Skip to main content

On-demand webinar coming soon...

Blog

Tennessee passes Information Protection Act

The Act becomes the latest privacy bill to be passed in the US, adding another layer of complexity to the existing patchwork

Robb Hiscock
Senior Content Marketing Specialist, CIPP/E, CIPM
April 27, 2023

Tennessee state house

On April 21, 2023, the Tennessee State Senate passed the Tennessee Information Protection Act (TIPA). The passing of this privacy bill is the latest in a flurry of privacy legislation being passed in the first half on 2023 and adds to an increasingly complex privacy landscape in the US. 

The TIPA will enter into effect on July 1, 2025, and will introduce several requirements for businesses covered by its scope including risk assessments, data minimization requirements, and obtaining opt-in consent for processing sensitive personal information. 

Keep reading to learn more about the key provisions and compliance areas of the latest comprehensive privacy bill to be passed. 

 

Key requirements of the Tennessee Information Protection Act

A good place to start with the TIPA is to understand its scope and what businesses it will cover. The TIPA will apply to persons that conduct business in Tennessee or produce products or services that are targeted to residents of Tennessee. TIPA will apply to businesses that exceed $25,000,000 in revenue and meet one of the following criteria:

  • Control or process personal information of at least 175,000 consumers; or
  • Control or process personal information of at least 25,000 consumers and derive more than 50% of gross revenue from the sale of personal information.

One unique feature of the TIPA is that businesses can voluntarily “create, maintain, and comply with a written privacy program” in line with the National Institute of Standards and Technology’s (NIST) Privacy Framework which can be used as an affirmative defense against a cause of action for violations of the law. 

There are further requirements that must be worked into a TIPA-compliant privacy program which we will look at in more detail below. 

 

Consumer rights

The TIPA introduces a range of consumer rights, referred to as personal information rights, that are similar to those found under other US state privacy laws. 

Consumer rights under the TIPA include: 

  • The right to know
  • The right to access
  • The right to correction
  • The right to deletion
  • The right to data portability
  • The right to opt out of:
  • Sale
  • Targeted advertising
  • Profiling

Although not listed as a personal information right, consumers will have the right to not be discriminated against including denying goods or services, charging different prices or rates. Businesses will have a 45-day period respond to consumer requests with the possibility of a 45-day extension. 

 

Controller responsibilities

There are several responsibilities placed upon the controller under the TIPA. These are requirements that are commonplace among many privacy laws in the US and that will form a key part of any TIPA-compliant privacy program. 

  • Data minimization and purpose limitation - Controllers under the TIPA will be required to limit the collection of personal information to what is adequate, relevant, and reasonably necessary for the purposes of the processing activity and must not process personal information for purposes other than those outlined in the controller’s privacy notice unless further consent is obtained. 
  • Security measures – Controllers will be required to “establish, implement, and maintain reasonable administrative, technical, and physical data security practices.”
  • Opt-in consent for processing sensitive personal information – Controllers are prohibited from processing sensitive data without first obtaining the consumer's consent. Additionally, processing the personal data of a known child should be done in line with the Children's Online Privacy Protection Act (COPPA) 
  • Privacy notices – Controllers must present the consumer with “a reasonably accessible, clear, and meaningful privacy notice” this should include: 
  • The categories of personal information 
  • The purposes for processing 
  • How consumers may exercise their consumer rights 
  • The categories of personal information sold to third parties
  • The categories of third parties that personal information is sold 

 

Data protection assessments

Under the TIPA, there is a requirement for controllers to conduct and document a data protection assessment for certain processing activities that identifies and balances the benefits and risks of the processing activity. Activities that require a data protection assessment include:

  • The processing of personal information for purposes of targeted advertising
  • The sale of personal information
  • The processing of personal information for purposes of profiling
  • The processing of sensitive data
  • Processing activities involving personal information that present a heightened risk of harm to consumers

Similar to the risk assessments requirements found in Virginia, the TIPA allows a single data protection assessment for similar processing operations that include similar activities as well as data protection assessments that have been conducted in compliance with other laws for comparable processing activities.

 

Enforcement

The TIPA will be enforced by the Tennessee Attorney General and controllers found to be in violation of the law will be granted a 60-day cure period. Controllers that do not remediate violations within 60 days are liable for civil penalties of up to $7,500 per violation. There is no private right of action. 

