Tennessee became one of the growing number of U.S. states to enact comprehensive consumer privacy legislation when Governor Bill Lee signed the Tennessee Information Protection Act (TIPA) on May 11, 2023. The law took effect on July 1, 2025, giving Tennessee residents a defined set of rights over their personal data and imposing obligations on businesses that collect and process it. Here is what you need to know about your privacy rights under Tennessee law.
The Tennessee Information Protection Act (TIPA)
TIPA establishes a framework for how businesses must handle the personal data of Tennessee residents. It grants consumers specific rights over their information and requires businesses to be transparent about their data practices. The law was modeled in part on Virginia's VCDPA, adopting a business-friendly approach that includes a generous cure period and enforcement exclusively through the state Attorney General.
TIPA applies to businesses that conduct business in Tennessee or produce products or services targeted to Tennessee residents and meet both of the following criteria:
- Annual revenue exceeding $25 million
- Either: control or process personal data of 175,000 or more consumers, or control or process personal data of 25,000 or more consumers and derive more than 50% of gross revenue from the sale of personal data
This dual-threshold requirement means TIPA applies primarily to larger businesses or those that are heavily involved in the data trade. Small local businesses and startups are unlikely to be covered unless they are specifically in the data brokerage or advertising business.
Key Dates
TIPA was signed into law on May 11, 2023, and took effect on July 1, 2025. The law includes a 60-day cure period for violations, meaning businesses have two months to fix problems before facing enforcement action from the Tennessee Attorney General.
Your Rights Under TIPA
As a Tennessee resident, you have the following rights with respect to your personal data:
Right to Confirm and Access
You have the right to confirm whether a business is processing your personal data and to access the specific data it holds about you. This means you can ask any covered business to tell you exactly what information they have collected and how they are using it.
Right to Correct
If a business holds inaccurate personal data about you, you can request that they correct it. This is particularly important when errors in your data could affect credit decisions, insurance, employment, or other significant areas of your life.
Right to Delete
You can request that a business delete the personal data it has collected from you or about you. There are limited exceptions, such as data needed to complete a transaction, comply with a legal obligation, or detect security incidents.
Right to Data Portability
You can request a copy of your personal data in a portable, readily usable format. This allows you to transfer your information to another service provider without unnecessary barriers.
Right to Opt Out
TIPA gives you the right to opt out of three specific types of data processing:
- Sale of personal data -- the exchange of your personal data for monetary consideration
- Targeted advertising -- ads based on personal data collected from your activities across different websites, applications, and services
- Profiling -- automated processing that produces legal or similarly significant effects on you, such as decisions about employment, credit, insurance, or housing
How to Exercise Your Rights
Businesses covered by TIPA must provide clear methods for consumers to submit privacy requests. Look for links labeled "Privacy," "Your Privacy Rights," or similar language in a company's website footer. Businesses must respond to your request within 45 days. If a business needs additional time due to the complexity of the request, it may extend the response period by an additional 45 days, but it must notify you of the extension and the reason for it.
If your request is denied, you have the right to appeal. The business must provide a process for appeal and must respond to your appeal within 60 days. If the appeal is also denied, you can file a complaint with the Tennessee Attorney General's office.
No Private Right of Action
Like Virginia's VCDPA, TIPA does not grant consumers the right to sue businesses directly for privacy violations. Enforcement is exclusively handled by the Tennessee Attorney General. If you believe a company has violated your rights, your recourse is to file a complaint with the AG's office rather than pursue a private lawsuit.
Sensitive Data Requires Opt-In Consent
TIPA treats certain categories of personal data as sensitive and requires businesses to obtain your opt-in consent before collecting or processing them. Sensitive data under TIPA includes:
- Racial or ethnic origin
- Religious beliefs
- Mental or physical health diagnosis
- Sexual orientation
- Citizenship or immigration status
- Genetic data
- Biometric data used for identification
- Personal data from a known child
- Precise geolocation data
This is an important safeguard. A company cannot collect your health records, biometric scans, or geolocation data without first asking for and receiving your explicit permission.
Data Protection Impact Assessments
TIPA requires businesses to conduct Data Protection Impact Assessments (DPIAs) before engaging in processing activities that present a heightened risk of harm to consumers. These assessments are mandatory for:
- Processing personal data for targeted advertising
- Selling personal data
- Processing personal data for profiling where there is a foreseeable risk of harm
- Processing sensitive data
- Any processing activity that presents a heightened risk of harm to consumers
The assessments must weigh the benefits of the processing to the business, the consumer, and the public against the potential risks to consumer rights. The Tennessee Attorney General can request these assessments during an investigation.
The 60-Day Cure Period
One of TIPA's most distinctive features is its 60-day cure period. Before the Attorney General can bring an enforcement action, the business must be given written notice of the alleged violation and 60 days to cure (fix) the problem. This is longer than the cure periods in most other state privacy laws and reflects Tennessee's business-friendly approach to regulation.
If the business cures the violation within 60 days and provides the AG's office with a written statement confirming the cure and explaining how it will prevent future violations, no enforcement action is taken. If the business fails to cure the violation, the AG can pursue civil penalties.
Exemptions Unique to Tennessee
TIPA includes several exemptions that are worth noting, some of which are broader than those found in other state privacy laws:
- Financial institutions covered by the Gramm-Leach-Bliley Act (GLBA)
- HIPAA-covered entities and their business associates
- Nonprofit organizations
- Higher education institutions
- Insurance providers -- this exemption is unusual and reflects the state's significant insurance industry
These exemptions mean that your interactions with banks, hospitals, universities, charities, and insurance companies in Tennessee are not covered by TIPA. Those entities are instead governed by their respective federal regulatory frameworks.
How TIPA Compares to Other State Laws
Tennessee's privacy law occupies a middle ground in the national landscape:
- More restrictive thresholds than some states: The $25 million revenue requirement plus the data volume threshold means fewer businesses are covered compared to states like Colorado or Connecticut.
- Longer cure period: At 60 days, Tennessee's cure period is among the longest, giving businesses more time to address violations before facing penalties.
- Broader exemptions: The insurance industry exemption is unusual and means a significant sector of Tennessee's economy operates outside the law's scope.
- AG-only enforcement: Like Virginia, enforcement rests solely with the Attorney General, with no private right of action for consumers.
How to Protect Your Privacy Today
TIPA gives you real rights, but exercising them across every company that holds your data takes time and persistence. Here is how to take action:
- Search for yourself online. Look up your name on Google and popular people-search sites to see what personal data is publicly available about you.
- Submit opt-out and deletion requests. Use the privacy links on company websites to opt out of data sales and targeted advertising, and request deletion of data you do not want them to hold.
- Review privacy notices. Before signing up for new services, read the privacy notice to understand what data will be collected and how it will be used.
- File complaints when companies do not respond. If a business ignores or denies your request without valid justification, file a complaint with the Tennessee Attorney General's office.
- Use PrivacyOn to automate the process. Manually contacting hundreds of data brokers is time-consuming, and brokers frequently re-list your information after removal. PrivacyOn removes your data from over 100 data broker sites, continuously monitors for re-listings, and includes dark web monitoring to alert you if your information surfaces in places you cannot reach on your own.
Tennessee's TIPA is a meaningful step forward for consumer privacy, but no law can fully address the sprawling ecosystem of data brokers and people-search sites that trade in your personal information every day. Combining your legal rights with a service like PrivacyOn ensures that your data stays private -- not just in theory, but in practice.