New Tennessee privacy law limits business use of consumer data

Companies that do business in Tennessee will face new limits on the way they collect, use, and transfer customer information as a result of the new Tennessee Information Protection Act (TIPA).

The law, effective July 1, 2025, will require companies to obtain consent for the processing of sensitive personal data and will allow consumers to opt out of data sales, targeted advertising, and other significant sales and marketing initiatives. Tennessee joins eight other states with consumer data privacy laws, but like Iowa, Utah, and Virginia, it narrowly defines the types of disclosures involved and provides a 60-day grace period for businesses to resolve compliance issues.

The bipartisan legislation passed unanimously in both houses of the Tennessee legislature and was signed into law by Gov. Bill Lee.

Businesses impacted

Specifically, the law will apply to businesses that post more than $25 million in annual revenue and:

  • Control or process the personal information of 175,000 or more Tennessee consumers, or
  • Control or process the personal information of 25,000 or more Tennessee consumers and obtain more than 50% of gross revenue from the sale of that information.

Noncompliance is punishable by a fine of $7,500 per violation, although a business found in violation will have 60 days to comply before fines are levied. Companies with existing consumer privacy policies can be exempt if the programs “reasonably conform” to the National Institute of Standards and Practices (NIST) Privacy Framework or “other documented policies, standards, and procedures designed to safeguard consumer privacy.”

Who’s protected?

The TIPA will require companies to obtain consent from a consumer to collect and process sensitive information such as race, ethnic origin, religious affiliation, mental or physical health, sexual orientation, precise geolocation, genetic and biometric data, and citizenship and immigration status.

The privacy rule applies to any Tennessee resident “acting only in a personal context” and does not shield the personal data of individuals acting in a commercial or employment role. The privacy laws also will not shield data collected by government agencies, insurance companies, nonprofit organizations, financial institutions, higher education facilities, and businesses already subject to the Health Insurance Portability and Accountability Act (HIPAA) or the Health Information Technology for Economic and Clinical Health Act (HITECH).

If you’re unsure whether your business will be subject to new TIPA regulations, reach out to an advisor with our risk assurance and advisory services team for guidance.

© 2023 KraftCPAs PLLC
