Tennessee Information Protection Act

Tennessee’s Information Protection Act (TIPA), enacted through HB1181/SB0073 and codified at Tenn. Code Ann. § 47-18-3201 et seq., becomes enforceable on 1 July 2025. The statute largely mirrors the Virginia/Colorado full privacy model—mandating purpose limitation, data minimization, transparent notices, and consumer rights handling—while covering controllers that meet specific revenue and volume thresholds. The Tennessee Attorney General holds exclusive enforcement authority with civil penalties up to $7,500 per violation and a 60-day cure period available through 31 December 2025.

Scope and thresholds: Applicability attaches to controllers or processors that (a) conduct business in Tennessee or target residents, and (b) control or process personal data of at least 175,000 consumers in a calendar year (excluding personal data processed solely for payment transactions), or 25,000 consumers when over 25% of gross revenue derives from selling personal data. The law exempts state and local government entities, nonprofit organizations, higher-education institutions, financial institutions and data subject to GLBA, entities and data regulated by HIPAA/HITECH, and data sets covered by FCRA, DPPA, FERPA, and COPPA.

Key obligations:

• Privacy notices: Provide clear disclosures on categories of personal data processed, purposes, third-party sharing/sales, methods for exercising rights (including appeals), and categories of personal data sold or used for targeted advertising.
• Consumer rights and timelines: Enable access, correction, deletion, portability, and opt-out of targeted advertising, sale of personal data, and significant profiling decisions. Controllers must respond within 45 days (extendable once by 45 days when reasonably necessary) and deliver appeal outcomes within 60 days, including Attorney General contact information when denying a request.
• Data minimization and security: Limit collection to what is adequate, relevant, and reasonably necessary for disclosed purposes; process sensitive data only with opt-in consent; and maintain reasonable administrative, technical, and physical safeguards.
• Assessments and contracts: Conduct data protection assessments for targeted advertising, sales of personal data, profiling that presents foreseeable risks, processing of sensitive data, and any activity posing heightened harm. Processor agreements must include documented instructions, confidentiality, subprocessor controls, assistance with rights/assessments, and secure deletion or return of data at termination.

Virginia model alignment

TIPA closely follows the Virginia Consumer Data Protection Act, allowing organizations with VCDPA compliance programs to extend coverage efficiently. Key differences include Tennessee's higher 175,000-consumer threshold (versus 100,000 in Virginia) and the longer 60-day cure period. If you are affected, document a crosswalk between VCDPA and TIPA requirements, identifying where existing controls satisfy both statutes and where Tennessee-specific adjustments are needed.

Appeals process setup

Tennessee's 60-day appeals timeline creates operational pressure on intake workflows. Design ticketing systems to automatically escalate unresolved appeals, assign dedicated reviewers, and generate Attorney General notification templates when required. Maintain audit trails of all appeal communications, including timestamps, reviewer identities, and decision rationale.

Data sale revenue tracking

The 25% revenue threshold for smaller-volume processors requires finance and legal coordination to accurately calculate data sale revenue. Establish accounting methodologies that separate data monetization revenue streams, document allocation assumptions, and review calculations quarterly. Changes in revenue mix may trigger applicability even when consumer volumes remain below 175,000.

Detailed guidance

Successful implementation requires a structured approach that addresses technical, operational, and organizational considerations. Organizations should establish dedicated implementation teams with clear responsibilities and sufficient authority to drive necessary changes across the enterprise.

Project governance should include regular status reviews, risk assessments, and stakeholder communications. Executive sponsorship is essential for securing resources and removing organizational barriers that might impede progress.

Change management practices help ensure smooth transitions and stakeholder acceptance. Training programs, communication plans, and feedback mechanisms all contribute to effective change management outcomes.

Assurance and verification

Compliance verification involves systematic evaluation of implemented controls against applicable requirements. Organizations should establish verification procedures that provide objective evidence of compliance status and identify areas requiring remediation.

Internal audit functions play an important role in providing independent assurance over compliance activities. Audit plans should incorporate risk-based prioritization and coordination with external audit requirements where applicable.

Continuous compliance monitoring capabilities enable early detection of control failures or compliance drift. Automated monitoring tools can provide real-time visibility into compliance status across multiple control domains.

Working with vendors

Third-party relationships require careful management to ensure compliance obligations are properly addressed throughout the vendor ecosystem. Due diligence procedures should evaluate vendor compliance capabilities before engagement.

Contractual provisions should clearly allocate compliance responsibilities and establish appropriate oversight mechanisms. Service level agreements should address compliance-relevant performance metrics and reporting requirements.

