The Tennessee Information Protection Act (TIPA) took effect on July 1, 2025. While it follows the familiar Virginia-style template, Tennessee includes a unique feature that no other state offers: an affirmative defense for businesses that maintain a privacy program aligned with recognized frameworks.
Who Does TIPA Apply To?
TIPA applies to businesses that conduct business in Tennessee or target Tennessee residents and meet both criteria:
- Revenue exceeding $25 million, AND
- Control or process personal data of at least 175,000 Tennessee consumers, OR 25,000 Tennessee consumers while deriving more than 50% of revenue from selling personal data
The dual requirement (revenue + consumer count) means TIPA has a higher bar than most state privacy laws. Smaller businesses are less likely to be covered — but if you meet both thresholds, compliance is mandatory.
The Affirmative Defense — Tennessee's Unique Feature
If your business creates, maintains, and complies with a written privacy program that conforms to recognized frameworks — such as:
- NIST Privacy Framework
- ISO/IEC 27701
- Other standards recognized by the AG
then you have an affirmative defense against enforcement actions. This doesn't make you immune from violations, but it gives you a strong legal position if challenged.
This is a meaningful incentive to document your privacy practices formally rather than just checking boxes.
Consumer Rights
Tennessee consumers can:
- Access their personal data
- Correct inaccurate data
- Delete their personal data
- Obtain a copy of their personal data (data portability)
- Opt out of sale, targeted advertising, and profiling
Response deadline: 45 days, with a possible 45-day extension.
Key Requirements
- Privacy policy with all standard disclosures
- Sensitive data consent — opt-in required
- Data protection assessments for high-risk processing
- 60-day cure period (permanent — does not expire)
Enforcement
Enforced by the Tennessee Attorney General. No private right of action. The permanent 60-day cure period and affirmative defense make Tennessee one of the more business-friendly state privacy laws.
TIPA Compliance Checklist
- Privacy policy covering required disclosures
- Cookie consent banner with opt-out
- Written privacy program aligned with NIST or ISO 27701 (recommended for affirmative defense)
- Consumer request process — 45-day window
- Sensitive data consent — opt-in
- Data protection assessments for targeted advertising, data sales, profiling