TENNESSEE INFORMATION PROTECTION ACT (TIPA) PRIVACY NOTICE
Effective Date: [DATE]
Last Updated: [DATE]
NOTICE TO TENNESSEE RESIDENTS
This Privacy Notice is provided pursuant to the Tennessee Information Protection Act, codified at Tennessee Code Annotated Section 47-18-3201 et seq. (TIPA), which became effective July 1, 2025.
1. SCOPE AND APPLICABILITY
1.1 Who This Notice Applies To
This Notice applies to "consumers" as defined by Tenn. Code Ann. Section 47-18-3202, meaning natural persons who are Tennessee residents acting only in an individual or household context. This Notice does not apply to persons acting in a commercial or employment context.
1.2 Applicability Thresholds
Pursuant to Tenn. Code Ann. Section 47-18-3203, this Notice applies because [COMPANY NAME]:
Has annual revenues exceeding $25 million AND meets one of the following during a calendar year:
☐ Controls or processes personal information of at least 175,000 Tennessee consumers
☐ Controls or processes personal information of at least 25,000 Tennessee consumers AND earns more than 50% of gross revenue from the sale of personal information
Note: Tennessee has unique dual requirements: revenue threshold PLUS consumer data volume.
1.3 Exemptions
The following are exempt from TIPA pursuant to Tenn. Code Ann. Section 47-18-3203:
- State agencies and political subdivisions
- Financial institutions subject to the Gramm-Leach-Bliley Act (GLBA)
- Covered entities and business associates under HIPAA
- Nonprofit organizations
- Higher education institutions
- Insurance companies licensed under state law
- Data regulated by federal privacy laws
2. DEFINITIONS
Pursuant to Tenn. Code Ann. Section 47-18-3202:
"Personal Information" means any information that is linked or reasonably linkable to an identified or identifiable natural person, excluding de-identified data and publicly available information.
"Sensitive Data" means personal information revealing:
- Racial or ethnic origin
- Religious beliefs
- Mental or physical health diagnosis
- Sexual orientation
- Citizenship or immigration status
- Genetic or biometric data for identification purposes
- Personal information collected from a known child
- Precise geolocation data
"Sale of Personal Information" means the exchange of personal information for monetary consideration by the controller to a third party.
"Targeted Advertising" means displaying advertisements based on personal information obtained from consumer activities across nonaffiliated websites or online applications.
"Profiling" means any form of automated processing to evaluate, analyze, or predict personal aspects concerning an identified or identifiable individual.
3. CATEGORIES OF PERSONAL INFORMATION PROCESSED
Pursuant to Tenn. Code Ann. Section 47-18-3205, we process the following categories of personal information:
3.1 General Personal Information
| Category | Examples | Collected | Purpose |
|---|---|---|---|
| Identifiers | Name, email, phone number, account IDs | ☐ Yes ☐ No | [PURPOSE] |
| Contact Information | Postal address, email, phone | ☐ Yes ☐ No | [PURPOSE] |
| Demographic Information | Age, gender, language preferences | ☐ Yes ☐ No | [PURPOSE] |
| Commercial Information | Purchase history, transaction records | ☐ Yes ☐ No | [PURPOSE] |
| Internet Activity | Browsing history, search history | ☐ Yes ☐ No | [PURPOSE] |
| Geolocation Data | General location (non-precise) | ☐ Yes ☐ No | [PURPOSE] |
| Employment Information | Job title, employer | ☐ Yes ☐ No | [PURPOSE] |
| Inferences | Preferences, characteristics | ☐ Yes ☐ No | [PURPOSE] |
3.2 Sensitive Data
Pursuant to Tenn. Code Ann. Section 47-18-3205, we collect the following sensitive data ONLY with your opt-in consent:
| Sensitive Category | Collected | Consent Obtained | Purpose |
|---|---|---|---|
| Racial or ethnic origin | ☐ Yes ☐ No | ☐ Yes | [PURPOSE] |
| Religious beliefs | ☐ Yes ☐ No | ☐ Yes | [PURPOSE] |
| Mental or physical health diagnosis | ☐ Yes ☐ No | ☐ Yes | [PURPOSE] |
