The revenue-based applicability factor is used to determine the scope of applicability of data protection laws within a jurisdiction by setting a threshold for the annual gross revenue of businesses that are subject to the law.

Relevant Provision(s)

• CCPA Sec.1798.140 (d)(1)(A) in USA - California: (d) “Business” means: (1) A sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that collects consumers’ personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information, that does business in the State of California, and that satisfies one or more of the following thresholds: (A) As of January 1 of the calendar year, had annual gross revenues in excess of twenty-five million dollars ($25,000,000) in the preceding calendar year, as adjusted pursuant to paragraph (5) of subdivision (a) of Section 1798.185.
• CCPA Sec.1798.140 (d)(1)(C) in USA - California: (d) “Business” means: (1) A sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that collects consumers’ personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information, that does business in the State of California, and that satisfies one or more of the following thresholds: (C) Derives 50 percent or more of its annual revenues from selling or sharing consumers’ personal information.
• CDPA Sec.2(2) in USA - Connecticut: (2) controlled or processed the personal data of not less than twenty-five thousand consumers and derived more than twenty-five per cent of their gross revenue from the sale of personal data.
• Delaware PDPA Para.12D-103(a)(2) in USA - Delaware: (a) This chapter applies to persons that conduct business in the State or persons that produce products or services that are targeted to residents of the State and that during the preceding calendar year did any of the following: (2) Controlled or processed the personal data of not less than 10,000 consumers and derived more than 20 percent of their gross revenue from the sale of personal data.
• MCPDA Sec.3(1)(2) in USA - Montana: (2) control or process the personal data of not less than 25,000 consumers and derive more than 25% of gross revenue from the sale of personal data.
• Oregon CDPA Sec.2(1)(b) in USA - Oregon: (1) Sections 1 to 9 of this 2023 Act apply to any person that conducts business in this state, or that provides products or services to residents of this state, and that during a calendar year, controls or processes: (b) The personal data of 25,000 or more consumers, while deriving 25 percent or more of the person’s annual gross revenue from selling personal data.
• TIPA Sec.47-18-3202(1) in USA - Tennessee: (1) Exceed twenty-five million dollars ($25,000,000) in revenue; and
• TIPA Sec.47-18-3202(2)(A) in USA - Tennessee: (A) Control or process personal information of at least twenty-five thousand (25,000) consumers and derive more than fifty percent (50%) of gross revenue from the sale of personal information; or
• VCDPA para.59.1-576(A)(ii) in USA - Virginia: (ii) control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data.

Analysis of Provisions

The provisions set forth in the various jurisdictions establish revenue-based applicability factors for data protection laws. For instance, the CCPA in California applies to businesses with annual gross revenues exceeding $25 million ("had annual gross revenues in excess of twenty-five million dollars ($25,000,000) in the preceding calendar year"). Similarly, the CDPA in Connecticut applies to persons that derive more than 25% of their gross revenue from the sale of personal data ("derived more than twenty-five per cent of their gross revenue from the sale of personal data").

The rationale behind incorporating revenue-based applicability factors into data protection laws is to ensure that businesses with significant financial resources and extensive data processing activities are subject to stricter regulations. By setting a revenue threshold, lawmakers can limit the application of data protection laws to businesses that are more likely to pose a risk to consumers' personal data.

Implications

The revenue-based applicability factor has significant implications for businesses operating in the respective jurisdictions. For example:

• A business in California with an annual gross revenue of $20 million would not be subject to the CCPA, whereas a business with an annual gross revenue of $30 million would be required to comply with the law.
• A business in Connecticut that derives 20% of its gross revenue from the sale of personal data would not be subject to the CDPA, whereas a business that derives 30% of its gross revenue from the sale of personal data would be required to comply with the law.

These examples illustrate how the revenue-based applicability factor can extend or limit the application of data protection laws to businesses operating in the respective jurisdictions.