What Is the Tennessee Information Protection Act?
TIPA applies to controllers with $25M+ in revenue who process data of 175,000+ Tennessee consumers (or 25,000+ while selling data). Rights include delete, access, correct, port, and opt-out. The unique NIST Privacy Framework safe harbor lets compliant controllers raise it as an affirmative defense. Enforcement is exclusive to the AG with a 60-day cure period and civil penalties up to $7,500 per violation, trebled for willful acts.
At a glance
- Full name
- Tennessee Information Protection Act
- Short code
- TIPA
- Effective date
- July 1, 2025
- Response deadline
- 45 days
- Cure period
- 60 days
- Private right of action
- No
- Enforcement
- Tennessee Attorney General. Consumer Protection Division
- Maximum penalty
- Up to $7,500 per violation · treble damages for willful violations
- Statutory citation
- Tenn. Code Ann. § 47-18-3201 et seq.
Who TIPA applies to
A business is covered if it meets the applicability thresholds set out in Tenn. Code Ann. § 47-18-3201 et seq.. Most state laws use an “or” framework — any one of the thresholds triggers coverage unless otherwise noted.
- Exceeds $25 million in annual revenue, AND
- During a calendar year, controls or processes personal data of 175,000+ Tennessee consumers, OR
- Controls or processes personal data of 25,000+ Tennessee consumers AND derives more than 50% of gross revenue from the sale of personal data
Consumer rights under TIPA
Delete, access, correct, port, opt-out
NIST Privacy Framework safe harbor defense
AG enforcement up to $22,500/violation for willful acts
Notable features (vs. CCPA)
TIPA is unique among US state privacy laws in offering an affirmative defense to businesses that maintain a written privacy program "reasonably conforming" to the NIST Privacy Framework (or a comparable framework). This is a strong business-friendly signal: a documented, audited privacy program materially reduces exposure to TIPA enforcement.
Enforcement & penalties
Enforcing agency: Tennessee Attorney General. Consumer Protection Division
Maximum penalty: Up to $7,500 per violation · treble damages for willful violations
Cure period: TIPA maintains a permanent 60-day cure period with no sunset.
Private right of action: TIPA has no private right of action. The Tennessee Attorney General has exclusive enforcement authority.
Where to file a complaint: Tennessee Attorney General. Consumer Protection
How to exercise your TIPA rights
- 1
Identify the business that holds your data (or use OfflistMe, which pre-targets 500+ known brokers and applies TIPA citations automatically).
- 2
Submit a verifiable consumer request to the business's designated contact. Include enough identifying data that the business can verify you as a Tennessee resident (e.g., ZIP code, email associated with your record).
- 3
Under TIPA, businesses have 45 days to respond. Extensions are permitted with written notice under most state laws.
- 4
If the business fails to respond or denies the request without legal basis, file a complaint with the Tennessee Attorney General. Consumer Protection at https://www.tn.gov/attorneygeneral/working-for-tennessee/consumer/consumer-complaint.html.
Use your rights
TIPA-compliant deletion emails, $7 one-time
OfflistMe drafts TIPA-compliant deletion emails for $500+ data brokers. Citations included. You send from your own inbox. No account, no ID upload.
Start for $7 →FAQ
What is the NIST Privacy Framework safe harbor?+
Tennessee controllers who document adherence to the NIST Privacy Framework (NIST PF) get an affirmative defense to TIPA claims. It does not prevent lawsuits but creates a rebuttable presumption of reasonable compliance. For consumers, it means some sophisticated brokers may claim the defense; the AG can still proceed with enforcement.
Official sources & citations
Compare with sibling state laws
TIPA is one of 18 comprehensive US state privacy laws. Its closest peers by effective date, useful when tracking how this law influenced or was influenced by neighboring legislation: