Tennessee Information Protection Act - Profiling Provisions
Effective date
Penalty
Up to $7,500 per violation. Treble damages for willful or knowing violations (penalties tripled). 60-day cure period (longer than most states). Reasonable at…
Obligations mapped
10 obligations
Overview
Grants Tennessee consumers the right to opt out of profiling for decisions with legal or significant effects. First state to provide a NIST affirmative defense: controllers and processors that create, maintain, and comply with a written privacy program that reasonably conforms to the NIST Privacy Framework may assert an affirmative defense. This materially reduces compliance risk for NIST-aligned organizations. Applies to businesses with annual revenue exceeding $25 million that also meet consumer data volume thresholds (175,000 consumers, or 25,000 consumers with 50%+ revenue from data sales). Among the highest applicability thresholds of any state privacy law.
This is a privacy law with automated decision-making provisions.
See if this regulation applies to your company with the free exposure scan.
Who this applies to
This regulation applies to the following roles:
- Deployers and users of covered AI systems and tools
- Organizations operating in Tennessee
This regulation applies to companies that use or deploy AI tools and systems built by other vendors. If your company uses AI-powered products in the areas listed below, this regulation may apply to you.
s 47-18-3304(a)(2)(E) · s 47-18-3307(a)(4) and related sections
AI categories covered
- Consumer-facing AI
- Automated decision-making
Specific AI use cases:
- Customer profiling and segmentation
What this requires you to do
10 obligations identified from statutory analysis.
s 47-18-3307(a)(4)
s 47-18-3305(a)(5)
s 47-18-3306(b)
s 47-18-3305(a)(1)-(2)
s 47-18-3309
Regulation summaries are simplified for readability and may not capture every nuance of the underlying statute. Verify important details against primary sources linked on this page.
Enforcement and penalties
Up to $7,500 per violation. Treble damages for willful or knowing violations (penalties tripled). 60-day cure period (longer than most states). Reasonable attorney's fees and investigative costs. AG-only enforcement. No private right of action. NIST Privacy Framework affirmative defense available.
Penalty amounts are based on statutory text and may be subject to adjustment, judicial interpretation, or enforcement discretion.
Related regulations
Tennessee AI regulation guide lists every tracked rule for this jurisdiction with timelines and obligation tallies.
This rule references NIST AI RMF practices. See the federal NIST AI RMF entry for context and source links.
Regulation summaries are simplified for readability and may not capture every nuance of the underlying statute. Verify important details against primary sources linked on this page.