How businesses can comply with Tennessee’s New Privacy Rights
Posted: March 25, 2025
The Tennessee Information Privacy Act (TIPA) takes effect on 1 July 2025, bringing new privacy rights to Tennessee consumers and new legal obligations for many businesses operating in the state.
Here’s some practical guidance on complying with the law’s rules around consumer privacy rights:
New consumer privacy rights under the TIPA
Let’s look at each of the six new consumer privacy rights that the TIPA provides Tennessee consumers.
The right to confirmation and access
The TIPA allows Tennessee consumers to confirm whether a “controller” (a business directly subject to the TIPA) is processing their personal information and—if so—to access that personal information.
Here’s the wording from the law itself:
1. Confirm whether a controller is processing the consumer’s personal information and to access the personal information.
This means consumers can contact your business and ask for a copy of the personal information you hold about them (if any).
The TIPA defines “personal information” as “information that identifies, relates to, or describes a particular consumer or is reasonably capable of being directly or indirectly associated or linked with a particular consumer.” The law provides a list of examples, including:
- Names
- Aliases
- Unique identifiers
- IP addresses
- Email addresses
- Social security numbers
- Passport numbers
- Physical characteristics
- Addresses
- Phone numbers
- Insurance details
- Education
- Employment history
- Financial, medical, and health information
- Characteristics of protected classifications
- Commercial history
- Biometric data
- Internet activity
- Geolocation data
- Audio, visual, and other sensory information
- Non-public education records
- Inferences used to profile a consumer’s behavior, preferences, and abilities.
Publicly available information and de-identified or aggregate consumer data are exempt.
The right to correct
The TIPA allows consumers to correct inaccuracies in their personal information under certain conditions.
Here’s what the law says:
2. Correct inaccuracies in the consumer’s personal information, taking into account the nature of the personal information and the purposes of the processing.
Note that the law requires you to take into account the nature of the personal data and the purposes of the processing.
- The nature of the personal information matters because some data types, like names or addresses, are easier to correct than complex records such as financial or health data.
- The purposes of processing matter because inaccuracies in some contexts (e.g., credit scoring or medical records) could have serious consequences, requiring stricter correction processes.
You might not have to “correct” some types of personal information that the consumer alleges are inaccurate, such as opinions or risk assessments.
The right to delete
The TIPA allows consumers to request the deletion of their personal information under certain conditions.
Here’s the relevant part of the law:
3. Delete personal information provided by or obtained about the consumer. A business is not required to delete information that it maintains or uses as aggregate or de-identified data, provided that such data is not linked to a specific consumer.
This means businesses must generally comply with a consumer’s request to delete their personal information—but don’t have to delete data that has been anonymized or combined with other data in a way that it no longer identifies an individual.
As a result, businesses can retain useful insights from personal information without compromising people’s privacy.
The right to data portability
The TIPA includes an EU-inspired right to “data portability”, allowing consumers to easily move copies of their personal information between businesses.
Here’s the relevant extract from the TIPA:
4. Obtain a copy of the consumer’s personal information that the consumer previously provided to the controller in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means.
The TIPA doesn’t include much detail on how to comply with data portability requests, but consider providing personal information in a file format such as .csv or .json, depending on the context.
The right to request information about data sales
The TIPA enables consumers to request information about whether and how the business has sold their personal information. Here’s the text from the law:
5. Request that a controller that sold personal information about the consumer, or disclosed the information for a business purpose, disclose to the consumer:
- (i) The categories of personal information about the consumer the business sold;
- (ii) The categories of third parties to which the personal information about the consumer was sold, by category of personal information for each category of third parties; and
- (iii) The categories of personal information about the consumer that the business disclosed for a business purpose.
Here’s how the TIPA defines “selling” personal information:
“‘Sale of personal information’ means the exchange of personal information for monetary or other valuable consideration by the controller to a third party.”
It does not include:
- Disclosures to a processor acting on behalf of the controller
- Disclosures to provide a requested product or service
- Transfers to an affiliate of the controller
- Information intentionally made public by the consumer
- Transfers as part of a merger, acquisition, or similar transaction
- Disclosures made at the consumer’s direction and with their consent
As such, “selling” personal information could include using cookies or other advertising technology.
If you “sell” personal information, you’ll need to carefully document:
- Which consumers’ personal information you’ve sold
- Which third parties (or types of third parties) you sold it to
Note that the TIPA also requires you to tell consumers whether you’ve disclosed personal information for a “business purpose”. However, outside of this provision, the TIPA neither defines nor mentions “business purpose”.
The “business purpose” wording appears to originate from the California Consumer Privacy Act (CCPA), but it’s not clear how it applies in the context of the TIPA.
The right to opt out of data sales
Finally, consumers have the “right to opt out” of the sale of their personal data. Here’s how the TIPA puts it:
6. Opt out of a controller’s selling personal information about the consumer.
This means that if a consumer asks you to stop selling their personal information, you must do so.
Methods for submitting a request
A controller must provide at least one method for consumers to submit requests, which must be clearly described in the privacy notice. Acceptable methods include:
- A toll-free telephone number
- An email address
- A web form
- A clear and conspicuous link on the controller’s main website to a page where consumers can exercise their rights
Controllers must ensure the method can authenticate the identity of the consumer. They cannot require a consumer to create a new account to make a request but may require them to use an existing account.
Timelines and appeals
A controller must respond to a consumer request within 45 days. This can be extended once by another 45 days, if necessary, with notice and explanation given to the consumer within the initial period.
If a request is denied, the controller must inform the consumer within 45 days and provide instructions on how to appeal. Appeals must be resolved within 60 days, with a written explanation. If the appeal is denied, the controller must provide a method for the consumer to contact the Tennessee Attorney General.
Consumers can make requests free of charge up to twice per year. Controllers may charge a fee or refuse excessive, unfounded, or technically infeasible requests.
Tennessee joins the age of consumer privacy
Along with similar laws in over 20 other states, the TIPA represents a new challenge for many businesses tackling comprehensive privacy legislation for the first time.
Businesses should implement clear processes for handling consumer requests, ensure timely responses, and set up accessible methods for submitting requests.
With the law taking effect on 1 July 2025, there’s still time to assess your data-handling practices, update your privacy policies, and establish procedures to comply with these new obligations.