Michigan Personal Data Privacy Act: First Look & Summary

By: Ali Talip Pınarbaşı, CIPP/E, & LLM | Updated on: May 8, 2023


The Michigan Personal Data Privacy Act is a bill currently moving through the Michigan Senate that aims to create privacy rights for consumers and obligations for businesses concerning the sale and processing of personal data.

If passed, it would become Michigan’s first data privacy law and make Michigan the sixth US state to enact data privacy legislation.

While it’s still a little early to predict if this will become law, it’s gaining bipartisan support, so below, we’ve outlined everything businesses need to know about the Michigan PDPA. 

Table of Contents
  1. What Is the Michigan Personal Data Privacy Act?
  2. What Does the Michigan Personal Data Privacy Act Cover?
  3. Requirements of the Michigan Personal Data Privacy Act
  4. Michigan's Law vs. Other States’ Data Privacy Laws: Similarities and Differences
  5. How Will Businesses Be Impacted by the PDPA?
  6. How Will Consumers Be Impacted by the PDPA?
  7. Who Must Comply With the Michigan Data Privacy Act?
  8. How Can Businesses Get Ready?
  9. How Will the PDPA Be Enforced?
  10. Fines and Penalties Under the Michigan Data Privacy Act
  11. Current Status of the Michigan Personal Data Privacy Act
  12. Summary

What Is the Michigan Personal Data Privacy Act?

The Michigan Personal Data Privacy Act is a bill that hopes to establish privacy rights for Michigan consumers and presents requirements that entities must follow regarding the processing and sale of personal data. 

Democratic Senator Rosemary Bayer initially introduced Senate Bill 1182 in September of 2022 — later titled the Michigan Personal Data Privacy Act.

It was then referred to the Senate Committee on Energy and Technology, where it remains. 

We’re keeping an eye on its progress and will update this guide as things develop. 

What Does the Michigan Personal Data Privacy Act Cover?

According to the current text of the bill, if the Michigan Personal Data Privacy Act becomes a law, it would cover consumers, as defined for you in the screenshot below:

[Screenshot: the bill’s definition of “consumer”]

The privacy requirements it outlines would apply to any person — meaning an individual, partnership, corporation, limited liability company, association, government entity, or other legal entity — who conducts business in Michigan or produces products or services targeted to Michigan residents and meets either of the following:

  • Controls or processes personal data of at least 100,000 consumers
  • Controls or processes personal data of at least 25,000 consumers and derives over 50% of gross annual revenue from the sale of personal data

Who are controllers and processors?

  • A controller is a person — as defined above — that, alone or jointly with others, determines the purpose and means of processing personal data.
  • A processor refers to a person that processes personal data on behalf of a controller. 

Requirements of the Michigan Personal Data Privacy Act

The Michigan Personal Data Privacy Act outlines the following requirements for businesses:

  • Posting a clear and accessible privacy policy for consumers
  • Providing opt-in consent options for processing all personal data
  • Performing data protection impact assessments to process sensitive personal data
  • Contractual obligations regarding third-party data processors  
  • Registration requirements for data brokers

In the following sections, we discuss these requirements in greater detail. 

Privacy Notices for Consumers

Under the Michigan PDPA, businesses would be required to post a comprehensive privacy policy that explains all of the following information to consumers, as outlined in Section 7(3) of the bill:

  • The purpose for processing personal data
  • How a consumer can exercise their rights, and how to appeal a controller’s decision concerning consumer requests
  • Categories of personal data that the controller shares with third-parties
  • Categories of third parties with whom the controller shares personal data
  • That a controller or processor may use personal data to conduct internal research to develop, improve, or repair products, services, or technology, provided the controller or processor conducting that research obtains consent from the consumer and maintains the same security measures as otherwise required

Based on the bill’s current version, you must also establish and describe one or more secure and reliable ways for consumers to submit a request to exercise their rights within your PDPA-compliant privacy notice.

