🧮
Number of Data Subjects

The factor "Number of Data Subjects" refers to a quantitative threshold used in various data protection laws to determine the applicability of the legislation to businesses or entities. This factor typically specifies a minimum number of consumers or data subjects whose personal data is controlled or processed by an entity, which, when met or exceeded, brings the entity within the scope of the law's requirements.

California Consumer Privacy Act (CCPA)

Provision: Section 1798.140(d)(1)(B)

Key points:

  • Applies to businesses that annually buy, sell, or share personal information of 100,000 or more consumers or households
  • Threshold combines consumers and households
  • Considers annual data processing activities

Virginia Consumer Data Protection Act (CDPA)

Provision: Section 2(1) and 2(2)

Key points:

  • Two separate thresholds:
    1. Controlling or processing personal data of at least 100,000 consumers
    2. Controlling or processing personal data of at least 25,000 consumers and deriving more than 25% of gross revenue from the sale of personal data
  • Excludes personal data processed solely for payment transactions
  • Based on the preceding calendar year's activities

Delaware Personal Data Privacy Act (PDPA)

Provision: Paragraph 12D-103(a)(1)

Key points:

  • Applies to entities controlling or processing personal data of at least 35,000 consumers
  • Excludes personal data processed solely for payment transactions
  • Based on the preceding calendar year's activities

Montana Consumer Data Privacy Act (MCDPA)

Provision: Section 3(1)(1) and 3(1)(2)

Key points:

  • Two separate thresholds:
    1. Controlling or processing personal data of at least 50,000 consumers
    2. Controlling or processing personal data of at least 25,000 consumers and deriving more than 25% of gross revenue from the sale of personal data
  • Excludes personal data processed solely for payment transactions

Tennessee Information Protection Act (TIPA)

Provision: Section 47-18-3202(2)(A) and (2)(B)

Key points:

  • Two separate thresholds:
    1. Controlling or processing personal information of at least 25,000 consumers and deriving more than 50% of gross revenue from the sale of personal information
    2. Controlling or processing personal information of at least 175,000 consumers during a calendar year
  • Highest consumer threshold among the analyzed laws (175,000)
  • Unique revenue percentage threshold (50%) for the lower consumer count