Applies to businesses with $25M+ revenue that process personal data of 175,000+ Tennessee residents, or 25,000+ if 50%+ of revenue comes from data sales. NIST safe harbor available.
Effective: 2025-07-01
Penalty max: $15,000
Cure period: 60 days
Honor GPC: Not required
Overview
The Tennessee Information Protection Act (TIPA) took effect July 1, 2025. Tennessee's law has two distinguishing features. First, it has a higher consumer-count threshold (175,000) than most states, and applies only to businesses with $25M+ in annual revenue. Second, it provides an affirmative defense to enforcement actions for businesses that maintain a written privacy program based on the NIST Privacy Framework or another widely-recognized framework — a unique 'safe harbor' provision in U.S. state privacy law. Tennessee has a permanent 60-day cure period.
Who it applies to
Businesses processing personal data of 175,000+ Tennessee residents annually.
Businesses processing personal data of 25,000+ Tennessee residents AND deriving 50%+ of revenue from selling personal data.
For-profit businesses with $25M+ in annual revenue (CCPA/CPRA-style threshold).
Consumer rights
Right to access
Consumers can request a copy of the personal data you hold about them.
Right to correction
Consumers can request you correct inaccurate personal data.
Right to deletion
Consumers can request you delete their personal data, subject to limited exceptions.
Right to portability
Consumers can request a machine-readable copy of their data to transfer elsewhere.
Right to opt out of sale
Consumers can opt out of the sale of their personal data to third parties.
Right to opt out of targeted advertising
Consumers can opt out of personalized ad targeting based on their behavior.
Right to opt out of profiling
Consumers can opt out of automated profiling for decisions with legal or similarly significant effects.
What this means for e-commerce
Tennessee has a unique 'safe harbor' provision: businesses that maintain a written privacy program based on the NIST Privacy Framework or another industry-recognized framework get an affirmative defense in enforcement actions. Tennessee also has a higher consumer threshold (175,000 vs. the standard 100,000), and a willful-violation penalty cap that can reach 3x actual damages — meaning intentional violations can be much costlier than the headline $15K cap.
Penalties & enforcement
Enforced by the Tennessee Attorney General. Penalties range from $0 to $15,000 per violation.
Tennessee provides a 60-day cure period (permanent). The AG must give you written notice of an alleged violation and time to fix it before bringing an enforcement action.
Compliance checklist
Determine whether you cross the $25M revenue and 175K Tennessee consumer thresholds
Consider implementing a NIST Privacy Framework-based written privacy program for safe harbor protection
Add an opt-out link for targeted advertising and data sales in your site footer
Update privacy policy with TIPA-required disclosures
Implement a 45-day consumer request response process
Conduct data protection assessments for high-risk processing
Obtain opt-in consent before processing sensitive personal data
BriefStack is for informational purposes only and does not constitute legal advice. For decisions specific to your business, consult a qualified attorney.