The Tennessee law will take effect July 1, 2025. It applies to businesses that produce products or services targeting Tennessee residents and that

• Exceed $25 million in revenue.
• Control or process personal information of at least 25,000 consumers and either (1) derive more than 50 percent of gross revenue from the sale of personal information, or (2) during a calendar year, control or process personal information of at least 175,000 consumers.

Tennessee’s new privacy law generally follows the same framework in the other seven state laws, but it has some unique characteristics. Here are the highlights:

Consumer rights. The TIPA grants consumers rights of

• Access
• Deletion
• Data portability
• Opting out of the sale of their personal information as well as the processing of their personal information for targeted advertising and profiling purposes.

Similar to Virginia, Colorado, Connecticut, Iowa, and Indiana, Tennessee also allows consumers to appeal a controller’s denial of a consumer data rights request.

Data Protection Impact Assessment. Joining California, Virginia, Colorado, Connecticut, and Indiana, Tennessee will require controllers to conduct and document data protection assessments for certain processing activities. Generally, a controller will be required to conduct a data protection impact assessment for processing activities that involve targeted advertising, the sale of personal information, profiling, or sensitive data; or that present a heightened risk of harm to consumers.

Voluntary Privacy Program as an Affirmative Defense. One unique feature of the TIPA is that it will allow controllers and processors to assert an affirmative defense to a claim alleging violations of the law. Businesses will be entitled to the defense if they create, maintain, and comply with a written privacy policy that “reasonably conforms” to the National Institute of Standards Technology privacy framework or other documented policies, standards, and procedures designed to safeguard consumer privacy. The privacy policy must be updated to reasonably conform with a subsequent revision to the NIST or comparable privacy framework within two years of the publication of the revision. In assessing whether a voluntary privacy program is appropriate in scale and scope, the TIPA provides for consideration of the size and complexity of the business, the nature and scope of the activities of the controller or processor, the sensitivity of the personal information processed, the cost and availability of tools to improve privacy protections and data governance, and compliance with a comparable state or federal law.

Right to cure. Under the TIPA, the Tennessee attorney general must provide a controller or processor 60-days’ written notice before initiating an enforcement action. A controller or processor can cure the noticed violations during that 60-day period and provide a written statement that the alleged violations have been cured and that no such further violations will occur. Although this 60-day cure period is longer than the 30-day periods provided by the statutes in Indiana, Utah, and Virginia, Iowa’s cure period of 90 days remains the longest.

Exemption for Insurance Companies and Producers. As with many of its counterparts, the TIPA also contains both entity-level and data type exemptions. One exemption that is distinct to the TIPA is for insurance companies and producers licensed under Tennessee law. An insurance “producer” is “a person required to be licensed under the laws of this state to sell, solicit, or negotiate insurance.”

Private right of action. There is no private right of action under the new Tennessee law. So far, California’s privacy law is the only one that allows lawsuits for alleged violations.