Privacy Daily is a service of Warren Communications News.
Generous Right to Cure

Tennessee Privacy Law Takes Effect With High Penalties, Business-Friendly Safe Harbor

A comprehensive privacy law taking effect Tuesday in Tennessee may appear business-friendly compared with similar measures in other states, but privacy lawyers note that it also contains some of the highest penalties for noncompliance. Companies could avoid a Tennessee crackdown by taking advantage of a novel safe harbor in the law, Mintz’s Cynthia Larose told Privacy Daily.

With the Tennessee Information Protection Act (TIPA), which was signed about two years ago (see 2305120043), 16 of 20 comprehensive state privacy laws are now in effect. Later this year, sweeping privacy laws will also take effect in Minnesota (July 31) and Maryland (Oct. 1), while measures go on the books in Kentucky and Rhode Island on Jan. 1. Despite many other states considering similar legislation this year, not one bill has made it across the finish line in 2025.

“Some of the larger companies are going to be more prepared” for TIPA because it’s modeled after existing state privacy laws, including Virginia's, said Baker Donelson’s Matt White, a Tennessee-based privacy lawyer, in an interview. For companies doing business in states with similar laws, “the list to come into compliance with TIPA won't be as deep” and might amount to “documentation around the fringes.”

On the other hand, businesses that are “solely Tennessee-focused … may not be as prepared to come into compliance,” said White. Having two years between the law’s enactment and effective date certainly gave them “time to deal with the specifics of Tennessee’s law,” but White noted that some companies have nonetheless put TIPA compliance on the back burner.

TIPA follows a similar model to several states, including Virginia and Connecticut. Enforced solely by the state attorney general without a private right of action, TIPA applies to companies that exceed $25 million in annual revenue and either (1) control or process data of at least 25,000 consumers and derive more than 50% of revenue from selling personal data, or (2) control or process personal data of at least 175,000 consumers. Most states’ privacy laws lack a revenue threshold.

“Because the threshold is rather high, the universe of companies to whom this law applies will be more limited,” said Larose, co-chair of the Mintz privacy practice. “The 175,000-consumer threshold is the highest of any state privacy law to date.”

However, White pointed out a difference in how the threshold is written that could capture more companies than it might appear at first glance. Unlike several other states’ privacy laws, TIPA doesn’t “apply only to Tennessee residents -- it’s any Tennessee consumers,” he said. As a result, visitors or other people in the state temporarily “would have rights under [TIPA] while they’re here.” While the law “was touted as being pretty business-friendly,” in part because the numbers in its applicability thresholds are higher than those in many other states, “this is just undercut a little bit because it’s not only [counting] residents.”

Tennessee companies that haven’t had to comply with privacy laws in other states should start by mapping their data, said White. “What do they have? From where do they collect it? With whom do they share it? … Once that piece is done, a lot of the rest of it is easier to comply with.” Next, the company should review and update its privacy policy, ensure it has a mechanism to honor consumer rights requests, and assess its vendor agreements, he said.

Larose noted that TIPA includes an entity-level exemption for state-licensed insurance companies, “a first among state privacy laws.” But like other states, Tennessee provides entity-level exemptions for state and local governments, nonprofits, higher education, financial institutions subject to the Gramm-Leach-Bliley Act (GLBA) and entities subject to the Health Insurance Portability and Accountability Act (HIPAA). Additionally, the law has data-level exemptions, including for employee and B2B data, plus information covered by GLBA, HIPAA, the Fair Credit Reporting Act, the Family Educational Rights and Privacy Act and the Driver's Privacy Protection Act.

A Novel Affirmative Defense

If a company determines that TIPA applies, it should review its existing privacy program to make sure it can take advantage of a novel safe harbor in the Tennessee law, said Larose: “TIPA allows businesses to avoid liability for violations if they have [a] written privacy program that adheres to the [National Institute of Standards and Technology] Privacy Framework or similar documented policies.”

White said this affirmative defense is among the most important unique features of Tennessee’s law. Moreover, it could be a big help for compliance because many Tennessee businesses, especially larger ones, have followed NIST standards for years, he said.

Among other notable features, White highlighted a “very broad definition of sale of data” in TIPA that could “cover a lot of transactions and data,” since it applies any time personal data is exchanged for monetary or other consideration. Returning to the NIST-based affirmative defense, he said: “This is just another way that compliance is eased a little bit for them, as long as they're maintaining that program.”

Tennessee doesn’t require a universal opt-out mechanism. But like many other states, it provides the following rights to consumers:

  • Confirm whether a controller is processing their personal data
  • Access their personal data
  • Correct inaccuracies in their personal data
  • Delete their personal data
  • Obtain a copy of their personal data in a portable format
  • Opt out of the sale of personal data, targeted advertising and profiling

Sensitive data requiring opt-in consent for processing includes:

  • Racial or ethnic origin
  • Religious beliefs
  • Mental or physical health diagnosis
  • Sexual orientation
  • Citizenship or immigration status
  • Genetic or biometric data
  • Children's data
  • Precise geolocation data

High Penalties for Noncompliance

While TIPA provides no private right of action, “the penalties for violations are rather high,” warned Larose: Courts may award up to $7,500 per violation, plus treble damages for willful or knowing violations.

“Penalties for noncompliance can be significant,” the Cooley law firm noted in a blog post last week. The Tennessee law allows “up to $22,500 per intentional violation,” it said, “so companies should undertake a review of their existing notices and practices to ensure compliance.”

On the other hand, TIPA has a 60-day right to cure, which is one of the longest grace periods included in a state privacy law, with no apparent expiration date. White said that "very business-friendly" grace period should help “those that are trying to get their compliance together right now.”

Even so, said Larose, it “might be inferred that, given the lengthy cure period, a failure to cure” will probably be enforced. And considering that companies have had two years to prepare for TIPA -- “a more generous ramp-up period” than many other states provided -- one “could expect that the AG’s office will be expecting that there has been sufficient time for compliance.”

“Tennessee, especially over the last several years, has become a very business-friendly” state, noted White. A major question, though, is “how strenuously is [TIPA] going to be enforced?”

That said, the state attorney general's office has shown over the years that it will investigate and enforce if it believes individuals are being harmed, added the Tennessee lawyer. “I think we will see enforcement where [privacy] rights are being violated.”