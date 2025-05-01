Nashville, TN – The Office of the Tennessee Attorney General’s Division of Consumer Affairs today announced the release of a guide to assist consumers and businesses in understanding the Tennessee Information Protection Act (TIPA), which will take effect on July 1st, 2025.

TIPA, passed by the Tennessee General Assembly and signed into law by Governor Bill Lee in 2023, requires certain businesses to ensure consumers’ data and information are protected and gives consumers more control over how their data is collected, processed, and used by those businesses.

“Tennessee’s Information Protection Act goes into effect July 1st. This new law protects consumer privacy and gives Tennesseans more transparency and control over corporate data collection and retention,” said Attorney General Jonathan Skrmetti. “Consistent with the law passed by our General Assembly and signed by Governor Lee, my office is glad to provide clear guidance so companies know what they need to do, because Tennessee wants to continue to be an easy place to build and run a business.”

The Division of Consumer Affairs has provided both consumers and businesses with a Frequently Asked Questions (FAQ) and terms list to help Tennesseans better understand the operation of this new law:

FAQ for Consumers

What is TIPA? The Tennessee Information Protection Act is a data protection and privacy law passed in Tennessee in 2023. The law applies to certain businesses collecting and processing the personal information of Tennesseans. The law aims to give Tennesseans control over how their data is collected, processed, and used, while also ensuring that companies comply with measures to help ensure effective data security practices. Who does TIPA apply to? TIPA generally applies to larger businesses that handle large amounts of data. The law governs both data “controllers” and data “processors,” as defined by TIPA. The data “controller” is the person or entity that actually controls the data and is responsible for determining why and how the data is processed. The data “processor” is responsible for processing the data provided to it by the controller in accordance with the controller’s instructions. Put simply, a controller provides data and direction to a processor to carry out processing activities—for example, analysis or interpretation—on its behalf. By way of example, a data “controller” could include an online retailer that collects and stores data regarding customers’ past purchases. Under these circumstances, the retailer is a controller to the extent it is responsible for deciding how to process the customer data. In the event the retailer retains a marketing firm to analyze its customer purchase data and generate additional product recommendations for the retailers’ customers, the marketing firm might qualify as a “processor” under TIPA. TIPA, however, does not apply to all businesses that control and/or process data. Certain entities, such as non-profit organizations, state agencies, financial institutions, healthcare companies, and higher education institutions, are exempt. (For more information, see “FAQ for Businesses” below). How has TIPA changed Tennessee law? TIPA changes Tennessee law by providing consumers with a set of rights regarding the controlling and processing of their data. In addition, TIPA places new obligations on businesses subject to the law in order to better protect consumers’ personal information. What rights do I have under TIPA? Under TIPA, Tennessee residents have the right to: (1) confirm if a controller is processing their personal information and gain access to that information, (2) correct inaccuracies in their personal information, (3) have a controller delete the personal information the controller obtains about them (however, the controller does not need to delete aggregated or de-identified information), (4) obtain a portable copy of their personal information, and (5) opt out of targeted advertising, profiling, or sale of their personal information. Consumers also have the right to know: (1) what categories of personal information the controller processes, (2) the purpose for processing their personal information, (3) how they can exercise their rights, including how to appeal a controller’s decision regarding a request, (4) the categories of personal information the controller shares with third parties, if any, and (5) the categories of third parties, if any, the controller shares their personal information with. An entity must respond to a consumer’s request to exercise one of these rights within 45 days of receipt of the request. If a consumer’s request is denied, the entity must provide a description of why the request was denied and must provide a process for submitting an appeal. What is “profiling”? Profiling is a completely automated way of processing personal information a controller obtains about a consumer. Profiling allows entities to evaluate, analyze, or predict personal aspects of a person’s life, including preferences, interests, location, behavior, socio-economic status, health, movements, political affiliation, etc. What is “targeted advertising”? Targeted advertising occurs when a consumer sees an advertisement that has been selected for that specific consumer’s viewing based on personal information about the consumer’s interests and preferences obtained from the consumer’s activities across websites or other online applications over time. What opt-out rights do I have under TIPA? Tennessee consumers have the right to opt out of having their personal information processed for the purposes of: (1) selling personal information of the consumer, (2) targeted advertising, or (3) profiling the consumer for certain purposes. How can I exercise my rights under TIPA? Under TIPA, entities subject to the statute are required to maintain a privacy notice that describes how consumers can exercise their rights, including how consumers can appeal a controller’s denial of a request to exercise TIPA rights. What is the effective date for TIPA? The law will go into effect on July 1, 2025.

Consumers can report suspected violations of TIPA to the Division of Consumer Affairs through the Division of Consumer Affairs complaint portal linked here (File a Complaint). You may also file a complaint by mail, fax, or email by printing and filling out the Complaint Form and sending it using the below contact information. For more information, please contact the Division of Consumer Affairs using the below contact information.

Email: consumer.affairs@ag.tn.gov

Mailing Address: Division of Consumer Affairs, Tennessee Attorney General’s Office, P.O. Box 20207, Nashville, TN 37202-0207

FAQ for Businesses