Support Centre

Tennessee

Summary

Law: The Tennessee Information Protection Act ('TIPA')

Regulator: The Tennessee Attorney General ('AG')

Summary: On 11 May 2023, the Tennessee Governor signed the TIPA into law, which shall enter into force on 1 July 2025. The TIPA sets out obligations for businesses covered by its scope, such as risk assessments, data minimisation requirements, and obtaining opt-in consent for processing sensitive personal information, and establishes consumer rights, including the right to know, access, correction, deletion, and data portability, as well as a right to opt out of the sale of personal information, targeted advertising, and profiling. Moreover, the TIPA provides the AG with exclusive authority to bring actions, while also recognising that a controller or processor that complies with a privacy program that reasonably conforms to the National Institute of Standards of Technology ('NIST') or other documented policies, standards, and procedures designed to safeguard consumer privacy, has an affirmative defence to a cause of action for a violation of the TIPA.

Furthermore, Tennessee has recognised the common law tort of invasions of privacy, and like all US States, it has enacted a data breach notification law under §47-18-2107 of the Tennessee Code, as amended in 2017. Notably, Tennessee was the first State in the US requiring notification of a breach of both encrypted and unencrypted information. In addition, the Tennessee legislature, in 2017, amended the definition of a breach of system security to not include the good faith acquisition of personal information by an employee if the personal information is not used or subject to further unauthorised disclosure. Other Tennessee privacy laws tend to focus on consumer protection, including laws governing the privacy of consumer reports, security freeze requests, identity theft, and the protection of personally identifiable information of consumers of video tape sellers or service providers. In addition, Tennessee has sector-specific laws limiting the disclosure or redisclosure and reuse of non-public personal information by insurers and agents.

In addition, on 28 April 2023, the Tennessee Governor signed into law the Genetic Information Privacy Act, which shall enter into effect on 1 July 2023.

You can track other US State bills through our US State Law Tracker.

Insights

The Tennessee Information Protection Act (TIPA) was signed into law by the Governor of Tennessee, Bill Lee, on May 11, 2023, having passed both Houses of the Tennessee General Assembly.

The TIPA will enter into effect on July 1, 2025.

The Tennessee Information Protection Act (TIPA) (HB 1181) was signed into law by Governor Bill Lee on May 11, 2023. As of the publication of this Insight article, Tennessee is one of 11 states that have passed 'comprehensive' privacy laws (laws that protect an individual's general right to privacy, instead of only regulating certain data processing contexts), joining California, Colorado, Virginia, Utah, Connecticut, Iowa, Indiana, Montana, Texas, and Oregon.

In this Insight article, Kirk Nahra, Ali Jessani, Genesis Ruano, and Samuel Kane, from Wilmer Cutler Pickering Hale and Dorr LLP, provide a detailed breakdown of TIPA's applicability, exemptions, key definitions, substantive requirements, and enforcement provisions.

The Tennessee Information Protection Act (TIPA) was introduced, on January 31, 2023, to the Tennessee House of Representatives. Since then, the TIPA has passed both State Houses and was signed by the Tennessee Governor, on May 11, 2023. The TIPA introduces obligations for both data controllers and data processors, as well as consumer rights, and will enter into effect on July 1, 2025. OneTrust DataGuidance Research provides an overview of the key provisions under the TIPA.

Feedback