The Michigan Personal Data Privacy Act, a bill currently moving through the Michigan Senate that aims to create privacy rights for consumers and obligations for businesses concerning the sale and processing of personal data.
If passed, it would become the first Michigan data privacy law and the sixth US state to initiate data privacy legislation.
While it’s still a little early to predict if this will become law, it’s gaining bipartisan support, so below, we’ve outlined everything businesses need to know about the Michigan PDPA.
- What Is the Michigan Personal Data Privacy Act?
- What Does the Michigan Personal Data Privacy Act Cover?
- Requirements of the Michigan Personal Data Privacy Act
- Michigan's Law vs. Other States’ Data Privacy Laws: Similarities and Differences
- How Will Businesses Be Impacted by the PDPA?
- How Will Consumers Be Impacted by the PDPA?
- Who Must Comply With the Michigan Data Privacy Act?
- How Can Businesses Get Ready?
- How Will the PDPA Be Enforced?
- Fines and Penalties Under the Michigan Data Privacy Act
- Current Status of the Michigan Personal Data Privacy Act
- Summary
What Is the Michigan Personal Data Privacy Act?
The Michigan Personal Data Privacy Act is a bill that hopes to establish privacy rights for Michigan consumers and presents requirements that entities must follow regarding the processing and sale of personal data.
Democratic Senator Rosemary Bayer initially introduced Senate Bill 1182 in September of 2022 — later titled the Michigan Personal Data Privacy Act.
It was then referred to the Senate Committee on Energy and Technology, where it remains.
We’re keeping an eye on its progress and will update this guide as things develop.
What Does the Michigan Personal Data Privacy Act Cover?
According to the current text of the bill, if the Michigan Personal Data Privacy Act becomes a law, it would cover consumers, as defined for you in the screenshot below:
The privacy requirements it outlines would apply to any person — meaning an individual, partnership, corporation, limited liability company, association, government entity, or other legal entity — who conducts business in Michigan or produces products or services targeted to Michigan residents and meets either of the following:
- Controls or processes personal data of at least 100,000 consumers
- Controls or processes personal data of at least 25,000 consumers and derives over 50% of gross annual revenue from the sale of personal data
Who are controllers and processors?
- A controller is a person — as defined above — that, alone or jointly with others, determines the purpose and means of processing personal data.
- A processor refers to a person that processes personal data on behalf of a controller.
Requirements of the Michigan Personal Data Privacy Act
The Michigan Personal Data Privacy Act outlines the following requirements for businesses:
- Posting a clear and accessible privacy policy for consumers
- Providing opt-in consent options for processing all personal data
- Performing data protection impact assessments to process sensitive personal data
- Contractual obligations regarding third-party data processors
- Registration requirements for data brokers
In the following sections, we discuss these requirements in greater detail.
Privacy Notices for Consumers
Under the Michigan PDPA, businesses would be required to post a comprehensive privacy policy that explains all of the following information to consumers, as outlined in Section 7(3) of the bill:
- The purpose for processing personal data
- How a consumer can exercise their rights, and how to appeal a controller’s decision concerning consumer requests
- Categories of personal data that the controller shares with third-parties
- Categories of third parties with whom the controller shares personal data
- That a controller or processor may use personal data to conduct internal research to develop, improve, or repair products, services, or technology if the controller or processor consulting that research obtains consent from the consumer and maintains the same security measures as otherwise required
Based on the bill’s current version, you must also establish and describe one or more secure and reliable ways for consumers to submit a request to exercise their rights within your PDPA-compliant privacy notice.
Responses to consumer requests must be free of charge, separating it from other state laws like the Michigan Medical Records Access Act, which allows groups to charge a small fee whenever a consumer requests a copy of their medical records.
Opt-In Consent for Processing All Personal Data
If passed into law, the Michigan Data Privacy Act would provide opt-in consent rights to consumers for the processing of any personal data.
Specifically, Section 7(1)(a) of the Michigan PDPA states that:
“A controller shall not… process personal data or sensitive personal data concerning a consumer without obtaining the consumer’s consent…”
While the bill doesn’t provide much clarification on this front, it appears that consumers would gain opt-in rights. However, it’s still unclear if a data controller would need to obtain consent of consumers before processing any type of personal data or if consent is only needed for particular types of data or for specific purposes.
Therefore, businesses should keep up to date with any guidance that may be provided on the scope of consent requirements.
The screenshot below shows how the Michigan PDPA defines consent:
This means consent could include a:
- Written statement
- Statement written by electronic means
- Any other unambiguous, affirmative action
The bill then says that you must limit the collection of personal data to what is adequate, relevant, and reasonably necessary for processing the information as communicated to the consumer.
If you determine after the fact that you’ll process the data for different reasons than initially stated, you must disclose this to the consumer.
You must also allow them the choice to opt out of having their data used for new purposes.
Data Protection Impact Assessments
While consent appears necessary for processing any personal data under the PDPA, entities that collect and process particular types of data would be required to perform a data protection impact assessment, as described under Section 11(2) of the bill.
If you collect and process personal data as defined in these 5 following ways as outlined in the current text of the bill, you must complete a data protection impact assessment:
The required data protection impact assessment must identify and weigh the benefits versus the associated risks to the consumer’s rights related to the processing of sensitive data, as mitigated by the safeguards employed by the controller to reduce those risks.
Businesses must factor the following details into the assessment:
- The use of de-identified data
- The expectations of the consumers
- The context of processing
- The relationship between the controller and the consumer
This would expand upon the already in place Michigan Data Breach Notification Law, which currently states that entities must notify consumers without unreasonable delay about any data breaches or leaks of first and last names in combination with:
- Social security numbers
- Driver’s license or state identification numbers
- Financial account or payment card numbers in combination with any codes or passwords permitting access into the account
Contractual Obligations
Under this potential law, you’d also be required to create contracts with any third-party processor of data that ensures all of the following:
- Ensure that each person processing data is subject to a duty of confidentiality with respect to the data
- Delete or return all data to the controller as requested, at the controller’s discretion, unless retention is required by law
- Make available to the controller all information in its possession necessary to demonstrate the processor’s compliance with the obligations in the act
- Require processor to delete or return all personal data to you as the data controller as requested at the end of the provision of services, following your instructions
- Processor must be obliged to “engage any subprocessor pursuant to a written contract in accordance with subsection (3) that requires the subprocessor to meet the obligations of the processor with respect to the personal data” according to Section 11(2)(e)
Additionally, you must also stipulate one of the following data privacy assessments in your contracts:
- The processor must allow and cooperate with reasonable assessments by the data controller to support obligations under this act
- You must arrange for a qualified, independent assessor to conduct an assessment of the processor’s policies and technical and organizational measures per this act
Registry for Data Brokers
Another interesting potential requirement of the Michigan PDPA impacts data brokers, as this bill would require any brokers to register with the Attorney General’s office or face possible fines of up to $100 per day.
The screenshot below shows how the bill currently defines data broker:
Michigan’s Law vs. Other States’ Data Privacy Laws: Similarities and Differences
Michigan’s Personal Data Privacy Act is similar to several other US state laws currently in or entering into force, but it has some subtle differences.
It also mirrors some proposed data privacy bills in House committees in Ohio and Pennsylvania.
In the following sections, we’ve provided tables comparing the potential Michigan data privacy law to the other laws and bills.
Michigan’s Personal Data Privacy Act Compared to Other US State Laws
The proposed Michigan data privacy laws and rights are similar in scope to several other US state laws, some of which are already in force, while others are going into effect later in 2023.
The table below compares the proposed Michigan data privacy bill to the other US state laws.