Responses to consumer requests must be free of charge, which sets the PDPA apart from other state laws like the Michigan Medical Records Access Act, which allows groups to charge a small fee whenever a consumer requests a copy of their medical records.

Opt-In Consent for Processing All Personal Data

If passed into law, the Michigan Data Privacy Act would provide opt-in consent rights to consumers for the processing of any personal data.

Specifically, Section 7(1)(a) of the Michigan PDPA states that:

“A controller shall not… process personal data or sensitive personal data concerning a consumer without obtaining the consumer’s consent…” 

While the bill doesn’t provide much clarification on this front, it appears that consumers would gain opt-in rights. However, it’s still unclear if a data controller would need to obtain consent of consumers before processing any type of personal data or if consent is only needed for particular types of data or for specific purposes. 

Therefore, businesses should keep up to date with any guidance that may be provided on the scope of consent requirements.

The screenshot below shows how the Michigan PDPA defines consent:

[Screenshot: the bill’s definition of “consent”]

This means consent could take any of the following forms:

  • A written statement
  • A statement written by electronic means
  • Any other unambiguous, affirmative action

The bill then says that you must limit the collection of personal data to what is adequate, relevant, and reasonably necessary for processing the information as communicated to the consumer. 

If you determine after the fact that you’ll process the data for different reasons than initially stated, you must disclose this to the consumer.

You must also allow them the choice to opt out of having their data used for new purposes. 

Data Protection Impact Assessments

While consent appears necessary for processing any personal data under the PDPA, entities that collect and process particular types of data would be required to perform a data protection impact assessment, as described under Section 11(2) of the bill.

If you collect and process personal data in any of the five ways listed in the current text of the bill (shown in the screenshot below), you must complete a data protection impact assessment:

[Screenshot: the five categories of collection and processing of personal data that trigger a data protection impact assessment]
The required data protection impact assessment must identify and weigh the benefits versus the associated risks to the consumer’s rights related to the processing of sensitive data, as mitigated by the safeguards employed by the controller to reduce those risks.

Businesses must factor the following details into the assessment:

  • The use of de-identified data
  • The expectations of the consumers
  • The context of processing
  • The relationship between the controller and the consumer

This would expand upon the Michigan Data Breach Notification Law already in place, which currently states that entities must notify consumers without unreasonable delay about any data breaches or leaks of first and last names in combination with:

  • Social security numbers
  • Driver’s license or state identification numbers
  • Financial account or payment card numbers in combination with any codes or passwords permitting access into the account

Contractual Obligations 

Under this potential law, you’d also be required to have a contract with any third-party data processor that does all of the following:

  • Ensures that each person processing the data is subject to a duty of confidentiality with respect to the data
  • Requires the processor to delete or return all data to the controller as requested, at the controller’s discretion, unless retention is required by law
  • Requires the processor to make available to the controller all information in its possession necessary to demonstrate the processor’s compliance with the obligations in the act
  • Requires the processor to delete or return all personal data to you as the data controller, following your instructions, at the end of the provision of services
  • Requires the processor to “engage any subprocessor pursuant to a written contract in accordance with subsection (3) that requires the subprocessor to meet the obligations of the processor with respect to the personal data,” according to Section 11(2)(e)

Additionally, you must also stipulate one of the following data privacy assessments in your contracts:

  • The processor must allow and cooperate with reasonable assessments by the data controller to support obligations under this act 
  • You must arrange for a qualified, independent assessor to conduct an assessment of the processor’s policies and technical and organizational measures per this act

Registry for Data Brokers 

Another interesting potential requirement of the Michigan PDPA impacts data brokers, as this bill would require any brokers to register with the Attorney General’s office or face possible fines of up to $100 per day.

The screenshot below shows how the bill currently defines data broker:

[Screenshot: the bill’s definition of “data broker”]

Michigan’s Law vs. Other States’ Data Privacy Laws: Similarities and Differences

Michigan’s Personal Data Privacy Act is similar to several other US state laws currently in or entering into force, but it has some subtle differences. 

