RatedWithAI

RatedWithAI

Accessibility scanner

Privacy LawJuly 17, 2026

Tennessee TIPA AI Compliance 2026: The NIST Framework Safe Harbor

Tennessee's Information Protection Act took effect July 1, 2025 with a structural quirk no other state privacy law shares: an affirmative defense for controllers that adopt a written privacy program conforming to the NIST Privacy Framework. For AI companies already building internal governance around NIST's AI Risk Management Framework, TIPA offers a direct path to reduce liability rather than just avoid it.

NIST Safe Harbor
Affirmative defense for controllers conforming to the NIST Privacy Framework
$25M + 175k
Revenue floor and consumer threshold — one of the narrower scopes among state privacy laws
No Sunset
60-day cure period currently has no fixed expiration date

Does TIPA Apply to Your AI Product?

TIPA only applies to businesses that exceed $25 million in annual revenue as a threshold gate. On top of that revenue floor, the business must also, during a calendar year, control or process the personal data of at least 25,000 consumers and derive more than 50% of gross revenue from the sale of personal data, or control or process the data of at least 175,000 consumers.

That combination — a revenue floor plus a 175,000-consumer alternate threshold — makes TIPA one of the least likely state privacy laws to sweep in an early-stage AI startup. A growth-stage AI SaaS company that has already tripped Montana's 50,000-consumer bar or New Jersey's 25,000-consumer alternate trigger may still fall outside TIPA's scope entirely until it clears both the revenue and consumer thresholds.

The NIST Privacy Framework Affirmative Defense

TIPA's standout feature is a statutory affirmative defense: a controller or processor that creates, maintains, and complies with a written privacy program reasonably conforming to the NIST Privacy Framework — or another recognized framework such as ISO/IEC 27701 — has a defense against a claimed TIPA violation.

This is structurally different from every other state privacy law's approach. Most states treat a written privacy program as a factor in mitigating a penalty, not as a defense to liability itself. For AI companies that are already building NIST AI Risk Management Framework documentation for enterprise procurement or federal contracting purposes, extending that same program to cover NIST Privacy Framework categories — identify, govern, control, communicate, protect — can do double duty: satisfying enterprise buyers and building a TIPA-specific legal defense at the same time.

Identify

Inventory personal data processing activities across your AI product, including training data, inference logs, and any biometric or sensitive categories.

Govern

Document roles, policies, and risk-tolerance decisions for how personal data feeds AI features — who approves new data uses, and how.

Control

Implement technical and organizational controls for data minimization, retention limits, and access restriction across AI pipelines.

Communicate

Maintain a privacy notice and internal documentation that clearly explains data flows to consumers, auditors, and enterprise customers alike.

Protect

Layer in security safeguards — encryption, access logging, breach response — consistent with the broader NIST Cybersecurity Framework that Privacy Framework work is often paired with.

Consumer Rights and AI Profiling

Profiling opt-out

Consumers can opt out of profiling in furtherance of decisions that produce legal or similarly significant effects — credit, employment, housing, healthcare, insurance, and education outcomes.

Targeted advertising opt-out

Consumers can opt out of personal data being used for targeted advertising.

Sale of data opt-out

Consumers can opt out of the sale of their personal data to third parties, including data-licensing arrangements with AI model developers.

Data Protection Assessments

Processing that presents a heightened risk of harm — including certain profiling — requires a documented data protection assessment before the processing begins.

TIPA Compliance Checklist for AI Companies

1. Scope Determination
  • Confirm your business exceeds the $25 million annual revenue gate before assuming TIPA applies
  • Check both the 25,000-consumer/50%-revenue trigger and the standalone 175,000-consumer trigger
  • Reassess scope annually as revenue and Tennessee user counts change
2. Build Toward the NIST Safe Harbor
  • Map existing NIST AI Risk Management Framework work to the NIST Privacy Framework's five functions
  • Document the privacy program in writing — an undocumented practice does not qualify for the affirmative defense
  • Assign an owner responsible for keeping the program current as AI features and data flows change
3. Consumer Rights Infrastructure
  • Build opt-out flows for profiling, targeted advertising, and data sale
  • Document which AI-driven decisions fall into the legal-or-significant-effect category
  • Complete data protection assessments before deploying higher-risk profiling
4. Enforcement Readiness
  • Retain records supporting your scope and threshold determinations
  • Keep the written NIST-conforming privacy program readily producible in case of an AG inquiry
  • Track the 60-day cure period's status — it currently has no sunset date, but that could change legislatively

See where your AI product is exposed

RatedWithAI helps SaaS and platform teams surface compliance and trust gaps across their web properties. Start with a free scan to understand how your product presents to users and regulators alike.

Scan Your Product for Free →

Frequently Asked Questions

Is the NIST affirmative defense automatic once you adopt the framework?

No. The defense requires that the written privacy program 'reasonably conforms' to the NIST Privacy Framework and is actually maintained and complied with — a stale document adopted once and never updated is unlikely to satisfy the standard. Courts and the Tennessee Attorney General would look at whether the program is a living practice, not just a policy binder.

Can a business use ISO/IEC 27701 instead of the NIST Privacy Framework?

Yes. TIPA's affirmative defense extends to other recognized privacy frameworks in addition to the NIST Privacy Framework, including ISO/IEC 27701. Businesses that have already built compliance programs around ISO frameworks for other purposes, such as SOC 2 or ISO 27001 certification, may be able to extend that work to qualify.

How does TIPA's scope compare to Montana's or New Jersey's?

TIPA is narrower. Montana's primary threshold is 50,000 consumers with no revenue floor, and New Jersey's is 100,000 consumers or a lightweight 25,000-consumer alternate trigger, also with no revenue floor. TIPA requires clearing $25 million in annual revenue in addition to a 175,000-consumer threshold (or the 25,000-consumer/50%-revenue combination), which exempts a meaningfully larger band of smaller AI companies.

Related Guides