| Sexual orientation | ☐ Yes ☐ No | ☐ Yes | [PURPOSE] |
| Citizenship or immigration status | ☐ Yes ☐ No | ☐ Yes | [PURPOSE] |
| Genetic data | ☐ Yes ☐ No | ☐ Yes | [PURPOSE] |
| Biometric data for identification | ☐ Yes ☐ No | ☐ Yes | [PURPOSE] |
| Known child's personal information | ☐ Yes ☐ No | ☐ Yes | [PURPOSE] |
| Precise geolocation data | ☐ Yes ☐ No | ☐ Yes | [PURPOSE] |
4. PURPOSES OF PROCESSING
Pursuant to Tenn. Code Ann. Section 47-18-3205, we process personal information for the following purposes:
4.1 Primary Purposes
☐ Providing products and services you request
☐ Processing transactions and sending related information
☐ Communicating with you about your account
☐ Responding to your inquiries and requests
☐ Maintaining and improving our services
☐ Ensuring security and preventing fraud
☐ Complying with legal obligations
4.2 Secondary Purposes
☐ Marketing and promotional communications
☐ Personalizing your experience
☐ Conducting research and analytics
☐ Targeted advertising
☐ [OTHER PURPOSES]
5. SALE OF PERSONAL INFORMATION AND TARGETED ADVERTISING
5.1 Sale of Personal Information
Pursuant to Tenn. Code Ann. Section 47-18-3204:
☐ We sell personal information to third parties
☐ We do not sell personal information to third parties
If we sell personal information, the following categories may be sold:
| Category | Third Party Recipients | Purpose |
|---|---|---|
| [CATEGORY] | [RECIPIENTS] | [PURPOSE] |
5.2 Targeted Advertising
☐ We process personal information for targeted advertising
☐ We do not process personal information for targeted advertising
5.3 Profiling
☐ We engage in profiling that produces legal or similarly significant effects
☐ We do not engage in such profiling
6. YOUR TENNESSEE PRIVACY RIGHTS
Pursuant to Tenn. Code Ann. Section 47-18-3204, Tennessee consumers have the following rights:
6.1 Right to Confirm (Section 47-18-3204(a)(1))
You have the right to confirm whether we are processing your personal information.
6.2 Right to Access (Section 47-18-3204(a)(1))
You have the right to access your personal information that we process.
6.3 Right to Correct (Section 47-18-3204(a)(2))
You have the right to correct inaccuracies in your personal information, taking into account the nature of the data and the purposes of processing.
6.4 Right to Delete (Section 47-18-3204(a)(3))
You have the right to delete personal information provided by or obtained about you.
6.5 Right to Data Portability (Section 47-18-3204(a)(4))
You have the right to obtain a copy of your personal information in a portable and, to the extent technically feasible, readily usable format.
6.6 Right to Opt Out (Section 47-18-3204(a)(5))
You have the right to opt out of:
- The sale of your personal information
- Processing for targeted advertising
- Profiling in furtherance of decisions that produce legal or similarly significant effects
Important Tennessee Note: Unlike some states (California, Colorado), TIPA does NOT explicitly require recognition of universal opt-out mechanisms such as Global Privacy Control.
7. EXERCISING YOUR RIGHTS
7.1 How to Submit a Request
Methods to Submit Requests:
☐ Online Portal: [URL]
☐ Email: [PRIVACY EMAIL]
☐ Phone: [PHONE NUMBER]
☐ Mail: [MAILING ADDRESS]
7.2 Verification Process
We will verify your identity using commercially reasonable methods before fulfilling your request.
7.3 Authorized Agents
You may designate an authorized agent to submit requests on your behalf.
7.4 Response Timeline
Pursuant to Tenn. Code Ann. Section 47-18-3204:
- Initial Response: Within 45 days of receipt
- Extension: May extend by an additional 45 days when reasonably necessary
- Notification: We will inform you of any extension and the reason
7.5 No Fee
We provide responses free of charge. We may charge a reasonable fee or decline to act on manifestly unfounded, excessive, or repetitive requests.
8. RIGHT TO APPEAL
8.1 Appeal Process
Pursuant to Tenn. Code Ann. Section 47-18-3204, if we decline your request, you have the right to appeal.
