Tennessee has always done things its own way. The state that gave the world Elvis Presley also gave us one of the first right-of-publicity statutes in the nation – enacted in 1984 to protect The King’s estate from unauthorised commercial use. Forty years later, that same instinct is driving Tennessee to the front of the pack on artificial intelligence (AI).

So far, Tennessee’s approach to AI legislation has been surgical, not sweeping. The state has acted where specific harms demanded a response, rather than waiting for a comprehensive framework to take shape.

This article surveys the legal landscape for AI in Tennessee as it stands in 2026: the statutes already on the books and the practical implications for businesses and practitioners. The goal is not to predict where AI law is heading, but to map where it stands today and what that means for those operating in Tennessee.

Tennessee’s AI-Related Legislation

ELVIS Act

Tennessee has long been at the forefront of right of publicity law – a distinction traceable directly to The King himself (Elvis Presley). The state’s Personal Rights Protection Act (PRPA) of 1984 was enacted largely to secure the post-mortem commercial rights of Elvis Presley’s estate, prohibiting unauthorised use of a person’s name, image and likeness (NIL) for commercial purposes and creating civil and criminal remedies. That statute served its purpose for four decades, but it was drafted in an era when the greatest threat to a celebrity’s likeness was an unlicensed poster, not a generative AI model capable of cloning a voice.

That gap closed in 2024 when Tennessee adopted a first-of-its-kind law addressing the use of AI. The “Ensuring Likeness Voice and Image Security (ELVIS) Act” amended Tennessee’s existing right of publicity statute to include protections for individuals’ voices from the misuse of AI, expanding upon the protections already given to NIL. The term “voice” includes “a sound in a medium that is readily identifiable and attributable to a particular individual, regardless of whether the sound contains the actual voice or a simulation of the voice of the individual”. As a result of the updates, the unauthorised use of an individual’s name, photograph, voice or likeness gives rise to a civil claim, and the violation is also a Class A misdemeanour.

The ELVIS Act also established a private right of action that can be asserted against providers of AI tools whose “primary purpose or function” is producing an individual’s photograph, voice or likeness without proper authorisation. This provision reaches upstream to the developers and platforms supplying AI voice-cloning tools, not merely end users, and may subject certain AI technology providers to a new form of liability. Treble damages are available for knowing violations, with treble damages and attorney’s fees available where the victim is a veteran. An express fair use carve-out preserves First Amendment space for news, criticism, satire, and parody.

Preventing Deepfake Images Act

In 2025, Tennessee enacted the “Preventing Deepfake Images Act” to target AI-generated or AI-manipulated “deepfakes” that create “intimate digital depictions” or sexually explicit depictions of an identifiable person without valid consent. It creates a civil cause of action against anyone who intentionally discloses such material knowing (or recklessly disregarding) that the depicted person did not consent, and it makes clear that consent to creation is not consent to disclosure. To be effective, consent generally must be in a plain-language written agreement signed knowingly and voluntarily and describing the depiction (and any larger work into which it will be incorporated).

The law’s practical effect is to give victims strong remedies (ie,  disgorgement of the defendant’s gains, actual damages, including emotional distress, or USD150,000 liquidated damages, possible punitive damages, attorneys’ fees/costs, and injunctive relief) while allowing measures like pseudonymous filings to preserve confidentiality. It also adds criminal liability for disclosing (or threatening or soliciting disclosure of) an intimate deepfake with intent to harass or cause harm (or with knowledge or reckless disregard of likely harm), with enhanced penalties (Class C felony) when the conduct could be expected to affect governmental proceedings (including elections) or facilitate violence. At the same time, it carves out exceptions for good-faith disclosures tied to law enforcement, legal proceedings, or efforts reasonably intended to assist the depicted individual, and it limits liability for certain online service providers for third-party content and for good-faith content restriction actions.

Trade secrets and AI

The Tennessee Uniform Trade Secrets Act (TUTSA) provides robust protection for confidential business information that derives independent economic value from not being generally known, and that is subject to reasonable measures to maintain its secrecy. In the AI context, TUTSA operates on two distinct fronts, as described below.

First, AI systems themselves can constitute protectable trade secrets. Proprietary model architectures, training datasets, fine-tuning methodologies, system prompts, and output-evaluation frameworks all potentially qualify – provided the owner treats them with appropriate confidentiality protocols. Courts applying TUTSA have consistently held that the “reasonable measures” requirement demands more than a general policy of secrecy; companies must implement access controls, confidentiality agreements, and employee training commensurate with the value of the information at stake.

Second, AI tools present a serious TUTSA risk on the input side. When employees submit confidential business information (eg, customer data, pricing models, product roadmaps, litigation strategy) to third-party AI platforms, that information may be ingested for model training or otherwise leave the enterprise’s control. Disclosure of trade secret information to an AI platform, without adequate contractual protections governing data use and retention, may constitute a failure of the “reasonable measures” required to maintain trade secret status. TUTSA’s misappropriation definition broadly covers both improper acquisition and unauthorised disclosure, and a company that loses trade secret protection through inadvertent AI disclosure may find itself without a remedy against either the platform or subsequent third-party users of the information. Enterprise AI policies, vendor agreements with enforceable confidentiality and data segregation provisions, and employee training are essential components of a TUTSA-compliant AI program.

Legislative actions affecting education

Tennessee adopted education-specific requirements related to AI in 2024, requiring all state universities, local education agencies, and public charter schools to adopt policies regarding the use of AI by students, teachers, and staff. Additionally, in 2025, the state required the Department of Education to develop guidance on social media and internet safety, including the importance of evaluating AI-generated information and understanding the potential for misinformation.

Legislative actions affecting healthcare and preventing self-harm

In 2026, Tennessee adopted a new law specifically prohibiting any person who develops or deploys an AI system from advertising or representing to the public that such a system is, or is able to act as, a qualified mental health professional.

Tennessee Information Protection Act

Like many other states, Tennessee has adopted a comprehensive consumer privacy law. The Tennessee Information Protection Act (TIPA) went into effect on 1 July 2025, and certain aspects are similar to comprehensive privacy laws enacted in other states.

Although TIPA does not mention AI by name, its practical impact on AI product design and deployment is significant. AI-enabled features such as profiling, personalisation, behavioural analytics, targeted advertising, and automated decision-making are precisely the type of data processing activities that TIPA was designed to regulate.

Applicability

TIPA applies to persons who meet the following criteria:

• either conduct business in Tennessee or produce products or services that are targeted to residents of Tennessee;
• have more than USD25 million in annual revenue; and
• either control or process the personal information of at least 175,000 Tennessee consumers during a calendar year, or control or process the personal information of at least 25,000 Tennessee consumers and derive 50% of their gross annual revenue from the sale of that information.

Although these thresholds mean that many small businesses in Tennessee will not be subject to the law, it is important for businesses to regularly monitor both their revenue and their data-related activities to assess whether the law applies.

In addition to tailoring its scope via the thresholds discussed above, TIPA also limits its applicability with several exceptions. By way of example, TIPA does not apply to:

• governmental agencies;
• non-profit organisations;
• covered entities and business associates subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA);
• higher educational institutions (public or private);
• insurance companies licensed under state law; or
• financial institutions and their affiliates subject to the Gramm-Leach-Bliley Act (GLBA).

However, as is the case in all jurisdictions, the entity-level exemptions under TIPA should be reviewed carefully.

TIPA’s impact on AI products and services

In relation to AI products and services, the most impactful obligations under TIPA are:

• the requirement to limit data collection to what is adequate, relevant, and reasonably necessary for the disclosed purpose;
• the obligation to obtain consent before processing sensitive data (including precise geolocation, health data, and financial information)
• the opt-out right applicable to targeted advertising and profiling; and
• the prohibition on processing personal information in violation of laws that prohibit unlawful discrimination.

The last requirement, combined with TIPA’s general non-discrimination provision, means that AI-driven personalisation and decisioning tools that produce discriminatory outputs may create exposure under TIPA and other laws prohibiting discrimination.

TIPA also requires data controllers to conduct and document a data protection assessment, which may be requested by the Tennessee Attorney General, regarding the following processing activities:

• processing personal information for purposes of targeted advertising;
• sales of personal information;
• processing personal information for the purpose of profiling in certain situations;
• processing of sensitive data; and
• processing activities that present a heightened risk of harm to consumers.

Each assessment must identify and weigh the benefits of the processing against the potential risks to consumers, as mitigated by available safeguards. For AI products and services, businesses must consider all of the ways in which data can be processed and the unique risks presented by each AI tool. Because these assessments can be requested by the Tennessee Attorney General, businesses deploying AI features in Tennessee should treat each assessment as a substantive legal and risk analysis, not a checkbox exercise.

Vendor contracts

AI features are often delivered through third-party platforms, which means the data use restrictions, model training limitations, breach notification timelines, and audit rights that the law requires must be present in the vendor agreement. TIPA’s controller-processor framework requires written contracts with data processors that address the nature and purpose of processing, the type of personal information involved, the duration of processing, and the processor’s obligations to the controller (including confidentiality, deletion, and audit rights). Standard vendor agreements frequently lack these provisions or contain terms that are inconsistent with TIPA compliance. For Tennessee businesses, the practical takeaway is that AI vendor agreements require the same level of legal scrutiny as any other commercial contract.

Breach notification obligations

Tennessee’s breach notification statute requires any information holder that owns or licences computerised personal information of Tennessee residents to disclose a breach of system security no later than 45 days from discovery or notification – one of the stricter timelines in the country. Where a breach involves more than 1,000 Tennessee residents, the information holder must also notify consumer reporting agencies without unreasonable delay.

The statute covers any unauthorised acquisition of unencrypted personal information that materially compromises its security, confidentiality, or integrity. As a result, AI systems that ingest, store, or process personal information can implicate the breach notification statute, and the increasing use of AI in data pipelines creates new vectors for breach exposure (eg, a compromised AI model, unauthorised access to a training dataset, or a vendor-side incident involving AI-ingested data).

Separately, insurance licensees operating in Tennessee are subject to the Insurance Data Security Law, which imposes its own information security programme requirements, cybersecurity event investigation obligations, and a parallel 45-day consumer notification requirement, with additional reporting obligations to the Department of Commerce and Insurance.

Industry Approaches to AI

In addition to the state’s legislative efforts, the use of AI in Tennessee is also shaped by governance programmes and industry expectations. For those doing business in the state, the most immediate commercial questions are often how to:

• obtain and document consent;
• clear and allocate IP rights;
• handle personal data used by AI systems; and
• supervise AI-enabled products so they do not create consumer harm or regulatory exposure.

This section highlights those themes in Tennessee-relevant sectors – music, financial services, and healthcare – through the lens of the current legal framework, including AI-adjacent statutes and general consumer protection and privacy laws.

Music

Tennessee’s concentration of labels, publishers, studios, management, and music-tech vendors makes AI-related issues in the music industry more impactful than in many jurisdictions. The most common flashpoints are voice and likeness cloning, synthetic “feature” tracks, AI-assisted songwriting and production, and disputes over training data and rights clearance. Even when an AI tool is marketed as a “workflow enhancer”, it can generate outputs that create reputational harm, IP disputes, or claims of deception if audiences believe content is authorised or authentic. Further, in light of the potential for legal liability under Tennessee’s ELVIS Act, discussed above, for misuse of a person’s voice or likeness, “AI risk” is increasingly treated as a core business risk, not a niche legal issue.

The market has moved from informal norms to enforceable expectations around authorisation and consent, particularly where AI can produce realistic depictions or performances that consumers may attribute to a real artist. Tennessee’s legislative attention to deepfakes and digital replicas (including the ELVIS Act and other deepfake-related measures) has reinforced the need for clear permissioning and response processes. Practically, that means businesses should assume that unauthorised synthetic content can trigger rapid escalation, including takedown demands, litigation threats, and partner/platform pressure. The reputational and economic impact can be immediate, especially for high-profile talent.

Music companies are therefore building “provenance and authorisation” into their operating model. This shows up in tighter approval workflows, clearer contractual scope for permitted uses, and more aggressive monitoring and enforcement strategies. Importantly, these expectations extend beyond creators to distributors, promoters, and anyone monetising content at scale. Even if a company is not generating deepfakes, it may face commercial or legal exposure if it hosts, amplifies, or profits from contested content and cannot demonstrate a reasonable compliance process.

Copyright and portfolio strategy

Federal copyright principles remain central to Tennessee’s music economy, and the U.S. Copyright Office’s AI-related guidance and reporting have heightened focus on human authorship and documentation. For clients who depend on registration and enforcement, the practical question is how to preserve evidence of human creative contribution when AI tools are used in composition, sound design, or production. That matters not only for infringement disputes but also for diligence in catalog acquisitions, financing, and licensing deals. In short, buyers and partners increasingly expect “rights hygiene” that covers both classic chain-of-title and modern AI-workflow evidence.

Contracting

Music contracting is shifting toward more explicit treatment of voice, likeness, and “future uses” enabled by AI. Where deals historically focused on copyright ownership and royalties, parties now negotiate whether a licence covers training versus inference, marketing assets versus recordings, and one-time use versus ongoing reuse. Vendors and collaborators are also pressed on whether stems, vocal tracks, or metadata can be reused to improve models for other customers. The commercial trend is toward clearer allocation of risk and responsibility across the creative supply chain.

Marketing and consumer protection

AI-enabled marketing and fan engagement raise classic “truth in advertising” concerns when synthetic messages or endorsements blur authenticity. Tennessee’s Consumer Protection Act is not AI-specific, but it can become relevant where marketing implies affiliation, authorisation, or performance attributes that are not real. The operational response is a tighter review of marketing claims, clearer disclosures where appropriate, and stronger vendor controls for agencies producing high-volume generative content. As the volume and speed of content increase, scalable compliance processes become more important than one-off legal review.

Financial services

Tennessee’s financial services sector, spanning banks, payment vendors, mortgage companies, insurance companies, and investment advisers, is among the most active in the region for AI deployment, and the compliance stakes are correspondingly high.

