Does the Tennessee Information Protection Act apply to your business?
Only if you clear a high entry bar. TIPA applies to persons doing business in Tennessee or targeting its residents that exceed $25 million in revenue and either process the information of at least 175,000 consumers in a calendar year, or at least 25,000 consumers while deriving over 50% of gross revenue from selling personal information. Many federally regulated entities and whole categories of organizations are carved out entirely.
What sets Tennessee apart from most state privacy laws is the dollar floor: a business under $25 million in revenue is outside the statute no matter how much data it handles. That makes TIPA reach far fewer companies than laws that key applicability to consumer volume alone. On top of the threshold, section 47-18-3311 exempts government bodies, financial institutions and GLBA-covered data, HIPAA covered entities and protected health information, nonprofits, institutions of higher education, and FCRA-, FERPA-, and DPPA-regulated data, among others. A consumer is a Tennessee resident acting only in a personal context, so employee and business-contact data is out of scope.
Sources for this answer
Primary law
A.1 Tenn. Code Ann. § 47-18-3303
TIPA applies only to persons exceeding $25 million in revenue that also process the personal information of at least 175,000 consumers a year, or 25,000+ while deriving over 50% of gross revenue from selling personal information.
This part applies to persons that conduct business in this state producing products or services that target residents of this state and that:
  (1) Exceed twenty-five million dollars ($25,000,000) in revenue; and
  (2)
    (A) Control or process personal information of at least twenty-five thousand (25,000) consumers and derive more than fifty percent (50%) of gross revenue from the sale of personal information; or
    (B) During a calendar year, control or process personal information of at least one hundred seventy-five thousand (175,000) consumers.
See Tenn. Code Ann. § 47-18-3303.
Primary law
A.2 Tenn. Code Ann. § 47-18-3311
TIPA does not apply to a range of entities and data types, including government bodies, GLBA financial institutions, HIPAA-covered entities, nonprofits, and institutions of higher education.
This part does not apply to:
  (1) A body, authority, board, bureau, commission, district, or agency of this state or of a political subdivision of this state;
  (2) A financial institution, an affiliate of a financial institution, or data subject to Title V of the federal Gramm-Leach-Bliley Act (15 U.S.C. § 6801 et seq.);
See Tenn. Code Ann. § 47-18-3311(a).
What must your Tennessee privacy policy contain?
A controller must provide a reasonably accessible, clear, and meaningful privacy notice that lists the categories of personal information processed, the purpose for processing, how consumers exercise their rights and appeal a decision, the categories of personal information sold to third parties, and the categories of those third parties.
For a template privacy policy, section 47-18-3305(c) is the content checklist. TIPA also requires data minimization — collection limited to what is adequate, relevant, and reasonably necessary — and, where a controller sells personal information or processes it for targeted advertising, a clear and conspicuous disclosure of that processing and how to opt out. One Tennessee drafting note: items four and five of the notice are keyed to what the controller sells, not the broader idea of what it shares, so the notice should track the statute's wording rather than a looser paraphrase.
Sources for this answer
Primary law
B.1 Tenn. Code Ann. § 47-18-3305
A controller must provide a reasonably accessible, clear, and meaningful privacy notice listing the categories of personal information processed and the purpose for processing, among other required disclosures.
A controller shall provide a reasonably accessible, clear, and meaningful privacy notice that includes:
  (1) The categories of personal information processed by the controller;
  (2) The purpose for processing personal information;
See Tenn. Code Ann. § 47-18-3305(c).
What must your contracts with processors say?
A contract between a controller and a processor must govern the processor's data processing on the controller's behalf — so a data processing agreement is a statutory requirement, not just a best practice.
Section 47-18-3306(b) then specifies the required terms: processing instructions, the nature and purpose of processing, the type of data and duration, a duty of confidentiality, deletion or return of data at the controller's direction, the information needed to demonstrate compliance, cooperation with assessments, and a requirement to bind subcontractors by written contract to the same obligations. A compliant template data processing agreement tracks each of these. Separately, section 47-18-3312 makes any contract term that waives or limits a consumer's TIPA rights void as against public policy.
Sources for this answer
Primary law
C.1 Tenn. Code Ann. § 47-18-3306
A contract between a controller and a processor must govern the processor's data processing performed on behalf of the controller and set forth the required terms.
A contract between a controller and a processor governs the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract is binding and must clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties.
See Tenn. Code Ann. § 47-18-3306(b).
