Tennessee Information Protection Act (TIPA)

Overview

Tennessee was the eighth state to enact comprehensive data privacy legislation when the Governor signed the Tennessee Information Protection Act into law in 2023. However, it has one of the longest preparation periods, with the Act not going into effect until July 2025. TIPA aligns more closely with the Virginia Consumer Data Protection Act and other business-oriented state privacy laws like those enacted in Utah and Iowa. While TIPA provides meaningful privacy protections for consumers, it is generally considered less stringent than the more consumer-focused privacy laws seen in California (CCPA/CPRA), Indiana (INCDPA), and Colorado (CPA).

Key Dates

• Signed into law: May 11, 2023
• Effective date: July 1, 2025

Thresholds

The TIPA applies to controllers that conduct business in Tennessee by producing products or services that are targeted to the residents of Tennessee,and that:

• exceed $25 million in revenue; and
• either (1) control or process personal information of at least 25,000 consumers and derive more than fifty percent (50%) of gross revenue from the sale of personal information, or (2) during a calendar year, control or process personal information of at least 175,000 consumers.

Consumer Rights

• The right to confirm whether the controller is processing their personal information and provide them access to their personal information.
• The right to correct inaccuracies in their personal information.
• The right to delete personal information provided by or obtained about them.
• The right to obtain a copy of the consumer's personal information that the consumer previously provided to the controller (i.e., data portability).
• The right to opt out of the processing of their personal information for targeted advertising, selling personal information about them, or profiling.

Sensitive Data

Sensitive data is defined as:

• Personal information revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status
• The processing of genetic or biometric data for the purpose of uniquely identifying a natural person
• The personal information collected from a known child (e.g., a natural person under 13 years of age)
• Precise geolocation data

Penalties

Up to $7,500 per violation.

Configure Your Consent Banner for TIPA

Regions are used to customize the behavior and experience based on an individual user’s location. As an example, this allows you to provide different experiences to users based on regional differences (like GDPR in the EU vs. TIPA in Tennessee). When a user visits your site, we will automatically determine their location and will match them to the most granular region rule that you have setup in Concord. This can go down to the state/province level, which allows for different experiences for different laws (like TIPA in Tennessee).

Recommended Consent Settings

Based on the current laws, we recommend the following regional settings:

• Consent Mode: Implied
• Blocking Mode: Strict
• Google Consent Mode V2: Basic
• Consent Duration: 12 months
• Enable Limit Sensitive Information: Enabled
• Enable Do Not Sell Consent: Enabled
• Enable Global Privacy Control: Enabled

For step-by-step instruction on how to configure your consent banner for different geographical regions within the Concord app, see our help document https://www.concord.tech/docs/configure-consent-banner-difference-regions.

Important Note: While you can get as granular as you want, we typically recommend a single global policy that meets the strictest guidelines across regions, or higher splits (like separate GDPR and United States regions). If you have any questions on how and why to configure your regions in certain ways, please reach out to our support team.