Tennessee has passed its own data privacy laws, joining a growing list of U.S. states with similar legislation. While based closely on Virginia’s privacy law, the Tennessee Information Protection Act (TIPA) is not completely identical to any of its counterparts.

Here’s a quick rundown on the most important aspects of the Tennessee privacy law.

When Does It Go Into Effect?

Tennessee’s privacy law will go into effect on July 1, 2025.

What Businesses Must Comply?

For-profit businesses must comply with the TIPA if they do business in Tennessee (or produce products/services that are targeted to Tennessee residents), have at least $25 million in annual revenue, and meet at least one of the following conditions:

1. Control or process the personal data of at least 175,000 Tennessee residents per year, OR
2. Control or process the personal data of at least 25,000 Tennessee residents AND derive more than 50% of gross revenue from the sale of personal data

What Rights Do Consumers Have Under the Tennessee Law?

Tennessee consumers now have the following privacy rights:

• Right to Know - Consumers have the right to confirm whether a business is processing their personal data and, if so, to access that data.

• Right to Correct - Consumers can request that a business correct any inaccurate personal information it holds about a consumer.

• Right to Delete - Upon request, businesses must delete personal data provided by or obtained about the consumer.

• Right to Portability - Upon request, businesses must provide a copy of the consumer’s personal data in a readily portable format so that it can be transmitted to another controller.

• Right to Opt Out - Consumers can opt out of:

• • The sale of their personal data
  • Targeted advertising
  • Profiling in furtherance of decisions that produce legal
    or similarly significant effects

What Is “Personal Data”?

Tennessee’s definition of personal information closely resembles that of other privacy laws, and is defined as "linked or reasonably linkable to an identified or identifiable natural person”

It’s a broad definition that covers everything from IP addresses to shopping habits. However, personal data does not include de-identified data, aggregate data, or publicly available information.

Are Data Protection Impact Assessments Required?

As is the case with several other states, the Tennessee Information Protection Act requires businesses to perform data protection impact assessments for certain types of processing activities. A DPIA is required for:

• Targeted advertising
• Sale of personal data
• Profiling of consumers, where it presents a foreseeable risk of harm
• Processing of sensitive personal data
• Any other processing activity that presents a heightened risk of harm to consumers

Can Businesses Be Sued by Consumers?

The TIPA does not grant a private right of action to consumers, meaning they cannot sue a business over alleged violations.