Global Data Privacy Guide
USA, Tennessee (United States)
Firm: Bass, Berry & Sims PLC
Updated: 05 Aug 2025

1. What is the key legislation?
Key legislation in Tennessee is:
- The Tennessee Information Privacy Act (“TIPA”). Tenn. Code Ann. §§ 47-18-3301 to 47-18-3315.
- Tennessee’s Identity Theft Deterrence Act (the “Act”). Tenn. Code Ann. §§ 47-18-2101 to 47-18-2111.

2. What are the key decisions applying that legislation?
The legislation recently went into effect, and as of this writing no cases have yet interpreted it.

1. How are “personal data” and “sensitive data” defined?
Under TIPA:
“Personal information” is defined as information identifying or reasonably linkable to a specific consumer (e.g., name, SSN, IP address, biometric data). Tenn. Code Ann. §47-18-3302(17).
“Sensitive data” is defined as a category of personal information that includes: racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status; processing of genetic or biometric data for the purpose of uniquely identifying a natural person; personal information collected from a known child; or precise geolocation data. Tenn. Code Ann. §47-18-3302(26).
Under the Act:
“Personal Information” means “(A) an individual’s first name or first initial and last name, in combination with any one (1) or more of the following data elements: (i) Social security number; (ii) Driver license number; or (iii) Account, credit card, or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account; and (B) does not include information that is lawfully made available to the general public from federal, state, or local government records or information that has been redacted, or otherwise made unusable.” Tenn. Code Ann. § 47-18-2107(A)(4).

2. How is the defined data protected?
In the case of personal information, controllers must implement reasonable administrative, technical, and physical data security practices appropriate to the volume and nature of the personal information to protect its confidentiality, integrity, and accessibility. Tenn. Code Ann. §47-18-3305(a)(3).
For sensitive data, controllers are specifically prohibited from processing sensitive data without obtaining the consumer’s consent. For data concerning known children, processing must comply with the federal Children’s Online Privacy Protection Act (COPPA). Tenn. Code Ann. §47-18-3305(a)(6).

3. Who is subject to privacy obligations?
Persons that conduct business in Tennessee producing products or services targeted to Tennessee residents and that either (1) control or process personal information of at least 175,000 consumers; or (2) control or process personal information of at least 25,000 consumers and derive more than 50% of gross revenue from the sale of personal information.
There are exemptions, including for:
- Governmental bodies;
- Entities subject to the Gramm-Leach-Bliley Act (GLBA); covered entities and business associates under the Health Insurance Portability and Accountability Act (HIPAA); institutions of higher education under the federal Family Educational Rights and Privacy Act (FERPA); entities subject to the Farm Credit Act (FCA), and those covered by various insurance laws;
- Nonprofit organizations;
- Health records and information that is subject to various privacy laws such as protected health information (PHI) under HIPAA, public health activities, educational information under FERPA, credit information under the Fair Credit Reporting Act (FCRA), etc.; and
- Information relating to research subject to 45 CFR Part 46, subject to 21 CFR Parts 6, 50, and 56, or in accordance with good clinical practice guidelines.
The statute also does not apply to employment information.

4. How is “data processing” defined?
“Processing” means an operation or set of operations performed, whether by manual or automated means, on personal information or on sets of personal information, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal information. Tenn. Code Ann. §47-18-3302(19).

