FBT Gibbons

 

What law(s) specifically govern personal data / information?

The Tennessee Information Protection Act (TIPA) is Tennessee's comprehensive consumer data privacy law; it took effect on July 1, 2025.

Identity Theft Deterrence Act of 1999 (the ID Law)

Personal Privacy Protection Act (§39-13-612 of Part 6 of Chapter 13 of Title 39 of the Tenn. Code.) (PPPA)

Criminal Invasion of Privacy (§39-13-601 et seq. of Part 6 of Chapter 13 of Title 39 of the Tenn. Code)

§47-18-3001 et seq. of Part 30 of Chapter 18 of Title 47 of the Tenn. Code

Insurance Data Security Law (§56-2-1001 et seq. of Part 10 Chapter 2 of Title 56 of the Tenn. Code) (IDSL)

Consumer Telemarketing Protection Act (§47-18-1501 et seq. of Part 15 of Chapter 18 of Title 47 of the Tenn. Code) (CTPA)

§47-18-2901 of Part 29 of Chapter 18 of Title 47 of the Tenn. Code

§47-18-2107 of the Tennessee Code (Data Breach Notification Law)

Ensuring Likeness, Voice, and Image Security (ELVIS) Act

 

What are the key data protection principles in this jurisdiction?

The TIPA is a comprehensive consumer privacy law whose key principles are transparency (a clear privacy notice), data minimisation and purpose limitation (collecting only what is adequate, relevant and reasonably necessary for the disclosed purposes), reasonable data security, and consumer rights over their personal data.

Under the ID Law, it is unlawful to obtain, possess, or use another person's personal identifying information or identification documents (for example credit card numbers, driver's licence and passport numbers, and licensure numbers) for unlawful economic benefit.

Under PPPA, state agencies that collect information about donors or volunteers to non-profit organizations are prohibited from releasing that information to any third party. PPPA also protects personal information to the extent that it relates to a person’s involvement in a charitable or political organization.

Under Tennessee’s Criminal Invasion of Privacy statute, businesses and individuals are prohibited from invading someone’s privacy by wiretap, unauthorized photography, electronic tracking of vehicles, or spying.

Under §47-18-3001 et seq. of Part 30 of Chapter 18 of Title 47 of the Tenn. Code, businesses and individuals are prohibited from using “protected health information” to offer legal services to the subject of that information without the person’s authorization.

Under the IDSL, insurance carriers are required to take steps to protect consumers' non-public information, including financial, medical and other personal information. Specifically, insurance carriers are required to:

  • identify internal and external threats that could result in unauthorised access, transmission, disclosure, misuse, alteration or destruction of consumers' non-public information;
  • develop, implement, and maintain a written information security program commensurate with their own risk assessment, with a designated employee responsible for the program; and
  • investigate any cybersecurity event and notify the Commissioner of the Tennessee Department of Commerce and Insurance as promptly as possible, and no later than three business days after determining that a cybersecurity event has occurred, if the carrier is a Tennessee-domiciled insurer or if more than 250 Tennessee residents are affected.

Under the CTPA, businesses and individuals are prohibited from using automatic dialing devices to telemarket to Tennessee residents. Tennessee law also imposes subject-line requirements on unsolicited advertising email. If an email consists of unsolicited advertising material for the lease, sale, rental, gift offer, or other disposition of any realty, goods, services or extension of credit, the subject line of each message must begin with 'ADV:' as its first four characters. If the advertised realty, goods, services or extension of credit may only be viewed, purchased, rented, leased or held in possession by an individual 18 years of age or older, the subject line must instead begin with 'ADV:ADLT' as its first eight characters.

Under §47-18-2901 of Part 29 of Chapter 18 of Title 47 of the Tenn. Code, state, county and municipal agencies are required to adopt safeguards and procedures to secure personal information about Tennessee residents that is stored on laptops used by their employees.

Under the Tennessee Data Breach Notification Law, any business that owns or licenses computerised personal information of Tennessee residents must notify the affected residents of a breach of that information. If notification must be made to more than 1,000 Tennessee residents at one time, the business must also notify, without unreasonable delay, all consumer reporting agencies and credit bureaus that compile and maintain files on consumers on a nationwide basis.

Under the ELVIS Act, using AI or deepfake technology to replicate or synthesise a person's voice or likeness without that person's explicit consent is prohibited.

 

What is the supervisory authority / regulator in charge of data protection?

Tennessee Attorney General.

 

Is there a requirement to register with a supervisory authority / regulator?

No.

 

Is there a requirement to notify the supervisory authority / regulator?

No notification required.

 

Is it possible to register with / notify the supervisory authority / regulator online?

Not applicable.

 

What are the key data subject rights under the data protection laws of this jurisdiction?

Under the TIPA, consumers have the following rights:

  • Right of access – the right to confirm whether a controller is processing their personal data and to access that personal data
  • Right of correction – the right to correct inaccuracies in their personal data
  • Right of data portability – the right to obtain a copy of their personal data in a portable and readily usable format that allows the consumer to transmit the data to another entity without hindrance
  • Right of deletion – the right to have their personal data deleted
  • Right to opt out – the right to opt out of the processing of personal data for purposes of (i) targeted advertising, (ii) the sale of personal data, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer
  • Non-discrimination – the right not to be discriminated against for exercising these rights

 

Is there a requirement to appoint a data protection officer (or equivalent)?