It also mirrors some proposed data privacy bills in House committees in Ohio and Pennsylvania. 

In the following sections, we’ve provided tables comparing the potential Michigan data privacy law to the other laws and bills. 

Michigan’s Personal Data Privacy Act Compared to Other US State Laws

The proposed Michigan data privacy laws and rights are similar in scope to several other US state laws, some of which are already in force, while others are going into effect later in 2023. 

The table below compares the proposed Michigan data privacy bill to the other US state laws.

Michigan Personal Data Privacy Act (PDPA)

Legal threshold: For-profit entities conducting business in Michigan or targeting Michigan consumers that:

  • Control or process personal data of 100,000 consumers during a calendar year
  • Or control and process the personal data of 25,000 consumers and derive 50% or more of gross annual revenue from the sale of personal data

Consumer rights: Consumers have the right to:

  • Access personal data
  • Request to correct personal data
  • Request to delete personal data
  • Opt-out of the processing of personal data for targeted advertising or profiling
  • Opt-out of the sale of personal data
  • Opt-in to the processing of all personal data
  • Obtain portable copies of personal data

Business obligations: Businesses must:

  • Provide a compliant privacy notice to consumers
  • Follow contractual obligations with third-party data processors
  • Perform data protection impact assessments if processing sensitive personal data
  • Register with the Office of the Attorney General if they are data brokers

California Privacy Rights Act (CPRA), an amendment to the California Consumer Privacy Act (CCPA)

Legal threshold: For-profit entities doing business in California that meet one of the following:

  • Earned $25 million in gross annual revenue as of January 1 of the preceding calendar year
  • Sell, buy, and share the personal information of 100,000 California consumers
  • Derive 50% of gross annual revenue from sharing or selling personal information

Consumer rights: Consumers have the right to:

  • Access personal information
  • Correct personal information
  • Delete personal information
  • Opt-out of the sharing and selling of personal information
  • Opt-out of automated decision making and profiling
  • Limit the use of sensitive personal information
  • Pursue private action against businesses when data breaches occur, including leaks of email account information and of non-encrypted, non-redacted data
  • Require opt-in consent before the personal data of minors under 16 is shared or sold

Business obligations: Businesses must:

  • Update privacy policies to reflect new consumer rights
  • Implement reasonable security procedures and practices to protect personal information
  • Follow contractual obligations with contractors, third parties, and service providers
  • Follow new data storage limitations and practice data minimization

Colorado Privacy Act (CPA)

Legal threshold: Data controllers who conduct business in Colorado or target Colorado residents and meet one of the following:

  • Process or control the personal data of more than 100,000 consumers annually
  • Derive revenue or receive discounts from the sale of personal data and control or process the data of at least 25,000 consumers

Consumer rights: Consumers have the right to:

  • Access personal data
  • Correct personal data
  • Delete personal data
  • Opt out of the processing of personal data for targeted advertising
  • Opt out of the sale of personal data
  • Opt out of the processing of personal data for profiling in furtherance of decisions that produce legal or similar effects for the consumer
  • Receive a portable copy of their personal data
  • Have their data subject requests accepted, tracked, verified, and honored

Business obligations: Businesses must:

  • Update privacy policies to include personal data processing activities under the CPA
  • Implement reasonable security measures to protect consumer data
  • Implement a universal opt-out mechanism to meet the technical requirements of the law
  • Appoint a data protection officer

Connecticut Personal Data Privacy and Online Monitoring Act (CTDPA)

Legal threshold: Any for-profit entity conducting business in Connecticut or targeting Connecticut residents that, in the preceding calendar year, met one of the following:

  • Processed or controlled the personal data of 100,000 or more consumers
  • Processed or controlled the personal data of 25,000 consumers and earned more than 25% of total annual revenue through the sale of personal data

This law excludes personal data collected and processed solely for the purpose of completing a payment transaction.

