Tennessee Jurisdiction: Revenue-Based Applicability in the Tennessee Information Protection Act (TIPA)

The Tennessee Information Protection Act (TIPA) utilizes a revenue-based applicability factor, among others, to determine which entities fall under the law's jurisdiction. This factor is particularly relevant for businesses that generate significant income from the sale of personal information or have substantial overall revenue.

Text of Relevant Provisions

TIPA Sec.47-18-3202(1):

"(1) Exceed twenty-five million dollars ($25,000,000) in revenue; and"

TIPA Sec.47-18-3202(2)(A):

"(2)(A) Control or process personal information of at least twenty-five thousand (25,000) consumers and derive more than fifty percent (50%) of gross revenue from the sale of personal information; or"

Analysis of Provisions

• TIPA Sec.47-18-3202(1) introduces a clear revenue threshold as a condition for the law’s applicability. Specifically, the law applies to businesses with annual revenues exceeding $25 million. This provision aims to capture large-scale businesses that might have significant impacts on consumer privacy due to their financial resources and operational scale.
• TIPA Sec.47-18-3202(2)(A) further refines the scope by focusing on companies that control or process personal information of at least 25,000 consumers and derive more than 50% of their gross revenue from the sale of personal information. This additional criterion ensures that the law applies not just to large entities by revenue but also to businesses whose primary business model involves monetizing consumer data.
• The combination of these two factors—high revenue and substantial reliance on data sales—highlights a dual concern: large entities' potential to affect a significant number of consumers and the specific risks posed by business models centered on data commercialization.

Implications

• For Businesses: Entities operating in Tennessee with revenues above $25 million or those whose business models heavily depend on the sale of personal information must comply with TIPA’s provisions. This includes obligations related to data subject rights, transparency, and security practices.
• For Data Monetization: Businesses that derive a significant portion of their revenue from the sale of personal data are particularly targeted by this law. Such entities must assess their data practices to ensure compliance, as the law explicitly aims to regulate businesses that pose greater risks to consumer privacy through data sales.
• Operational Impact: Companies that meet either of these thresholds must implement robust data protection practices to avoid potential non-compliance, which could result in legal and financial penalties. Additionally, businesses close to these thresholds might consider adjusting their data practices to manage compliance risks better.