Gov. Lee Signs Tennessee Privacy Law

The Tennessee privacy law will take effect July 1, 2025, and will be enforced solely by the state attorney general. It applies to companies with more than $25 million annual revenue, which control or process personal data of at least 25,000 consumers and gets more than half its gross revenue from selling that data. It also applies if the company controls or processes personal data of at least 175,000 consumers in one year.

The tech industry supported the latest state privacy law. “As states across the country continue to consider approaches to protect consumer data privacy, we commend Tennessee policymakers for enacting balanced and meaningful protections for consumers that will continue to allow innovation to thrive,” said CCIA State Policy Director Khara Boender.

But Consumer Reports raised concerns and asked the legislature to amend it next year. The Tennessee law “creates far too many opportunities for tech companies to avoid offering consumers the protections that it claims to provide,” said CR policy analyst Matt Schwartz. The legislature should rework the law’s sale and target ad definitions, pseudonymous data exemption and enforcement framework, plus add support for a universal opt-out mechanism, he said. “Without amendments to these key areas, this new law will not meaningfully move consumer privacy forward.”

Tennessee “is yet another example of why Congress needs to act to pass a national privacy standard that preempts the growing, complex patchwork of state laws on data privacy,” a NetChoice spokesperson said. “The more laws that are on the books, the harder it will be for especially small businesses to enter the marketplace.”

Indiana became the seventh state with a privacy law last week (see 2305030040), after Iowa became the sixth in March (see 2303290052). Those measures and Tennessee's are considered to fall on the business-friendly end of the state privacy law spectrum. The other five states with privacy laws, either already effective or coming into effect over the next three years, are California, Colorado, Connecticut, Utah and Virginia. Montana and Florida legislatures passed bills this year, but they still need gubernatorial approval.

The Tennessee law includes “a unique safe harbor,” blogged Cynthia Larose and other Mintz attorneys: “It offers an affirmative defense to businesses who create, maintain and comply with a written privacy program that ‘reasonably conforms’ to the National Institute of Standards and Technology … privacy framework or ‘other documented policies, standards, and procedures designed to safeguard consumer privacy.’” But the Tennessee measure otherwise is much like business-friendly Virginia and Indiana laws, they said.

Businesses covered by the Tennessee law will “have some time to ensure compliance requirements are implemented and will likely already have many of the requirements in place,” blogged privacy attorneys Brianne Powers and Jeremy Berkowitz of Paul Hastings. “Businesses that must meet all of the individual state privacy laws should continue to refine their processes for updating privacy policies, handling data subject requests, and updating data processing agreements.”

“Those who have previously assessed their organization’s compliance with California, Virginia” or the EU’s general data protection regulation will find that the new state laws don’t “significantly add to the mix of obligations,” blogged Sheppard Mullin lawyers Liisa Thomas and Kathryn Smith. “Nevertheless, tracking the differences in applicability, notice/choice/rights obligations, contractual clauses, to say nothing of their varying approaches to sensitive data, sales, and financial incentives can be headache inducing.”