Tennessee Jurisdiction: Sale of Personal Data Criterion in the Tennessee Information Protection Act (TIPA)

The Tennessee Information Protection Act (TIPA) incorporates the sale of personal data criterion as a significant factor in determining the law's applicability. Specifically, this criterion applies to entities that derive more than 50% of their gross revenue from selling personal information, thus targeting businesses with substantial engagement in data monetization.

Text of Relevant Provisions

TIPA 47-18-3202(2)(A):

"This part applies to persons that conduct business in this state producing products or services that target residents of this state and that: (2) (A) Control or process personal information of at least twenty-five thousand (25,000) consumers and derive more than fifty percent (50%) of gross revenue from the sale of personal information."

Analysis of Provisions

• Revenue Threshold and Consumer Data Volume: The provision clearly sets a dual threshold for the applicability of the TIPA. It requires that an entity both (1) controls or processes the personal information of at least 25,000 consumers and (2) derives more than 50% of its gross revenue from the sale of personal information. This combination ensures that the law primarily targets entities with significant data processing operations and a strong reliance on the monetization of personal data.
• "More than fifty percent (50%) of gross revenue": The specific mention of deriving over 50% of gross revenue from selling personal information underscores the law's focus on businesses for which data sales are a core activity. This indicates a legislative intent to regulate entities that have a substantial economic dependency on personal data sales, reflecting the higher risks associated with such business models.
• Limiting the Scope: By incorporating this high revenue threshold, TIPA limits its applicability to larger entities with a significant economic footprint in the data market. This approach ensures that small businesses or those with minimal engagement in data sales are not subject to the same regulatory burdens as larger, more data-intensive operations.

Implications

• For Businesses Engaged in Data Sales: Entities operating in Tennessee that meet the threshold of processing data for at least 25,000 consumers and generating more than 50% of their gross revenue from data sales will fall under the purview of the TIPA. These businesses must comply with the law’s requirements, which may include stricter data protection obligations.
• Revenue Dependency on Data Sales: Businesses must closely examine their revenue streams, particularly if a significant portion of their income comes from selling personal information. Meeting the 50% revenue threshold will trigger the need for compliance with TIPA, potentially requiring changes in data handling practices.
• Exemption for Smaller Entities: The high revenue threshold acts as a de facto exemption for smaller entities or those with diversified revenue sources where data sales are not the primary income stream. These businesses may not need to comply with TIPA, thus reducing their regulatory burden.