October 24, 2023
Tennessee has entered the consumer privacy playing field with the Tennessee Information Protection Act (TIPA), joining a growing cohort of American states that refuse to wait for a privacy law at the federal level.
Signed into law in May 2023, the act gave businesses just over two years to prepare for the new privacy bill. The Tennessee privacy law takes effect July 1, 2025.
Here, we’ll provide all the basics about the Tennessee Information Protection Act, including who it applies to, what rights it gives consumers, and how to become compliant with the state law.
The Tennessee Information Protection Act is one in a series of state-enacted consumer data protection laws. While some countries—notably those in the European Union—have an overarching law spanning multiple jurisdictions, the United States does not.
As the amount of consumer data available online has grown, many state lawmakers have realized the importance of providing guardrails for consumers in their states.
The TIPA is Tennessee’s approach to protecting the privacy and personal data of its more than 7 million residents. It establishes the rights consumers have related to their data and governs responsibilities for those who have access to, maintain, use, or sell personal data. Like most other privacy laws, the TIPA applies to consumers acting in a personal context rather than a commercial or employment context.
You’ll need to comply with Tennessee’s privacy law if your organization exceeds $25 million in annual revenue, conducts business in the state or provides products or services that are targeted to residents of the state, and meets one or more of the following:
Like other state laws, the TIPA carves out a number of exemptions, both at the entity and the data level.
State agencies, financial institutions and those subject to the federal Gramm-Leach-Bliley Act, and insurance companies are exempt from compliance. Notably, TIPA is the first state privacy law to exempt insurance companies at the entity level.
In addition, covered entities or business associates governed by the privacy, security, and breach notification rules issued by the U.S. Department of Health and Human Services under HIPAA and the Health Information Technology for Economic and Clinical Health Act are exempt. Other exemptions cover nonprofit organizations, institutions of higher education, HIPAA-protected information, health data, and personal information processed for research.
De-identified data is also excluded from the definition of personal data.
The TIPA uses a similar definition for personal information as other state laws, namely: “information that is linked or reasonably linkable to an identified or identifiable natural person.” It does not include publicly available information or de-identified or aggregate consumer information.
Like other state privacy laws, Tennessee’s privacy law outlines a number of consumer rights, including the right to:
When a consumer makes a request, you’ll have 45 days to respond. A 45-day extension is allowed in certain instances, as long as the consumer is informed of the extension and the reason it is needed. If you decline to take action, you must still notify the consumer and provide instructions for how to appeal the decision.
Information must be provided free of charge up to twice annually, though the TIPA outlines that the controller may charge a “reasonable fee” to cover administrative costs of complying with the request. This may only be done when requests are unfounded, technically infeasible, excessive, or repetitive.
If your organization determines the purpose and means behind personal information processing (i.e., if you’re a “data controller”), then you’ll have a veritable laundry list of responsibilities to follow. You must:
In addition, you’ll be responsible for providing a reasonably accessible, clear and meaningful privacy notice to consumers. You’ll want to include information like:
As is the case with other state-level privacy laws, the Tennessee act requires controllers to enter into a contract with any entity that processes personal information on behalf of a controller. In essence, this contract is meant to ensure processors provide an equal level of protection over consumer data and assist controllers in fulfilling their responsibilities.
TIPA has several provisions that, while not completely unique in the privacy world, differ from other state laws:
Applicability: The applicability threshold is narrower than with other state laws as it only applies to those that meet both a revenue threshold and that process data of at least 175,000 residents or 25,000 residents with more than 50 percent of gross revenue coming from the sale of personal information. The 175,000 qualification is higher than other state laws.
On-ramp time: While most states are giving business owners and data controllers some time to prepare, Tennessee provided companies with two-plus years to get up to speed.
Cure period: Many state privacy laws provide a cure period—that is, a period of time for violators to course correct after being notified of their violations. The Tennessee privacy law has a 60-day cure period, which is among the longest times provided out of any other state privacy law. In addition, the right to cure doesn’t sunset as it does with some other state laws.
Affirmative defense: Notably, the TIPA is the first privacy act to provide businesses with the possibility of an affirmative defense. Essentially, an affirmative defense is evidence that a defendant may introduce to negate or mitigate their liability. In the case of the TIPA, businesses can proactively defend against potential future violations if they create a written privacy program that follows the National Institute of Standards and Technology (NIST) privacy framework or other similar policies or procedures designed to safeguard consumer privacy. As of this writing, no other U.S. privacy law offers this protection.
It’s worth noting that the Tennessee privacy act is considered to be relatively business friendly. On the spectrum of business friendliness versus consumer friendliness, it’s closer to the Utah Consumer Privacy Act (UCPA) and the Iowa Consumer Data Protection Act (ICDPA) than to its counterparts in California (the California Privacy Rights Act) and Indiana (the Indiana Consumer Data Protection Act, INCDPA).
Tennessee’s privacy act is enforceable by the state attorney general. In any case, you’ll be notified before any enforcement action is taken.
If your organization addresses the violation within the 60-day cure period, there will be no penalty. You’ll also have to provide a written statement affirming that the violation has been cured and promising not to commit a similar violation in the future.
If the violation has not been cured or if you breach the written statement, then the attorney general may penalize your organization by seeking an injunction, declaratory judgment, and other relief.
In addition, a court can issue fines up to $7,500 per violation, which has become a standard penalty among the U.S. privacy laws. However, the TIPA also allows courts to triple the actual damages caused if the violation was willful.
As is usually the case with U.S. privacy laws, there is no private right of action.
The good news for companies already maintaining compliance with other state laws is that—given the business friendliness of TIPA—controllers should be able to adapt with relative ease. However, as new comprehensive privacy acts take effect, it’s more important than ever to adopt a scalable privacy framework that enables you to become compliant with even the most stringent laws.
Maintain awareness by keeping track of laws that may impact your company. Subscribing to Osano’s newsletter can help. We also recommend reviewing the law’s text with legal counsel to help determine if you’re in compliance, and if not, what steps to take.
Finally, consider a data privacy platform like Osano. Osano provides customizable consent management, data subject access request automation, vendor management tools, automated privacy assessments, and more. Schedule a demo of Osano today to see how we can help your organization achieve and maintain TIPA compliance.
Tennessee’s privacy law is opt-out, which means consent is not required before the collection or processing of personal information. However, opt-in consent is required when processing sensitive personal information, which includes personal information collected from a known child.
The Tennessee Information Protection Act does not have a universal opt-out clause or mention the GPC signal, which is used to automatically send a request to opt out of the collection of certain personal information.
The state attorney general has exclusive authority to enforce TIPA.
Under the TIPA, sensitive data includes personal information revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status. It also includes genetic or biometric data, personal information collected from a known child, and precise geolocation data.
Controllers cannot process sensitive data without opt-in consent. In the case of a known child, data must be processed in accordance with COPPA.
Matt Davis is a writer at Osano, where he researches and writes about the latest in technology, legislation, and business to spread awareness about the most pressing issues in privacy today. When he’s not writing about data privacy, Matt spends his time exploring Vermont with his dog, Harper; playing piano; and writing short fiction.