Tennessee is officially joining the growing list of states enacting consumer data privacy legislation. The Tennessee Information Protection Act (TIPA), which goes into effect July 1, 2025, introduces new requirements for businesses handling personal consumer data. Inspired by laws like the Virginia Consumer Data Protection Act, TIPA is designed to give Tennessee consumers more control over their personal information while requiring businesses to strengthen their data protection practices. With just over a year to prepare, now is the time for businesses to understand their obligations and take proactive steps toward compliance.

Understanding the Basics of TIPA

TIPA applies to entities that conduct business in Tennessee or target products and services to Tennessee residents, and that meet at least one of the following thresholds:

• Control or process the personal data of at least 100,000 Tennessee consumers during a calendar year; or
• Control or process the personal data of at least 25,000 Tennessee consumers and derive more than 50% of gross revenue from the sale of personal data.

Importantly, TIPA does not apply to government entities, certain financial institutions, or entities governed by HIPAA. It also exempts specific types of data such as health records and certain employment-related information.

Key Consumer Rights Under TIPA

TIPA grants Tennessee consumers a suite of new rights regarding their personal data. These rights align closely with those seen in other state privacy laws and include:

• Right to Access: Consumers can confirm whether a controller is processing their personal data and access that data.
• Right to Correct: Consumers can request corrections to inaccuracies in their personal data.
• Right to Delete: Consumers can ask for their personal data to be deleted.
• Right to Portability: Consumers can obtain a copy of their data in a portable format.
• Right to Opt-Out: Consumers can opt out of targeted advertising, data sales, and profiling that has legal or similarly significant effects.

Businesses must respond to these requests within 45 days, with a possible 45-day extension, and must also offer a clear and accessible privacy notice outlining data practices.

Obligations for Businesses

To comply with TIPA, businesses must implement several operational and technical measures:

• Data Minimization and Purpose Limitation: Collect only the data necessary for specified purposes and ensure it is not used beyond those purposes.
• Security Measures: Use reasonable administrative, technical, and physical safeguards to protect personal data.
• Contracts with Processors: Ensure written contracts govern relationships with data processors, outlining confidentiality and processing limitations.
• Data Protection Assessments: Conduct risk assessments for processing activities that present heightened risks to consumer rights, such as targeted advertising or profiling.

TIPA also includes a unique requirement: businesses must create and maintain a data privacy program reasonably designed to ensure compliance with the law.

State Resources and Enforcement

The Tennessee Attorney General’s Office has published resources to assist businesses and consumers. Their guidance emphasizes the need for businesses to begin preparing now by:

• Reviewing and updating data maps
• Identifying data-sharing practices
• Drafting or updating privacy notices
• Developing response protocols for consumer requests
• Implementing staff training programs

Enforcement of TIPA will fall exclusively to the Tennessee Attorney General. There is no private right of action, but businesses are granted a 60-day cure period to address alleged violations. Failure to comply could result in civil penalties of up to $7,500 per violation.

How Small Businesses Can Prepare

Small businesses may feel overwhelmed by privacy compliance, but there are practical steps they can take to get ready for TIPA:

• Conduct a Readiness Assessment: Evaluate current data practices and compare them to TIPA requirements.
• Update Policies and Notices: Make sure your privacy policy reflects TIPA rights and includes a clear method for consumers to exercise those rights.
• Establish Internal Protocols: Set up a system to handle consumer requests efficiently and document your responses.
• Train Employees: Ensure your staff understands their role in protecting consumer data and complying with new procedures.
• Leverage Available Tools: Use checklists and resources provided by state agencies or industry associations to stay on track.

Get Ahead of the Deadline

TIPA is not just another piece of legislation—it signals a broader shift toward increased consumer privacy and business accountability. By starting preparations now, Tennessee businesses can avoid last-minute scrambles and demonstrate a commitment to responsible data stewardship. With guidance from the Attorney General’s Office and clear benchmarks in place, the path to compliance is manageable for organizations of all sizes. July 1, 2025, will be here sooner than you think. Don’t wait—start building your privacy program today.

Click here to learn how Truyo can help you prepare for the TIPA and other regulations.