Tennessee has joined the growing list of states enacting comprehensive consumer privacy legislation. The Tennessee Information Protection Act (TIPA) was signed into law on May 11, 2023, and will take effect on July 1, 2025. With similarities to other state privacy laws, TIPA establishes consumer rights and business obligations, but it also includes some unique provisions, such as a safe harbour for businesses that follow the National Institute of Standards and Technology (NIST) privacy framework.

Alongside TIPA, Tennessee has also enacted the Protecting Kids from Social Media Act, which took effect on January 1, 2025, aiming to safeguard minors from harmful online exposure.

With increasing privacy concerns and regulatory developments, here’s a breakdown of what the Tennessee law means for residents and businesses operating in the state.

Scope and Exemptions

TIPA applies to businesses that:

• Conduct business in Tennessee or target products and services to Tennessee residents,

• Control or process the personal data of at least 175,000 Tennessee consumers, or

• Control or process the data of at least 25,000 consumers while deriving more than 50% of gross revenue from the sale of personal data.

The law defines a controller as an entity that determines the purpose and means of processing personal data, while a consumer refers to a Tennessee resident acting in an individual or household capacity.

Exemptions

TIPA follows the trend of other U.S. privacy laws in exempting entities regulated by federal laws, including:

• Financial institutions covered under the Gramm-Leach-Bliley Act (GLBA),

• Health care entities and business associates under the Health Insurance Portability and Accountability Act (HIPAA),

• Nonprofits,

• Higher education institutions, and

• Entities handling certain types of employment and commercial data.

Consumer Rights

TIPA grants Tennessee residents several privacy rights, allowing them to exercise greater control over their personal information. These include:

• Access – Consumers can confirm whether a controller is processing their data.

• Correction – The right to correct inaccuracies in personal data.

• Deletion – Consumers can request the deletion of personal data collected from or about them.

• Data Portability – Consumers can obtain a copy of their data in a portable format.

• Opt-out – The right to opt out of:

• The sale of personal data,

• Targeted advertising, and

• Profiling that produces significant legal effects.

  
  

Unlike some privacy laws, TIPA does not provide a private right of action, meaning consumers cannot sue businesses directly for violations. Instead, enforcement falls under the Tennessee Attorney General’s Office.

Controller Obligations

Businesses covered under TIPA must adhere to strict compliance requirements, including:

• Privacy Notice – Controllers must provide clear and accessible privacy notices, including data collection practices and consumer rights.

• Consent for Sensitive Data – Businesses must obtain opt-in consent before collecting or processing sensitive data, which includes:

• Racial or ethnic origin,

• Religious beliefs,

• Mental or physical health conditions,

• Sexual orientation,

• Citizenship or immigration status,

• Genetic or biometric data, and

• Precise geolocation data.

• Data Minimization and Purpose Limitation – Businesses may only collect personal data that is adequate, relevant, and limited to what is necessary for the specified processing purpose.

• Contractual Requirements for Processors – Controllers must enter into binding agreements with processors, defining the scope of data processing, its nature, duration, and obligations to ensure compliance.

• Annual Data Protection Assessments (DPAs) – Businesses must conduct documented data protection assessments for high-risk processing activities, balancing the benefits of data processing against the potential risks to consumers.

• NIST Safe Harbor – A unique feature of TIPA is its safe harbor provision. Businesses that implement privacy policies aligned with NIST’s Privacy Framework may be eligible for reduced enforcement penalties if they face regulatory action.

Enforcement

The Tennessee Attorney General has exclusive authority to enforce TIPA. Businesses found in violation have a 60-day cure period to address and fix noncompliance. If they fail to do so, they could face penalties of up to $7,500 per violation, with additional fines for intentional violations involving minors.

Protecting Kids from Social Media Act

In addition to TIPA, Tennessee has taken a proactive stance on online child safety with the Protecting Kids from Social Media Act, effective January 1, 2025. The law requires:

• Age verification for all users of social media platforms,

• Parental consent for minors under 18 to create accounts, and

• Social media companies to implement stronger identity verification measures to prevent unauthorised access.

The Act also mandates parental control features, allowing guardians to monitor and manage their children’s social media usage, including setting time limits and restricting content access. Additionally, data retention limitations prohibit platforms from storing age verification data beyond what is necessary for compliance.

Conclusion

With TIPA taking effect in July 2025, businesses operating in Tennessee must take proactive steps toward compliance, especially those handling large amounts of consumer data. Its NIST safe harbor provision stands out, offering companies an opportunity to reduce regulatory risks by aligning with industry best practices.  

The Protecting Kids from social media Act further demonstrates Tennessee’s commitment to digital privacy and online safety. As more states continue to introduce privacy laws, businesses must stay informed and adopt robust privacy frameworks to avoid penalties and maintain consumer trust.