Tennessee employers can generally read employee emails sent or received on company-provided systems, provided they have a legitimate business purpose and comply with federal laws like the Electronic Communications Privacy Act (ECPA). State law has no statute specific to workplace monitoring and defers to federal guidance, but it prohibits demands for personal account passwords under the Employee Online Privacy Act. The Tennessee Information Protection Act (TIPA), effective July 2025, excludes employment data from consumer privacy rules while mandating reasonable data security practices.
Email Monitoring Rules
Employers may monitor work emails, internet use, and phone calls on company devices or networks with employee consent or for business needs, because Tennessee relies on the ECPA, which allows interception in the ordinary course of business. No state law requires notice for monitoring company email, but transparency through written policies is recommended to avoid disputes; personal emails accessed inadvertently must remain private. Video surveillance is permitted in common areas with employee notification, but not in restrooms or break rooms.
Data Privacy Protections
TIPA applies to consumer data collected after July 1, 2025, requiring privacy notices, consent for sensitive processing, and data minimization, but exempts employment-related information like HR records. Businesses must maintain reasonable administrative, technical, and physical safeguards for all data, with an affirmative defense if aligned with the NIST Privacy Framework. No private right of action exists; enforcement by the Attorney General includes up to $7,500 per violation after a 60-day cure period.
Cybersecurity Requirements
Tennessee’s data breach notification law mandates alerting affected individuals within 45 days of discovering a breach of unencrypted personal information, including employee data, and notifying the Attorney General for 500+ residents. Employers should limit employee access to sensitive data via “least privilege” principles to prevent internal breaches. Compliance with federal HIPAA or FCRA overrides state rules for regulated data.














