If you own or operate a business in Tennessee, there's a new law on the books that directly impacts how you collect, store, and use personal data. The Tennessee Information Protection Act (TIPA), signed into law in May 2023 and enforceable as of July 1, 2025, makes Tennessee the latest state to join the growing wave of comprehensive data privacy legislation. For business owners across Johnson City, Kingsport, Bristol, and the broader Tri-Cities region, understanding your obligations under TIPA isn't optional — it's a legal requirement.
What Is TIPA?
The Tennessee Information Protection Act is a comprehensive consumer data privacy law modeled in many ways after Virginia's Consumer Data Protection Act (VCDPA). It establishes rights for Tennessee residents regarding their personal data and creates obligations for businesses that process that data. In plain terms: if your business collects personal information from Tennessee consumers — through a website, customer database, patient intake form, or any other channel — TIPA may apply to you.
TIPA defines "personal data" broadly. It includes any information that is linked or reasonably linkable to an identified individual: names, email addresses, phone numbers, IP addresses, purchase histories, geolocation data, and more. Certain categories are classified as "sensitive data" and receive additional protections, including biometric data, health information, precise geolocation, and data revealing racial or ethnic origin.
Who Does TIPA Apply To?
TIPA applies to businesses that conduct operations in Tennessee or target products and services to Tennessee residents, and meet one of the following thresholds during a calendar year:
- Process the personal data of 175,000 or more consumers, or
- Process the personal data of 25,000 or more consumers and derive more than 50% of gross revenue from the sale of personal data.
These thresholds are higher than some other state privacy laws, which means many smaller Tri-Cities businesses may technically fall outside TIPA's direct requirements. However — and this is important — that does not mean data privacy best practices are irrelevant for smaller organizations. We'll address that below.
Consumer Rights Under TIPA
TIPA grants Tennessee consumers several specific rights over their personal data:
- Right to access: Consumers can request confirmation of whether a business is processing their personal data and obtain a copy of that data.
- Right to deletion: Consumers can request that a business delete the personal data it holds about them.
- Right to correction: Consumers can request correction of inaccurate personal data.
- Right to opt out: Consumers can opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling that produces legal or similarly significant effects.
- Right to data portability: Consumers can obtain their personal data in a portable, readily usable format to transmit to another controller.
Businesses must respond to authenticated consumer requests within 45 days, with a possible 45-day extension when reasonably necessary. You cannot charge a fee for processing these requests unless they are manifestly unfounded or excessive.
Your Obligations as a Business
If your business meets TIPA's applicability thresholds, you must comply with several key requirements:
Privacy Policy Requirements
You must publish a clear, accessible privacy policy that discloses the categories of personal data you process, the purposes for processing, the categories of third parties with whom you share data, and instructions for consumers to exercise their rights. This isn't the generic privacy policy template you downloaded five years ago — it needs to be specific, accurate, and current.
Data Protection Assessments
TIPA requires businesses to conduct and document data protection assessments for certain processing activities, including targeted advertising, selling personal data, profiling, and processing sensitive data. These assessments evaluate the benefits of processing against the potential risks to consumers and must be made available to the Attorney General upon request.
Vendor Due Diligence
If you share personal data with third-party processors — cloud storage providers, marketing platforms, payroll services, or any other vendor — you must have written contracts in place that specify data processing instructions, confidentiality obligations, and data deletion requirements. Simply handing data to a vendor without contractual safeguards is a compliance violation.
Data Minimization and Purpose Limitation
TIPA requires that you collect only the personal data that is adequate, relevant, and reasonably necessary for the disclosed purpose. You can't collect data "just in case" or repurpose data for uses that weren't disclosed to the consumer at the time of collection.
Enforcement and Penalties
TIPA is enforced exclusively by the Tennessee Attorney General. There is no private right of action, meaning individual consumers cannot sue businesses directly under TIPA. Before taking enforcement action, the AG must provide a written notice identifying the specific provisions believed to be violated. The business then has a 60-day cure period to address the violations.
If the cure period expires without adequate remediation, the AG can bring an action seeking injunctive relief and civil penalties of up to $7,500 per violation. Given that each affected consumer record can constitute a separate violation, the potential exposure adds up quickly for businesses with large customer databases.
How TIPA Compares to Other State Laws
Tennessee's approach is most similar to Virginia's VCDPA, with comparable consumer rights and a focus on AG enforcement rather than private lawsuits. Compared to Colorado's Privacy Act (CPA), TIPA is somewhat more business-friendly: the applicability thresholds are higher, and the 60-day cure period is more generous than Colorado's approach. California's CCPA/CPRA remains the most aggressive state privacy law, with broader applicability, a dedicated enforcement agency, and a private right of action for certain data breaches.
For Tri-Cities businesses that also serve customers in other states, it's worth noting that compliance with TIPA alone may not be sufficient. If you process data from Virginia, Colorado, or California residents, you may need to comply with those states' laws as well.
What Tri-Cities Businesses Should Do Now
Whether or not your business meets TIPA's applicability thresholds, here are the steps every Tri-Cities organization should take:
1. Inventory Your Data
You can't protect or manage data you don't know you have. Conduct a thorough inventory of all personal data your business collects, where it's stored, who has access, and how long you retain it. This includes customer databases, email lists, employee records, website analytics, and everything in between.
2. Update Your Privacy Policy
Review and revise your privacy policy to meet TIPA's disclosure requirements. Be specific about what data you collect, why, and with whom you share it. Make the policy easy to find on your website.
3. Implement Data Subject Request Processes
Establish a clear, repeatable process for receiving, verifying, and responding to consumer data requests. Identify who in your organization will handle these requests and document your procedures.
4. Review Vendor Contracts
Audit your agreements with third-party processors. Ensure that every vendor contract includes the data processing provisions required by TIPA. This is especially critical for Tri-Cities businesses that rely on cloud-based services for accounting, CRM, or patient management.
5. Train Your Staff
Employees who handle personal data need to understand TIPA's requirements, your internal data handling procedures, and how to recognize and route consumer requests to the right team.
Even If You're Below the Thresholds
Many businesses in the Tri-Cities — particularly small medical practices, local retailers, and professional services firms — will fall below TIPA's processing thresholds. That doesn't mean you can ignore data privacy. Consumer expectations around data protection are rising rapidly, and a data breach that exposes customer information can devastate a small business regardless of whether TIPA technically applied. Additionally, other regulations like HIPAA, PCI-DSS, or industry-specific requirements may impose their own data handling obligations.
Adopting strong data privacy practices isn't just about legal compliance — it's about building trust with your customers and protecting your business from risk.
How Blue Ridge Security Can Help
Navigating data privacy regulations can feel overwhelming, especially for businesses without in-house legal or compliance staff. Blue Ridge Security's Compliance & Reporting services help Tri-Cities businesses understand their obligations, implement required safeguards, and build sustainable data governance programs. From data inventories and privacy policy development to vendor contract reviews and employee training, we provide hands-on guidance tailored to your business.
Don't wait for an AG inquiry to find out you're not compliant. Contact Blue Ridge Security today to schedule a TIPA readiness assessment for your organization.