5. What are the principles applicable to personal data processing?
1) Data Minimization – Controllers must collect only personal data that is adequate, relevant, and reasonably necessary for the purposes for which it is processed as disclosed to the consumer. Tenn. Code Ann. §47-18-3305(a)(1).
2) Purpose Limitation – Personal data must not be processed for purposes that are beyond or incompatible with the disclosed purposes unless the consumer provides consent. Tenn. Code Ann. §47-18-3305(a)(2).
3) Data Security – Controllers must implement reasonable administrative, technical, and physical safeguards to protect the confidentiality, integrity, and accessibility of personal data that are appropriate to the volume and nature of the personal information. Tenn. Code Ann. §47-18-3305(a)(3).
4) Non-Discrimination – Controllers cannot process personal information in violation of state or federal discrimination laws or discriminate against consumers for exercising their rights under TIPA (e.g., by denying goods/services, charging different prices or providing a different level of quality). Tenn. Code Ann. §47-18-3305(a)(5).
5) Consent for Sensitive Data – Sensitive data cannot be processed without obtaining the consumer’s explicit consent, or compliance with COPPA for children’s data. Tenn. Code Ann. §47-18-3305(a)(6).
6) Transparency – Controllers must provide a clear and accessible privacy notice detailing categories of data processed, purposes, consumer rights, and data sharing practices (§47-18-3305(c)) as well as means to exercise the consumer’s rights (§47-18-3305(e)). If the controller sells personal information or processes such information for targeted advertising, this must be noted in the notice as well. Tenn. Code Ann. §47-18-3305(d).

6. How is the processing of personal data regulated?
Processors must adhere to the instructions of a controller and assist the controller in meeting its obligations. The assistance must include, taking into account the nature of processing and the information available to the processor, assisting the controller in fulfilling its obligation to respond to consumer rights requests and providing necessary information for data protection assessments. Tenn. Code Ann. §47-18-3306(a).

7. How are storage, security and retention of personal data regulated?
Controllers and processors must implement reasonable administrative, technical, and physical safeguards to protect the confidentiality, integrity, and accessibility of personal data that are appropriate to the volume and nature of the personal information. Tenn. Code Ann. §47-18-3305(a)(3). Retention is not regulated beyond requirements relating to security practices and as may be required under a data protection assessment.

8. What are the data subjects' rights under the data legislation?
Consumers have the right to request:
1) That a controller confirm whether personal information is processed;
2) Access personal information;
3) Correct inaccuracies;
4) Delete personal information;
5) Obtain a portable copy; and/or
6) Opt-out of the sale of personal information, targeted advertising, or profiling that produces a legal or similarly significant effect. Tenn. Code Ann. §47-18-3304(a).

9. What are the consent requirements for data subjects?
Consent must be a clear, affirmative, specific, informed, and unambiguous act. Sensitive data processing requires consent, and for children under 13, processing must comply with COPPA. Tenn. Code Ann. §47-18-3302(6), §47-18-3305(a)(6).

10. How is authorization for use of data handled?
TIPA does not have a concept of authorization for the use of data or a need for a “lawful basis for processing”. There are requirements relating to notice, consent for processing of particular types of personal data, impact assessments, and consumer rights as addressed elsewhere.

11. Are cross-border data transfers regulated? If so, what are the restrictions on cross-border data transfers?
No.

12. How are data "incidents" and "breaches" defined?
TIPA does not define or address data incidents or breaches.
The Act defines a “Breach of System Security” as: “(A) . . . the acquisition of [(i) Unencrypted computerized data, or (ii) Encrypted computerized data and the encryption key] by an unauthorized person that materially compromises the security, confidentiality, or integrity of personal information maintained by the information holder; and (B) Does not include the good faith acquisition of personal information by an employee or agent of the information holder for the purposes of the information holder if the personal information is not used or subject to further unauthorized disclosure.” Tenn. Code Ann. § 47-18-2107(A)(1).
Note:
• “Encrypted” means “computerized data that is rendered unusable, unreadable, or indecipherable without the use of a decryption process or key and in accordance with the current version of the Federal Information Processing Standard (FIPS) 140-2.” Tenn. Code Ann. § 47-18-2107(A)(2).