No.

 

Do data protection/ privacy impact assessments need to be carried out in certain circumstances?

Yes. The TIPA requires controllers to conduct and document a data protection assessment for processing activities that present a heightened risk of harm to consumers, including processing personal data for targeted advertising, the sale of personal data, profiling that carries certain foreseeable risks, and the processing of sensitive data. The Attorney General may request these assessments in connection with an investigation.

 

Does this jurisdiction have any specific data breach notification requirements?

Yes. A notifiable breach is the unauthorised acquisition of unencrypted computerised data (or of encrypted data together with the encryption key) that materially compromises the security, confidentiality, or integrity of personal information maintained by the information holder; a breach of properly encrypted data whose key was not also acquired does not trigger notification. Where notification is required, the business must notify affected Tennessee residents immediately, and no later than 45 days after discovery of the breach, unless a law enforcement agency determines that notification would impede a criminal investigation, in which case notification may be delayed until the agency indicates it would no longer do so.

 

What restrictions apply to the international transfer of personal data / information?

None.

 

Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?

In practice, yes. The TIPA applies to any person that conducts business in Tennessee or produces products or services targeted to Tennessee residents and that meets the Act's applicability thresholds, whether or not the person is located in Tennessee. The Data Breach Notification Law likewise applies to any information holder that owns or licenses personal information of Tennessee residents, wherever the holder is located.

 

What rules specifically deal with marketing?

See the key principles of the CTPA above.

 

Do different rules apply to business-to-business and business-to-consumer marketing?

No.

 

What rules specially deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc)?

The unsolicited advertising email rules described above ('ADV:' or 'ADV:ADLT' as the first characters of the subject line) apply to email. There are no Tennessee-specific rules for text messages, messaging apps or online advertising beyond the TIPA's opt-out rights for targeted advertising and the sale of personal data.

 

What rules specifically deal with cookies?

None specific to cookies. However, the TIPA's right to opt out of targeted advertising and of the sale of personal data applies to personal data collected through cookies and similar tracking technologies.

 

What are the consequences of non compliance with data protections laws (including marketing laws)?

The Tennessee Attorney General has exclusive authority to bring enforcement actions for violations of the TIPA; there is no private right of action. Before bringing an action, the AG must give the controller or processor written notice identifying the specific provisions alleged to have been violated and allow 60 days to cure. If the violation is cured within the 60-day period and the business provides an express written statement that it has been cured and that no further violations will occur, no further action is taken. If the business fails to cure the violation, the AG may seek injunctive relief, civil penalties of up to USD $7,500 per violation, and court costs and attorneys' fees.

A violation of the ID Law is also a violation of the Tennessee Consumer Protection Act of 1977, which allows a plaintiff to recover treble damages and attorneys' fees if the plaintiff can prove actual damages stemming from the violation.

A knowing violation of the PPPA is a Class B misdemeanour, punishable by up to six months in jail and/or a fine of up to USD $500.

Violations of Tennessee's criminal invasion of privacy statutes can be prosecuted as felonies, which carry imprisonment and loss of voting rights.

A wilful violation of §47-18-3001 et seq. of Part 30 of Chapter 18 of Title 47 of the Tenn. Code may result in a Class A misdemeanour or a Class C felony, punishable by fines and imprisonment.

A violation of the CTPA can result in a Class A misdemeanour charge, which carries fines, or civil penalties of up to USD $1,000 per call made in violation of the law.

A violation of the unsolicited advertising email requirements can result in damages of USD $10 per email or USD $5,000 per day. Electronic service providers that merely transmit the emails are not liable.

A violation of §47-18-2901 of Part 29 of Chapter 18 of Title 47 of the Tenn. Code gives rise to a private right of action for damages if the Tennessee resident can prove that the agency's failure to safeguard the information caused the resident to become a victim of identity theft.

Individuals have a private right of action for violations of the ELVIS Act to pursue injunctive relief and damages.

 

In broad terms, multinational organisations should be aware of what key factors if they process personal data / information from individuals within this jurisdiction, without being located there?

Businesses that collect personal data of Tennessee residents are subject to Tennessee law even if they are not located in the state. In particular, the TIPA applies to any person that conducts business in Tennessee or produces products or services targeted to Tennessee residents, exceeds USD $25 million in annual revenue, and either (i) controls or processes the personal information of at least 175,000 consumers in a calendar year or (ii) controls or processes the personal information of at least 25,000 consumers and derives more than 50% of gross revenue from the sale of personal information. The Data Breach Notification Law applies to any business that owns or licenses personal information of Tennessee residents regardless of location, and the unsolicited advertising email rules apply to email sent to Tennessee recipients.

 

What upcoming data protection developments should multinational organisations be aware of?

None at this time.

 

Need more information?
Contact a member firm:
Jan De Beer
FBT Gibbons
USA - Tennessee


Kai Bitter
FBT Gibbons
USA - Tennessee