| State Law |
Legal Threshold |
Consumer Rights |
Business Obligations |
|
Michigan Personal Data Privacy Act (PDPA) |
For-profit entities conducting business in Michigan or targeting Michigan consumers and:
|
Consumers have the right to:
|
Businesses must:
|
|
California Privacy Rights Act (CPRA) an amendment to the California Consumer Privacy Act (CCPA) |
For-profit entities doing business in California that meet one of the following:
|
Consumers have the right to:
|
Businesses must:
|
|
Colorado Privacy Act (CPA) |
Data controllers who conduct business in Colorado or target Colorado residents and meet one of the following:
|
Consumers have the right to:
|
Businesses must:
|
|
Connecticut Personal Data Privacy and Online Monitoring Act (CTDPA) |
Any for-profit entity conducting business in Connecticut or targeting Connecticut residents that, in the preceding calendar year, meets one of the following:
This law excludes personal data collected and processed solely for the purpose of completing a payment transaction. |
Consumers have the right to:
|
Businesses must:
|
|
Utah Consumer Privacy Act (UCPA) |
Processors or controllers who conduct business in Utah or target Utah consumers who meet one of the following:
|
Consumers have the right to:
|
Businesses must:
|
|
Virginia Consumer Data Protection Act (CDPA) |
For-profit entities conducting business in Virginia or targeting Virginia residents who meet one of the following:
|
Consumers have the right to:
|
Businesses must:
|
If this law goes into effect, it would be one of the first US laws to require opt-in consent for the processing of all personal data, which is similar to the strict European Union (EU) privacy legislation, the General Data Protection Regulation (GDPR).
Michigan’s Personal Data Privacy Act Compared to Other Proposed Bills
Two other states, Ohio and Pennsylvania, also currently have data privacy bills similar to the Michigan PDPA that sit in House committees.
Let’s discuss each in greater detail.
Ohio Personal Privacy Act
In Ohio, the Ohio Personal Privacy Act, or House Bill 376, was sponsored by 10 Republican lawmakers and currently sits in the Rules and Reference Committee.
This law would apply to any for-profit entity doing business in Ohio or targeting consumers in Ohio that meet one of the following:
- Have an annual revenue of over $25 million generated in Ohio
- Control or processes the personal data of 100,000 or more consumers in a calendar year
- Derives 50% of revenue from selling personal data and processes or controls personal data of 25,000 or more consumers
If passed, it would grant consumers the rights to:
- Access personal data
- Request to delete personal data
- Opt-out of the processing or disseminating of personal data
- Request a portable copy of their personal data
- Opt-out of the sale of personal data
Pennsylvania House Bills
In Pennsylvania, there are currently three house bills concerning data privacy legislation similar to Michigan’s bill, two titled the Consumer Data Privacy Act — House Bills 2202 and 1126 — and one called the Consumer Data Protection Act, or House Bill 2257.
The table below compares all three current Pennsylvania bills.
| House Bill | Legal Threshold | Consumer Rights |
| Consumer Data Privacy Act (House Bill 2202) | Any for-profit entity performing business in Pennsylvania that meets any of the following:
|
Consumers have the right to:
|
| Consumer Data Privacy Act (House Bill 1126) | For-profit entities that conduct business in Pennsylvania and meet one of the following:
|
Consumers have the right to:
|
| Consumer Data Protection Act (House Bill 2257) | For-profit entities conducting business in Pennsylvania that meet one of the following:
|
Consumers have the right to:
|
How Will Businesses Be Impacted by the PDPA?
The Michigan Personal Data Privacy Act, if enacted as Law, will impact businesses by obligating them to do all of the following:
- Post a compliant privacy notice for consumers
- Establish, track, and honor consumers’ opt-out and opt-in consent choices
- Perform data protection impact assessments
- Follow contractual obligations regarding third-party data processors
How Will Consumers Be Impacted by the PDPA?
Consumers would gain many different data privacy rights under the Michigan PDPA, including all of the following:
- Privacy notice rights
- Opt-out rights
- Opt-in rights
Let’s talk about each of these potential consumer rights in greater detail.
Consumer Privacy Notice Rights Under the Michigan PDPA
The current version of the Michigan PDPA would give consumers the rights to:
- Confirm the processing of personal data and access to personal data through a compliant privacy notice
- Correct inaccuracies in their personal data
- Delete personal data provided by or obtained about the consumer
- Obtain a copy of the personal data that the consumer previously provided to the controller
All data controllers under the law must provide consumers with a reasonably accessible, clear, and meaningful privacy notice, as outlined in Section 7(3) of the bill.
