# Tennessee Privacy Law (TIPA) Compliance Guide for Small Businesses

> Tennessee TIPA took effect July 1, 2025. It requires $25M+ revenue AND 175,000+ Tennessee consumers — among the most business-friendly thresholds.

_Published 2026-04-07 by Nikolas_

# Tennessee Privacy Law (TIPA): What Small Businesses Need to Know

The Tennessee Information Protection Act (TIPA) took effect **July 1, 2025**, and applies to any business with **annual revenue of $25 million or more** AND processing the personal data of **175,000 or more Tennessee consumers** in a calendar year. The threshold logic is **AND, not OR** — both conditions must be met. The 175,000 consumer threshold is also higher than the 100,000 used by most state privacy laws. Combined, TIPA is among the most business-friendly state privacy laws in the country, alongside Iowa ICDPA and Utah UCPA. The Tennessee Attorney General is the sole enforcement authority. TIPA also includes a unique safe harbor: businesses that maintain a written privacy program reasonably conforming to NIST or another recognized standard receive an affirmative defense in enforcement actions.

---

## Does TIPA Apply to My Business?

TIPA applies to any person that conducts business in Tennessee or produces products or services targeted to Tennessee residents AND meets **both** of the following:

- Has annual revenue of **more than $25 million**, AND
- Meets one of these consumer-count conditions:
  - Controls or processes personal data of **175,000 or more Tennessee consumers** during a calendar year, OR
  - Controls or processes personal data of **25,000 or more Tennessee consumers** AND derives more than **50%** of gross revenue from the sale of personal data (the same $25M revenue floor applies to this path).

The threshold logic is **AND for the primary path** — both the $25M revenue threshold and the 175,000 consumer threshold must be met. This is structurally similar to Utah UCPA and very different from Texas TDPSA, Virginia VCDPA, and most other state privacy laws.

| Threshold | Tennessee TIPA | Utah UCPA | CCPA/CPRA |
|-----------|----------------|-----------|-----------|
| Revenue | **$25M+ (required)** | $25M+ | $25M+ |
| Consumer count | **175,000** | 100,000 | 100,000 |
| Threshold logic | **AND** | AND | OR |

Tennessee accounts for roughly 2.1% of the US population. Reaching 175,000 Tennessee consumers requires approximately 8.3 million annual unique US visitors on a population basis. Combined with the $25 million revenue requirement, TIPA applies to a meaningfully smaller set of businesses than most other state privacy laws.

---

## What Does TIPA Require?

For the relatively narrow set of businesses in scope, TIPA grants Tennessee consumers a standard set of state privacy law rights.

**Consumer rights you must honor.** Access, correction, deletion, portability, and opt-out of targeted advertising, sale of personal data, and profiling that produces legal or similarly significant effects. Response deadline is 45 days, with one possible extension. Consumers have the right to appeal denied requests.

**Disclosures you must publish.** Privacy notice covering categories of personal data processed, purposes, third-party sharing, rights, and appeals process.

**Operational practices you must implement.** Conduct data protection assessments for high-risk processing. Obtain affirmative opt-in consent before processing sensitive personal data. Establish reasonable security practices.

**Privacy program safe harbor (the unique provision).** TIPA grants an **affirmative defense** to businesses that maintain a written privacy program that reasonably conforms to the NIST Privacy Framework or another documented privacy framework. This is a substantial protection: businesses that adopt and document a recognized privacy standard get formal legal protection in enforcement actions. No other US state privacy law has this provision.

---

## How TIPA Affects Small Businesses

TIPA's high thresholds and AND logic mean that most small businesses are not in scope. If your annual revenue is below $25 million, TIPA does not apply regardless of consumer count. If your Tennessee consumer count is below 175,000, TIPA does not apply regardless of revenue. Both conditions must be met.

For Shopify merchants and direct-to-consumer brands below the $25 million revenue line, TIPA does not require any compliance work. Time and budget are better spent on the state laws that do apply — California, Texas, Virginia, Connecticut, and the others with broader thresholds.

For businesses that are in scope (above $25 million revenue with substantial Tennessee distribution), the compliance work is similar to other Virginia-model state laws, with the unique addition of the privacy program safe harbor. Adopting the NIST Privacy Framework — which provides a structured approach to privacy management — gives you formal legal protection in Tennessee enforcement actions, in addition to its broader compliance benefits.

---

## Key Differences from Other State Privacy Laws

TIPA stands out on three dimensions:

**AND threshold logic.** TIPA requires both the revenue and consumer count thresholds to be met, not either-or. This is shared only with Utah UCPA and Florida FDBR among current state privacy laws.

