Tennessee Privacy Law
Please note that this is intended to be a summary. It is not a complete recitation of the applicable laws and/or regulations and is not intended to be used as legal advice.
Tennessee Governor Bill Lee signed House Bill 1181, the Tennessee Information Protection Act (TIPA), into law on May 11, 2023. The TIPA’s main provisions become effective on July 1, 2025.
Like other state privacy laws, the Tennessee law creates obligations on “controllers” and “processors” of personal information, defined respectively as the natural or legal persons who, alone or jointly with another person, determine the purposes and means for processing personal information, and the natural or legal entities who process personal information on behalf of a controller.
The TIPA applies to any persons who conduct business in Tennessee producing products or services that are targeted to Tennessee residents, and that: exceed $25,000,000 in revenue and (1) control or process personal information of at least 25,000 consumers, while deriving more than 50% of annual gross revenue from the sale of personal information; or (2) during a calendar year, control or process personal information of at least 175,000 consumers.
Like many other states’ privacy laws, the TIPA exempts certain information and data from its provisions, including, among other types, personal information subject to regulation under the FCRA, HIPAA, FERPA, and GLBA.
Controllers have the following obligations under the TIPA:
- Privacy Notice: controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes the categories of personal information processed by the controller; the purpose for processing personal information; the categories of personal information that the controller shares with third parties, if any; the categories of third parties, if any, with which the controller shares personal information; and, how consumers may exercise their consumer rights and appeal any controller’s decision regarding a consumer’s request.
- Restraint: controllers must limit the collection of personal information to that which is adequate, relevant and reasonably necessary for the purposes of processing, and must obtain consumer consent for any processing outside of previously disclosed purposes.
- Security: controllers must have reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal information.
- Rights Request Mechanism: controllers must provide an effective means by which a consumer may exercise its rights under the TIPA.
Consumer rights under the TIPA include the right to:
- Confirm whether a controller is processing the consumer’s personal information and access that personal information;
- Require a controller to correct inaccuracies in personal information about the consumer;
- Require a controller to delete personal information about the consumer;
- Obtain a copy of the consumer’s personal information previously provided by the consumer to the controller in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the personal information to another controller; and,
- Opt out of the processing of personal information for purposes of targeted advertising, the sale of personal information, or profiling the consumer in furtherance of decisions made by the controller that produce legal effects or effects of similar significance for the consumer, such as those that result in the provision or denial by the controller of financial or lending services, housing, insurance, education enrollment or opportunity, or access to essential goods or services.
Controllers must respond to a consumer’s rights request within 45 days of receipt of the consumer’s request, with an option to extend such response by an additional 45 days with notice to the consumer.
Like most of the recent data privacy laws being enacted, the TIPA does not provide a private right of action, with violations only enforceable by the Tennessee Attorney General’s office. The Tennessee Attorney General must issue a notice of violation to a controller prior to initiating any action for violation of the TIPA, and if the controller fails to correct the action within 60 days of the notice, the attorney general may bring an action under the TIPA, which may result in an injunction or a civil penalty of up to $7,500 for each violation, with treble damages available if the violation is found to be willful or knowing.