What TIPA Covers and Who It Applies To

The Tennessee Information Protection Act (TIPA) took effect on 1 July 2025, making Tennessee one of over 20 US states with a comprehensive consumer data privacy law. Signed by Governor Bill Lee in May 2023, the act follows the opt-out model pioneered by the Virginia Consumer Data Protection Act (VCDPA) rather than the opt-in approach favoured by California.

TIPA applies to organisations that conduct business in Tennessee or target products and services at Tennessee residents, provided they meet two conditions simultaneously: annual revenue exceeding USD 25 million, and either processing personal information of at least 175,000 Tennessee consumers in a calendar year, or processing data of at least 25,000 consumers while deriving more than 50 per cent of gross revenue from selling that data.

The revenue threshold sets TIPA apart from laws like the Texas Data Privacy and Security Act, which has no revenue floor at all.

Exemptions: Who Gets a Pass

TIPA carves out several entity-level and data-level exemptions. Government bodies, nonprofits, and higher-education institutions (both public and private) fall outside TIPA's scope. Entities already regulated under HIPAA, the Gramm-Leach-Bliley Act, or Tennessee's insurance licensing framework are also exempt.

On the data side, TIPA excludes health records governed by HIPAA, consumer credit-reporting data, information covered by the Family Educational Rights and Privacy Act (FERPA), personal motor vehicle records, and employment-related data processed in a purely employment context. If your website only processes data that falls into these carve-outs, TIPA's consent and transparency rules do not apply to that data.

Consumer Rights Under TIPA

Tennessee consumers gained five core rights when TIPA took effect:

  • Right to access - confirm whether a controller is processing their personal information and access that data
  • Right to delete - request deletion of personal information provided by the consumer
  • Right to data portability - obtain a copy of their data in a portable, readily usable format
  • Right to opt out - refuse processing for targeted advertising, sale of personal information, or profiling that produces legal or similarly significant effects
  • Right to non-discrimination - exercise any of these rights without facing degraded service

Controllers must respond to verified consumer requests within 45 days. A 45-day extension is permitted where reasonably necessary, provided the consumer is informed of the delay and its reason.

Sensitive Data and Consent Requirements

TIPA defines sensitive data as information revealing racial or ethnic origin, religious beliefs, mental or physical health diagnoses, sexual orientation, or citizenship and immigration status. Genetic and biometric data processed to identify an individual also qualify, as does any personal information collected from a known child.

Processing sensitive data requires the consumer's explicit consent - opt-in, not opt-out. Data concerning a known child must be handled in accordance with COPPA requirements.

For website owners, this means cookies or tracking technologies that collect health-related browsing data, biometric identifiers, or information from children under 13 all require affirmative consent before firing.

The NIST Safe Harbour: TIPA's Unique Affirmative Defence

TIPA's most distinctive feature is its affirmative defence provision. A controller or processor can defend against an enforcement action by demonstrating that it created, maintained, and complied with a written privacy programme that reasonably conforms to the NIST Privacy Framework or a comparable documented framework.

No other US state privacy law offers this explicit safe harbour. To qualify, the privacy programme must also be updated to reflect subsequent revisions to the chosen framework within two years and provide consumers with the substantive rights TIPA requires.

The practical implication: if your organisation already maintains a NIST-aligned privacy programme, you have a built-in defence should the Tennessee Attorney General initiate enforcement proceedings. This gives TIPA a distinctly business-friendly character compared to stricter laws like the Maryland Online Data Privacy Act.

Cookie Consent and Opt-Out Obligations

TIPA follows an opt-out model for non-sensitive data processing. Cookies used for targeted advertising or data sale must be blockable after a consumer opts out, but they do not require prior consent in the way that GDPR or the ePrivacy Directive demand.

Your privacy notice must clearly disclose whether your website sells personal information or uses it for targeted advertising, and must explain how consumers can exercise their opt-out rights. An accessible mechanism - typically a link labelled "Do Not Sell My Personal Information" or similar - should be present on your site.

TIPA does not recognise universal opt-out signals such as Global Privacy Control (GPC). Unlike Colorado, Connecticut, or Montana, Tennessee does not require honouring browser-based opt-out preferences. Each consumer must opt out individually through the mechanism your site provides.
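One way a site can apply the two regimes described above in its tag loader, as an added example that is not part of the original article: targeted-advertising and sale tags fire until the consumer records an opt-out, sensitive-data tags fire only after an opt-in, and the gate reads the site's own consent record rather than a browser signal. The tag names, purpose labels and the shape of the consent record are assumptions made for this illustration.

```javascript
// Added example, not code from the original article. The tag inventory,
// purpose labels and consent-record shape below are constructed assumptions.

// Regimes the article describes:
//  - 'necessary' : outside both regimes, always runs (e.g. a session cookie)
//  - 'opt-out'   : non-sensitive processing such as targeted advertising or
//                  sale; fires unless the consumer has recorded an opt-out
//  - 'opt-in'    : sensitive data (health, biometric, known-child data);
//                  fires only once affirmative consent has been recorded
const TAG_REGISTRY = {                          // constructed sample inventory
  session_cookie:      { regime: 'necessary' },
  ads_remarketing:     { regime: 'opt-out', purpose: 'targeted_advertising' },
  data_broker_sync:    { regime: 'opt-out', purpose: 'sale' },
  health_survey_pixel: { regime: 'opt-in',  purpose: 'sensitive_health' },
};

// Consent record as the site's own banner would persist it (assumed shape).
// A fresh visitor has recorded nothing at all.
function emptyConsent() {
  return { optOut: {}, optIn: {} };
}

// Decide whether one tag may run under the current consent record.
function mayFire(tagName, consent, registry = TAG_REGISTRY) {
  const tag = registry[tagName];
  if (!tag) return false;                       // unknown tag: fail closed
  switch (tag.regime) {
    case 'necessary':
      return true;
    case 'opt-out':                             // allowed until opted out
      return consent.optOut[tag.purpose] !== true;
    case 'opt-in':                              // blocked until opted in
      return consent.optIn[tag.purpose] === true;
    default:
      return false;                             // misconfigured regime
  }
}

// Consumer choices return a new record rather than mutating the old one, so
// the difference between the two records can be computed below.
function recordOptOut(consent, purpose) {
  return { optOut: { ...consent.optOut, [purpose]: true }, optIn: { ...consent.optIn } };
}
function recordOptIn(consent, purpose) {
  return { optOut: { ...consent.optOut }, optIn: { ...consent.optIn, [purpose]: true } };
}

// Tags the page may load on this view, in registry order.
function tagsToLoad(consent, registry = TAG_REGISTRY) {
  return Object.keys(registry).filter((name) => mayFire(name, consent, registry));
}

// Tags that were running under the previous record and must now stop, i.e.
// what an opt-out click has to switch off (and whose cookies the site should
// clear) to meet the "blockable after opt-out" requirement.
function tagsToBlock(previousConsent, newConsent, registry = TAG_REGISTRY) {
  const still = new Set(tagsToLoad(newConsent, registry));
  return tagsToLoad(previousConsent, registry).filter((name) => !still.has(name));
}

// TIPA does not require honouring Global Privacy Control, so the gate above
// reads only the site's own record. A site that also serves states which do
// require it can fold the browser signal in explicitly; `honourGpc` is the
// site's own policy switch (an assumption here), not anything TIPA prescribes.
function applyGpc(consent, gpcSignal, honourGpc) {
  if (!honourGpc || gpcSignal !== true) return consent;
  return recordOptOut(recordOptOut(consent, 'targeted_advertising'), 'sale');
}
```

On a real page, `tagsToLoad` runs once before any third-party script is injected, `tagsToBlock` runs inside the opt-out link's click handler so the affected tags are removed and their cookies expired, and the consent record itself is stored in a first-party cookie or local storage keyed to the visitor, which is what the "Do Not Sell" mechanism updates.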

| Requirement               | TIPA (Tennessee)                  | VCDPA (Virginia)                  | TDPSA (Texas)                              |
|---------------------------|-----------------------------------|-----------------------------------|--------------------------------------------|
| Effective date            | 1 July 2025                       | 1 January 2023                    | 1 July 2024                                |
| Revenue threshold         | USD 25 million                    | None                              | None                                       |
| Consumer threshold        | 175,000 or 25,000 + 50% revenue   | 100,000 or 25,000 + 50% revenue   | Operates outside Texas and processes data  |
| Universal opt-out signal  | Not required                      | Not required                      | Not required                               |
| NIST safe harbour         | Yes                               | No                                | No                                         |
| Cure period               | 60 days                           | 30 days (expired)                 | 30 days                                    |
| Private right of action   | No                                | No                                | No                                         |

Data Protection Assessments

TIPA requires controllers to conduct data protection assessments before engaging in processing activities that present a heightened risk to consumers. These include processing for targeted advertising, selling personal information, profiling that risks unfair or deceptive treatment, and processing sensitive data.

The assessment must weigh the benefits of the processing activity against the potential risks to consumer rights. Controllers were required to begin conducting these assessments from 1 July 2024 - a full year before TIPA's enforcement provisions activated.

If your website runs targeted advertising through tools like the Meta Pixel or Google Ads remarketing tags, a data protection assessment covering those activities is mandatory.

Enforcement: The Attorney General's Role

The Tennessee Attorney General holds exclusive enforcement authority over TIPA. There is no private right of action, and TIPA explicitly bars violations from serving as the basis for private lawsuits or class actions.

Before initiating proceedings, the AG must issue a 60-day written notice identifying the alleged violation and giving the controller or processor an opportunity to cure. If the organisation submits written confirmation within that period that the violation has been remedied and will not recur, the AG may not proceed with the action.

Penalties for uncured violations can reach USD 7,500 per violation. Courts may impose treble damages for knowing or wilful breaches, tripling the penalty to USD 22,500 per violation. As of early 2026, the Tennessee Attorney General has not publicly announced any enforcement actions under TIPA, though the AG's office published guidance for businesses and consumers in April 2025.

Practical Compliance Steps for Website Owners

Meeting TIPA's requirements does not demand a complete overhaul if you already comply with other US state privacy laws. The following steps address TIPA-specific obligations:

  1. Check the thresholds - confirm whether your organisation exceeds USD 25 million in revenue and meets one of the consumer-count tests for Tennessee residents.
  2. Update your privacy notice - disclose the categories of personal information processed, the purposes, the categories of third parties receiving data, and how consumers can exercise their rights including the appeal process.
  3. Add an opt-out mechanism - provide a clear, accessible way for Tennessee consumers to opt out of targeted advertising, data sales, and certain profiling activities.
  4. Obtain consent for sensitive data - ensure your cookie banner or consent mechanism captures opt-in consent before processing sensitive categories. A cookie scanning and consent tool can identify which cookies on your site fall into sensitive processing categories.
  5. Conduct data protection assessments - document assessments for targeted advertising, data sales, and any profiling that produces significant effects on consumers.
  6. Review processor contracts - verify that written agreements with processors include confidentiality obligations, data return or deletion provisions, and audit rights.
  7. Consider NIST alignment - adopting the NIST Privacy Framework gives you the affirmative defence unique to TIPA. If your organisation processes Tennessee consumer data at scale, this is a valuable investment.

How TIPA Fits the Broader US Privacy Landscape

TIPA sits comfortably within the Virginia model of US state privacy laws. Its thresholds are relatively high, its enforcement is AG-only, and its cure period is generous at 60 days. The NIST safe harbour adds an extra layer of protection that no other state offers.

For website owners already handling compliance across states like Colorado, Connecticut, and Indiana, TIPA is unlikely to require dramatic changes. The main additions are the formal opt-out mechanism (if you do not already have one), the data protection assessment documentation, and the optional but strategic NIST alignment.

States continue to pass privacy legislation at pace. Keeping a unified consent and data governance strategy across jurisdictions is far more efficient than addressing each law in isolation.

Frequently Asked Questions

Does TIPA require cookie consent before tracking visitors?

TIPA uses an opt-out model for non-sensitive data. You do not need prior consent to set analytics or advertising cookies, but you must provide Tennessee consumers with a clear way to opt out of targeted advertising and data sales. Sensitive data processing requires opt-in consent.

What is the NIST Privacy Framework safe harbour under TIPA?

TIPA provides an affirmative defence if a controller maintains a written privacy programme that reasonably conforms to the NIST Privacy Framework or a comparable framework. The programme must also grant consumers the rights TIPA requires and be updated within two years of any framework revisions.

Does TIPA recognise Global Privacy Control or universal opt-out signals?

No. TIPA does not include a universal opt-out mechanism requirement. Consumers must opt out through the mechanism your website provides, such as a dedicated opt-out link or preference centre.

What penalties can the Tennessee Attorney General impose under TIPA?

The AG can impose civil penalties of up to USD 7,500 per violation. For knowing or wilful violations, courts may award treble damages, bringing the maximum to USD 22,500 per violation.

Is there a private right of action under TIPA?

No. TIPA is enforced exclusively by the Tennessee Attorney General. The law explicitly prohibits TIPA violations from serving as the basis for private lawsuits or class action claims.

Does TIPA apply to small businesses?

Only if they exceed USD 25 million in annual revenue and meet one of the consumer-count thresholds. Organisations below these thresholds are not subject to TIPA, making it one of the narrower US state privacy laws in terms of applicability.

Take Control of Your Cookie Compliance

If you are not sure which cookies your site sets or whether they fall into sensitive categories under TIPA, start with a free scan. Kukie.io detects, categorises, and helps you manage every cookie - so your visitors get a clear choice, and you stay on the right side of the law.
