Tennessee Privacy Laws

Tennessee data privacy laws protect consumers’ personal information by regulating how certain businesses collect, process, store, and disclose sensitive data. These laws are designed to help reduce the risk of identity theft, fraud, unauthorized data use, and certain forms of targeted advertising. If a data breach or cyberattack exposes Tennessee residents’ personal information, affected consumers may have legal options depending on the facts, including claims for financial losses, identity theft-related expenses, or other damages available under applicable law.

Tennessee Data Privacy Laws: An Overview

Tennessee residents’ data is protected by a number of state privacy laws, including the Tennessee Information Protection Act (TIPA), the Data Breach Notification Act, and other industry-specific laws, such as the Insurance Data Security Law. These laws generally give consumers in Tennessee the right to control whether their data is collected and processed by corporations. Additionally, they regulate what companies must do in the event of a data breach that affects consumers.

The Tennessee Information Protection Act (TIPA)

The Tennessee Information Protection Act (TIPA), which took effect on July 1, 2025, is a comprehensive data privacy law that protects Tennessee residents acting in an individual or household context. Under TIPA, consumers have the right to access, edit, or delete their personal data collected by a company, as well as to opt out of the sale of their data for targeted advertising or profiling purposes.

TIPA defines “personal information” as information that identifies, relates to, or describes a particular consumer. This may include names, aliases, online identifiers, email addresses, Social Security numbers, driver’s license numbers, or other similar identifiers. It can also include signatures, addresses, phone numbers, education and employment history, and financial or medical information. It does not include publicly available or aggregate consumer information.

Sensitive data under TIPA receives additional protections and is defined as personal information revealing race, ethnicity, religion, health diagnoses, sexual orientation, citizenship, genetic and biometric data, precise geolocation data, or data from a known child under 13.

The Tennessee Data Breach Notification Act

Under Tennessee’s Data Breach Notification Act, after discovering a data breach, companies must notify any Tennessee resident whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person in the breach. The disclosure must be made within 45 days of the discovery of the security breach. If the data breach affected over one thousand people, the affected company must also notify all relevant consumer reporting agencies and credit bureaus without unreasonable delay.

Federal Data Privacy Laws Affecting Tennessee Residents

Though there is no wide-reaching, comprehensive federal data privacy law, several key federal laws still influence data protection in specific industries in Tennessee. These laws include:

  • The Gramm-Leach-Bliley Act (GLBA): The GLBA is a 1999 federal law that requires financial institutions to keep consumers’ sensitive financial data secure and to clearly explain their information-sharing practices.
  • The Health Insurance Portability and Accountability Act (HIPAA): HIPAA is a federal law passed in the United States designed to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.
  • Children’s Online Privacy Protection Act (COPPA): Under COPPA, websites, apps, and online services directed at children must clearly post privacy policies and obtain verifiable parental consent before collecting or using the data of any child under 13.

What Businesses Must Comply with Tennessee Privacy Laws?

The Tennessee Information Protection Act (TIPA) applies to businesses in the state that control or process the personal information of at least 175,000 consumers per year, or of at least 25,000 consumers if they derive over 50% of their revenue from the sale of personal data. Businesses must also earn more than $25 million in annual revenue to qualify under the law. Some entities are exempt, such as political subdivisions, financial institutions, and universities.

Your 5 Core Privacy Rights as a Tennessee Resident

Under Tennessee data privacy laws, consumers have several rights regarding the collection, processing, and sale of their personal data. These include:

  • The Right to Access and Confirm: Tennessee consumers have the right to learn whether a company is collecting and processing their data.
  • The Right to Correct and Delete: Tennessee consumers have the right to fix inaccuracies or demand the permanent removal of their personal information.
  • The Right to Data Portability: Tennessee consumers have the right to obtain a digital, usable copy of their data.
  • The Right to Opt-Out of Data Sales and Profiling: Tennessee consumers have the right to opt out of the sale of their personal data for targeted advertising and profiling.

TIPA also mandates that data controllers limit their collection of personal information to what is adequate, relevant, and reasonably necessary. They must maintain data security practices and refrain from processing sensitive data without consumers’ consent.

Major Recent Tennessee Data Breaches

Change Healthcare Data Breach (2024)

In February 2024, UnitedHealth Group Inc. disclosed that one of its units, Change Healthcare, had been targeted by the Russia-linked BlackCat/ALPHV ransomware group in a cyberattack. The breach reportedly affected the personal or health information of approximately 190 million people nationwide and disrupted healthcare payment and claims systems, including services used by Tennessee providers and patients.

Mid-South Pulmonary and Sleep Specialists Data Breach (2025)

In late 2025, Mid-South Pulmonary and Sleep Specialists, based in Memphis, allegedly suffered a ransomware attack by the Anubis group. The breach compromised sensitive personal data, including patient names, addresses, dates of birth, Social Security numbers, health insurance details, and medical diagnoses.

In Tennessee, victims of data breaches may have multiple options for taking legal action and recovering compensation for their losses, depending on the nature of their claim. You may be eligible to file an individual lawsuit, join or start a class action lawsuit, or file a demand in a mass arbitration action. Tennessee consumers can also report suspected violations of TIPA to the Tennessee Attorney General’s Division of Consumer Affairs.

Compensation Available for Data Privacy Breaches

Tennessee residents affected by a data breach may have legal options for seeking compensation, depending on the facts of the incident and the losses they suffered. Potential compensation may include:

  • Reimbursement for proven financial losses from identity theft or fraud
  • Costs related to identity theft protection or credit monitoring
  • Other damages available under applicable law

If you or a loved one was affected by a Tennessee data breach, contact Class Action U to be connected with an experienced data breach lawyer to learn more about your legal options for seeking justice and compensation.

Speak to a Data Privacy Lawyer in Tennessee

Tennessee’s data privacy laws, from the Tennessee Information Protection Act to the Tennessee Data Breach Notification Act, protect consumers’ personal information from theft and unauthorized use. If you believe a corporation has mishandled your data in Tennessee or ignored your TIPA request, contact Class Action U today to see if you qualify for a legal claim.