 

How businesses can prepare for the TIPA

The TIPA will still need to be signed into law by the Governor of Tennessee before officially becoming part of the US privacy landscape, however this looks to be a formality. OneTrust DataGuidance Research can help you to keep up to date with the status of the law as well as further amendments and developments to privacy laws right across the US. 

For businesses that want to get a head start on TIPA compliance, OneTrust Data Mapping Automation can help you to create a central view of your organizations data so you can understand what you have, where it is stored, and what rules will apply once TIPA comes into effect. 

Request a demo to see how the OneTrust Privacy & Data Governance Cloud can help you prepare for the new era of US privacy laws or stay up to date on all the latest updates with the OneTrust DataGuidance Research US Privacy Law tracker


You may also like

Webinar

Privacy Management

2024 to 2025: Preparing for the next wave of privacy regulations

Prepare for 2025's privacy changes with this recap webinar on 2024's regulations and explore upcoming laws, trends, and compliance strategies.

January 23, 2025

Learn more

Webinar

Privacy Management

Staying equipped for compliance: A global recap of emerging privacy laws

Join us for a global regulatory recap, where we will explore the latest privacy regulations and key developments impacting compliance in 2024 and beyond. This webinar will offer a streamlined analysis of newly adopted privacy laws, emerging AI regulations, and the evolving cyber regulations such as the NIS2 Directive.

November 20, 2024

Learn more

eBook

Consent & Preferences

Mastering US opt-out requirements: A practical guide for marketers

Discover how to manage US opt-out requirements and enhance your marketing efforts with this guide. Download now to simplify compliance and build trust.

October 22, 2024

Learn more

Webinar

Privacy Automation

Global regulatory update: Recent privacy developments and compliance trends

Join us for a webinar on the latest updates and emerging trends in global privacy regulations.

September 12, 2024

Learn more

Webinar

Privacy Management

Preparing for child data protection laws in the US

Join DataGuidance and a panel of experts as we discuss  US privacy laws the protection of minors' data. 

August 07, 2024

Learn more

Webinar

Privacy Management

The road to 50 states: Rhode Island joins the US privacy landscape with a new law

Rhode Island has become the 20th US State to pass a privacy law. On June 25, 2024, the Governor of Rhode Island transmitted the Data Transparency and Privacy Protection Act (RIDTPPA) without signature allowing the Act to become law. Join the webinar to learn more.

July 16, 2024

Learn more

Webinar

Privacy Management

Preparing for the future of privacy in healthcare: Going beyond HIPAA compliance

Join us for a discussion on preparing your organization for healthcare privacy compliance that goes beyond HIPAA.

July 11, 2024

Learn more

Webinar

Privacy Management

The road to 50 states: Minnesota and Vermont join the US privacy landscape

In this webinar, OneTrust DataGuidance and expert contributors unpack the MCPA and VDPA, examining the requirements, exceptions, and practical implications of the legislations on the data controllers and processors.

June 17, 2024

Learn more

Webinar

Privacy Management

From legislation to operation: How to prepare for the new wave of US Privacy laws

Prepare your organization for the new wave of US privacy laws.

June 06, 2024

Learn more

Checklist

Third-Party Risk

TPRM privacy compliance: Questions to ask when working with third parties

Download this checklist to learn what questions to ask when designing a third-party risk management program that enables privacy compliance.

May 31, 2024

Learn more

Infographic

Comparing US state privacy law requirements

Download our infographic and compare the many US state privacy law requirements that have been enacted or will soon come into effect.

May 14, 2024

Learn more

Webinar

Privacy Management

Federal US privacy bill on the horizon? Exploring the draft APRA & new state privacy legislation

Join OneTrust DataGuidance and expert contributors for an overview of the Kentucky Consumer Privacy Act (KCPA), Maryland's Senate Bill 0541, and the draft American Privacy Rights Act and explore how a federal bill could shape the US privacy landscape.

April 23, 2024

Learn more

Infographic

Privacy Management

US state privacy laws timeline

View our timeline to understand the progression of current US state privacy laws and key dates.

April 23, 2024

Learn more

Webinar

Privacy Management

Spring into action! Navigating CPRA: Ensuring compliance and protecting privacy

Join us for an interactive webinar we dive into the CPRA, which will go into force on March 29th.

