Tennessee Information Protection Act (TIPA)

Tennessee's consumer privacy law effective July 1, 2025 — unique in US privacy law for offering an affirmative defense to controllers who demonstrate conformance with the NIST Privacy Framework or comparable standards.

Overview

The Tennessee Information Protection Act (HB 1181, 2023), codified at Tenn. Code Ann. Sec. 47-18-3201 et seq., took effect on July 1, 2025. TIPA follows the Virginia operational model but carries one distinguishing feature found nowhere else in US privacy law: it offers a statutory affirmative defense to controllers that demonstrate conformance with the NIST Privacy Framework (or comparable recognized standards).

This safe-harbor-adjacent design creates a concrete legal incentive to adopt industry-recognized privacy-management frameworks. It does not confer full immunity — the controller must affirmatively plead and prove conformance — but it reshapes the risk calculus for enforcement exposure in Tennessee.

Applicability tracks Virginia exactly: a controller must, in a calendar year, process personal data of 100,000 or more Tennessee consumers, or 25,000 or more consumers while deriving over 50% of gross revenue from the sale of personal data.

Exemptions follow the Virginia family: government, HIPAA, GLBA, non-profits, higher-education, and data covered by FCRA, DPPA, FERPA, COPPA. Employee and B2B data are excluded.

Consumer Rights

Tennessee provides the full Virginia-family rights bundle: access, correction, deletion, portability, opt-out of sale, opt-out of targeted advertising, opt-out of profiling with significant effects, and right to appeal.

Sensitive data follows the standard Virginia-family definition (race, religion, health, sexual orientation, citizenship, genetic, biometric, precise geolocation, children under 13) and requires opt-in consent.

Compliance Requirements

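Controllers must publish a privacy notice, honor data subject requests (DSRs) within 45 days (extendable by a further 45 days), conduct data protection impact assessments (DPIAs) for heightened-risk processing, and execute processor contracts. Recognition of universal opt-out mechanisms (UOOM) such as Global Privacy Control (GPC) is NOT required under TIPA; a Tennessee-only compliance footprint does not need to detect the Sec-GPC request header.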

NIST Privacy Framework safe-harbor: To invoke the affirmative defense, controllers must document policies, procedures, and controls aligned with the NIST Privacy Framework (v1.0 or later) and cover the core functions — Identify-P, Govern-P, Control-P, Communicate-P, Protect-P. Comparable standards (e.g., ISO/IEC 27701) may also qualify. Evidence must be current, implemented, and auditable.

Cure Period + Enforcement

The Tennessee Attorney General has exclusive enforcement authority — no private right of action. Violators receive a 60-day cure period. Civil penalties reach up to $7,500 per violation plus costs.

Controllers that successfully raise the NIST Privacy Framework affirmative defense shift the litigation posture substantially — the AG must overcome documented framework conformance rather than simply prove violation.

How Inori Addresses This

Inori's v1.2 privacy.mdx lists Tennessee in the applicable-states section with its July 1, 2025 effective date. Our /api/dsar endpoint services the full rights bundle with a 45-day SLA. GPC handling is active platform-wide even though TIPA does not require it, giving Tennessee residents the stronger posture by default.

Inori's roadmap includes a NIST Privacy Framework alignment track tied to our broader SOC 2 paving plan — the same governance artifacts that satisfy SOC 2 Trust Services Criteria (CC6, CC7, P-series) map directly to NIST Privacy Framework Core functions. Achieving documented conformance will position Inori customers to inherit the TIPA affirmative defense as part of the platform control set. Hard-purge via cron at 90 days closes the deletion lifecycle.

Related Concepts

  • VCDPA — Virginia baseline that TIPA follows structurally
  • KCDPA — Kentucky's Virginia-family law without TIPA's safe harbor
  • DSAR — Core request mechanism, 45-day SLA in Tennessee

Related Terms

CCPA / CPRA (California Consumer Privacy Act / California Privacy Rights Act)

California's comprehensive consumer privacy laws giving residents the right to know, delete, correct, and opt out of the sale or sharing of their personal information. CPRA amended and expanded CCPA effective January 1, 2023.

DSAR (Data Subject Access Request)

A formal request by an individual to a company to exercise their privacy rights — including accessing, correcting, deleting, or exporting their personal data — as provided by CCPA, CPRA, GDPR, and U.S. state privacy laws.

Virginia Consumer Data Protection Act (VCDPA)

Virginia's comprehensive consumer privacy law — the second state law after CCPA — granting residents rights to access, correct, delete, and opt out of data sales. Served as the template for most subsequent state laws.

Kentucky Consumer Data Protection Act (KCDPA)

Kentucky's consumer privacy law effective January 1, 2026 — a Virginia-family regime distinguished administratively by the creation of a dedicated Office of Data Privacy within the Attorney General's office.