Tennessee Passes Comprehensive Consumer Privacy Legislation

13 Jun


Update Applicable to:

Applicable to employers conducting business in Tennessee or producing products or services that are targeted to TN residents and that meet the two criteria listed below.

What happened?

The Tennessee Information Protection Act (TIPA) was signed into law on May 11, 2023 and is effective as of July 1, 2025.

What are the details?

TIPA applies to any for-profit business (subject to certain exemptions) that (a) conducts business in Tennessee or produces products or services that are targeted to Tennessee, (b) exceeds $25 million in annual revenue, and (c) meets either one of two criteria:

  • During a calendar year, the business controls or processes personal information of at least 175,000 Tennessee residents; or
  • The business controls or processes personal information of at least 25,000 Tennessee residents and derives more than 50% of gross revenue from the sale of personal information.

Tennessee does NOT treat employees as consumers. Therefore, the law fully exempts data collected in the employment context, whether from employees, job applicants, or independent contractors. This exemption for employee data subjects does not have a sunset; it is a permanent exemption. Also, there is no private right of action under the TIPA that would allow individuals to sue for any violation.

Other notable provisions of the TIPA include:

  • Exclusions: The TIPA does not apply to, among other entities, financial institutions and data subject to GLBA, covered entities or business associates and information governed by HIPAA, institutions of higher education, information regulated by FERPA, or certain information subject to FCRA.
  • B2B data: The statute defines “consumers” to include only a natural person who is a resident of Tennessee and who is acting only in a personal context.
  • Consumer rights: Consumer rights include: (1) the right to demand deletion of data; (2) the right to access data; (3) the right to correct data; (4) the right to data portability for data previously provided by the consumer; (5) the right to disclosure of information relating to the sale of personal information or disclosure of such information for a business purpose; and (6) opt-out rights for the purpose of the sale of personal data, and targeted advertising.
  • Authentication requests: Controllers may decline to comply with a request if they cannot authenticate the request using commercially reasonable efforts.
  • Right to appeal: If a consumer’s request is denied, the controller must provide instructions for how to appeal the decision. Controllers must establish a process for consumers to appeal that is conspicuously available, at no cost, and similar to the process for submitting requests to initiate action pursuant to the statute.
  • Data protection assessments: The TIPA requires data protection assessments for the following processing activities involving personal information: (1) targeted advertising; (2) the sale of personal data; (3) profiling that presents certain reasonably foreseeable risks; (4) the processing of sensitive data; and (5) processing activities involving personal information that present a heightened risk of harm to consumers. Controllers may use data protection assessments performed to comply with other state laws, as long as they have reasonably comparable scope and effect. Data protection assessment requirements apply to processing activities created or generated after July 1, 2024.
  • Penalties: The statute permits civil penalties of up to $7,500 for each violation, in addition to reasonable attorneys’ fees and investigative costs, and other relief the court deems to be appropriate, as well as injunctive relief and a declaratory judgment that an act or practice violates the TIPA.
  • Right to cure: The statute contains a 60-day cure period for violations.
  • Privacy program requirements: The TIPA requires controllers or processors to create, maintain, and comply with a written privacy program that reasonably conforms to the NIST privacy framework. If businesses comply with this requirement, they will be entitled to an affirmative defense for alleged violations of the act.

For more information, please see the links below:

Bill HB1181: LINK

Bill Page: LINK

Law Firm Article: LINK, LINK 2

What do employers need to do?

Employers subject to the TIPA should develop a roadmap for compliance and begin executing on the plan. The Fisher Phillips law firm suggests employers conduct a gap assessment of their current data collection and privacy practices, which would help identify immediate vs. long-term priorities. The next step would be completing the employer’s data inventory, the results of which would feed into the drafting of compliant privacy notices and policies.

Need help understanding how changes to employment laws will affect your business?

Learn more about how Vensure's Tennessee PEO services can help you navigate complex employment laws and keep your business compliant.


This communication is intended solely for the purpose of conveying information. The present post might incorporate hyperlinks directing readers to websites managed by third-party entities. The inclusion of any links within this communication is meant to serve as points of reference and could encompass opinion articles from various law firms, articles from HR associations, official websites, news releases, and documents of government agencies, and other relevant third-party sources. Vensure has no authority over these external websites and bears no responsibility for their content. Furthermore, Vensure does not endorse the materials present on these websites. The contents of this communication should not be interpreted as legal advice or as a legal standpoint concerning specific facts or scenarios. Nor should it be deemed an exhaustive compilation of facts potentially pertinent to federal, state, or local laws. It is strongly advised that employers solicit legal guidance from an employment attorney when undertaking actions in response to any legal updates provided. This is due to the possibility of future alterations occurring in federal, state, and local laws, regulations, as well as the directives and guidelines issued by governing agencies. These changes may transpire at any given time, potentially rendering certain portions of the content within this update void or inaccurate.