Do you need consent to process sensitive data?
Yes. A controller may not process a consumer's sensitive data without obtaining consent, and for a known child it must instead process the data in accordance with the federal Children's Online Privacy Protection Act. Sensitive data includes information revealing race or ethnicity, religious beliefs, a mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; genetic or biometric data used to identify a person; information collected from a known child; and precise geolocation data.
This is the opt-in model, the opposite of a notice-and-opt-out approach. TIPA does not, however, require honoring a universal opt-out preference signal such as Global Privacy Control, so a Tennessee-only program can rely on its own opt-out mechanisms — though a multi-state template generally has to support universal signals to stay compliant elsewhere. A controller also needs consent before processing personal information for purposes beyond those reasonably necessary and compatible with the purposes it disclosed.
Sources for this answer
Primary law
D.1 Tenn. Code Ann. § 47-18-3305
A controller may not process a consumer's sensitive data without consent, and must handle a known child's data in accordance with COPPA.
Not process sensitive data concerning a consumer without obtaining the consumer's consent, or, in the case of the processing of sensitive data concerning a known child, without processing the data in accordance with the federal Children's Online Privacy Protection Act (15 U.S.C. § 6501 et seq.) and its implementing regulations.
See Tenn. Code Ann. § 47-18-3305(a)(6).
Primary law
D.2 Tenn. Code Ann. § 47-18-3302
Sensitive data includes information revealing race or ethnicity, religious beliefs, a health diagnosis, sexual orientation, or citizenship status; genetic or biometric data used to identify a person; information from a known child; and precise geolocation data.
“Sensitive data” means a category of personal information that includes:
  (A) Personal information revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;
  (B) The processing of genetic or biometric data for the purpose of uniquely identifying a natural person;
  (C) The personal information collected from a known child; or
  (D) Precise geolocation data;
See Tenn. Code Ann. § 47-18-3302(26).
Can a consumer sue your business under TIPA?
No. The Attorney General and Reporter has exclusive authority to enforce TIPA, and the statute says a violation cannot be the basis for a private right of action, including a class action. Before suing, the Attorney General must give 60 days' written notice of the specific alleged violations and a chance to cure. Uniquely, a business has an affirmative defense if it maintains a written privacy program that reasonably conforms to the NIST privacy framework.
A controller that cures within the 60-day window and certifies the cure in writing avoids the action; an uncured violation exposes it to civil penalties of up to $7,500 per violation, with treble damages for willful or knowing violations. Tennessee's signature feature is the affirmative defense in section 47-18-3314: a controller or processor that creates, maintains, and complies with a written privacy program conforming to the NIST privacy framework (or a comparable framework) and providing consumers the substantive rights TIPA requires can raise that program as a defense. No other state pairs comprehensive privacy duties with a NIST-based safe harbor like this, which makes building a documented, framework-aligned program both a compliance step and a litigation shield.
Sources for this answer
Primary law
E.1 Tenn. Code Ann. § 47-18-3313
The Attorney General has exclusive authority to enforce TIPA, and a violation cannot be the basis for a private right of action, including a class action.
A violation of this part shall not serve as the basis for, or be subject to, a private right of action, including a class action lawsuit, under this part or other law.
See Tenn. Code Ann. § 47-18-3313(e).
Primary law
E.2 Tenn. Code Ann. § 47-18-3313
Before bringing an action, the Attorney General must give 60 days' written notice identifying the specific provisions allegedly violated, and may not sue if the violation is cured within that period.
Prior to initiating an action under this part, the attorney general and reporter shall provide a controller or processor sixty-days' written notice identifying the specific provisions of this part the attorney general and reporter alleges have been or are being violated.
See Tenn. Code Ann. § 47-18-3313(b).
Primary law
E.3 Tenn. Code Ann. § 47-18-3314
A controller or processor has an affirmative defense if it maintains a written privacy program reasonably conforming to the NIST privacy framework and providing consumers the substantive rights TIPA requires.
A controller or processor has an affirmative defense to a cause of action for a violation of this part if the controller or processor creates, maintains, and complies with a written privacy policy that:
  (1)
    (A) Reasonably conforms to the National Institute of Standards and Technology (NIST) privacy framework entitled “A Tool for Improving Privacy through Enterprise Risk Management Version 1.0.” or other documented policies, standards, and procedures designed to safeguard consumer privacy;
See Tenn. Code Ann. § 47-18-3314(a).