Consumer rights: Consumers have the right to:

  • Request information about whether their personal data is being processed
  • Request to correct their personal data
  • Opt-out of data processing for targeted advertising
  • Obtain a portable copy of their personal data

Business obligations: Businesses must:

  • Provide a compliant privacy notice for consumers
  • Implement security measures for consumer data
  • Create contracts between controllers and processors following certain provisions
  • Determine a way for consumers to make a request regarding their personal data
  • Recognize consumers’ universal opt-out preference signals (as of 2025)

Utah Consumer Privacy Act (UCPA)

Legal threshold: Processors or controllers who conduct business in Utah or target Utah consumers and meet one of the following:

  • Have an annual revenue of at least $25 million
  • Process or control the personal data of at least 100,000 consumers
  • Derive more than 50% of revenue from selling personal data, in which case the threshold drops to 25,000 consumers

Consumer rights: Consumers have the right to:

  • Ask for and receive confirmation of whether a controller processes their personal data
  • Request to access their personal data
  • Request to delete personal data
  • Opt-out of the processing of personal data for targeted advertising
  • Opt-out of the selling of personal data
  • Opt-out of the processing of sensitive personal information

Business obligations: Businesses must:

  • Post a privacy notice explaining consumer rights under the UCPA
  • Implement security measures to protect consumer personal data
  • Create specific contracts between controllers and processors

Virginia Consumer Data Protection Act (CDPA)

Legal threshold: For-profit entities conducting business in Virginia or targeting Virginia residents that meet one of the following:

  • Control or process personal data of at least 100,000 consumers
  • Control and process the personal data of 25,000 consumers and derive 50% or more of gross annual revenue from the sale of personal data

Consumer rights: Consumers have the right to:

  • Access their personal data
  • Correct their personal data
  • Request to delete their personal data
  • Obtain a copy of their personal data
  • Opt-out of the processing of personal data
  • Opt-out of the processing of personal data for targeted advertising
  • Opt-out of the sale of personal data
  • Non-discrimination for exercising rights
  • Submit a complaint about rights violations

Business obligations: Businesses must:

  • Post a clear, meaningful, and reasonably accessible privacy policy
  • Obtain explicit consent from consumers to process personal data
  • Implement reasonable security measures to protect consumer personal data

If this law goes into effect, it would be one of the first US laws to require opt-in consent for the processing of all personal data, which is similar to the strict European Union (EU) privacy legislation, the General Data Protection Regulation (GDPR). 

Michigan’s Personal Data Privacy Act Compared to Other Proposed Bills

Two other states, Ohio and Pennsylvania, also currently have data privacy bills similar to the Michigan PDPA that sit in House committees.

Let’s discuss each in greater detail.

Ohio Personal Privacy Act 

In Ohio, the Ohio Personal Privacy Act, or House Bill 376, was sponsored by 10 Republican lawmakers and currently sits in the Rules and Reference Committee.

This law would apply to any for-profit entity doing business in Ohio or targeting consumers in Ohio that meet one of the following:

  • Have an annual revenue of over $25 million generated in Ohio
  • Control or processes the personal data of 100,000 or more consumers in a calendar year
  • Derives 50% of revenue from selling personal data and processes or controls personal data of 25,000 or more consumers

If passed, it would grant consumers the rights to:

  • Access personal data
  • Request to delete personal data
  • Opt-out of the processing or disseminating of personal data
  • Request a portable copy of their personal data
  • Opt-out of the sale of personal data  

Pennsylvania House Bills

In Pennsylvania, there are currently three house bills concerning data privacy legislation similar to Michigan’s bill, two titled the Consumer Data Privacy Act — House Bills 2202 and 1126 — and one called the Consumer Data Protection Act, or House Bill 2257.

