Sale of Personal Data

The sale of personal data criterion is a significant factor used in determining the applicability of data protection laws. This factor extends the scope of data protection regulations to entities that monetize personal information, ensuring that businesses engaging in the sale of personal data are subject to the relevant legal obligations.

Provision Examples:

CCPA Sec.1798.140 (ad)(1) (California, USA):

"(ad) (1) ‘Sell,’ ‘selling,’ ‘sale,’ or ‘sold,’ means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for monetary or other valuable consideration."

FDPA Sec.501.703(1) (Florida, USA):

"(1) This part applies only to a person who: (b) Processes or engages in the sale of personal data."

Oregon CDPA Sec.2(1)(b) (Oregon, USA):

"(1) Sections 1 to 9 of this 2023 Act apply to any person that conducts business in this state, or that provides products or services to residents of this state, and that during a calendar year, controls or processes: (b) The personal data of 25,000 or more consumers, while deriving 25 percent or more of the person’s annual gross revenue from selling personal data."

TIPA 47-18-3202 (2)(A) (Tennessee, USA):

"This part applies to persons that conduct business in this state producing products or services that target residents of this state and that: (2)(A) Control or process personal information of at least twenty-five thousand (25,000) consumers and derive more than fifty percent (50%) of gross revenue from the sale of personal information."

Description

The sale of personal data criterion is incorporated into data protection laws to ensure that entities engaging in the monetization of personal information are held to stringent privacy standards. This factor is particularly relevant in jurisdictions where the commercial use of personal data is widespread, such as the United States.

In California’s CCPA, the definition of “sale” is broad, encompassing not only traditional sales but also any transfer of personal information to third parties for monetary or valuable consideration. This expansive definition ensures that businesses cannot evade the law by simply recharacterizing their transactions.

Florida’s FDPA similarly applies to entities that process or engage in the sale of personal data, indicating that the mere act of selling personal data is sufficient to bring a business within the scope of the law.

In Oregon, the CDPA sets a threshold where the law applies to businesses that derive a significant portion of their revenue—25% or more—from selling personal data. This provision is designed to target businesses for whom the sale of personal data is a substantial part of their business model, ensuring that such entities are subject to regulatory oversight.

Tennessee’s TIPA takes a slightly different approach by setting both a consumer threshold (25,000 consumers) and a revenue threshold (more than 50% of gross revenue from the sale of personal information). This dual criterion is aimed at ensuring that only businesses with a significant presence in the market and reliance on data sales are regulated, avoiding the imposition of onerous obligations on smaller businesses.

The commonality across these provisions is the emphasis on capturing entities that profit from personal data, thereby ensuring that they comply with the necessary data protection obligations. The differences in thresholds and definitions reflect each jurisdiction’s approach to balancing regulation with business interests.

Implications

The inclusion of the sale of personal data as a criterion for the applicability of data protection laws has significant implications for businesses. Entities that engage in the sale of personal data must be aware that this activity will likely subject them to the full scope of data protection regulations in jurisdictions like California, Florida, Oregon, and Tennessee.

For example, a company operating in California that sells consumer data to third parties must comply with the CCPA’s comprehensive privacy obligations, including providing consumers with the right to opt out of the sale of their personal information. Similarly, a business in Oregon that derives a significant portion of its revenue from selling personal data will be subject to the Oregon CDPA’s requirements.

In Tennessee, businesses that meet the high thresholds of at least 25,000 consumers and more than 50% of gross revenue from data sales will find themselves under the purview of TIPA, requiring them to implement robust data protection measures and comply with consumer rights provisions.

These implications highlight the need for businesses to carefully assess their data processing activities, particularly those involving the sale of personal data, to ensure compliance with relevant data protection laws.