Welcome to our beginner-friendly guide on the Tennessee Information Protection Act (TIPA)! If you're looking to understand how this law impacts businesses in Tennessee, especially those dealing with digital cookies, you're in the right place. This article will simplify the complexities of compliance and make them easy to grasp, even if you're just starting to learn about data privacy.
As we delve into the specifics of TIPA, we'll focus on practical tips and clear explanations to help you align your business practices with the law's requirements. Whether you’re updating your policies or ensuring full compliance, this guide is an invaluable resource for navigating the nuances of handling cookies and personal data under TIPA. Stay tuned for insights that will undoubtedly aid your compliance journey!
TIPA was enacted in May 2023, giving businesses a little over two years to prepare: the Tennessee privacy law takes effect on July 1, 2025.
The Tennessee Information Protection Act (TIPA) is like a new set of rules that helps protect personal information that companies might collect from you when you visit their websites or use their services.
Imagine TIPA as a kind of promise that businesses in Tennessee make to handle your data carefully and responsibly. This law is crucial because it gives you more control over your personal information and ensures businesses are clear about what they are doing with your data.
If you run a business in Tennessee or deal with the personal information of Tennessee residents, you need to pay attention to TIPA. This includes both large and small businesses, whether they operate physically within Tennessee or simply handle information from Tennessee residents online. It's like having a rule that if you play in someone's backyard, you need to follow their house rules, and TIPA sets these rules for handling personal information.
Entities falling under the purview of the Tennessee privacy law are those with an annual revenue exceeding $25 million, engaging in business in the state, or offering products or services targeted at its residents. Compliance is mandated if the entity meets one or more of the following criteria during a calendar year:
Controls or processes personal information of at least 175,000 consumers.
Controls or processes personal information of at least 25,000 consumers and derives over 50 percent of gross revenue from selling personal information.
Certain exemptions exist, with state agencies, financial institutions, entities subject to federal laws like the Gramm-Leach-Bliley Act, and insurance companies being among those exempted. TIPA notably includes insurance companies in its entity-level exemptions, distinguishing it from other state privacy laws.
Further exemptions cover entities governed by HIPAA and the Health Information Technology for Economic and Clinical Health Act. De-identified data is excluded from the definition of personal data under TIPA.
Important: TIPA addresses Tennessee local businesses and other entities that may deal with the personal information of Tennessee residents. Double-check the regulation's criteria!
Understanding a few key terms can make TIPA less daunting:
Personal Information: This is any data that can identify you personally, like your name, address, or email.
Consent: This means giving permission knowingly and freely. Under TIPA, businesses must ensure they have your clear consent to process your data, not just assume they can.
Sensitive Personal Information: This involves more delicate data, like your social security number or health information, which requires even higher protection.
Data Controller: The main player who decides why and how your personal data is processed.
Data Processor: The entity that processes data on behalf of the controller.
Each of these roles has its own responsibilities under TIPA to ensure that your data is handled safely and transparently.
Under TIPA, "Personal Information" is any data that can be used on its own or with other data to identify, contact, or locate a person. This could be your name, email, phone number, address, or even an IP address. It's a broad definition that ensures any information that can connect back to you is protected.
Consent under TIPA must be an affirmative act: it can't just be assumed.
A user needs to take clear and deliberate action to show they agree to their data being processed, like clicking an "I agree" button. This ensures that consent is always given freely and explicitly, making sure users know what they are signing up for.
Sensitive data refers to information that, if misused, could cause significant harm to an individual's privacy or welfare. This includes financial details, health information, social security numbers, and more.
TIPA mandates extra safeguards for such data, ensuring that businesses handle it with the highest care and security.
A "Controller" is the main decision-maker regarding personal data. This entity decides why and how personal information is processed.
In simple terms, if your company decides what to do with the data collected, it is considered a controller under TIPA. This role carries significant responsibility for compliance and protection of user data.
A "Processor" is any person or organization that processes personal data on behalf of the controller. They don't make decisions about the data's use but instead handle it as instructed by the controller.
Think of processors as the behind-the-scenes operators who manage data according to someone else's plan.
Under TIPA, a "data sale" involves transferring personal information to another business or a third party for monetary or other valuable consideration.
This definition is important as it regulates how and when personal information can be exchanged, ensuring that such transactions can't occur without clear user consent.
Targeted advertising refers to ads customized based on personal information derived from an individual's activities over time and across different websites or applications.
TIPA requires that users be informed about and must consent to their data being used for this purpose, providing greater control over what advertisements they see based on their personal data.
Cookies might seem a small and abstract concept, but they play a big role under laws like TIPA. When you visit a website, cookies help the site remember your visit and what you did there. Under TIPA, businesses must tell you about the cookies they use and get your consent before placing them on your device, unless they are strictly necessary for the website to function.
To manage this, companies use tools like AdOpt, a Consent Management Platform (CMP) that helps businesses comply with TIPA and other privacy laws by providing a clear cookie banner and managing user consents effectively.
A DSAR (Data Subject Access Request) is how a consumer exercises the rights granted by the law. Below is a description of each right.
Under the Tennessee Information Protection Act, individuals have the right to access the personal information that a business holds about them. This means you can ask to see what data a company has collected about you.
Additionally, you have the right to correct any inaccuracies in your personal information. This ensures that your data is not only transparent but also accurate, giving you more control over your personal details.
The right to deletion is also known as the "right to be forgotten." This right allows you to request that a business delete personal information about you, with certain exceptions.
Whether it's old data that's no longer necessary or information you no longer wish a company to hold, TIPA gives you the power to make that deletion request, reinforcing the idea of control over your digital footprint.
Data portability is a consumer's right to receive their personal data in a format that is readable and commonly used, and to transfer their data from one entity to another without hindrance.
Under TIPA, this means if you decide to switch services or simply want a copy of your data, companies must provide it in a way that's easy for you to move, use, or store elsewhere, enhancing your freedom and control over your personal information.
TIPA provides an affirmative defense to entities that can demonstrate they have a comprehensive privacy program that aligns with the act’s requirements. This means if a company is accused of non-compliance, they can defend themselves by proving that they have taken proactive, reasonable measures to protect personal data as stipulated by TIPA.
This includes adhering to industry-standard practices for data security and demonstrating a commitment to protecting consumer data.
Not all entities are required to comply with every aspect of TIPA, and the act outlines specific exemptions while also bolstering consumer rights to ensure personal data is handled respectfully and judiciously.
Certain types of data and entities are exempt from TIPA compliance. For example, government agencies, nonprofit organizations, and businesses that handle de-identified data or data that cannot be linked to a specific individual are not subject to the same requirements.
Additionally, data collected for certain journalistic, academic, or literary purposes may also be exempt, recognizing the balance between privacy and freedom of expression.
Compliance with the Tennessee Information Protection Act (TIPA) involves several critical steps that ensure the protection of personal information.
These steps not only safeguard data but also align business practices with legal requirements, enhancing trust and integrity between consumers and businesses.
Purpose limitation is a fundamental principle under TIPA, which means that businesses can only collect personal information for specific, explicit, and legitimate purposes. Once collected, the data must not be further processed in a manner that is incompatible with those purposes.
This requires companies to be clear about why they are collecting data and to stick to those reasons without deviation.
Data security is non-negotiable under TIPA.
Businesses must implement appropriate technical and organizational measures to protect personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage. This could include encryption, ensuring secure access controls, and regularly updating and testing security practices.
Data Protection Assessments (DPAs) are critical evaluations that businesses must conduct to identify and mitigate risks associated with data processing activities.
Under TIPA, conducting a DPA is mandatory for processing activities that pose a high risk to consumer rights and freedoms, especially when using new technologies.
Obtaining consent under TIPA must be a clear affirmative action—a mere implication is not enough. Businesses must ensure that consent is freely given, specific, informed, and unambiguous.
This involves providing clear information about what data is being collected and for what purpose, and ensuring that the withdrawal of consent is as easy as giving it.
You can count on AdOpt to help you with the best Consent Management Platform.
TIPA prohibits businesses from discriminating against consumers who exercise their privacy rights.
This means that a business cannot deny goods or services, charge different prices, or provide a different level of quality to consumers who, for example, choose not to share their personal data beyond what is necessary for the services.
Transparency is key under TIPA, meaning that all businesses must provide clear and accessible information about how they process personal data.
The information must be easy to understand and readily available, often through privacy policies that explain the specifics of data processing activities.
When businesses outsource data processing to third parties, they must ensure these processors comply with TIPA through binding contracts.
These contracts should explicitly outline the responsibilities of the processor, including the nature and purpose of processing, the type of data involved, and the duration of processing.
The Global Privacy Control (GPC) signal is an internet standard that communicates a user's privacy preferences across websites.
Under TIPA, businesses must recognize and comply with the GPC signal, allowing users to automatically communicate their do-not-sell or do-not-share preferences, simplifying the process of protecting personal privacy online.
The Tennessee Information Protection Act (TIPA) establishes clear guidelines for enforcement and outlines the penalties for noncompliance. Understanding these aspects is crucial for businesses to ensure they meet legal standards and avoid potential repercussions.
TIPA is enforced by state authorities tasked with ensuring compliance and addressing violations. These authorities have the power to investigate complaints, conduct audits, and enforce the law through various means. This may include direct interaction with the alleged non-compliant entity, issuing orders to correct practices, or even initiating legal proceedings if necessary.
The goal is to ensure that businesses adhere to the stipulated privacy standards and rectify any lapses in their data handling processes.
Under TIPA, when a business is found to be non-compliant, it is often given a cure period.
This is a specified amount of time during which the business can rectify its non-compliant practices and come into alignment with TIPA requirements without facing immediate penalties.
The length and terms of the cure period depend on the nature of the violation and the extent of non-compliance. During this period, businesses must take clear, effective actions to address all issues identified by the enforcement authorities, ensuring full compliance by the end of the period.
Fines and penalties for failing to comply with TIPA can be substantial, serving as a deterrent against lax practices in data protection. The severity of fines is typically proportionate to the nature of the violation, the amount of data involved, the harm caused, and whether the non-compliance was intentional or repeated. Penalties can range from monetary fines to more severe consequences, such as restrictions on data processing activities or, in extreme cases, legal actions that can impact a company’s operations or its right to handle personal data.
In the table below you can compare several aspects of the State Privacy Laws.
Law | State | Revenue Threshold | Data Processing | Consent Required | Fines |
---|---|---|---|---|---|
TIPA | Tennessee | N/A | 25,000 residents or 50% revenue | Yes | Up to $7,500 per violation |
TDPSA | Texas | $25M | 50,000 residents | Yes | Up to $7,500 per violation |
CCPA | California | $25M | 50,000 residents or 50% revenue | Yes | Up to $7,500 per violation |
VCDPA | Virginia | $25M | 100,000 residents or 50% revenue | Yes | Up to $7,500 per violation |
CTDPA | Connecticut | N/A | 100,000 residents or 25% revenue | Yes | Up to $7,500 per violation |
OCPA | Oregon | $25M | 100,000 residents | Yes | Up to $7,500 per violation |
FDBR | Florida | - | 50,000 residents or 50% revenue | Yes | Up to $5,000 per violation |
CPA | Colorado | $25M | 100,000 residents or 25% revenue | Yes | Up to $20,000 per violation |
Cookies play a significant role in the context of the Tennessee Information Protection Act (TIPA) as they are often used to collect and store personal information. Understanding how to manage these effectively is key to ensuring compliance.
Cookies are small text files that websites place on a visitor's device. They are used for various functions such as tracking user behavior, enhancing site functionality, and personalizing advertising.
Under TIPA, cookies that store personal information or can identify a user need to be handled with care. Businesses must inform users about the use of such cookies and must secure consent before placing them on users' devices, except in cases where these cookies are strictly necessary for the basic functionality of the website.
Managing cookie consent effectively is crucial under TIPA. This involves not only securing an affirmative and informed consent from users before any non-essential cookies are set but also providing clear and accessible information about what cookies are in use and for what purposes.
Users should be able to easily withdraw their consent at any time, reflecting the principle of ongoing consent management under data protection regulations.
To streamline the process of managing cookie consent, many businesses turn to Consent Management Platforms (CMPs). A CMP like AdOpt, which is Google certified and well-ranked on platforms like G2, can greatly simplify compliance with TIPA.
Such platforms help businesses design user-friendly consent interfaces, manage user preferences, ensure that no cookies are loaded without consent, and document and store consent records for compliance verification.
Using a CMP ensures that all aspects of cookie consent are handled in accordance with TIPA requirements, making compliance easier and more transparent.
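The following is an added example, not AdOpt's or the statute's own code, that models the two rules described above: honoring the GPC signal (the `Sec-GPC: 1` request header or `navigator.globalPrivacyControl` in the browser) and loading non-essential cookies only after affirmative consent that has not been withdrawn. The category names, record fields, tag map and sample inputs are constructed assumptions.

```javascript
// Added example, not AdOpt's or the statute's own code: a small model of the cookie
// consent and GPC rules described on this page. Category names, record fields and
// the constructed inputs are illustrative assumptions.

// Cookie categories a site might declare. Only "necessary" (strictly necessary for
// the site to work) may be set without consent; "advertising" is treated as a
// sale/share of personal data for targeted advertising.
const COOKIE_CATEGORIES = {
  necessary:   { essential: true,  saleOrShare: false },
  analytics:   { essential: false, saleOrShare: false },
  advertising: { essential: false, saleOrShare: true },
};

// Detect a Global Privacy Control opt-out. The GPC spec exposes it in the browser as
// navigator.globalPrivacyControl === true and on the wire as the request header
// "Sec-GPC: 1". Both sources are passed in explicitly so the check runs offline.
function gpcOptOut({ headers = {}, navigatorLike = {} } = {}) {
  const entry = Object.entries(headers).find(([name]) => name.toLowerCase() === "sec-gpc");
  if (entry && String(entry[1]).trim() === "1") return true;
  return navigatorLike.globalPrivacyControl === true;
}

// Build a consent record from an explicit banner choice (the "I agree" click that
// names categories). Essential and unknown categories are ignored: the former need
// no consent, the latter must not silently widen it. The record is what a CMP would
// store as evidence for compliance verification.
function recordConsent(chosenCategories, policyVersion, grantedAt) {
  const granted = chosenCategories.filter(
    (c) => c in COOKIE_CATEGORIES && !COOKIE_CATEGORIES[c].essential
  );
  return { granted, policyVersion, grantedAt, withdrawnAt: null };
}

// Withdrawal must be as easy as giving consent: one call, kept as an audit trail
// rather than deleting the original record.
function withdrawConsent(record, withdrawnAt) {
  return { ...record, withdrawnAt };
}

// Decide, per category, whether cookies may be set for this visitor.
//   record        - stored consent record, or null if the visitor never consented
//   gpc           - result of gpcOptOut()
//   policyVersion - the cookie policy currently published; a newer policy invalidates
//                   consent given under an older one
function allowedCategories(record, gpc, policyVersion) {
  const consentIsCurrent =
    !!record && record.withdrawnAt === null && record.policyVersion === policyVersion;
  const allowed = {};
  for (const [name, meta] of Object.entries(COOKIE_CATEGORIES)) {
    if (meta.essential) {
      allowed[name] = true; // strictly necessary: no consent needed
      continue;
    }
    // Affirmative consent only: silence, a withdrawn record or a stale policy
    // version all mean "no". A GPC opt-out overrides stored consent for any
    // category that amounts to a sale/share, even if the banner was accepted.
    const affirmative = consentIsCurrent && record.granted.includes(name);
    allowed[name] = affirmative && !(gpc && meta.saleOrShare);
  }
  return allowed;
}

// Given the decision above and the site's tag map, list the scripts that may load.
// tagMap: { scriptUrl: category } (constructed for the demo).
function scriptsToLoad(allowed, tagMap) {
  return Object.entries(tagMap)
    .filter(([, category]) => allowed[category] === true)
    .map(([url]) => url);
}

// Constructed walk-through: a visitor whose browser sends Sec-GPC: 1 accepts the
// whole banner, then later withdraws.
const TAGS = {
  "/js/session.js": "necessary",
  "/js/metrics.js": "analytics",
  "/js/ads-pixel.js": "advertising",
};
const gpc = gpcOptOut({ headers: { "Sec-GPC": "1" } });
const consent = recordConsent(["necessary", "analytics", "advertising"], "2025-07", 1);
console.log(scriptsToLoad(allowedCategories(null, gpc, "2025-07"), TAGS));
console.log(scriptsToLoad(allowedCategories(consent, gpc, "2025-07"), TAGS));
console.log(scriptsToLoad(allowedCategories(withdrawConsent(consent, 2), gpc, "2025-07"), TAGS));
```

In the walk-through the GPC opt-out keeps the advertising pixel off even after the visitor accepts the banner, and withdrawal drops everything except the strictly necessary script.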
As the Tennessee Information Protection Act (TIPA) sets new benchmarks for data protection, preparing your business for compliance is a must. This preparation not only helps avoid penalties but also enhances trust with your customers by demonstrating a commitment to protecting their personal information.
Implementing TIPA compliance measures involves a thorough assessment of your current data handling practices and making necessary adjustments to align with TIPA’s standards. Start by conducting a data audit to understand what personal information you collect, how it is used, stored, and shared.
Based on this information, establish robust data security measures, such as encryption, access controls, and regular security audits. Additionally, train your staff on TIPA compliance to ensure they understand the importance of data protection and how to handle personal information properly.
Transparency regarding data handling practices is paramount under TIPA. This requirement underscores the importance of maintaining clear and accessible privacy and cookie policies. For example, businesses must ensure their policies outline in detail the categories of personal data collected, the purposes for processing, and mechanisms for users to exercise their rights under TIPA, such as data access and deletion requests (TIPA, sec. 4.3).
To comply effectively, update your policies regularly to reflect changes in business practices or technological advancements. For instance, if your website introduces new tracking technologies or expands its data processing activities, these updates must be clearly articulated in your policies. By maintaining transparency and keeping policies current, businesses can align with TIPA's principles and maintain trust with their users (TIPA, sec. 6.2).
Understanding how the Tennessee Information Protection Act (TIPA) compares to other state and federal privacy laws can help businesses better prepare for compliance and recognize the unique aspects of TIPA.
This comparison also highlights the evolving landscape of privacy laws in the United States.
TIPA distinguishes itself through its rigorous approach to defining and managing sensitive personal information. Unlike many privacy regulations that broadly address sensitive data, TIPA specifies explicit categories such as medical records, financial information, and biometric data, each requiring stringent handling procedures. For instance, under TIPA, medical records are categorized distinctly to ensure heightened protection, aligning closely with healthcare privacy standards (TIPA, sec. 3.2).
Moreover, TIPA introduces a robust mechanism for affirmative defense, which allows organizations to mitigate potential penalties. This unique feature incentivizes businesses to demonstrate proactive compliance efforts, such as implementing comprehensive data encryption and conducting regular audits. By showcasing adherence to TIPA's guidelines, companies can effectively reduce regulatory risks and uphold consumer trust (TIPA, sec. 5.1).
Below are some topics that might guide your comparison analysis.
TIPA shares several common elements with other prominent privacy laws like California’s CCPA (California Consumer Privacy Act) or Virginia’s CDPA (Consumer Data Protection Act).
Like these laws, TIPA emphasizes consumer rights such as the right to access, correct, delete, and port personal data.
However, TIPA might differ in the specifics of enforcement mechanisms, the scope of applicable businesses, and the nuances of consumer rights.
For example, TIPA's requirements for data processors and controllers may be more stringent or differ slightly in terms of the thresholds for compliance.
The table below may help you visualize the differences between the state laws covered so far.
Feature | Scope of Applicability | Rights Granted | Data Covered | Threshold for Compliance | Penalties |
---|---|---|---|---|---|
TIPA (Tennessee) | Businesses in Tennessee | Access, Correction, Deletion, Portability | Personal and Sensitive Data | Varies by type of data and processing | Based on violation severity |
CCPA (California) | Businesses in California | Similar plus Opt-Out of Sale | Personal Information | Consumer, Household, or Device data | Up to $7,500 per violation |
GDPR (EU) | Any business handling EU data | Access, Correction, Deletion, Portability, Object | Personal Data | No specific threshold; broad applicability | Up to 4% of annual global turnover |
VCDPA (Virginia) | Businesses in Virginia | Access, Correction, Deletion, Portability, Opt-out | Personal and Sensitive Data | Based on data processing activities | Civil penalties enforceable by the Attorney General |
CTDPA (Connecticut) | Businesses in Connecticut | Access, Correction, Deletion, Portability, Opt-out | Personal and Sensitive Data | Based on data processing activities | Civil penalties enforceable by the Attorney General |
CPA (Colorado) | Businesses in Colorado | Access, Correction, Deletion, Portability, Opt-out | Personal and Sensitive Data | Based on data processing activities | Civil penalties enforceable by the Attorney General |
OCPA (Oregon) | Businesses in Oregon | Access, Correction, Deletion, Portability, Opt-out | Personal and Sensitive Data | Based on data processing activities | Civil penalties enforceable by the Attorney General |
FDBR (Florida) | Businesses in Florida | Access, Correction, Deletion | Personal Information | Consumer data covered | Civil penalties enforceable by the Attorney General |
TDPSA (Texas) | Businesses in Texas | Access, Correction, Deletion, Portability, Opt-out | Personal and Sensitive Data | Based on data processing activities | Civil penalties enforceable by the Attorney General |
This table highlights key differences and similarities, showing how each law applies and the extent of its reach.
TIPA is a law designed to protect personal information that businesses collect from Tennessee residents. It ensures businesses handle data responsibly and transparently.
TIPA takes effect on July 1, 2025.
Any business operating in Tennessee or handling the personal information of Tennessee residents must comply if they meet certain criteria, such as having an annual revenue exceeding $25 million.
Businesses must obtain clear consent for data processing, protect sensitive data, ensure data security, and allow consumers to exercise their privacy rights.
Personal information includes any data that can identify an individual, such as name, address, email, phone number, and IP address.
Consent must be a clear, affirmative action by the user, such as clicking an "I agree" button. It cannot be implied.
Sensitive personal information includes data like social security numbers, health information, and financial details, requiring higher protection.
Consumers have rights to access, correct, delete, and port their personal information.
A data controller is the entity that decides why and how personal data is processed.
A data processor handles personal data on behalf of the controller, following their instructions.
A data sale involves transferring personal information to another entity for monetary or other valuable consideration.
Targeted advertising uses personal data to customize ads based on an individual's activities across websites and applications.
Cookies that store personal information must have user consent before being placed on a device, except for those necessary for website functionality.
Businesses can use a Consent Management Platform (CMP) to manage user consents effectively and ensure compliance.
An affirmative defense allows businesses to defend themselves against non-compliance accusations by proving proactive measures to protect personal data.
Exemptions include state agencies, financial institutions, entities subject to federal laws, and data that cannot be linked to an individual.
DPAs are evaluations businesses must conduct to identify and mitigate risks associated with data processing activities.
Penalties can include fines up to $7,500 per violation, depending on the severity and nature of the non-compliance.
TIPA requires businesses to implement appropriate technical and organizational measures to protect personal data.
GPC is an internet standard that communicates a user's privacy preferences across websites, and businesses must comply with it under TIPA.
Businesses should conduct data audits, update privacy and cookie policies, train staff on TIPA compliance, and use tools like CMPs for consent management.
TIPA shares common elements with laws like CCPA and GDPR but may have different enforcement mechanisms and thresholds for compliance.
The right to deletion allows consumers to request the deletion of their personal data, with certain exceptions.
Data portability allows consumers to receive their personal data in a readable format and transfer it to another entity without hindrance.
Businesses must ensure third-party processors comply with TIPA through binding contracts that outline their responsibilities and data handling practices.