Applicability of Tennessee Information Protection Act Based on Number of Data Subjects

The factor "Number of Data Subjects" is explicitly used in the Tennessee Information Protection Act (TIPA) to determine the scope of the law's applicability. This factor sets thresholds for the number of consumers whose personal information is controlled or processed, thereby impacting whether a business is subject to the TIPA regulations.

Text of Relevant Provisions

Referenced Provision(s):

"TIPA Sec.47-18-3202(2)(A) Control or process personal information of at least twenty-five thousand (25,000) consumers and derive more than fifty percent (50%) of gross revenue from the sale of personal information; or"

"TIPA Sec.47-18-3202(2)(B) During a calendar year, control or process personal information of at least one hundred seventy-five thousand (175,000) consumers."

Original (Language):

"TIPA Sec.47-18-3202(2)(A) Control or process personal information of at least twenty-five thousand (25,000) consumers and derive more than fifty percent (50%) of gross revenue from the sale of personal information; or"

"TIPA Sec.47-18-3202(2)(B) During a calendar year, control or process personal information of at least one hundred seventy-five thousand (175,000) consumers."

Analysis of Provisions

The Tennessee Information Protection Act (TIPA) uses specific thresholds to determine the applicability of its provisions based on the number of data subjects whose personal information is controlled or processed by a business.

Breakdown and Explanation:

• TIPA Sec.47-18-3202(2)(A):
  • "Control or process personal information of at least twenty-five thousand (25,000) consumers": This clause sets a threshold that requires a business to control or process personal information for at least 25,000 consumers within a given period (typically a calendar year) to be subject to the TIPA.
  • "derive more than fifty percent (50%) of gross revenue from the sale of personal information": This condition applies to businesses that rely heavily on the sale of personal information for their revenue. Both criteria must be met for this provision to apply, targeting businesses with substantial data processing activities and a significant portion of their revenue derived from data sales.
• TIPA Sec.47-18-3202(2)(B):
  • "During a calendar year, control or process personal information of at least one hundred seventy-five thousand (175,000) consumers": This provision applies to businesses that control or process the personal information of at least 175,000 consumers within a calendar year, regardless of their revenue model. This broad criterion ensures that businesses with extensive data processing activities are covered by the TIPA.

Implications

Implications for Business:

• Scope Limitation: The TIPA’s applicability thresholds exclude smaller businesses that do not meet the 25,000 or 175,000 consumer thresholds, focusing regulatory efforts on larger entities or those heavily involved in data trading.
• Targeted Compliance: Companies approaching or exceeding these thresholds must invest in compliance infrastructure to align with the TIPA requirements. This includes implementing robust data protection practices, consumer rights management, and transparent data handling procedures.
• Revenue Model Consideration: Businesses deriving substantial revenue from the sale of personal information (over 50% of gross revenue) are specifically targeted by Sec.47-18-3202(2)(A). This means that even smaller entities with a heavy reliance on data sales must comply with the TIPA if they meet the 25,000-consumer threshold.

Examples:

• Applicable: A large online retailer operating in Tennessee that processes personal information of 180,000 consumers annually is subject to the TIPA.
• Not Applicable: A small local service provider processing data for 20,000 consumers annually without significant revenue from data sales remains outside the scope of the TIPA.

These thresholds ensure that the law targets entities with significant data processing activities or business models heavily dependent on data, thereby focusing regulatory oversight where it is most needed.