Scantra
SEO & Compliance Monitor

Tennessee Website Compliance Requirements

medium risk

Tennessee's TIPA introduced a NIST-CSF-based safe harbor — businesses that document compliance with a recognized privacy framework get an affirmative defence against TIPA enforcement actions.

Last reviewed 2026-06-19 · Risk rating rationale: $25M revenue + 175,000-resident threshold limits coverage to larger businesses, but the safe harbor structure makes documentation discipline more important than for other states.

Find out in 10 seconds whether your site meets Tennessee's requirements

Scantra runs a free, no-account, 9-check audit of your homepage covering privacy policy, contact info, CCPA-style opt-out, security headers, accessibility, and SEO basics. Most Tennessee sites we scan fail at least three.


Key Tennessee laws affecting websites

The statutes most likely to apply to a commercial website serving Tennessee residents.

TIPA

Tennessee Information Protection Act · Effective 2025

Applies to: Entities with $25M+ annual revenue that (a) control or process data of 175,000+ Tennessee consumers, or (b) derive 50%+ revenue from data sale AND process data of 25,000+ Tennessee consumers.

What your website must do

  • Privacy notice + standard rights enumeration
  • Document compliance with a recognized privacy framework (NIST Privacy Framework, ISO 27701, etc.) to qualify for safe harbor
  • Data protection assessments for sensitive data and high-risk profiling
  • Opt-out of sale and targeted ads

Citation: Tenn. Code Ann. § 47-18-3201 et seq.

Tennessee compliance by topic

Consumer data protection

State-specific rule applies

What your site has to disclose, ask consent for, and allow consumers to do with their personal information.

TIPA's safe harbor only protects businesses that have documented an active privacy program matching a recognized framework. Documentation discipline is the key differentiator.

Practical requirements for your website

  • Maintain a written privacy program aligned with NIST Privacy Framework or ISO 27701
  • Conduct and document data protection assessments
  • Respond to rights requests within 45 days

Cookies and tracking

Federal law applies

When you need consent or opt-outs, and when you must honor universal opt-out signals, for cookies and analytics scripts.

No cookie banner mandate.

Practical requirements for your website

  • Privacy choices link in footer for targeted ads

Accessibility (ADA + state)

Federal law applies

WCAG conformance expectations and how the state's accessibility cases tend to be litigated.

Federal ADA Title III applies.

Practical requirements for your website

  • WCAG 2.1 AA conformance

Cybersecurity and breach response

Federal law applies

What 'reasonable security' looks like under state law and how fast you have to notify after a breach.

Federal FTC Act applies.

Practical requirements for your website

  • Material connection disclosures

Email and SMS marketing

Federal law applies

How federal CAN-SPAM and TCPA interact with state-level marketing rules in this jurisdiction.

Federal CAN-SPAM applies.

Practical requirements for your website

  • Standard CAN-SPAM compliance

AI regulation

Federal law applies

Which AI uses the state has chosen to regulate, who's covered, and what the website has to disclose.

TIPA addresses profiling for significant decisions; no separate AI law.

Practical requirements for your website

  • Profiling opt-out + DPA documentation

Frequently asked questions about Tennessee website compliance

What does the TIPA NIST safe harbor actually protect against?
It's an affirmative defence in an enforcement action — if you can show your privacy program was aligned with NIST Privacy Framework (or equivalent) at the time of the alleged violation, the Tennessee AG must consider that in deciding whether to bring an action or assess penalties. It does NOT immunize you from class actions or other claims.



Important: Scantra is a software tool and a non-profit publisher, not a law firm. The summaries on this page are written for general business orientation and reflect the editors' reading of the statutes as of 2026-06-19. They are not legal advice and should not be the only source you rely on for compliance decisions. For your specific situation, consult a licensed attorney in Tennessee.