What Is the Tennessee Information Protection Act?
TIPA applies to controllers with $25M+ in revenue who process data of 175,000+ Tennessee consumers (or 25,000+ while selling data). Rights include delete, access, correct, port, and opt-out. The unique NIST Privacy Framework safe harbor lets compliant controllers raise it as an affirmative defense. Enforcement is exclusive to the AG with a 60-day cure period and civil penalties up to $7,500 per violation, trebled for willful acts.
At a glance
- Full name
- Tennessee Information Protection Act
- Short code
- TIPA
- Effective date
- July 1, 2025
- Response deadline
- 45 days
- Cure period
- 60 days
- Private right of action
- No
- Enforcement
- Tennessee Attorney General — Consumer Protection Division
- Maximum penalty
- Up to $7,500 per violation · treble damages for willful violations
- Statutory citation
- Tenn. Code Ann. § 47-18-3201 et seq.
Who TIPA applies to
A business is covered if it meets the applicability thresholds set out in Tenn. Code Ann. § 47-18-3201 et seq.. Most state laws use an “or” framework — any one of the thresholds triggers coverage unless otherwise noted.
- Exceeds $25 million in annual revenue, AND
- During a calendar year, controls or processes personal data of 175,000+ Tennessee consumers, OR
- Controls or processes personal data of 25,000+ Tennessee consumers AND derives more than 50% of gross revenue from the sale of personal data
Consumer rights under TIPA
Delete, access, correct, port, opt-out
NIST Privacy Framework safe harbor defense
AG enforcement up to $22,500/violation for willful acts
Notable features (vs. CCPA)
TIPA is unique among US state privacy laws in offering an affirmative defense to businesses that maintain a written privacy program "reasonably conforming" to the NIST Privacy Framework (or a comparable framework). This is a strong business-friendly signal: a documented, audited privacy program materially reduces exposure to TIPA enforcement.
Enforcement & penalties
Enforcing agency: Tennessee Attorney General — Consumer Protection Division
Maximum penalty: Up to $7,500 per violation · treble damages for willful violations
Cure period: TIPA maintains a permanent 60-day cure period with no sunset.
Private right of action: TIPA has no private right of action. The Tennessee Attorney General has exclusive enforcement authority.
Where to file a complaint: Tennessee Attorney General — Consumer Protection
How to exercise your TIPA rights
- 1
Identify the business that holds your data (or use OfflistMe, which pre-targets 300+ known brokers and applies TIPA citations automatically).
- 2
Submit a verifiable consumer request to the business's designated contact. Include enough identifying data that the business can verify you as a Tennessee resident (e.g., ZIP code, email associated with your record).
- 3
Under TIPA, businesses have 45 days to respond. Extensions are permitted with written notice under most state laws.
- 4
If the business fails to respond or denies the request without legal basis, file a complaint with the Tennessee Attorney General — Consumer Protection at https://www.tn.gov/attorneygeneral/working-for-tennessee/consumer/consumer-complaint.html.
Use your rights
TIPA-compliant deletion emails, $5 one-time
OfflistMe drafts TIPA-compliant deletion emails for 300+ data brokers. Citations included. You send from your own inbox. No account, no ID upload.
Start for $5 →FAQ
What is the NIST Privacy Framework safe harbor?+
Tennessee controllers who document adherence to the NIST Privacy Framework (NIST PF) get an affirmative defense to TIPA claims. It does not prevent lawsuits but creates a rebuttable presumption of reasonable compliance. For consumers, it means some sophisticated brokers may claim the defense; the AG can still proceed with enforcement.
Official sources & citations
Compare with sibling state laws
TIPA is one of 18 comprehensive US state privacy laws. Its closest peers by effective date — useful when tracking how this law influenced or was influenced by neighbouring legislation: