Data Protection & Privacy 2026

Last Updated March 10, 2026

USA – Tennessee

Trends and Developments

Authors

Baker, Donelson, Bearman, Caldwell & Berkowitz, PC and its data protection, privacy and cybersecurity team advises clients across the full life cycle of information management, from privacy and data security planning and program design to regulatory compliance and data breach response. The team is recognised as an Authorized Breach Coach by NetDiligence and regularly assists organisations navigating complex cybersecurity incidents, regulatory inquiries and enforcement actions. The team has deep experience in advising on a wide range of federal, state and international privacy and data security laws, including the CCPA, CPRA, CIPA, GDPR, HIPAA, GLBA, TCPA, COPPA, FCRA and related statutes. Beyond compliance counselling, the team routinely represents clients in high stakes litigation and investigations arising from data breaches and cyber-incidents. Representative matters include defending national and global companies in class action litigation following phishing attacks and large scale data incidents, responding to alleged FTC guideline violations, and serving as incident response leads and law enforcement liaisons for clients across multiple industries.

Tennessee’s reputation as a business-friendly state is well earned; however, when it comes to data protection, the regulatory landscape has evolved rapidly. Over the last few years, the state has enacted several new laws governing how businesses collect, use and safeguard personal data, as well as how they deploy emerging technologies such as artificial intelligence (AI). From the Tennessee Information Protection Act to first-of-its-kind AI legislation, these laws carry real operational implications across industries, and the consequences of non-compliance are significant. This guide provides a practical overview of the key Tennessee requirements with respect to privacy, data security and technology, equipping businesses with the foundation they need to navigate this shifting terrain.

Privacy

Tennessee has adopted a comprehensive consumer privacy law as well as industry-specific privacy requirements, creating a state-specific patchwork of obligations. Businesses in Tennessee must understand both the generally applicable laws as well as those that apply specifically to their industry.

The Tennessee Information Protection Act

Like many other states, Tennessee has adopted a comprehensive consumer privacy law. The Tennessee Information Protection Act (TIPA) went into effect on 1 July 2025, and certain aspects are similar to comprehensive privacy laws enacted in other states. However, as discussed in more detail below, many of TIPA’s requirements are unique, and businesses should carefully assess compliance.

Applicability

TIPA applies to persons who meet the following criteria:

  • either conduct business in Tennessee or produce products or services that are targeted to residents of Tennessee; and
  • have more than USD25 million in annual revenue; and
  • either control or process the personal information of at least 175,000 Tennessee consumers during a calendar year, or control or process the personal information of at least 25,000 Tennessee consumers and derive 50% of their gross annual revenue from the sale of that information.

Although these thresholds mean that many small businesses in Tennessee will not be subject to the law, it is important for businesses to regularly monitor both their revenue and their data-related activities to assess whether the law applies.

In addition to tailoring its scope via the thresholds discussed above, TIPA also limits its applicability with several exceptions. By way of example, TIPA does not apply to:

  • governmental agencies;
  • non-profit organisations;
  • covered entities and business associates subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA);
  • higher educational institutions (public or private);
  • insurance companies licensed under state law; and
  • financial institutions and their affiliates subject to the Gramm-Leach-Bliley Act (GLBA).

However, as is the case in all jurisdictions, the entity-level exemptions under TIPA should be reviewed carefully.

Personal information

TIPA defines “personal information” broadly as “information that is linked or reasonably linkable to an identified or identifiable natural person”. However, the law narrows this scope through several data-level exemptions. For example, TIPA does not apply to:

  • health records under state law and protected health information under HIPAA;
  • personal information processed for research purposes under applicable law;
  • consumer credit reporting data;
  • personal or educational information regulated by the Family Educational Rights and Privacy Act (FERPA);
  • personal information collected, processed, sold or disclosed under the federal Farm Credit Act;
  • employment-related data processed in the course of an individual’s application, employment or work as an agent or independent contractor;
  • publicly available information;
  • de-identified data created under HIPAA;
  • de-identified data as defined under TIPA, provided that certain requirements are met; and
  • aggregate consumer information.

Given these exemptions, organisations should carefully identify the data they process and determine whether any exemptions apply.

It is also important to assess whether any personal information being processed is considered “sensitive data”. Under TIPA, “sensitive data” includes the following:

  • personal information revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;
  • genetic or biometric data processed to uniquely identify a natural person;
  • personal information collected from a known child; and
  • precise geolocation data.

Sensitive data may only be processed with the consumer’s consent (ie, a clear affirmative act signifying a consumer’s freely given, specific, informed and unambiguous agreement), and any sensitive data concerning a known child must be processed in accordance with the Children’s Online Privacy Protection Act (COPPA).

Basic responsibilities of controllers and processors

Like other US state privacy laws and the EU’s General Data Protection Regulation (GDPR), TIPA assigns responsibilities to parties based on their roles, using the common terminology of “controllers” (ie, those determining the purpose and means of processing personal information) and/or “processors” (ie, those who process the personal information on the controller’s behalf). This is a fact-based determination that depends on the context in which the personal information is being processed.

Under TIPA, controllers must meet the following requirements.

  • Data minimisation: controllers must limit their collection of personal information to what is adequate, relevant and reasonably necessary for the disclosed processing purpose.
  • Privacy notice: controllers must provide a clear, reasonably accessible privacy notice disclosing the categories and purposes of data processed, how consumers may exercise their rights, and information about any sales of personal information or targeted advertising activity, including how to opt out.
  • Secondary use prohibition: controllers may not process personal information beyond the purposes disclosed to the consumer without first obtaining the consumer’s consent.
  • Data security: controllers must implement reasonable administrative, technical and physical safeguards appropriate to the volume and nature of the personal information they process.
  • Non-discrimination: controllers must not process personal information in a manner that violates anti-discrimination laws and may not discriminate against consumers who exercise their rights under TIPA.
  • Data protection assessments: controllers must conduct and document data protection assessments, which may be requested by the Tennessee Attorney General, regarding the following processing activities:
    1. processing personal information for purposes of targeted advertising;
    2. sales of personal information;
    3. processing personal information for the purpose of profiling in certain situations;
    4. processing of sensitive data; and
    5. processing activities that present a heightened risk of harm to consumers.
  • Data processing agreements: controllers must enter into a binding contract with each processor that processes personal information on their behalf. The agreement must instruct the processor about the processing of data and describe the nature, purpose, type of data and duration of processing, as well as the rights and obligations of both parties. The agreement must also require the processor to:
    1. impose confidentiality obligations on those involved in the processing;
    2. delete or return personal information at the controller’s request at the end of the provision of services;
    3. make compliance-related information available to the controller;
    4. co-operate with assessments; and
    5. flow down equivalent requirements to any subcontractors.

Beyond their contractual duties, TIPA also imposes direct obligations on processors, requiring them to:

  • adhere to the controller’s instructions;
  • enter into binding data processing agreements; and
  • assist the controller with its obligations under TIPA, including by adopting appropriate measures to help respond to consumer requests and providing information necessary for data protection assessments.

Consumer rights

Similar to the privacy laws enacted in other states, TIPA affords Tennessee consumers the following rights with respect to their personal information:

  • the right to confirm whether a controller is processing the consumer’s personal information;
  • the right to access their personal information;
  • the right to correct inaccuracies in their personal information;
  • the right to delete their personal information;
  • the right to obtain a portable copy of the personal information that the consumer previously provided to the controller; and
  • the right to opt out of the sale of personal information about them, targeted advertising, and profiling in furtherance of decisions that produce legal or significant effects.

Controllers must respond to consumer requests without undue delay, and, in all cases, within 45 days of receiving the request. Similar to other states, Tennessee has also implemented authentication requirements, a framework under which the controller can extend the timeline for responding, and an appeals process that can be utilised by the consumer.

Enforcement and unique affirmative defence

TIPA is enforced exclusively by the Tennessee Attorney General, and there is no private right of action. The law also specifically prohibits violations of TIPA from serving as the basis for private claims or class action lawsuits. Controllers and processors found in violation may face civil penalties of up to USD7,500 per violation, and courts may impose treble damages for knowing or wilful violations.

One of TIPA’s most distinctive features is its affirmative defence provision. A controller or processor that adopts and maintains a privacy programme that “reasonably conforms” to the National Institute of Standards and Technology (NIST) Privacy Framework, or similar documented policies, standards and procedures designed to safeguard consumer privacy, can establish an affirmative defence against enforcement actions. The programme must also provide individuals with the rights afforded under TIPA and be regularly updated and appropriately tailored to the organisation. This creates a meaningful incentive for businesses to invest in robust privacy programmes – not only to improve their operations but to build a concrete legal safeguard against potential enforcement.

Tennessee’s Genetic Information Privacy Act

In addition to TIPA, Tennessee has also adopted the Genetic Information Privacy Act (GIPA). GIPA regulates direct-to-consumer genetic testing companies and requires them to provide consumers with information about the collection, use and disclosure of their genetic data as well as a publicly available privacy notice covering the company’s data collection, consent, use, access, disclosure, transfer, security, retention and deletion practices. Companies must obtain the individual’s express consent for collecting, using and disclosing genetic data, and other uses and disclosures – such as disclosures to an individual’s employer – require separate consents.

In addition to the notice and consent requirements, genetic testing companies must also:

  • develop, implement and maintain a comprehensive security programme;
  • support processes that allow consumers to access their genetic data, delete their account and genetic data, and destroy biological samples; and
  • only disclose genetic data to law enforcement or government entities in response to valid legal process if the consumer has not provided express written consent.

This law is enforced by the Tennessee Attorney General.

Data Security

Beyond the data security obligations imposed by TIPA, Tennessee has adopted several other laws that establish data security and breach notification requirements for businesses.

Breach notification

Tennessee’s breach notification law applies broadly to any person or business that conducts business in the state and owns or licenses computerised personal information of Tennessee residents. Under the law, an “information holder” must notify affected individuals within 45 days of discovering or being notified of a breach of “system security”, which is defined as the unauthorised acquisition of data that materially compromises the security, confidentiality or integrity of personal information. Importantly, the law does not apply to entities subject to the GLBA or HIPAA, and it includes a “materially compromises” threshold that effectively limits the notification obligation to breaches that pose a meaningful risk of harm to affected individuals.

Notably, unlike TIPA, the breach notification law provides a private right of action, and injured individuals may bring civil claims for damages and injunctive relief. However, Tennessee enacted a significant class action shield in 2024 providing that a private entity is not liable in a class action lawsuit resulting from a cybersecurity event unless the event was caused by wilful and wanton misconduct or gross negligence. This heightened standard substantially limits class action exposure for businesses that experience a data breach but have otherwise maintained reasonable cybersecurity practices. This protection is particularly significant given the nationwide surge in data breach class action filings in recent years, and it goes further than the approach taken in other states, such as Ohio and Connecticut, which offer only affirmative defences to entities that maintain conforming cybersecurity programmes, rather than a broad class action shield tied to the defendant’s level of culpability. Notably, courts have held that this provision does not apply retroactively to cybersecurity events that occurred before its effective date.

The Insurance Data Security Law

Tennessee has also adopted an Insurance Data Security Law, which requires licensed insurers to develop, implement and maintain a comprehensive information security programme. Licensees must investigate cybersecurity events and notify the Commissioner of Commerce and Insurance as well as affected consumers within 45 days of determining that a cybersecurity event has occurred. This law includes exceptions for smaller licensees (eg, those with fewer than 25 employees or less than USD5 million in gross annual revenue).

Record disposal and Social Security number protections

Finally, Tennessee imposes additional data security obligations through its identity theft statutes. Businesses must take reasonable steps to destroy personal identifying information contained in customer records before disposal, with violations punishable by civil penalties of up to USD500 per record (capped at USD10,000 per customer). Separately, businesses that obtain Social Security numbers must make reasonable efforts to protect them from public disclosure, including prohibitions on transmitting them over unsecured internet connections and printing them on mailed materials.

Taken together, these laws create a layered set of data security obligations for businesses operating in Tennessee. While the class action shield provides meaningful protection, businesses should not treat it as a substitute for robust cybersecurity practices. Proactive investment in cybersecurity infrastructure and incident response planning remains the most effective strategy for minimising both legal exposure and operational risk.

Technologies

Finally, in addition to the privacy and security laws discussed above, Tennessee has adopted various laws focused on specific technologies that also impact how businesses in Tennessee consider their data protection obligations and strategies.

The Protect Tennessee Minors Act

In 2024, following several other states, Tennessee enacted the Protect Tennessee Minors Act, which is an age verification law aimed at shielding minors from accessing explicit material online. The law applies to any person or commercial entity that publishes or distributes in Tennessee a website where 33.33% or more of the content is “harmful to minors”. “Harmful to minors” is defined as including nudity, certain sexual content, excess violence or sadomasochistic abuse that:

  • would appeal predominantly to the prurient, shameful or morbid interests of minors;
  • is patently offensive to prevailing standards in the adult community as a whole with respect to what is suitable for minors; and
  • lacks serious literary, artistic, political or scientific values for minors.

The law requires covered entities to verify users’ ages using a “reasonable age-verification method” that cannot be easily bypassed and either matches a live photograph to a valid government-issued ID or uses a commercially reasonable method relying on transactional data to confirm that the user is at least 18 years of age.

Entities performing age verification must retain at least seven years of anonymised verification data but may not retain any personally identifying information after access is granted.

Failing to implement the required age verification is a Class C felony, and the Tennessee Attorney General may bring enforcement actions against non-compliant entities.

The Protecting Children from Social Media Act

Tennessee has also adopted the Protecting Children from Social Media Act, which requires websites and applications that allow users to create accounts and communicate with others to verify users’ ages. If a user is under 18 years old, the platform must obtain express parental consent before allowing the minor to create an account, and must provide parents with tools to supervise the account including privacy settings, daily time restrictions and scheduled breaks. The law is enforced by the Tennessee Attorney General, with civil penalties of up to USD1,000 per violation.

AI legislation

Tennessee has not yet adopted a comprehensive AI law. Instead, the state’s legislative efforts have focused on niche areas.

By way of example, in 2024, Tennessee adopted a first-of-its-kind law addressing the use of AI. The Ensuring Likeness Voice and Image Security (ELVIS) Act amended Tennessee’s existing right of publicity statute to include protections for individuals’ voices from the misuse of AI, expanding upon the protections already given to name, photograph and likeness. The term “voice” includes “a sound in a medium that is readily identifiable and attributable to a particular individual, regardless of whether the sound contains the actual voice or a simulation of the voice of the individual”. As a result of the updates, the unauthorised use of an individual’s name, photograph, voice or likeness gives rise to a civil claim, and the violation is also a Class A misdemeanour.

The ELVIS Act also established a cause of action that can be asserted against providers of AI tools whose “primary purpose or function” is producing an individual’s photograph, voice or likeness without proper authorisation. This provision may subject certain AI technology providers to a new form of liability, although the “primary purpose or function” requirement remains somewhat ambiguous.

Tennessee also adopted education-specific requirements related to AI in 2024, requiring all state universities, local education agencies, and public charter schools to adopt policies regarding the use of AI by students, teachers and staff. Additionally, in 2025, the state required the Department of Education to develop guidance on social media and internet safety, including the importance of evaluating AI-generated information and understanding the potential for misinformation.

Finally, while the state’s current AI-related legislation is relatively narrow in scope, the Tennessee legislature appears poised to enact further AI-related legislation. The legislature is currently considering bills that would:

  • prohibit AI systems from being advertised as qualified mental health professionals;
  • criminalise training AI to, among other items, encourage suicide or homicide, act as a licensed health professional, or develop emotional relationships with individuals; and
  • require disclaimers in political advertising containing AI-generated content and deepfakes.

It is unclear which, if any, of these bills will become law, but businesses must be mindful of the new and emerging requirements applicable to AI in Tennessee.

Conclusion

Tennessee’s privacy and data protection landscape has expanded significantly in recent years, and the pace of change shows no signs of slowing. From TIPA’s comprehensive consumer privacy framework to the state’s first-of-its-kind AI legislation, businesses operating in Tennessee must navigate a growing web of obligations that touch nearly every aspect of how they collect, use and safeguard personal data.

While this guide has addressed the state’s generally applicable privacy, data security and technology laws, businesses should also be mindful that additional requirements may apply depending on their industry. For example, entities in the healthcare, financial services, insurance and education sectors may be subject to overlapping federal and state requirements that impose additional or more specific data protection obligations. Given the breadth and evolving nature of these requirements, businesses should regularly assess their compliance posture, invest in robust privacy and security programmes, and monitor legislative developments to stay ahead of new obligations as they arise.

Baker, Donelson, Bearman, Caldwell & Berkowitz, PC

1600 West End Avenue
Suite 2000
Nashville, TN 37203
USA

+1 615 726 5600

+1 615 726 0464

www.bakerdonelson.com/