The table below compares all three current Pennsylvania bills.

Consumer Data Privacy Act (House Bill 2202)

Legal threshold: Any for-profit entity performing business in Pennsylvania that meets any of the following:

  • Earns a gross annual revenue exceeding $20 million
  • Annually buys, receives, sells, or shares for commercial purposes the personal information of 100,000 or more consumers (alone or in combination)
  • Derives 50% of annual revenue from selling consumer personal information

Consumer rights: Consumers have the right to:

  • Access personal data
  • Request to correct personal data
  • Request to delete personal data
  • Opt-out of the processing of personal data for targeted advertising
  • Opt-out of the processing of personal data for profiling
  • Opt-out of the sale of personal data
  • Obtain a portable copy of their personal data

Consumer Data Privacy Act (House Bill 1126)

Legal threshold: For-profit entities that conduct business in Pennsylvania and meet one of the following:

  • Earn an annual gross revenue exceeding $10 million
  • Buy, sell, receive, or share for commercial purposes the personal information of 50,000 or more consumers (alone or in combination)
  • Derive 50% or more of gross annual revenue from selling consumer personal information

Consumer rights: Consumers have the right to:

  • Access personal data
  • Request to delete personal data
  • Opt-out of the sale of personal data
  • Bring a private right of action if non-encrypted or non-redacted personal information is breached or leaked

Consumer Data Protection Act (House Bill 2257)

Legal threshold: For-profit entities conducting business in Pennsylvania that meet one of the following:

  • Control or process personal data of at least 100,000 consumers during a calendar year
  • Control or process personal data of at least 25,000 consumers and derive more than 50% of gross annual revenue from selling personal data

Consumer rights: Consumers have the right to:

  • Access personal data
  • Correct personal data
  • Delete personal data
  • Opt-out of the processing of personal data for targeted advertising
  • Opt-out of the processing of personal data for profiling
  • Opt-out of the sale of personal data
  • Obtain a portable copy of their personal data

How Will Businesses Be Impacted by the PDPA?

The Michigan Personal Data Privacy Act, if enacted as law, will impact businesses by obligating them to do all of the following:

  • Post a compliant privacy notice for consumers
  • Establish, track, and honor consumers’ opt-out and opt-in consent choices
  • Perform data protection impact assessments 
  • Follow contractual obligations regarding third-party data processors

How Will Consumers Be Impacted by the PDPA?

Consumers would gain many different data privacy rights under the Michigan PDPA, including all of the following:

  • Privacy notice rights
  • Opt-out rights
  • Opt-in rights

Let’s talk about each of these potential consumer rights in greater detail.

Consumer Privacy Notice Rights Under the Michigan PDPA

The current version of the Michigan PDPA would give consumers the rights to:

  • Confirm the processing of personal data and access to personal data through a compliant privacy notice
  • Correct inaccuracies in their personal data
  • Delete personal data provided by or obtained about the consumer
  • Obtain a copy of the personal data that the consumer previously provided to the controller

All data controllers under the law must provide consumers with a reasonably accessible, clear, and meaningful privacy notice, as outlined in Section 7(3) of the bill.

Consumer Opt-out Rights Under the Michigan PDPA

Under the PDPA, consumers would also have the following opt-out rights:

  • Opt out of the processing of personal data for targeted advertising
  • Opt out of the sale of personal data
  • Opt out of the processing of personal data for decisions that produce legal or similarly significant effects concerning the consumer

That last bullet point refers explicitly to decisions made by a controller that result in the provision or denial of:

  • Financial and lending services
  • Housing
  • Insurance
  • Education
  • Enrollment
  • Criminal justice
  • Employment opportunities
  • Health care services
  • Access to basic necessities, including but not limited to food and water

Consumer Opt-in Rights Under the Michigan PDPA

As we briefly touched upon earlier in the article, consumers also get opt-in rights under the Michigan PDPA for the processing of any personal data. 

