy of their personal data (data portability)
- Opt out of sale, targeted advertising, and profiling
Response deadline: 45 days, with a possible 45-day extension.
Key Requirements
- Privacy policy with all standard disclosures
- Sensitive data consent — opt-in required
- Data protection assessments for high-risk processing
- 60-day cure period (permanent — does not expire)
Enforcement
Enforced by the Tennessee Attorney General. No private right of action. The permanent 60-day cure period and affirmative defense make Tennessee one of the more business-friendly state privacy laws.
TIPA Compliance Checklist
- Privacy policy covering required disclosures
- Cookie consent banner with opt-out
- Written privacy program aligned with NIST or ISO 27701 (recommended for affirmative defense)
- Consumer request process — 45-day window
- Sensitive data consent — opt-in
- Data protection assessments for targeted advertising, data sales, profiling
Check Your Compliance
ClearConsent checks your site against all 19 US state privacy laws including Tennessee's TIPA. See where you stand in under 60 seconds.