Michigan Personal Data Privacy Act: First Look & Summary

By: Ali Talip Pınarbaşı, CIPP/E, & LLM | Updated on: February 28, 2025


The Michigan Personal Data Privacy Act is a dead bill that moved through the Michigan Senate in 2023 and aimed to create privacy rights for consumers and obligations for businesses concerning the sale and processing of personal data.

Even though this law did not pass, I summarized what this bill looked like and how it would have impacted businesses if it had become a law.

UPDATE: The MPDPA did not pass into law and Michigan currently still does not have a consumer data privacy law in effect. 

Table of Contents
  1. What Is the Michigan Personal Data Privacy Act?
  2. What Does the Michigan Personal Data Privacy Act Cover?
  3. Requirements of the Michigan Personal Data Privacy Act
  4. How Would Businesses Be Impacted by the PDPA?
  5. How Would Consumers Be Impacted by the PDPA?
  6. Who Would Need To Comply With the Michigan Data Privacy Act?
  7. How Would the PDPA Be Enforced?
  8. Fines and Penalties Under the Michigan Data Privacy Act
  9. Summary

What Is the Michigan Personal Data Privacy Act?

The Michigan Personal Data Privacy Act was a bill that aimed to establish privacy rights for Michigan consumers and set out requirements that entities would have needed to follow regarding the processing and sale of personal data.

Democratic Senator Rosemary Bayer initially introduced Senate Bill 1182 in September of 2022 — it was later titled the Michigan Personal Data Privacy Act.

It was then referred to the Senate Committee on Energy and Technology, where it eventually died on the table.

What Does the Michigan Personal Data Privacy Act Cover?

According to the text of the bill, if the Michigan Personal Data Privacy Act had become law, it would have covered consumers, as defined in the screenshot below:

[Screenshot: the bill's definition of "consumer"]

The privacy requirements it outlined would have applied to any person — meaning an individual, partnership, corporation, limited liability company, association, government entity, or other legal entity — who conducts business in Michigan or produces products or services targeted to Michigan residents and meets either of the following:

  • Controls or processes personal data of at least 100,000 consumers
  • Controls or processes personal data of at least 25,000 consumers and derives over 50% of gross annual revenue from the sale of personal data

Requirements of the Michigan Personal Data Privacy Act

The Michigan Personal Data Privacy Act outlined the following requirements for businesses:

  • Posting a clear and accessible privacy policy for consumers
  • Providing opt-in consent options for processing all personal data
  • Performing data protection impact assessments to process sensitive personal data
  • Contractual obligations regarding third-party data processors
  • Registration requirements for data brokers

Privacy Notices for Consumers

Under the Michigan PDPA, businesses would have been required to post a comprehensive privacy policy that explains all of the following information to consumers, as outlined in Section 7(3) of the bill:

  • The purpose for processing personal data
  • How a consumer can exercise their rights, and how to appeal a controller’s decision concerning consumer requests
  • Categories of personal data that the controller shares with third parties
  • Categories of third parties with whom the controller shares personal data
  • That a controller or processor may use personal data to conduct internal research to develop, improve, or repair products, services, or technology if the controller or processor conducting that research obtains consent from the consumer and maintains the same security measures as otherwise required

It also required businesses to establish and describe one or more secure and reliable ways for consumers to submit a request to exercise their rights.

Opt-In Consent for Processing All Personal Data

If it had passed into law, the Michigan Data Privacy Act would have provided opt-in consent rights to consumers for the processing of any personal data.

Specifically, Section 7(1)(a) of the Michigan PDPA stated that:

“A controller shall not… process personal data or sensitive personal data concerning a consumer without obtaining the consumer’s consent…”

The screenshot below shows how the Michigan PDPA defines consent:

[Screenshot: the bill's definition of "consent"]

The bill then said that businesses would have needed to limit the collection of personal data to what is adequate, relevant, and reasonably necessary for processing the information as communicated to the consumer.

Data Protection Impact Assessments

If the PDPA had become law, entities that collect and process particular types of data would have been required to perform a data protection impact assessment, as described under Section 11(2) of the bill.

Entities that collected and processed personal data in any of the 5 ways outlined in the text of the bill, shown in the screenshot below, would have been required to complete data protection impact assessments:

[Screenshot: the five kinds of personal data collection and processing that trigger a data protection impact assessment]

The data protection impact assessment would have needed to identify and weigh the benefits versus the associated risks to the consumer’s rights related to the processing of sensitive data, as mitigated by the safeguards employed by the controller to reduce those risks.