March 21, 2024

Learn more

Webinar

Privacy Management

The road to 50 states: New Jersey and New Hampshire join the US privacy landscape

oin OneTrust DataGuidance for a webinar highlighting the key requirements within the new US laws, New Jersey Senate Bill 332 and New Hampshire Senate Bill 255.

February 01, 2024

Learn more

Webinar

Privacy Automation

Embedding Privacy by Design through PIA Automation

Join us for a webinar on Embedding Privacy by Design through PIA Automation.

January 11, 2024

Learn more

Webinar

Privacy Management

Automating fulfillment of subject rights requests in the US

Learn how Privacy Rights Automation helps to fully automate privacy rights requests. 

December 06, 2023

Learn more

Webinar

Privacy Management

December's deadline: Ensuring compliance with Utah's privacy regulation

Join us for a webinar as we explore the impending implementation of the Utah Privacy Law, set to take effect on December 31, 2023.

November 14, 2023

Learn more

Webinar

Privacy Management

The road to privacy compliance: A spotlight on Oregon & Delaware legislation

We explore the new Oregon and Delaware privacy laws, how they differ from other US privacy laws, and what they mean for your business.

September 14, 2023

Learn more

Regulation Book

Privacy Management

Utah Consumer Privacy Act law book

Download the Utah Consumer Privacy Act law book and have the official UCPA text at your fingertips for when the law takes effect on December 31, 2023.

September 04, 2023

Learn more

Blog

Privacy Management

The road to 50 states: Delaware and Oregon join the US privacy landscape

Get in-depth analysis on two upcoming US Privacy laws, the Oregon Consumer Privacy Act (OCPA) and the Delaware Personal Data Privacy Act (DPDPA), with OneTrust DataGuidence and a panel of experts.

August 10, 2023

Learn more

Resource Kit

Privacy Management

EU-US Data Privacy Framework resource kit

Download our EU-US Data Privacy Framework resource kit to better understand the new aggreement for cross-border personal data transfers and how to educate your stakeholders.

July 20, 2023

Learn more

Resource Kit

Privacy & Data Governance

US privacy resource kit

Download our US privacy resource kit designed to access a range of materials to help you understand how the US privacy landscape is evolving.

July 13, 2023

Learn more

Webinar

Privacy Management

Now in effect: Colorado and Connecticut privacy laws

In this free webinar, our privacy experts delve into the new Colorado and Connecticut privacy laws and how they differ from other US state regulations.

July 12, 2023

Learn more

Webinar

Privacy Management

New states, new dates: Preparing for Indiana, Montana, Tennessee and Florida state privacy laws

Join our expert panel where we examine upcoming privacy legislation in Indiana, Montana, Tennessee, and Florida and the key requirements of each law.

June 20, 2023

Learn more

Infographic

Consent & Preferences

Navigating Google's new CMP requirements

Adapt to Google's June 2023 CMP requirements with this infographic and confidently engage your audience while staying compliant.

June 20, 2023

Learn more

Webinar

Privacy Automation

US privacy laws on the horizon: Which states will be next?

Join our live webinar as OneTrust DataGuidence and privacy experts examine new privacy legislation in Indiana, Montana, Tennessee, Florida, and Texas.

June 15, 2023

Learn more

eBook

Consent & Preferences

The ultimate guide to consent and preferences for marketers

Download this eBook and learn how marketers can apply consent and preference principles to build a relationship with their audience built on trust.

June 02, 2023

Learn more

Regulation Book

Privacy Management

Colorado Privacy Act law book

The Colorado Privacy Act (CPA) comes into force on July 1. Get the law's official text right at your fingertips.

May 30, 2023

Learn more

Webinar

Privacy Management

Understanding Washington's My Health My Data Act

The Washington My Health My Data Act was signed into law on April 27, 2023 and will be enacted the following year. Join OneTrust DataGuidance and a team of legal experts and get the knowledge you need for compliance.

May 18, 2023

Learn more

Webinar

Privacy & Data Governance

Operationalizing the Iowa Consumer Data Protection Act

Join the Privacy experts at OneTrust for an update on the new law and learn key requirements of Iowa’s new privacy law and more.

May 16, 2023

Learn more

White Paper

AI Governance

Navigating responsible AI: A privacy professional's guide

Download our white paper and learn how privacy teams help organizations establish and implement polices that ensure AI applications are responsible and ethical. 