Consumer Opt-out Rights Under the Michigan PDPA
Under the PDPA, consumers would also have the following opt-out rights:
- Opt out of the processing of personal data or targeted advertising
- Opt out of the sale of personal data
- Opt out of the processing of decisions that produce legal or similarly significant effects concerning the consumer
That last bullet point refers explicitly to decisions made by a controller that results in the provision or denial of:
- Financial and lending services
- Housing
- Insurance
- Education
- Enrollment
- Criminal justice
- Employment opportunities
- Health care services
- Access to basic necessities, including but not limited to food and water
Consumer Opt-in Rights Under the Michigan PDPA
As we briefly touched upon earlier in the article, consumers also get opt-in rights under the Michigan PDPA for the processing of any personal data.
Under this bill, consumer opt-in consent could include a written or electronic statement or any other unambiguous affirmative action.
Who Must Comply With the Michigan Data Privacy Act?
The Michigan Personal Data Privacy Act applies to any person that conducts business in Michigan or who produces products or services targeted to Michigan residents.
Below, the screenshot shows how the bill legally defines person:
You must also meet either of the following thresholds:
- Controls or processes personal data of at least 100,000 consumers
- Controls or processes personal data of at least 25,000 consumers and derives over 50% of gross annual revenue from the sale of personal data
This means, like many other pieces of data privacy legislation around the globe, this act would have an extraterritorial scope and apply to businesses outside the Michigan territory.
Who Is Exempt From the Michigan Personal Data Privacy Act?
All of the following institutions are exempt from the current version of the Michigan Personal Data Privacy Act:
- Financial institutions subject to the Gramm-Leach-Bliley Act
- Entities covered and governed by the Health Insurance Portability and Accountability Act (HIPAA)
- Authorized and regulated data that falls under the Fair Credit Reporting Act
As for consumers, anyone in Michigan in an employment or commercial context is not covered by the Michigan PDPA.
How Can Businesses Get Ready?
To comply with the Michigan PDPA, businesses would have to do all of the following:
- Post a compliant privacy notice
- Provide opt-in consent options for the processing of all personal data
- Provide opt-out consent options for the processing and sale of personal data, targeted advertising, or decisions that produce legal effects regarding the consumer
- Follow contractual obligations with third-party data processors
- Perform compliant Data Protection Impact Assessments if collecting and processing sensitive personal data
- Data brokers must register with the Attorney General’s office
How Will the PDPA Be Enforced?
The Michigan Attorney General’s office will enforce the PDPA and give entities a written 30-day notice period to cure or correct any violations.
If you correct the violations within the grace period, civil action will not be taken against the entity as long as they provide the Attorney General with a written statement saying:
- You’ve cured all violations
- No further violations will occur
However, unlike the CCPA/CPRA, the Michigan PDPA doesn’t give users the right to private action.
Fines and Penalties Under the Michigan Data Privacy Act
The current penalties for the PDPA include fines of not more than $7,500 per any violation not cured within 30 days of notice.
If the violation involves the failure of a data broker to properly register with the Attorney General, the fine could be up to $100 per day.
Current Status of the Michigan Personal Data Privacy Act
Currently, the Michigan Personal Data Act is sitting in the Senate Energy and Technology Committee, but it’s still too early to tell if this bill will become law.
That said, it might be worth preparing for these changes, as the PDPA is one of three proposed state bills that mirror the recent CPRA amendments to the CCPA.
As we’ve already mentioned, Ohio and Pennsylvania also proposed similar legislation resembling the data privacy laws already passed in Connecticut, Colorado, Utah, and Virginia.
Summary
At this time, the Michigan PDPA is still just a bill, but it’s similar in scope to other US state privacy laws that have already passed and come into force, like the Virginia CDPA and the CPRA amendments to the CCPA.
Most notably, the PDPA requires businesses to:
- Post a compliant privacy notice
- Honor consumer opt-in and opt-out consent options for processing, selling, and making legal choices regarding personal data
- Perform data protection impact assessments
- Follow contractual obligations regarding third-party processors
The good news is, at Termly, we’re always up to date, so we’re tracking the Michigan Personal Data Protection Act for you as it travels through the Senate.
Check back later for real-time updates about how the Michigan Personal Data Protection Act might impact your business.
More about the author
Written by Ali Talip Pınarbaşı, CIPP/E, & LLM
Ali is a London-based Data Privacy Law Consultant with a Master of Laws Degree in EU Privacy law at King's College London. He has three years of experience in advising businesses on how to comply data protection laws. More about the author