Under this bill, consumer opt-in consent could include a written or electronic statement or any other unambiguous affirmative action.

Who Must Comply With the Michigan Data Privacy Act?

The Michigan Personal Data Privacy Act applies to any person that conducts business in Michigan or who produces products or services targeted to Michigan residents. 

Below, the screenshot shows how the bill legally defines person:

[Screenshot: the bill’s definition of “person”]
You must also meet either of the following thresholds:

  • Controls or processes personal data of at least 100,000 consumers
  • Controls or processes personal data of at least 25,000 consumers and derives over 50% of gross annual revenue from the sale of personal data

This means, like many other pieces of data privacy legislation around the globe, this act would have an extraterritorial scope and apply to businesses outside the Michigan territory.  

Who Is Exempt From the Michigan Personal Data Privacy Act?

All of the following institutions are exempt from the current version of the Michigan Personal Data Privacy Act: 

  • Financial institutions subject to the Gramm-Leach-Bliley Act
  • Entities covered and governed by the Health Insurance Portability and Accountability Act (HIPAA)
  • Authorized and regulated data that falls under the Fair Credit Reporting Act

As for consumers, anyone in Michigan in an employment or commercial context is not covered by the Michigan PDPA. 

How Can Businesses Get Ready?

To comply with the Michigan PDPA, businesses would have to do all of the following:

  • Post a compliant privacy notice
  • Provide opt-in consent options for the processing of all personal data
  • Provide opt-out consent options for the processing and sale of personal data, targeted advertising, or decisions that produce legal effects regarding the consumer
  • Follow contractual obligations with third-party data processors
  • Perform compliant Data Protection Impact Assessments if collecting and processing sensitive personal data
  • Data brokers must register with the Attorney General’s office

How Will the PDPA Be Enforced?

The Michigan Attorney General’s office will enforce the PDPA and give entities a written 30-day notice period to cure or correct any violations.

If you correct the violations within the grace period, civil action will not be taken against your entity as long as you provide the Attorney General with a written statement saying that:

  • You’ve cured all violations
  • No further violations will occur

However, unlike the CCPA/CPRA, the Michigan PDPA doesn’t give consumers a private right of action.

Fines and Penalties Under the Michigan Data Privacy Act

The current penalties under the PDPA include fines of not more than $7,500 per violation not cured within 30 days of notice.

If the violation involves the failure of a data broker to properly register with the Attorney General, the fine could be up to $100 per day. 

Current Status of the Michigan Personal Data Privacy Act

Currently, the Michigan Personal Data Privacy Act is sitting in the Senate Energy and Technology Committee, but it’s still too early to tell if this bill will become law.

That said, it might be worth preparing for these changes, as the PDPA is one of three proposed state bills that mirror the recent CPRA amendments to the CCPA.

As we’ve already mentioned, Ohio and Pennsylvania also proposed similar legislation resembling the data privacy laws already passed in Connecticut, Colorado, Utah, and Virginia.

Summary

At this time, the Michigan PDPA is still just a bill, but it’s similar in scope to other US state privacy laws that have already passed and come into force, like the Virginia CDPA and the CPRA amendments to the CCPA.

Most notably, the PDPA requires businesses to:

  • Post a compliant privacy notice 
  • Honor consumer opt-in and opt-out consent options for processing, selling, and making legal choices regarding personal data
  • Perform data protection impact assessments
  • Follow contractual obligations regarding third-party processors

The good news is, at Termly, we’re always up to date, so we’re tracking the Michigan Personal Data Privacy Act for you as it travels through the Senate.

Check back later for real-time updates about how the Michigan Personal Data Privacy Act might impact your business.


Written by Ali Talip Pınarbaşı, CIPP/E, & LLM

Ali is a London-based Data Privacy Law Consultant with a Master of Laws Degree in EU Privacy law from King's College London. He has three years of experience in advising businesses on how to comply with data protection laws.
