TIPA marks a significant development in data privacy for businesses operating in the state. This comprehensive legislation grants consumers enhanced control over their personal information while establishing stringent responsibilities for businesses and service providers. Navigating TIPA’s extensive requirements is crucial for maintaining your company’s compliance and reputation.

Here are key takeaways from the bill passed by the legislature:

• Entities Affected: The law affects entities that conduct business in Tennessee or provide products or services to Tennessee residents, exceed $25 million in revenue, and meet one of these criteria:
  • Control or process information of 25,000 or more Tennessee consumers per year and derive more than 50% of gross revenue from the sale of personal information; or
  • Control or process information of at least 175,000 Tennessee consumers.
• Consumer Rights: TIPA creates consumer rights to confirm, access, correct, delete, or obtain a copy of their personal information, or opt out of specific uses of their data. Controllers must respond to authenticated consumer requests within 45 days, with a possible 45-day extension, and establish an appeal process for refusals to take action on requests. If the controller cannot authenticate the consumer’s request, they can ask for additional information to do so.
• Data Controller Responsibilities: Controllers must limit data collection and processing to what is necessary, maintain data security practices, avoid discrimination, and obtain consent for processing sensitive data. Controllers must provide a clear and accessible privacy notice detailing their practices, and, if selling personal information or using it for targeted advertising, disclose these practices and provide an opt-out option. Controllers must also offer a secure and reliable means for consumers to exercise their rights without requiring consumers to create a new account.
• Controller–Processor Requirements: Processors must adhere to controllers’ instructions and assist them in meeting their obligations, including responding to consumer rights requests and providing necessary information for data protection assessments. Contracts between controllers and processors must outline data processing procedures, including confidentiality, data deletion or return, compliance demonstration, assessments, and subcontractor engagement. The determination of whether a person is acting as a controller or processor depends on the context and specific processing of personal information.
• Data Protection Assessments: Controllers must conduct and document data protection assessments for specific data processing activities involving personal information. These assessments must weigh the benefits and risks of processing, with certain factors considered. Assessments are confidential, exempt from public disclosure, and not retroactive.
• De-Identified Data Exemptions: Controllers must take measures to ensure that de-identified data cannot be associated with a natural person, publicly commit to not reidentifying data, and contractually obligate recipients to comply with the law. Consumer rights do not apply to pseudonymous data under certain conditions, and controllers must exercise oversight of disclosed pseudonymous or de-identified data.
• Major Similarities to CCPA: TIPA shares many similarities with the CCPA, including (but not limited to):
  • Granting consumers the right to access, delete, and opt out of the sale of their personal information, and requiring businesses to provide notice of their data collection and usage practice;
  • Requiring controllers and processors to enter into contracts outlining the terms and conditions of data processing and obligating subcontractors to meet the obligations of the processor; and
  • Requiring data protection assessments for certain processing activities, weighing the benefits and risks associated with the processing.
• Affirmative Defense: TIPA provides for an “affirmative defense” against violations of the law by adhering to a written privacy policy that conforms to the NIST privacy framework or comparable standards. The privacy program’s scale and scope must be appropriate based on factors such as business size, activities, personal information sensitivity, available tools, and compliance with other laws. In addition, certifications from the Asia Pacific Economic Cooperation’s Cross-Border Privacy Rules and Privacy Recognition for Processors systems may be considered in evaluating the program.
• Enforcement: The Tennessee Attorney General retains exclusive enforcement authority for TIPA;the law expressly states that there is no private right of action. The Tennessee Attorney General must provide 60 days’ written notice and an opportunity to cure before initiating enforcement action. If the alleged violations are not cured, the Tennessee Attorney General may file an action and seek declaratory and/or injunctive relief, civil penalties up to $7,500.00 for each violation, reasonable attorney’s fees and investigative costs, and treble damages in the case of a willful or knowing violation.
• Dates and Deadlines: TIPA becomes effective on July 1, 2025.
• Exemptions: The law includes numerous exemptions, including (but not limited to):
  • Government entities;
  • Financial institutions, their affiliates, and data subject to the Gramm-Leach-Bliley Act (GLBA);
  • Insurance companies;
  • Covered entities, business associates, and protected health information governed by the Health Insurance Portability and Accountability Act (HIPAA) and/or the Health Information Technology for Economic and Clinical Health Act (HITECH);
  • Nonprofit organizations;
  • Higher education institutions; and
  • Personal information that is subject to other laws such as the Children’s Online Privacy Protection Act (COPPA), the Family Educational Rights and Privacy Act (FERPA), and the Fair Credit Reporting Act (FCRA).

Despite having extensive carve-outs, TIPA grants consumers extensive rights over their personal information, and places stringent compliance obligations on businesses (controllers) and service providers (processors). Businesses should start planning for compliance now to avoid costly enforcement actions down the road.