13. Are there any notification requirements for incidents and/or data breaches?
Information Holders are required under the Act to notify affected individuals following any Breach of System Security, subject to certain exceptions.
“Information Holder” means any person or business that conducts business in the State of Tennessee, or any agency of the State of Tennessee or any of its political subdivisions, that owns or licenses computerized data that includes Personal Information. Tenn. Code Ann. § 47-18-2107(a)(3).
Note:
• Notification Obligation – The Act mandates that an Information Holder disclose any Breach of System Security, following discovery or notification of such breach, to any resident of Tennessee whose Personal Information was, or is reasonably believed to have been, acquired by an Unauthorized Person immediately, but no later than forty-five (45) days from the discovery or notification of the breach, unless a longer period of time is required due to the legitimate needs of law enforcement. Tenn. Code Ann. § 47-18-2107(b).
• Delay for Law Enforcement – Notification may be delayed if a law enforcement agency determines that notification will impede a criminal investigation. Notification shall be made no later than forty-five (45) days after the law enforcement agency determines that it will not compromise its investigation. Tenn. Code Ann. § 47-18-2107(d).
• Third-Party Notification – The Act mandates that any Information Holder that maintains computerized data that includes Personal Information that the Information Holder does not own shall notify the owner or licensee of the Personal Information of any breach of the security of the data immediately, but no later than forty-five (45) days from when the breach became known by the Information Holder, if the Personal Information was, or is reasonably believed to have been, acquired by an Unauthorized Person. Tenn. Code Ann. § 47-18-2107(c).
• Form of Notice – Notice may be provided by one of the following methods: (i) written notice; (ii) electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in the E-SIGN Act (15 U.S.C. § 7001); or (iii) substitute notice consisting of (a) e-mail notice, (b) conspicuous posting of the notice on the Information Holder’s Internet website page, and (c) notification to major statewide media. Tenn. Code Ann. § 47-18-2107(e).
• Substitute Notice – To utilize substitute notice, the Information Holder must demonstrate that the cost of providing notice would exceed $250,000, or that the affected class of subject persons to be notified exceeds 500,000, or the Information Holder does not have sufficient contact information. Tenn. Code Ann. § 47-18-2107(e)(3).
• Own Notification Policy Exception – An Information Holder that maintains its own notification procedures as part of an information security policy for the treatment of Personal Information, and is otherwise consistent with the timing requirements of the Act, shall be deemed in compliance with the notification requirements of the Act if it notifies subject persons in accordance with its policies in the event of a Breach of System Security. Tenn. Code Ann. § 47-18-2107(f).
• Notification to Consumer Reporting Agencies – If an Information Holder must notify more than one thousand (1,000) persons at one time, the Information Holder shall notify, without unreasonable delay, all consumer reporting agencies and credit bureaus that compile and maintain files on consumers on a nationwide basis, as defined by 15 U.S.C. § 1681a, of the timing, distribution, and content of the notices. Tenn. Code Ann. § 47-18-2107(g).

14. Who is/are the privacy regulator(s)?
The Tennessee Attorney General and Reporter (AG) has exclusive enforcement authority under TIPA (Tenn. Code Ann. §47-18-3313(a)).
A violation of the Act constitutes a violation of the Tennessee Consumer Protection Act, and the Attorney General, at the request of the division, may institute a proceeding against such violator. Tenn. Code Ann. § 47-18-2106.

15. What are the consequences of a data breach?
TIPA does not address data security breaches.
The Attorney General may enforce and seek civil penalties for violations of the Act.
An individual or business entity affected by a Breach of System Security may initiate a private right of action for a violation of the Act.
Note:
• The Attorney General may seek civil penalties equal to the greater of: (i) $10,000; (ii) $5,000 per day for each day that a person’s identity has been assumed; or (iii) ten (10) times the amount obtained or attempted to be obtained by the person using the identity theft. The civil penalty is supplemental, cumulative, and in addition to any other penalties and relief available under the Tennessee Consumer Protection Act, or other laws, regulations, or rules. Tenn. Code Ann. § 47-18-2105(d).
• Any knowing or willful violation of the terms of an injunction or order issued pursuant to an action commenced by the Attorney General shall be punishable by a civil penalty of not more than $5,000 for each violation of the order, in addition to any other appropriate relief, including without limitation contempt sanctions and the awarding of attorneys’ fees and costs to the State of Tennessee for any filings relating to the violation of the order. Tenn. Code Ann. § 47-18-2105(h).
• Any affected individual who is a person or business entity, but who is not an agency of the state or any political subdivision of the state, may institute a civil action to recover damages and to enjoin the Information Holder from further action in violation of the Act. The rights and remedies under the Act are cumulative to each other and to any other rights and remedies available under law. A violation of the Act is punishable by a civil penalty of the greater of (i) $10,000, (ii) $5,000 per day for each day that a person’s identity has been assumed, or (iii) ten (10) times the amount obtained or attempted to be obtained by the person using the identity theft. The civil penalty is supplemental, cumulative, and in addition to any other penalties and relief available under the Tennessee Consumer Protection Act, or other laws, regulations, or rules. Tenn. Code Ann. § 47-18-2107(h).

