On Thursday, May 11, Gov. Bill Lee (R) signed into law the Tennessee Information Protection Act. The new TIPA follows the recent enactment of data privacy laws in Iowa and Indiana. The other states with data privacy laws are California, Colorado, Connecticut, Utah, and Virginia.
The Tennessee law will take effect July 1, 2025. It applies to businesses that produce products or services targeting Tennessee residents and that
- Exceed $25 million in revenue.
- Control or process personal information of at least 25,000 consumers and either (1) derive more than 50 percent of gross revenue from the sale of personal information, or (2) during a calendar year, control or process personal information of at least 175,000 consumers.
Tennessee’s new privacy law generally follows the same framework in the other seven state laws, but it has some unique characteristics. Here are the highlights:
Consumer rights. The TIPA grants consumers rights of
- Data portability
- Opting out of the sale of their personal information as well as the processing of their personal information for targeted advertising and profiling purposes.
Similar to Virginia, Colorado, Connecticut, Iowa, and Indiana, Tennessee also allows consumers to appeal a controller’s denial of a consumer data rights request.
Data Protection Impact Assessment. Joining California, Virginia, Colorado, Connecticut, and Indiana, Tennessee will require controllers to conduct and document data protection assessments for certain processing activities. Generally, a controller will be required to conduct a data protection impact assessment for processing activities that involve targeted advertising, the sale of personal information, profiling, or sensitive data; or that present a heightened risk of harm to consumers.
Right to cure. Under the TIPA, the Tennessee attorney general must provide a controller or processor 60-days’ written notice before initiating an enforcement action. A controller or processor can cure the noticed violations during that 60-day period and provide a written statement that the alleged violations have been cured and that no such further violations will occur. Although this 60-day cure period is longer than the 30-day periods provided by the statutes in Indiana, Utah, and Virginia, Iowa’s cure period of 90 days remains the longest.
Exemption for Insurance Companies and Producers. As with many of its counterparts, the TIPA also contains both entity-level and data type exemptions. One exemption that is distinct to the TIPA is for insurance companies and producers licensed under Tennessee law. An insurance “producer” is “a person required to be licensed under the laws of this state to sell, solicit, or negotiate insurance.”
Private right of action. There is no private right of action under the new Tennessee law. So far, California’s privacy law is the only one that allows lawsuits for alleged violations.
The Constangy Cyber Team assists businesses of all sizes and industries with implementing necessary updates to their privacy and compliance programs to address these complex and evolving regulatory requirements. If you would like additional information on how to prepare your organization, please contact us at firstname.lastname@example.org.
The Constangy Cyber Advisor posts regular updates on legislative developments, data privacy, and information security trends. Our blog posts are informed through the Constangy Cyber Team's experience managing thousands of data breaches, providing robust compliance advisory services, and consultation on complex data privacy and security litigation.
- Suzie Allen
- John Babione
- Dafina Buçaj
- Jason Cherry
- Maria Efaplomatidis
- Jordan L. Fischer
- Sebastian Fischer
- Laura Funk
- Lauren Godfrey
- Amir Goodarzi
- Taren N. Greenidge
- Julie Hess
- Carolyn C. Ho
- Sean Hoar
- Julie A. Keersmaekers
- Donna Maddux
- David McMillan
- Amanda Novak
- Ashley L. Orler
- Alyssa Pearce
- Rebecca Pollack
- Allison Prout
- Todd Rowe
- Sarah Rugnetta
- Allen Sattler
- Alyssa Watzman
- Aubrey Weaver