AI is being used for customer-facing functions (eg, onboarding, personalisation, credit decisioning, and fraud detection) and back-office functions (eg, transaction monitoring, compliance testing, and Bank Secrecy Act (BSA)/anti-money laundering (AML) surveillance). This breadth creates exposure on multiple fronts simultaneously: model risk, third-party vendor risk, fair lending and consumer protection liability, and cybersecurity incidents. Unlike the music industry, where the primary legal frameworks are relatively new, financial services companies are deploying AI into an existing regulatory structure that is dense, examiner-driven, and largely indifferent to the novelty of the technology. The practical challenge is not identifying a single AI statute – there is not one – but managing AI adoption within a framework of existing obligations that were not written with AI in mind.

Model risk, fair lending, and consumer protection

Model risk is a significant AI risk for Tennessee financial institutions. Federal banking regulators have long required meaningful model risk management under guidance such as Supervisory Letter SR 11-7, and examiners have made clear that AI-driven models (including large language models) used in credit, fraud, or compliance functions are subject to those expectations regardless of whether the vendor calls them “models”. Institutions that cannot explain how an AI system works, what data it uses, and how outputs are validated may be at risk.

At the same time, AI used in credit decisioning raises distinct fair lending concerns. Where models produce disparate impact on a protected class under the Equal Credit Opportunity Act or the Fair Housing Act, the fact that a decision is AI-generated does not provide a defence. Tennessee lenders using AI in underwriting, pricing, or servicing decisions need a documented validation and monitoring process that can survive both regulatory scrutiny and litigation.

Further, while Tennessee’s Consumer Protection Act is not AI-specific, AI-enabled marketing, automated customer communications, and personalisation tools can implicate the Act where outputs are misleading or not adequately supervised.

Cybersecurity, vendor risk, and SEC disclosure

Cybersecurity is both an AI use case and an AI risk vector for Tennessee financial institutions. Firms often deploy AI tools for fraud detection, anomaly monitoring, and incident response, and they face AI-enabled threats, including deepfake-assisted social engineering, synthetic identity fraud, and AI-accelerated phishing. Managing both sides of this equation requires governance that addresses AI-enabled defences and AI-enabled attacks in tandem.

Vendor management adds another layer of complexity, as most AI features arrive through third-party platforms. These relationships must be governed by contracts that address data use restrictions, model transparency, incident notification, and audit rights – not just the standard service-level agreement (SLA) and confidentiality provisions.

For public companies and bank holding companies, Securities and Exchange Commission (SEC) cybersecurity disclosure rules require rapid materiality assessment and board-level escalation when incidents occur. AI-related incidents, whether a model failure with customer impact or a third-party data breach involving AI-ingested data, require the same disciplined response process as any other reportable event.

Tennessee financial institutions that treat AI governance as a compliance-only exercise, rather than integrating it into enterprise risk management and incident response, may be more likely to find gaps at the worst possible time.

Healthcare

Tennessee maintains a diverse and increasingly sophisticated healthcare market that includes large integrated health systems, academic medical centres, rural providers, payors, life sciences companies, and a growing concentration of healthcare technology and artificial intelligence vendors. While Tennessee has not enacted a comprehensive, healthcare‑specific artificial intelligence statute, healthcare organisations remain subject to a well‑established regulatory framework, including Health Insurance Portability and Accountability Act (HIPAA) and related federal and state privacy and security laws.

The use of AI in healthcare raises privacy, security, and data governance considerations, as many AI use cases rely on large volumes of sensitive health information. As AI tools increasingly depend on and utilise large volumes of patient data to train and operate models, healthcare providers and health‑technology companies must carefully evaluate whether the data involved is protected health information, whether the AI vendor is acting as a HIPAA business associate and can sign a compliant business associate agreement (BAA), and whether security controls meet HIPAA Security Rule expectations.

In addition, healthcare providers must also address clinical safety, performance, and accountability in how they deploy AI. Because AI outputs can be wrong, biased, or degrade over time (drift), strict governance frameworks are needed in connection with use cases that involve diagnostic support, triage, or treatment recommendations. In general, healthcare companies in Tennessee are working to address these issues by defining the permitted use of AI, validating performance for the target population and clinical setting, maintaining change control for model updates, and ensuring appropriate human oversight and escalation paths.

Conclusion

The legal landscape for AI in Tennessee is neither complete nor static – but it is already consequential. Tennessee has moved faster than most states on several key issues and established a demanding legal environment.

The practical implication is straightforward: AI governance is transactional and regulatory, and businesses in Tennessee should be implementing clear consent frameworks, enforceable data use restrictions, documented IP ownership chains, and vendor agreements that reflect the applicable legal obligations.

The state that protected Elvis from AI is not waiting for anyone – and neither is the law.