**Higher consumer count threshold.** TIPA's 175,000 threshold is higher than the 100,000 used by most state privacy laws, narrowing the scope further.

**Privacy program safe harbor.** TIPA grants an affirmative defense to businesses that maintain a written privacy program conforming to NIST or another recognized framework. No other US state privacy law has this provision.

Compared to **California CCPA/CPRA**, TIPA is dramatically narrower in scope. CCPA uses OR logic and a 100,000 consumer threshold; TIPA uses AND logic and a 175,000 consumer threshold. CCPA also has a private right of action and a dedicated enforcement agency, neither of which TIPA has.

Compared to **Utah UCPA**, TIPA is structurally similar (AND logic, $25M revenue threshold) but has a higher consumer count threshold (175,000 vs 100,000) and adds the privacy program safe harbor.

Compared to **Texas TDPSA**, the contrast is stark: Texas has no revenue threshold and applies to far more SMBs; Tennessee requires $25M revenue and applies to relatively few.

---

## How to Comply with TIPA

If TIPA applies to your business — meaning you have $25M+ in revenue AND 175,000+ Tennessee consumers — the following steps establish baseline compliance.

1. **Confirm scope.** Verify that you meet both the $25 million revenue threshold and the 175,000 Tennessee consumer threshold. If you do not meet both, TIPA does not apply.
2. **Adopt the NIST Privacy Framework or another recognized standard.** This is the single highest-leverage step you can take for TIPA compliance because of the affirmative defense it provides. Document your privacy program against the framework.
3. **Update your privacy notice** with categories, purposes, third-party sharing, rights, and appeals process.
4. **Add opt-out mechanisms** for targeted advertising, sale of personal data, and profiling.
5. **Build a consumer rights request workflow** with the 45-day response deadline tracked.
6. **Build a denial appeals process** with timely written response.
7. **Implement opt-in consent for sensitive data**.
8. **Conduct data protection assessments** for high-risk processing activities. Document and retain.
9. **Document reasonable security practices** appropriate to data volume.

---

## TIPA Enforcement and Penalties

The Tennessee Attorney General has exclusive enforcement authority for TIPA. There is no private right of action — Tennessee consumers cannot sue businesses directly. The AG may seek civil penalties of up to **$7,500 per violation**, plus reasonable expenses incurred in investigation. The court may treble damages for willful violations.

TIPA includes a 60-day cure period before formal enforcement. The AG must provide written notice of the alleged violation, and the business has 60 days to fix the issue and provide a written statement to the AG. If cured within 60 days, the AG may not bring an action for that specific violation.

The privacy program safe harbor provides an additional layer of protection beyond the cure period. Businesses that maintain a written privacy program conforming to NIST or a similar framework have an affirmative defense in enforcement actions, even after a violation has occurred.

---

## Frequently Asked Questions

### When does Tennessee's privacy law take effect?

Tennessee's Information Protection Act (TIPA) took effect July 1, 2025. It requires $25M+ revenue AND 175,000+ Tennessee consumers, making it one of the more business-friendly state privacy laws.

### Does TIPA apply to small businesses?

Generally no. TIPA requires both $25 million or more in annual revenue AND 175,000 or more Tennessee consumers. Small and mid-size businesses below either threshold are not in scope. The AND logic combined with high thresholds means TIPA applies to a relatively small number of businesses.

### What is the TIPA privacy program safe harbor?

TIPA grants an affirmative defense in enforcement actions to businesses that maintain a written privacy program reasonably conforming to the NIST Privacy Framework or another documented privacy standard. This is a unique provision among US state privacy laws — no other state offers this kind of formal legal protection for adopting recognized privacy frameworks.

### What is the difference between TIPA and other state privacy laws?

TIPA uses AND logic (both revenue and consumer count required), has a higher consumer count threshold (175,000 vs the standard 100,000), and includes the privacy program safe harbor. Most other state privacy laws use OR logic with lower thresholds and do not offer the safe harbor.

### What are the penalties for TIPA violations?

The Tennessee AG can seek civil penalties of up to $7,500 per violation, with treble damages possible for willful violations. There is no private right of action. A 60-day cure period applies before enforcement, and the privacy program safe harbor provides additional protection.

### Should I adopt the NIST Privacy Framework for TIPA compliance?

If TIPA applies to your business, yes — the affirmative defense provided by the safe harbor is substantial. Even if TIPA does not apply, the NIST Privacy Framework provides a structured, well-recognized approach to privacy management that supports compliance with multiple state privacy laws.

---


*This guide is for informational purposes only and does not constitute legal advice. Last updated: April 2026.*

