On 1 July 2025, the Tennessee Information Protection Act enters into force. The Act applies to business entities active in the state that, annually, either control or process personal information of at least 100'000 consumers or control or process personal information of at least 25'000 consumers and derive more than 50% of gross revenue from the sale of personal information. The Act sets out consumer data rights, including access to personal information, data correction, data deletion, and obtaining a copy of the consumer's personal information. In addition, the Act includes obligations for data controllers, including abiding by principles of adequacy, relevance, and reasonable necessity in processing data, following laws prohibiting unfair discrimination against consumers, and obtaining consumer consent before processing sensitive personal data.
Original source