It would have expanded upon the Michigan Data Breach Notification Law already in place, which currently requires entities to notify consumers without unreasonable delay of any data breach or leak exposing first and last names in combination with:

  • Social security numbers
  • Driver’s license or state identification numbers
  • Financial account or payment card numbers in combination with any codes or passwords permitting access to the account

Contractual Obligations

If this had become law, businesses would have been required to create contracts with any third-party data processors that ensure all of the following:

  • Each person processing data is subject to a duty of confidentiality with respect to the data
  • The processor deletes or returns all data to the controller as requested, at the controller’s discretion, unless retention is required by law
  • The processor makes available to the controller all information in its possession necessary to demonstrate the processor’s compliance with the obligations in the act
  • The processor deletes or returns all personal data to you as the data controller, as requested, at the end of the provision of services, following your instructions
  • The processor is obliged to “engage any subprocessor pursuant to a written contract in accordance with subsection (3) that requires the subprocessor to meet the obligations of the processor with respect to the personal data,” according to Section 11(2)(e)

Registry for Data Brokers

Another interesting potential requirement of the Michigan PDPA would have impacted data brokers, as this bill would have required any brokers to register with the Attorney General’s office or face possible fines of up to $100 per day.

The screenshot below shows how the bill defined data broker:

[Screenshot: the bill's definition of "data broker"]

Michigan’s Personal Data Privacy Act Compared to Other Proposed Bills

Two other states, Ohio and Pennsylvania, also currently have data privacy bills similar to the Michigan PDPA that sit in House committees.

Let’s discuss each in greater detail.

Ohio Personal Privacy Act

In Ohio, the Ohio Personal Privacy Act, or House Bill 376, was sponsored by 10 Republican lawmakers and currently sits in the Rules and Reference Committee.

This law would apply to any for-profit entity doing business in Ohio or targeting consumers in Ohio that meets one of the following:

  • Has annual revenue of over $25 million generated in Ohio
  • Controls or processes the personal data of 100,000 or more consumers in a calendar year
  • Derives 50% of revenue from selling personal data and processes or controls the personal data of 25,000 or more consumers

If passed, it would grant consumers the rights to:

  • Access personal data
  • Request to delete personal data
  • Opt out of the processing or disseminating of personal data
  • Request a portable copy of their personal data
  • Opt out of the sale of personal data

Pennsylvania House Bills

In Pennsylvania, there are currently three house bills concerning data privacy legislation similar to Michigan’s bill, two titled the Consumer Data Privacy Act — House Bills 2202 and 1126 — and one called the Consumer Data Protection Act, or House Bill 2257.

The table below compares all three current Pennsylvania bills.

How Would Businesses Be Impacted by the PDPA?

The Michigan Personal Data Privacy Act, if enacted as law, would have impacted businesses by obligating them to do all of the following:

  • Post a compliant privacy notice for consumers
  • Establish, track, and honor consumers’ opt-out and opt-in consent choices
  • Perform data protection impact assessments
  • Follow contractual obligations regarding third-party data processors

How Would Consumers Be Impacted by the PDPA?

Consumers would have gained different data privacy rights under the Michigan PDPA, including the following:

  • Privacy notice rights
  • Opt-out rights
  • Opt-in rights

Who Would Need To Comply With the Michigan Data Privacy Act?

The Michigan Personal Data Privacy Act would have applied to any person that conducts business in Michigan or who produces products or services targeted to Michigan residents.

Below, the screenshot shows how the bill legally defined person:

[Screenshot: the bill's definition of "person"]

You would have also needed to meet either of the following thresholds:

  • Controls or processes personal data of at least 100,000 consumers
  • Controls or processes personal data of at least 25,000 consumers and derives over 50% of gross annual revenue from the sale of personal data

This means that, like many other pieces of data privacy legislation around the globe, this act would have had an extraterritorial scope and applied to businesses outside Michigan.

Who Is Exempt From the Michigan Personal Data Privacy Act?

All of the following would have been exempt from the Michigan Personal Data Privacy Act:

  • Financial institutions subject to the Gramm-Leach-Bliley Act
  • Entities covered and governed by the Health Insurance Portability and Accountability Act (HIPAA)
  • Data authorized and regulated under the Fair Credit Reporting Act

As for consumers, anyone in Michigan acting in an employment or commercial context would not have been covered by the Michigan PDPA.

How Would the PDPA Be Enforced?

The Michigan Attorney General’s office would have enforced the PDPA and given entities a written 30-day notice period to cure or correct any violations.

However, unlike the CCPA/CPRA, the Michigan PDPA didn’t give consumers a private right of action.

Fines and Penalties Under the Michigan Data Privacy Act

The penalties under the PDPA included fines of not more than $7,500 per violation not cured within 30 days of notice.

If the violation involved the failure of a data broker to properly register with the Attorney General, the fine could have been up to $100 per day.

Summary

The Michigan PDPA is now a failed data privacy bill, but it was similar in scope to other US state privacy laws that have passed and come into force, like the Virginia CDPA and the CPRA amendments to the CCPA.

The good news is, at Termly, we’re always up to date, so we’re tracking laws and bills like the Michigan Personal Data Privacy Act for you as they travel through state governments.


Written by Ali Talip Pınarbaşı, CIPP/E, & LLM

Ali is a London-based Data Privacy Law Solicitor with a Master of Laws Degree in EU Privacy law at King's College London. He has six years of experience in advising businesses on how to comply with data protection laws.