Ongoing vendor monitoring ensures continued compliance throughout the relationship lifecycle. Periodic assessments, audit rights, and incident response procedures all contribute to effective third-party risk management.

What planners should consider

Strategic alignment ensures that compliance initiatives support broader organizational objectives while addressing regulatory requirements. Leadership should evaluate how this development affects competitive positioning, operational efficiency, and stakeholder relationships.

Resource planning should account for both immediate implementation needs and ongoing operational requirements. Organizations should develop realistic timelines that balance urgency with practical constraints on resource availability and organizational capacity for change.

How to measure progress

Effective monitoring programs provide visibility into compliance status and control effectiveness. Key performance indicators should be established for critical control areas, with regular reporting to appropriate stakeholders.

Metrics should address both compliance outcomes and process efficiency, enabling continuous improvement of compliance operations. Trend analysis helps identify emerging issues and evaluate the impact of improvement initiatives.

Final notes

Organizations should prioritize assessment of their current posture against the requirements outlined above and develop actionable plans to address identified gaps. Regular progress reviews and stakeholder communications help maintain momentum and accountability throughout the implementation journey.

Continued engagement with industry peers, professional associations, and regulatory bodies provides valuable opportunities for knowledge sharing and influence on future policy developments. Organizations that address emerging requirements position themselves favorably relative to competitors and build stakeholder confidence.

Sustaining progress

Compliance programs should incorporate mechanisms for continuous improvement based on lessons learned, emerging best practices, and evolving requirements. Regular program assessments help identify enhancement opportunities and ensure sustained effectiveness over time.

Organizations that approach this development strategically, with appropriate attention to governance, risk management, and operational excellence, will be well-positioned to achieve compliance objectives while supporting broader business goals.

See also

Selected articles on related subjects.

Compliance · Credibility 86/100 · August 13, 2025

Compliance — State privacy

Seven months into enforcement, New Hampshire’s privacy law is testing whether controllers can maintain opt-out fulfillment, data protection assessments, and 60-day cure evidence ahead of the statute’s cure-period sunset…

Compliance · Credibility 89/100 · July 1, 2023

Connecticut Data Privacy Act

Connecticut's Data Privacy Act went into effect. Another state joins the U.S. privacy patchwork with access, deletion, correction, and opt-out rights. If you are selling to Connecticut residents, add it to your…

Compliance · Credibility 87/100 · June 23, 2025

Compliance Reminder — June 23, 2025

Tennessee's privacy law enforcement deadline is approaching. If you have not implemented consumer rights processes, data protection assessments, and privacy notices for Tennessee residents, you are running out of time.

Compliance · Credibility 86/100 · August 1, 2025

Compliance — State privacy

Minnesota's Consumer Data Privacy Act became effective July 31, 2025. It requires universal opt-out signal recognition, teen consent for 13-15 year olds, and data protection assessments. One of the stricter state privacy…

Compliance · Credibility 86/100 · August 8, 2025

Compliance — State privacy

Tennessee’s Information Protection Act has been enforceable for just over a month, and controllers must now evidence universal opt-out, data protection assessment, and appeals workflows to satisfy the law’s cure-based…

Continue in the Compliance pillar

Return to the hub for curated research and deep-dive guides.

Visit pillar hub

Latest guides

• Third-Party Risk Oversight Playbook

  Operationalize OCC, Federal Reserve, EBA, and MAS outsourcing expectations with lifecycle controls, continuous monitoring, and board reporting.

• Compliance Operations Control Room

  Implement cross-border compliance operations that satisfy Sarbanes-Oxley, DOJ guidance, EU DORA, and MAS TRM requirements with verifiable evidence flows.

• ESG Assurance Operating Guide

  Deploy credible ESG assurance across CSRD, SEC climate disclosure, and ISSA 5000 requirements with regulator-aligned controls, data governance, and audit-ready evidence.

Coverage intelligence

Published

June 2, 2025

Coverage pillar

Compliance

Source credibility

87/100 — high confidence

Topics

Tennessee Information Protection Act · State privacy compliance · Consumer rights · Data protection assessments

Sources cited

3 sources (publications.tnsosfiles.com, capitol.tn.gov, iso.org)

Reading time

5 min

Cited sources

1. Tennessee Information Protection Act (HB1181/SB0073) — Public Chapter 31 (2023) — publications.tnsosfiles.com
2. Tennessee General Assembly Fiscal Review — HB1181 Fiscal Memorandum — capitol.tn.gov
3. ISO 37301:2021 — Compliance Management Systems — International Organization for Standardization