To Submit an Appeal:
☐ Email: [APPEAL EMAIL]
☐ Online Form: [URL]
☐ Mail: [ADDRESS]
8.2 Appeal Response
- We will respond to your appeal within 60 days
- If we deny your appeal, we will provide information on how to contact the Tennessee Attorney General
8.3 Contact the Attorney General
If you are not satisfied with our appeal decision, you may file a complaint with:
Office of the Tennessee Attorney General
Consumer Protection Division
P.O. Box 20207
Nashville, Tennessee 37202-0207
Phone: (615) 741-1671
Website: www.tn.gov/attorneygeneral
9. DATA PROTECTION ASSESSMENTS
Pursuant to Tenn. Code Ann. Section 47-18-3206, we conduct data protection assessments for processing activities that present a heightened risk of harm. These include:
☐ Processing for targeted advertising
☐ Sale of personal information
☐ Processing for profiling with risk of harm
☐ Processing of sensitive data
☐ Any processing presenting heightened risk of harm to consumers
Important: Data protection assessment requirements apply to all processing activities created or generated on or after July 1, 2024, and are NOT retroactive to activities before that date.
10. NIST AFFIRMATIVE DEFENSE
10.1 TIPA's Unique Safe Harbor
Pursuant to Tenn. Code Ann. Section 47-18-3208, TIPA provides a unique affirmative defense to violations if a controller or processor:
☐ Creates, maintains, and complies with a written privacy policy
☐ The privacy policy reasonably conforms to the National Institute of Standards and Technology (NIST) privacy framework
☐ Updates the policy to reasonably conform to subsequent NIST revisions within two years of publication
☐ The policy provides consumers with the substantive rights required by TIPA
10.2 Our NIST Compliance Status
[COMPANY NAME]:
☐ Maintains a privacy policy conforming to the NIST Privacy Framework
☐ Is working toward NIST Privacy Framework conformance
☐ [Describe NIST alignment status]
11. ENFORCEMENT
11.1 Cure Period
Pursuant to Tenn. Code Ann. Section 47-18-3210, the Tennessee Attorney General must provide 60 days' written notice of an alleged violation and an opportunity to cure before initiating an enforcement action.
11.2 Penalties
Violations may result in:
- Declaratory relief
- Injunctive relief
- Civil penalties up to $7,500 per violation
- Treble damages for willful or knowing violations
- Attorney's fees and investigative costs
11.3 No Private Right of Action
TIPA does not provide consumers with a private right of action. Enforcement is exclusively through the Tennessee Attorney General.
12. DATA SECURITY
Pursuant to Tenn. Code Ann. Section 47-18-3205, we establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect personal information.
Our security measures include:
☐ Encryption of data in transit and at rest
☐ Access controls and authentication measures
☐ Regular security assessments and audits
☐ Employee training on data protection
☐ Incident response procedures
☐ Vendor security assessments
Security safeguards are proportionate to the volume and nature of the data collected.
13. CONTROLLER AND PROCESSOR RELATIONSHIPS
13.1 Controller Information
[COMPANY NAME] is the controller of personal information processed under this Notice.
Controller Contact:
[ADDRESS]
[EMAIL]
[PHONE]
13.2 Processor Requirements
Pursuant to Tenn. Code Ann. Section 47-18-3207, our contracts with processors require:
- Clear instructions for processing
- Duty of confidentiality
- Appropriate security measures
- Subprocessor requirements
- Deletion or return of data upon termination
- Demonstration of compliance
14. CONTACT INFORMATION
Privacy Inquiries:
Name: [PRIVACY OFFICER NAME]
Title: [TITLE]
Email: [EMAIL]
Phone: [PHONE]
Address: [ADDRESS]
Consumer Rights Requests:
Email: [EMAIL]
Online: [URL]
Phone: [PHONE]
15. CHANGES TO THIS NOTICE
We may update this Notice to reflect changes in our practices or legal requirements. Material changes will be communicated:
☐ By posting an updated Notice on our website
☐ By email notification
☐ By notice within our application
DOCUMENT CONTROL
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | [DATE] | [NAME] | Initial version |
Legal Review: ☐ Completed Date: _________ Reviewer: _________
Next Review Date: _____________
This Notice is provided for informational purposes and compliance with the Tennessee Information Protection Act. It does not constitute legal advice. Consult with qualified legal counsel for specific compliance questions.
About This Template
Jurisdiction-Specific
This template is drafted specifically for Tennessee, incorporating applicable state statutes, local court rules, and jurisdiction-specific compliance requirements.
How It's Made
Drafted using current statutory databases and legal standards for compliance regulatory. Each template includes proper legal citations, defined terms, and standard protective clauses.
Important Notice
This template is provided for informational purposes. It is not legal advice. We recommend having an attorney review any legal document before signing, especially for high-value or complex matters.
Last updated: February 2026