May 03, 2023

Learn more

Blog

Privacy & Data Governance

Comparing US privacy law exemptions infographic

Learn how to navigate the new US privacy law exemptions and see how they compare.

May 01, 2023

Learn more

Webinar

Privacy & Data Governance

Automate subject rights requests for compliance with US state privacy laws

Join this interactive webinar to learn how OneTrust Privacy Rights Automation helps you to fully automate privacy rights requests for your organization.

April 19, 2023

Learn more

Webinar

Privacy & Data Governance

Iowa joins US privacy landscape with a new law

OneTrust DataGuidance’s webinar discusses Iowa’s CDPA, its similarities to other US privacy laws, its implications on organizations, and steps for compliance.

April 10, 2023

Learn more

Webinar

Privacy & Data Governance

USA biometric laws: Key considerations and emerging trends

Biometric laws are emerging, and companies must ensure compliance to avoid hefty fines. Join the OneTrust DataGuidance panel of experts to learn more.

April 06, 2023 1 min read

Learn more

Infographic

Privacy Management

US privacy in 2023: Top 3 compliance priorities

Businesses at different stages of privacy maturity will need to approach US privacy compliance in different ways. Download the infographic to learn more.

March 08, 2023

Learn more

Webinar

Privacy & Data Governance

Assess privacy risk for compliance with US state privacy laws

Join this US Privacy Demo Series webinar to see a live demo of the OneTrust privacy risk or data protection assessments (PIA's) automation solution.

March 01, 2023

Learn more

Webinar

Privacy Automation

US Privacy Masterclass - Employee rights fulfilment

Learn the steps you can take to boost employee trust in compliance with US Privacy Laws in our US Privacy Masterclass on Employee Rights Fulfilment.

February 07, 2023

Learn more

Webinar

Privacy Automation

US Privacy Masterclass - Consumer rights & opt-outs

Join us in our US Privacy Masterclass as we delve into the evolving US privacy landscape and how you can build a trust-based privacy program in 2023.

February 07, 2023

Learn more

Webinar

Privacy Automation

US privacy masterclass - risk and DPIAs

Join us in our US Privacy Masterclass on Risk and DPIAs to understand the operational components for risk assessments/data protection assessments.

February 06, 2023

Learn more

Webinar

Privacy Automation

US privacy masterclass - retention & minimization

Our US Privacy Masterclass on Retention & Minimization will help you understand data policy requirements across US Privacy Laws.

February 06, 2023

Learn more

Webinar

Privacy Management

Data Privacy Day: Protiviti & OneTrust

Join industry experts at OneTrust & Protiviti for an operational deep dive and interactive Q&A on the upcoming US State laws set to go into effect in 2023.

January 26, 2023

Learn more

Checklist

Privacy Management

7 steps to CPRA compliance

Download this checklist to make sure your organization follows the right steps to implement processes that achieve California Privacy Rights Act compliance.

January 24, 2023

Learn more

eBook

Consent & Preferences

The ultimate guide to US opt-out requirements

Learn about the different opt-out requirements, such as a “Do Not Sell My Personal Information” in the US privacy landscape, and how to comply with them.

January 23, 2023

Learn more

eBook

Privacy & Data Governance

The ultimate guide to US privacy

Learn more about the three priorities for managing US privacy requirements, including addressing the most visible aspects of US privacy compliance.

December 12, 2022

Learn more

Webinar

Privacy Management

Expanded US consumer rights: What’s new and what should you do?

Join our experts to understand the operational impact of these newly-expanded US consumer rights and how to automate consumer rights request fulfillment.

August 25, 2022

Learn more

Webinar

Privacy Management

Privacy risk assessments in the US: Why, when, and what?

In this webinar, OneTrust experts discuss requirements for conducting PIAs: why they exist, when you should do them, and what they should include.

August 24, 2022

Learn more

Webinar

Privacy & Data Governance

A US federal privacy bill is on the horizon: get to know the ADPPA webinar

In this session, legal experts Michelle Schaap and Andy Lee are joined by OneTrust DataGuidance to provide an overview of what the ADPPA entails.

August 17, 2022

Learn more

Webinar

Privacy Management

Establishing and enforcing retention policies

Attend our webinar, "Establishing and enforcing retention policies," part of the US Privacy Laws Masterclass Series.

