July 24, 2024
Tennessee's Privacy Law: Quick Facts
Tennessee has a new data privacy law that can affect businesses everywhere. Get a look at the law's major requirements.

Tennessee has passed its own data privacy laws, joining a growing list of U.S. states with similar legislation. While based closely on Virginia’s privacy law, the Tennessee Information Protection Act (TIPA) is not completely identical to any of its counterparts.

Here’s a quick rundown on the most important aspects of the Tennessee privacy law.

When Does It Go Into Effect?

Tennessee’s privacy law will go into effect on July 1, 2025.

What Businesses Must Comply?

For-profit businesses must comply with the TIPA if they do business in Tennessee (or produce products/services that are targeted to Tennessee residents), have at least $25 million in annual revenue, and meet at least one of the following conditions:

  1. Control or process the personal data of at least 175,000 Tennessee residents per year, OR
  2. Control or process the personal data of at least 25,000 Tennessee residents AND derive more than 50% of gross revenue from the sale of personal data

What Rights Do Consumers Have Under the Tennessee Law?

Tennessee consumers now have the following privacy rights:

  • Right to Know - Consumers have the right to confirm whether a business is processing their personal data and, if so, to access that data.
  • Right to Correct - Consumers can request that a business correct any inaccurate personal information it holds about a consumer.
  • Right to Delete - Upon request, businesses must delete personal data provided by or obtained about the consumer.
  • Right to Portability - Upon request, businesses must provide a copy of the consumer’s personal data in a readily portable format so that it can be transmitted to another controller.
  • Right to Opt Out - Consumers can opt out of:
    • The sale of their personal data
    • Targeted advertising
    • Profiling in furtherance of decisions that produce legal
      or similarly significant effects

What Is “Personal Data”?

Tennessee’s definition of personal information closely resembles that of other privacy laws, and is defined as "linked or reasonably linkable to an identified or identifiable natural person”

It’s a broad definition that covers everything from IP addresses to shopping habits. However, personal data does not include de-identified data, aggregate data, or publicly available information.

Are Data Protection Impact Assessments Required?

As is the case with several other states, the Tennessee Information Protection Act requires businesses to perform data protection impact assessments for certain types of processing activities. A DPIA is required for:

  • Targeted advertising
  • Sale of personal data
  • Profiling of consumers, where it presents a foreseeable risk of harm
  • Processing of sensitive personal data
  • Any other processing activity that presents a heightened risk of harm to consumers


Can Businesses Be Sued by Consumers?

The TIPA does not grant a private right of action to consumers, meaning they cannot sue a business over alleged violations.

Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.

Dive into a world of knowledge, trends, and industry updates on the TrueVault blog.