16. How is electronic marketing regulated?
Neither TIPA nor the Act explicitly regulates electronic marketing, but TIPA does require that controllers honor opt-outs from targeted advertising. Tenn. Code Ann. §47-18-3304(a)(2)(E).

17. Are there sector-specific or industry-specific privacy requirements?
There are no heightened privacy requirements for any specific industry. TIPA does, however, exempt certain entities as described above. Tenn. Code Ann. §47-18-3311(a).

18. What are the requirements for appointing Data Protection Officers or similar roles?
Neither TIPA nor the Act mandates a Data Protection Officer.

19. What are the record-keeping and documentation obligations?
Controllers must document Data Protection Assessments (DPAs) for certain processing activities. Tenn. Code Ann. §47-18-3307.
Controllers may maintain a written privacy policy as described in question 22 below.

20. What are the requirements for conducting Data Protection Impact Assessments (DPIAs)?
Data Protection Assessments are required for processing involving:
1) Targeted advertising;
2) Sale of personal information;
3) Processing of personal information for purposes of profiling that presents a reasonably foreseeable risk of harm as delineated in the statute;
4) Processing of sensitive data; and
5) Any processing posing heightened risk. Tenn. Code Ann. §47-18-3307(a).
Such a data protection assessment must identify and weigh the benefits and risks that may flow, directly and indirectly, from the processing, as mitigated by safeguards. Tenn. Code Ann. §47-18-3307(b).

21. What are the requirements for third-party vendor management and data sharing?
Processors must adhere to instructions of a controller and assist in meeting the controller’s obligations under the statute. Such assistance includes responding to consumer requests and conducting and documenting data protection assessments.
Controllers must enter into a contract with each processor that sets forth instructions for processing, types of data to be processed, duration, and rights and obligations of each party. Specific provisions must include those governing: confidentiality, return/deletion of data, review and auditing by the controller, and the requirement for similar agreements with subcontractors. Tenn. Code Ann. §47-18-3306.

22. What are the penalties and enforcement mechanisms for non-compliance?
Prior to any action under TIPA, the AG must provide 60 days’ written notice and a period to cure. If there is a continuing violation, the AG may seek the following relief:
1) Declaratory judgment;
2) Injunctive relief; or
3) Civil penalties up to $7,500 for each violation (and for willful and knowing violations, a court may, in its discretion, award treble damages).
TIPA does not provide for a private right of action. Tenn. Code Ann. §47-18-3313.
TIPA also provides for an affirmative defense if the controller or processor creates, maintains, and complies with a written privacy policy that: (1) reasonably conforms to the National Institute of Standards and Technology (NIST) privacy framework or other documented policies designed to safeguard consumer privacy, which policy is updated to reasonably conform with a subsequent revision to the NIST or comparable privacy framework within two years of the publication date; and (2) provides consumers with substantive rights required by the statute. Tenn. Code Ann. §47-18-3313.

23. What are the ongoing compliance and audit requirements?
If relying on the above affirmative defense, the written privacy program must conform with NIST (or similar) requirements, as such standards may be amended. Such privacy programs must be scaled to the size, complexity, and sensitivity of the data collected, as well as the availability of tools to improve privacy protections and data governance. Tenn. Code Ann. §47-18-3314.

24. Are there any recent developments or expected reforms?
TIPA is effective July 1, 2025. No amendments currently appear close to passage.