July 27, 2022

Learn more

eBook

Privacy & Data Governance

How to comply with the CCPA opt-out requirement

Download this guide to learn how you can comply with the CCPA's opt-out requirements to get on the right track to CCPA compliance.

July 22, 2022

Learn more

White Paper

Privacy & Data Governance

How OneTrust helps with California privacy law compliance (CCPA & CPRA)

This guide to California privacy law compliance helps your organization understand the requirements under the CCPA and CPRA.

June 23, 2022

Learn more

Webinar

Privacy Management

Utah and Connecticut: Latest additions to the US Privacy landscape

Watch our webinars on the latest privacy laws from Utah and Connecticut and what you need to know to prepare in 2023.

June 17, 2022

Learn more

Webinar

Privacy & Data Governance

US privacy laws & regulations: answering your biggest questions

Join us for a Q&A on the several US state laws going in effect in 2023.

June 16, 2022

Learn more

eBook

Privacy & Data Governance

Comparing US state privacy laws

Download this eBook and explore the key areas of US state privacy laws and how they compare. 

June 15, 2022

Learn more

Resource Kit

Privacy Management

Your US privacy masterclass resource kit

These resources provide key information on US privacy law through blogs, webinars, and eBooks.

April 26, 2022

Learn more

Checklist

Privacy & Data Governance

6 step checklist for compliance with US privacy laws

Download our six step checklist for US privacy laws and ensure that your company remains compliant in 2023.

March 29, 2022

Learn more

Webinar

Privacy & Data Governance

Utah joins the US Privacy landscape with new comprehensive law

Join us for an overview of Utah's Consumer Privacy Act (UCPA) and its impact on your organization.

March 25, 2022

Learn more

Webinar

Privacy Management

Overview: Understanding the trio of US privacy laws

Attend our webinar, to better understand privacy laws in the US.

March 23, 2022

Learn more

Webinar

Privacy Management

New to US privacy: Privacy impact assessments

Watch our webinar as we discuss privacy impact assessments and how they relate to US privacy laws.

March 23, 2022

Learn more

Webinar

Privacy Management

Navigating opt-out of sale vs. share

Watch our US Privacy Law masterclass to  learn about opt-out of sales and share requirements and best practices for approaching compliance.

March 23, 2022

Learn more

Webinar

Privacy Management

US Privacy series: Effectively governing personal and sensitive personal information part 3

Watch our webinar on US privacy laws and gain insight on effective personal information managment strategies.

February 02, 2022

Learn more

Webinar

Privacy Management

US Privacy series: Effectively governing personal and sensitive personal information part 2

Join us for an overview of US privacy laws and strategies for dealing with compliance.

January 11, 2022

Learn more

Webinar

Privacy Management

[Part 1] US Privacy Series: Establishing a foundation for compliance

In the first part of our US Privacy Series, we discuss US privacy laws such as the CPRA and best practices towards compliance. 

December 21, 2021

Learn more

Infographic

Privacy & Data Governance

Employee rights under the CPRA

Download our infographic on employee rights under the CPRA to help prepare for the law's expansion in CPRA. 

December 07, 2021

Learn more

eBook

Privacy & Data Governance

The ultimate guide to CCPA compliance

The Ultimate Guide to CCPA Compliance eBook highlights key compliance areas of  the CCPA that you should consider when building a privacy program.

December 01, 2021

Learn more

eBook

Privacy & Data Governance

Download this eBook for an overview of the Virginia Consumer Data Protection Act (CDPA) to understand what it means for organizations.

Download this eBook for an overview of the Virginia Consumer Data Protection Act (CDPA) to understand what it means for organizations.

July 22, 2021

Learn more

Webinar

Privacy & Data Governance

CCPA compliance masterclass

Watch our OneTrust CCPA Masterclass Series and learn how to prepare your organization for CCPA compliance.

Learn more

Webinar

US Privacy Masterclass: Countdown to 2023 compliance

Join this US Privacy Masterclass series as we delve into the evolving US privacy landscape and how you can build a trust-based privacy program in 2023.

Learn more

Webinar

Privacy Management

US Privacy Masterclass 2022

Watch the OneTrust US Privacy Masterclass series and gain insight on the major US privacy law and best practices.

Learn more