Analyzing TIPA: Tennessee's Data Privacy Law
On May 11, Tennessee edged Montana to become the 8th American state to pass a comprehensive data privacy law. Now officially signed into law, the Tennessee Information Protection Act (TIPA) keeps the momentum going after Iowa and Indiana passed their own data privacy laws over the past several weeks.
TIPA also continues a second positive trend: states are getting these bills through in a condensed time frame. TIPA was introduced in February and passed within three months.
Like the few that have come before it, TIPA borrows heavily from Virginia's VCDPA and takes some parts from Connecticut's CTDPA and Utah's UCPA. This should make it relatively simple to comply with, as businesses already compliant with those acts will not need to alter their privacy programs much.
It is fitting for Tennessee to get on the bandwagon early, as it was one of the earlier states to pass a law requiring data breach notifications. This comprehensive data privacy law will go into effect on July 1, 2025.
Tennessee Data Privacy Law at a Glance
The Tennessee data privacy law covers companies that operate within the state or provide products or services to Tennessee residents, with applicability thresholds similar to Utah's. An organization must comply if it:
- exceeds $25 million in gross annual revenue, AND either
- controls or processes the personal information of at least 175,000 Tennessee consumers, OR
- controls or processes the personal information of at least 25,000 Tennessee consumers and derives more than 50% of its gross revenue from the sale of personal information.
TIPA defines "consumer" as a Tennessee resident “acting in a personal context.” This means the law does not cover employees or B2B contacts, a major deviation from California’s CPRA.
Its definition of "personal information" tracks previous laws: "information that is linked or reasonably linkable to an identified or identifiable individual." Like the VCDPA, this excludes deidentified data, aggregate data, and publicly available data. Likewise, companies do not need to include pseudonymous data when fulfilling consumer data subject requests (DSRs).
The definition of sensitive data is very similar to other state laws, with the following categories classified as sensitive:
- racial/ethnic origin
- religious beliefs
- mental or physical health diagnoses
- sexual orientation
- citizenship or immigration status
- genetic or biometric information used to uniquely identify an individual
- information from a known child (under the age of 13)
- precise geolocation data (within a radius of 1,750 feet)
Tennessee Data Privacy Law Exemptions
The Tennessee data privacy law follows Indiana in taking the Virginia route on exemptions: in some cases a listed exemption covers the entire entity rather than merely the covered data.
For example, a healthcare organization subject to HIPAA does not need to comply with TIPA at all, whereas in California only the specific data subject to HIPAA is exempt from the CCPA, and the rest of the healthcare organization's data remains subject to the comprehensive regulation.
Tennessee's list is nearly identical to the VCDPA's and Indiana's, although TIPA adds a unique exemption for the entire insurance industry, which has not appeared in other state privacy laws.
As you can imagine, exemptions, especially a long list of them such as the one in TIPA and other state laws, make for less strict legislation.
Exemptions in Tennessee are:
- Government or political organizations within the state
- Financial institutions or affiliates subject to the Gramm-Leach-Bliley Act (GLBA)
- Licensed insurance companies (not exempt under the VCDPA)
- Nonprofit organizations
- Higher education institutions
- Protected health information covered by HIPAA
- Data covered by the Health Information Technology for Economic and Clinical Health Act (HITECH)
- Data covered by the Children's Online Privacy Protection Act (COPPA)
- Data covered by the Health Care Quality Improvement Act
- Data covered by the Patient Safety and Quality Improvement Act
- Data covered by the Fair Credit Reporting Act
- Data covered by the Driver's Privacy Protection Act
- Data covered by the Family Educational Rights and Privacy Act
- Data covered by the Farm Credit Act
Tennessee Consumer Data Rights
TIPA includes the typical consumer rights:
- Right to confirm whether or not their personal data is processed
- Right to access their personal data
- Right to correct their personal data
- Right to have their personal data deleted
- Right to data portability (being able to take and use your data elsewhere)
- Right to opt out of data processing for the sale of their personal information, targeted advertising, or consumer profiling
Late amendments to the bill largely weakened it, including lowering the fine amount from $15,000 to $7,500 per violation, but they did introduce opt-out rights for targeted advertising and profiling.
However, the aforementioned carveout for pseudonymous data might limit the scope of these opt-out rights: companies may argue that certain targeted advertising and profiling activity runs on pseudonymous data and is therefore ineligible for DSR requests. This will be an important point of contention once TIPA enters enforcement.
As with every state-level comprehensive privacy law other than California's, there is no private right of action, meaning individuals cannot sue companies for TIPA violations.
Tennessee Data Privacy Law Requirements
TIPA sets out many of the principles found in the GDPR, including data minimization, accountability, and data security standards.
Regarding privacy notices and consent banners, companies must present people with "reasonably accessible, clear and meaningful" notices. They must also clearly and openly disclose any data processing for targeted advertising, including how to opt out.
For DSRs, the new Tennessee data privacy law follows California and Virginia with a 45-day period to respond to and address a consumer request.
Data protection assessments are also required: any data processing activities occurring after July 1, 2024 must be documented and ready to hand over to the state Attorney General on request (even though enforcement does not start until July 1, 2025).
TIPA & NIST Framework
While different states might include an extra exemption or two, or set DSR timelines or cure periods at different lengths, most of what reaches the final version of a privacy bill is par for the course.
However, Tennessee's data privacy law introduces an intriguing and never-before-seen factor: an affirmative defense (in effect a safe harbor) for controllers and processors that maintain and comply with a written privacy program that "reasonably conforms" to the NIST Privacy Framework ("A Tool for Improving Privacy through Enterprise Risk Management", Version 1.0). Note that this is the Privacy Framework, not the better-known NIST Cybersecurity Framework.
The NIST Privacy Framework organizes privacy risk management into five functions: Identify-P, Govern-P, Control-P, Communicate-P, and Protect-P. It is a voluntary guideline rather than binding law for American companies, which is what makes its inclusion so interesting.
What this means in theory is that a company with a documented privacy program aligned with the framework can raise that program as a defense if it is found to be in violation of TIPA.
In practice, no one is quite sure how the AG or state courts will interpret this NIST defense section, or what "reasonably conforming" looks like, which could make TIPA the state data privacy law that privacy professionals track most closely in the coming years.
Tennessee Data Privacy Enforcement
Fines for non-compliant behavior are the standard $7,500 per violation. As in other states, the Attorney General's office is the only body that can enforce the law.
The cure period is 60 days and currently does not sunset, but considering that Montana's law, passed at virtually the same time as Tennessee's, features a 60-day cure period that will be removed in 2026, Tennessee may amend TIPA to follow suit.
Having another comprehensive state privacy law passed this spring is a victory, but TIPA's thresholds make it applicable to only a small percentage of the companies operating within the state. The NIST safe harbor defense is a unique wrinkle, and insurance companies can breathe a sigh of relief that they are exempt, but otherwise much of the bill is what you would expect: a safe starting point for data privacy regulation.