TIPA

Tennessee Information Protection Act

Key Facts

Effective Date: July 1, 2025
Enacted: May 11, 2023
Enforcing Authority: Tennessee Attorney General
Consent Model: Opt-out
Fulfillment Time: 45 days
Applies To: Entities with $25M+ revenue AND (175,000+ consumers OR 25,000+ consumers and 50%+ revenue from selling PI)

Overview

Tennessee's TIPA uniquely offers a NIST safe harbor — controllers maintaining a written privacy program conforming to the NIST privacy framework can assert an affirmative defense against enforcement. The law has the highest consumer threshold (175,000) among US states and treble damages for willful violations.

What This Means for Your Website

  • Opt-in consent is required for sensitive data and children under 13
  • A NIST-conforming privacy program provides an affirmative defense (unique safe harbor)
  • Treble damages may apply for willful/knowing violations
  • The 60-day cure period is permanent
  • Highest consumer threshold (175,000) limits applicability

Key Requirements

The Tennessee AG enforces TIPA with penalties up to $7,500 per violation, with treble damages for willful violations. Consumer requests must be fulfilled within 45 days. The dual threshold ($25M+ revenue AND 175,000+ consumers) creates the highest applicability bar alongside Utah.

How ConsentStack Handles This

ConsentStack detects Tennessee visitors and applies the TIPA opt-out model with opt-in for sensitive data. The platform's compliance approach aligns with NIST privacy framework principles.

Penalties

Up to $7,500 per violation; treble damages for willful/knowing violations.

Maximum Fine: USD 7,500 per violation

Key Requirements

  • Opt-in consent for sensitive data and children under 13
  • Privacy notice detailing data practices
  • Consumer rights: access, correct, delete, portability, opt-out
  • Data protection assessments for high-risk processing
  • Optional NIST-conforming privacy program for safe harbor

Notable Provisions

  • Highest consumer threshold (175,000) among US states
  • First NIST safe harbor — affirmative defense
  • Treble damages for willful violations
  • Revenue + data volume dual threshold

US State Specifics

Cure Period: 60 days
Private Right of Action: No
Global Opt-out Required: No
Sensitive Data Opt-in: Yes
Children Provisions: Under 13: COPPA-aligned opt-in consent for sale, targeted advertising, and profiling.

Other North America Regulations

CPRA (California, United States)
The CPRA is the most comprehensive US state privacy law with a dedicated enforcement agency (CPPA). Cross-context behavioral advertising via cookies constitutes sharing personal information, triggering opt-out obligations. GPC signals must be honored as valid opt-out requests.
PIPEDA (Canada, Federal)
Canada's federal private-sector privacy law based on 10 fair information principles. Requires express consent for sensitive data and implied consent for less sensitive data. OPC guidance addresses cookies and online behavioral advertising. The CPPA replacement bill died January 2025; a new bill is expected.
Quebec Law 25 (Quebec, Canada)
The most GDPR-like privacy law in the Americas. Requires explicit, granular consent per purpose before deploying ANY tracking technology. Implied consent is explicitly prohibited for cookies and tracking. Features extraterritorial scope, mandatory PIAs, and GDPR-level penalties (4% worldwide turnover). The strictest cookie consent requirements in North America.
TDPSA (Texas, United States)
The TDPSA is the broadest US state privacy law — no revenue thresholds and no minimum consumer data volume thresholds. Applies to any non-small-business processing personal data of Texas residents. Must honor GPC signals since January 2025. This breadth means far more businesses are captured than under any other state law.
CPA (Colorado, United States)
Colorado's CPA features the highest per-violation penalties among US state privacy laws at $20,000. Must honor GPC signals since July 2024. Participated in a joint GPC enforcement sweep with California and Connecticut in September 2025. The cure period was eliminated in January 2025.
MODPA (Maryland, United States)
The most restrictive US state privacy law. Sensitive data may only be processed when strictly necessary to deliver a requested service — and sale of sensitive data is completely prohibited even with consent. Under-18 sale and targeted advertising are prohibited regardless of consent. Strictest data minimization in the US.

Frequently Asked Questions

What is the NIST safe harbor?

Tennessee uniquely allows controllers with a written privacy program conforming to the NIST privacy framework to assert an affirmative defense against enforcement action.

What are the TIPA penalties?

Up to $7,500 per violation, with treble damages for willful/knowing violations. The 60-day cure period is permanent.

Why does TIPA have narrow applicability?

TIPA requires both $25M+ revenue and 175,000+ consumers — the highest consumer threshold among US state privacy laws.

Stay compliant with TIPA

ConsentStack helps you implement opt-out consent for Tennessee, United States, automatically.