State privacy law
Tennessee’s Information Protection Act takes effect July 1, 2025, requiring controllers to support sale and ad opt-outs, close consumer requests within 45 days, and retain DPIA records and evidence of 60-day cure-period responses for attorney-general enforcement.
Verified for technical accuracy — Kodi C.
The Tennessee Information Protection Act (TIPA) becomes enforceable on 1 July 2025. The law imposes obligations on businesses processing personal data of at least 25,000 Tennessee consumers and generating more than US$25 million in revenue, with additional triggers tied to targeted advertising or sale of personal data. Although the Attorney General retains sole enforcement authority, boards should treat TIPA as part of the multi-state privacy environment—alongside Virginia, Colorado, and Texas—and ensure governance, evidence, and reporting frameworks can withstand regulatory scrutiny.
Applicability and data inventory
Begin with a defensible applicability assessment that documents revenue thresholds, consumer counts, and data processing activities. Maintain a personal data inventory mapping systems, data categories, sensitivity levels, and processing purposes. Identify service providers and third parties receiving data, noting contractual obligations. Capture data lineage diagrams illustrating flows between marketing platforms, CRM systems, data warehouses, and AI models. Update records of processing to reflect TIPA-specific rights, especially opt-outs for targeted advertising, profiling, and sales.
Governance structure and oversight
Set up a privacy governance charter endorsed by the board or risk committee. Assign executive accountability to the chief privacy officer, general counsel, or chief data officer, with direct escalation routes to the board. Create a cross-functional steering committee including security, marketing, product, customer service, procurement, and internal audit. Document meeting agendas, decisions, risk acceptances, and resource approvals. Integrate TIPA into enterprise risk management by updating privacy risk appetite statements and key risk indicators.
Policy and control framework
Update privacy notices, internal policies, and procedures to reflect TIPA terminology and consumer rights. Key documents include data subject request handling procedures, targeted advertising governance, sensitive data handling standards, and de-identification guidelines. Align with FTC guidance on dark patterns and deception. Ensure policies reference Tennessee-specific requirements, such as the 60-day cure period and the affirmative defense for programs aligned with the NIST Privacy Framework. Retain redlines showing policy evolution, approval records, and rollout communications.
Data protection impact assessments
TIPA requires documented data protection assessments for activities such as targeted advertising, sale of personal data, profiling with legal effects, and processing sensitive data. Build an assessment template capturing business purpose, data categories, benefits, risks, mitigations, residual risk ratings, and approval signatures. Store assessments in a searchable repository linked to system inventories. Implement triggers for reassessment when products change, new datasets are ingested, or regulators issue guidance. Provide the board with a quarterly summary of completed assessments, outstanding actions, and high-risk items requiring oversight.
Consumer rights operations
Establish workflows to intake, authenticate, fulfill, and document consumer requests for access, correction, deletion, data portability, and opt-outs. Implement omnichannel intake—web forms, email, phone—with identity verification controls proportionate to risk. Track response timelines to ensure completion within 45 days, with extension approvals documented. Maintain a rights request log capturing request type, source, decision, rationale for denial, and escalations. For targeted advertising and profiling opt-outs, configure preference centers and cookie consent tools with auditable logs.
Consent and opt-out management
While TIPA generally allows opt-out regimes for targeted advertising, sensitive data (such as precise geolocation, children’s data, and genetic information) requires opt-in consent. Implement consent management platforms capable of storing granular preferences, timestamps, and revocation events. Integrate consent signals into downstream systems—ad tech platforms, personalization engines, data brokers—so they honor choices in near real time. Document testing of consent propagation and maintain screenshots showing successful suppression across channels.
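The consent ledger, propagation test, and 45-day request clock described in the two sections above, as an added illustration that is not code from the original page or from any consent platform. It assumes an append-only event log where the latest event per consumer and purpose decides, treats the purposes named on this page as opt-out or opt-in by default, and uses constructed sample events and a constructed snapshot of downstream system state; the extension length of a further 45 days is an assumption.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta

# Default regime per purpose: opt-out purposes are permitted until revoked,
# opt-in (sensitive) purposes are not permitted without an affirmative grant.
OPT_OUT_PURPOSES = {"targeted_advertising", "sale", "profiling"}
OPT_IN_PURPOSES = {"precise_geolocation", "genetic_data", "childrens_data"}


@dataclass(frozen=True)
class ConsentEvent:
    consumer_id: str
    purpose: str
    action: str        # "grant" or "revoke"
    at: datetime       # timestamp retained for the audit trail


def effective_choices(events):
    """Replay the ledger in time order; the last event per (consumer, purpose) wins."""
    latest = {}
    for e in sorted(events, key=lambda e: e.at):
        latest[(e.consumer_id, e.purpose)] = e.action == "grant"
    return latest


def is_permitted(choices, consumer_id, purpose):
    """Recorded choice if present, otherwise the purpose's default regime."""
    if (consumer_id, purpose) in choices:
        return choices[(consumer_id, purpose)]
    return purpose in OPT_OUT_PURPOSES


def propagation_gaps(choices, downstream):
    """downstream: {system: {(consumer_id, purpose): still_processing}}.
    Returns systems that keep processing where the effective choice forbids it."""
    return sorted((system, cid, purpose)
                  for system, state in downstream.items()
                  for (cid, purpose), processing in state.items()
                  if processing and not is_permitted(choices, cid, purpose))


def request_due_date(received: date, extended: bool = False, reason: str = "") -> date:
    """45-day deadline; an extension is only accepted with a documented reason."""
    if extended and not reason.strip():
        raise ValueError("extension requires a documented reason")
    return received + timedelta(days=90 if extended else 45)  # extra 45 days assumed


# Constructed sample data: c-001 granted geolocation, then revoked ads and geolocation.
SAMPLE_EVENTS = [
    ConsentEvent("c-001", "precise_geolocation", "grant", datetime(2025, 7, 2, 9, 0)),
    ConsentEvent("c-001", "targeted_advertising", "revoke", datetime(2025, 7, 3, 10, 0)),
    ConsentEvent("c-001", "precise_geolocation", "revoke", datetime(2025, 7, 4, 11, 0)),
]
SAMPLE_DOWNSTREAM = {  # constructed snapshot taken after the revocations
    "ad_platform": {("c-001", "targeted_advertising"): True, ("c-002", "targeted_advertising"): True},
    "personalization": {("c-001", "precise_geolocation"): True},
}
```

Any tuple returned by `propagation_gaps` is a suppression failure to record in the evidence pack alongside the screenshots the section above calls for.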
Vendor and data sharing governance
TIPA distinguishes between processors and third parties. Update contract templates to include required processor terms: confidentiality, assistance with consumer rights, deletion at end of engagement, and audit rights. Build a vendor risk management workflow that categorizes processors, captures due diligence questionnaires, and tracks compliance certifications. Maintain evidence of contract reviews, negotiation notes, and exceptions approved by legal. Ensure data-sharing inventories reflect sales, targeted advertising partnerships, and joint controller arrangements.
Security and breach response alignment
The affirmative defense for TIPA relies on having a documented privacy program aligned to the NIST Privacy Framework or similar. Align data governance with cybersecurity controls such as zero trust, encryption, access management, and logging. Verify that incident response playbooks integrate privacy breach obligations, including coordination with Tennessee’s data breach notification law. Retain tabletop exercise reports demonstrating readiness to notify the Attorney General and affected consumers if required.
Evidence pack structure
Create a digital evidence room segmented by control domain: governance, policies, DPIAs, consumer rights operations, consent management, vendor oversight, and security alignment. Store meeting minutes, training records, system screenshots, and assurance reports. Include metrics dashboards showing request volumes, response times, opt-out rates, DPIA status, and vendor risk ratings. Maintain traceability matrices linking TIPA requirements to policies, controls, and evidence artifacts.
Reporting and assurance
Provide monthly management reports covering consumer request statistics, complaint trends, DPIA pipeline, and open remediation actions. Present quarterly board or committee briefings summarizing compliance posture, notable incidents, and regulatory developments across other states. Coordinate internal audit reviews focusing on consumer rights workflows, vendor management, and control effectiveness. Document management responses and remediation status for audit findings.
Training and culture
Deliver targeted training modules for frontline staff, marketing teams, engineers, and executives on TIPA obligations and broader U.S. privacy trends. Track completion rates, assessment scores, and feedback. Incorporate privacy-by-design principles into product development training, ensuring developers understand DPIA triggers and consent requirements. Highlight enforcement cases from other states to reinforce expectations.
Regulatory engagement and monitoring
Monitor Attorney General rulemaking, guidance, and enforcement activity. Maintain a regulatory watchlist summarizing developments in companion states (for example, Texas TDPSA, Colorado CPA) to ensure harmonized controls. Document interactions with the Attorney General, industry groups, or advocacy teams. Prepare holding statements and communication templates for potential investigations or consumer complaints.
Next steps to reach July 2025 readiness
Within the next quarter, complete gap assessments against TIPA requirements, remediate policy updates, and finalize DPIA templates. Conduct dry runs of consumer rights fulfillment and consent revocation scenarios, logging lessons learned. Secure board approval for any remaining technology investments, such as consent platforms or rights automation tools. Plan for an independent readiness review in June 2025, and ensure the evidence pack is audit-ready to show a mature, defensible privacy governance program when the law takes effect.