TIPA Tennessee cookie consent and compliance

Under TIPA, implied (opt-out) cookie consent suffices for general personal data, but explicit opt-in consent is required for sensitive personal data and data from known children. Is your consent management compliant?

What your business needs to know about TIPA Tennessee

The Tennessee Information Protection Act (TIPA), effective July 1, 2025, is a state data privacy law designed to protect Tennessee residents. It applies standards similar to other state laws and enforces privacy practices through compliance requirements, consumer rights, and penalties.

What does TIPA Tennessee compliance require?

To verify readiness for TIPA compliance, businesses need to:

Conduct an audit:

Perform a full audit of data collection and sharing practices and identify personal data collected and its purposes

Update privacy policy:

Review and update privacy and cookie policies with TIPA-specific disclosures.

Implement consent management:

Implement cookie consent banners and opt-out flows to automate consent capture and preference management

Ensure consumer rights:

Establish mechanisms to respond to consumer rights requests within 45 days

Perform Data Protection Assessments:

Safeguard privacy with regard to targeted advertising, data sales, profiling, or processing sensitive data.

Who needs to comply with TIPA Tennessee?

Compliance with TIPA is required for any for-profit business that:

Does business in Tennessee or targets Tennessee residents;

Has ≥$25 million in annual revenue;

And either processes data of ≥175,000 Tennesseans, or ≥25,000 while earning ≥50% of revenue from selling that data

Exemptions include: 

Non-profits, state agencies, higher education institutions, HIPAA-covered entities, state-licensed insurance companies, and GLBA-regulated financial institutions and data.

Consumer rights under TIPA Tennessee

Tennessee consumers are granted the:

Controllers must respond to rights requests within 45 days (extendable another 45).

Why cookies are part of TIPA Tennessee compliance

Cookies that collect personal data (e.g., IP address, identifiers) require: 

  1. Clear disclosure 
  2. Implied opt-out for general data
  3. Explicit opt-in for sensitive data or children’s data

Strictly necessary cookies remain exempt.  

Controllers must also provide clear cookie notices and opt-out mechanisms to meet transparency and compliance obligations.

Penalties for TIPA Tennessee non-compliance

Enforcement lies with the Tennessee Attorney General. Violations carry: 

A 60-day cure period before formal penalties  

After curing, must submit a written statement of resolution  

Uncured violations risk up to 7,500 USD per consumer per violation, with potential triple damages for willful breaches

Courts may also award injunctive relief and investigative costs  

No private right of action under TIPA.

How to comply with TIPA Tennessee

TIPA compliance involves specific actions, but you can also check that your approach to data privacy aligns with general best practices:

Audit:

Conduct a data audit to identify all cookies and trackers on your websites

Categorize:

Categorize cookies (e.g., necessary, preference, analytics, marketing)

Implement consent management:

Ensure consent banners are implemented correctly with granular choices, enable users to withdraw consent at any time, and maintain consent logs

Check third-party contracts:

Review third-party data-sharing practices

How CookieHub can help with TIPA Tennessee compliance

A consent management platform like CookieHub enables you to deliver compliant cookie banners, collect opt-outs/opt-ins, and manage tracking across sites to support TIPA compliance.

Frequently Asked Questions

It applies to for-profit companies doing business in Tennessee or targeting its residents, with ≥$25 million revenue and meeting consumer-data thresholds (≥175k total or ≥25k with ≥50% revenue from data sales).

Any data linked or reasonably linkable to an identified or identifiable person (name, IP, browsing history, geolocation, email, health app data), but not de-identified or publicly available data.

Includes racial/ethnic origin, religion, health, sexual orientation, citizenship, genetic/biometric data, precise geolocation, and data from known children.

The Tennessee Attorney General enforces TIPA, including issuing 60-day cure notices, penalties, and legal actions.

Nonprofits, governmental/higher-education entities, HIPAA-covered persons, state-licensed insurers, and GLBA-regulated businesses/data are exempt.

Official Tennessee code (Title 47 Chapter 18 Part 32) can provide the full background for TIPA Tennessee.