Key Takeaways

  • TIPA grants Tennessee consumers new data rights, requiring businesses to implement processes for access, correction, deletion, and opt-out requests.
  • A unified approach to compliance can reduce redundancy, lower costs, and streamline regulatory obligations across various frameworks.
  • Strong data security practices, breach response plans, and independent compliance assessments help businesses maintain regulatory adherence and protect consumer trust.

The Tennessee Information Protection Act, known as TIPA, takes effect on July 1, 2025. It marks a significant shift in Tennessee's data privacy regulation. The legislation strengthens protections for personal information in Tennessee and brings the state closer in line with other consumer data rights laws such as GDPR and CCPA. Businesses operating in Tennessee or handling data about its residents must understand the changes, prepare for them, and ensure they are compliant.

Understanding the Scope and Requirements of TIPA

TIPA applies to entities conducting business in Tennessee or producing products or services targeted at Tennessee residents, provided they meet certain thresholds. Specifically, it affects businesses with annual gross revenues exceeding $25 million that control or process the personal information of 175,000 or more Tennessee consumers, or those that control or process the personal information of 25,000 or more Tennessee consumers and derive over 50% of gross revenue from the sale of such data.

Under TIPA, consumers will receive specific rights that pertain to their personal information. These include:

  • the right to confirm whether a business is processing their data
  • the right to access that data
  • the right to correct inaccuracies
  • the right to delete personal information
  • the right to obtain a copy in a portable format
  • the right to opt out of the sale of their data or its processing for targeted advertising

Businesses must establish processes that let consumers exercise these rights effectively. The process should include a mechanism for consumers to submit requests and should ensure responses within the timeframes the law sets. The Tennessee Attorney General is responsible for enforcing TIPA and would initiate any action against an organization that is not fully compliant.

How To Simplify Compliance Across Multiple Regulatory Obligations

Many organizations must navigate complex compliance and reporting requirements to operate. SOC reports, PCI audits, HITRUST assessments, and ISO certifications create a web of overlapping requirements that each demand proof of organizational competence. These processes are time-consuming and costly, especially for leaner organizations. Partnering with a single assessment and consulting company that addresses all of these needs can streamline the compliance journey while reducing assessment fatigue and associated costs.

Embracing a Proactive Approach to Data Privacy

With TIPA taking effect in the next few months, a cybersecurity stance that prioritizes data privacy is especially important. Organizations may need to proactively assess their data handling practices. Collection, storage, processing, and sharing are the areas most likely to need additional attention to ensure TIPA compliance.

Developing and implementing comprehensive data privacy policies and procedures is crucial. These policies should facilitate compliance with TIPA and similar regulations and underscore the organization's commitment to protecting consumer information. Periodic employee training further reinforces the effectiveness of a data privacy program by ensuring that staff know how to handle personal information, understand the organization's obligations, and are aware of general data privacy principles.

Engaging experienced compliance partners can provide valuable insight and support in navigating the complexities of TIPA. These partners can offer tailored guidance, helping organizations develop strategies that simplify compliance efforts while effectively protecting critical assets. By leveraging external expertise, businesses can improve their compliance posture and mitigate the risks of non-compliance. Having a third party assess your organization against a recognized privacy framework, such as the NIST Privacy Framework, can reveal program strengths and opportunities for improvement. Third-party reports are also useful in vendor risk management, when your organization needs to demonstrate the effectiveness of its data privacy program to customers and partners.

The Imperative of Protecting What Matters

At the core of TIPA and similar regulations is the imperative to protect what matters most: the personal information of consumers. Beyond regulatory compliance, safeguarding this data is essential for maintaining consumer trust and upholding the organization's reputation. Implementing robust security measures, such as encryption, access controls, and regular security and privacy assessments, is fundamental to this endeavor.

Organizations should establish clear protocols for responding to data breaches and other security incidents. Incident response plans must be detailed enough to protect the organization's interests, especially in the event of a data breach.

Flexibility is also crucial: it helps mitigate damage and improves compliance with notification requirements, which protects consumers and demonstrates the organization's commitment to transparency and accountability. Regular reviews and updates of data protection strategies are necessary to adapt to evolving threats and regulatory changes.

Finally, organizations must be prepared to answer requests from individuals seeking to exercise one of the rights granted under TIPA. These requests are often referred to as Data Subject Access Requests (DSARs). TIPA requires organizations to respond to all DSARs within 45 days. TIPA also provides a 45-day extension period, plus an additional period for "complex or numerous requests." Once a DSAR is submitted, the organization is expected to carry out the request in full. For a Right of Deletion request, this means the organization has searched all data locations for any data that may identify the requesting individual, taken appropriate action to delete or redact that information, and then reported the final outcome to the requester. Consumers can be expected to complain to the Tennessee Attorney General if they feel their requests were not handled in accordance with the law.

Prepare Your Organization for TIPA

Taking proactive steps to comply with the Tennessee Information Protection Act will help organizations avoid legal risk. It can also strengthen your data security practices while simplifying your processes and reducing costs. Rather than treating TIPA as just another regulatory burden, view it as an opportunity to build consumer trust on a resilient security and privacy framework.

Partnering with a trusted expert can help you navigate the complexities of data privacy laws while protecting your business from costly missteps. Visit LBMC Cybersecurity to simplify compliance and protect what matters most.

Content provided by Van Steel, Shareholder, LBMC Cybersecurity, and Dennis McGough, Manager, LBMC Cybersecurity. Contact them at van.steel@lbmc.com or dennis.mcgough@lbmc.com.