Policy Briefing — July 1, 2025

Executive briefing: Tennessee’s Information Protection Act (TIPA) takes effect on July 1, 2025. Covered controllers—processing data on 100,000 residents annually or 25,000 with 50% of revenue from data sales—must deliver access, correction, deletion, and portability rights, honor opt-outs for targeted advertising and profiling, and implement documented privacy programs overseen by executive leadership.

Key statutory signals

• Reasonable privacy program mandate. TIPA requires controllers to maintain written policies for data minimization, secure handling, and governance aligned to industry standards such as NIST or ISO frameworks.
• Risk assessments. Controllers must conduct and retain privacy impact assessments for processing activities presenting increased risk of harm, including targeted advertising, data sales, and profiling decisions with legal or significant effects.
• Limited cure period. The Tennessee Attorney General enforces the law with a 60-day cure provision that sunsets after July 1, 2026, emphasizing early remediation readiness.

Operational priorities

• Reconcile opt-out workflows. Expand consent management platforms to capture Tennessee-specific signals and support universal opt-out mechanisms.
• Document program governance. Align policy repositories, executive reporting cadences, and training logs with TIPA’s "reasonable privacy program" definition.
• Centralize assessment evidence. Integrate TIPA assessment triggers into enterprise DPIA tooling with links to remediation tickets and vendor oversight.

Sources

• Tennessee Public Chapter No. 31 (SB73/HB1181)
• JD Supra: Tennessee Information Protection Act
• Husch Blackwell: Tennessee enacts privacy law

Zeph Tech is integrating Tennessee compliance with consent orchestration, privacy program maturity assessments, and cross-jurisdictional remediation tracking.