Compliance Briefing — June 2, 2025
Tennessee's Information Protection Act takes effect July 1, 2025 with 175k-consumer scope, revenue qualifiers, and Virginia-style duties around notices, consumer rights, and data minimization; teams should align opt-out handling, processor terms, and appeals before enforcement.
Executive briefing: Tennessee’s Information Protection Act (TIPA), enacted through HB1181/SB0073 and codified at Tenn. Code Ann. § 47-18-3201 et seq., becomes enforceable on 1 July 2025. The statute largely mirrors the Virginia/Colorado comprehensive privacy model—mandating purpose limitation, data minimization, transparent notices, and consumer rights handling—while covering controllers that meet specific revenue and volume thresholds. The Tennessee Attorney General holds exclusive enforcement authority with civil penalties up to $7,500 per violation and a 60-day cure period available through 31 December 2025.
Scope and thresholds: Applicability attaches to controllers or processors that (a) conduct business in Tennessee or target residents, and (b) control or process personal data of at least 175,000 consumers in a calendar year (excluding personal data processed solely for payment transactions), or 25,000 consumers when over 25% of gross revenue derives from selling personal data. The law exempts state and local government entities, nonprofit organizations, higher-education institutions, financial institutions and data subject to GLBA, entities and data regulated by HIPAA/HITECH, and data sets covered by FCRA, DPPA, FERPA, and COPPA.
Key obligations:
- Privacy notices: Provide clear disclosures on categories of personal data processed, purposes, third-party sharing/sales, methods for exercising rights (including appeals), and categories of personal data sold or used for targeted advertising.
- Consumer rights and timelines: Enable access, correction, deletion, portability, and opt-out of targeted advertising, sale of personal data, and significant profiling decisions. Controllers must respond within 45 days (extendable once by 45 days when reasonably necessary) and deliver appeal outcomes within 60 days, including Attorney General contact information when denying a request.
- Data minimization and security: Limit collection to what is adequate, relevant, and reasonably necessary for disclosed purposes; process sensitive data only with opt-in consent; and maintain reasonable administrative, technical, and physical safeguards.
- Assessments and contracts: Conduct data protection assessments for targeted advertising, sales of personal data, profiling that presents foreseeable risks, processing of sensitive data, and any activity posing heightened harm. Processor agreements must include documented instructions, confidentiality, subprocessor controls, assistance with rights/assessments, and secure deletion or return of data at termination.
Model alignment: TIPA follows the Virginia Consumer Data Protection Act structure (rights set, appeal window, opt-in for sensitive data, and detailed controller/processor terms) and shares Colorado’s emphasis on data protection assessments. Unlike Colorado, TIPA does not mandate honoring universal opt-out signals, but controllers operating across states should accept global privacy controls to streamline cross-jurisdiction opt-outs. The law also introduces an affirmative-defense path through documented privacy programs aligned to recognized frameworks such as NIST.
Implementation priorities (pre-July 2025 go-live):
- Stand up global opt-out signal handling (e.g., Global Privacy Control) even though not explicitly required, ensuring targeted advertising and sale processing can be shut off at the controller and vendor layers for Virginia/Colorado parity.
- Refresh processor and subprocessor contracts to incorporate TIPA-required clauses (instructional control, confidentiality, assistance, assessments, and secure return/deletion) and align with existing Virginia/Colorado templates.
- Finalize DSAR intake and appeals workflows with 45-day response and 60-day appeal deadlines, clear denial rationales, and escalation paths to the Attorney General information when requests are denied.
- Run data protection assessments for targeted advertising, sales, profiling, sensitive data processing, and any high-risk use cases; document minimization and purpose-compatibility rationales.
Continue in the Compliance pillar
Return to the hub for curated research and deep-dive guides.
Latest guides
-
Third-Party Risk Oversight Playbook — Zeph Tech
Operationalize OCC, Federal Reserve, EBA, and MAS outsourcing expectations with lifecycle controls, continuous monitoring, and board reporting.
-
Compliance Operations Control Room — Zeph Tech
Implement cross-border compliance operations that satisfy Sarbanes-Oxley, DOJ guidance, EU DORA, and MAS TRM requirements with verifiable evidence flows.
-
SOX Modernization Control Playbook — Zeph Tech
Modernize Sarbanes-Oxley (SOX) compliance by aligning PCAOB AS 2201, SEC management guidance, and COSO 2013 controls with data-driven testing, automation, and board reporting.