Michigan Personal Data Privacy Act
ON THIS PAGE
On 27 September 2022, Michigan Senator Rosemary Bayer and eight fellow Senate Democrats introduced Senate Bill 1182, which would create the Michigan Personal Data Privacy Act. The Michigan Legislature remains in session through the end of 2022. Read the latest bill text here.
Who does the Michigan Personal Data Privacy Act Apply to?
The Michigan Personal Data Privacy Act (MPDPA) would apply to any entity that conducts business in Michigan or produces products or services that could be accessed by Michigan residents, and meets one of the following criteria:
- collects or processes personal data on more than 100,000 consumers, or
- controls or processes personal data on more than 25,000 consumers while deriving 50% gross revenue from the sale of personal data during a calendar year.
Consumer Rights under the MPDPA
The Michigan Personal Data Privacy Act would regulate how businesses treat consumers' personal information and privacy. Michigan consumers would have the following rights:
- Right to disclosure. Consumers would have the right to confirm the processing and access their personal data upon request.
- Right to notice. Consumers would have the right to know what personal data is being collected about them and the purposes for which the information is being used.
- Right to deletion. Consumers would have the right to ask for the deletion of their personal data.
- Right to correction. Consumers would have the right to correct inaccuracies in their personal data.
- Right to opt-out. Consumers would have the right to opt-out of the processing of their personal data for any of the following purposes: targeted advertising, the sale of personal data, or profiling that produces legal or similarly significant effects concerning the consumer.
Please note that opt-in consent is required for the processing of personal data. The Act states: “A controller shall do all of the following . . . Not process personal data or sensitive personal data concerning a consumer without obtaining the consumer’s consent.” Thus, opt-in consent would be the default consent for processing all personal data. However, no guidance is provided yet on the process to obtain consent.
Exceptions for Organization under the MPDPA
The following organizations are exempted from the MPDPA:
- Financial institutions, such as those subject to the Gramm-Leach-Bliley Act (GLBA).
- Healthcare institutions, that treat personal data by adhering to other laws, such as the Health Insurance Portability and Accountability Act (HIPAA).
- Entities that collect, maintain, disclose, sell, communicate, or use any personal data to the extent it is authorized and regulated under the Fair Credit Reporting Act.
- Entities that process or maintain data for certain employment-related purposes.
MPDPA compliance
MPDPA compliance is the process of ensuring that your business meets the MPDPA law requirements regarding the collection, analysis, and selling of Michigan consumers' personal information. To get MPDPA compliance you have to create your business Privacy Policy and treat the MPDPA consumers' personal information according to the law.
Use CookieScript Consent Management Platform to create a Privacy Policy for your business, and to be MPDPA and other privacy laws compliant. We regularly update the latest privacy regulations, so you do not miss changes or new privacy laws coming into force.
Enforcement
The MPDPA would protect Michigan consumers' privacy. Infringement of the MPDPA law would be subject to enforcement by the Michigan attorney general's office which can seek civil penalties of $7500 for each intentional law violation. The entities would have a 30-day right to cure, and a private right of action with 30 days of notice.
If a business collects data from many Michigan residents, the penalty could reach millions of dollars.
Conclusion
The Act would be similar to the privacy laws passed in California, Virginia, Colorado, and Utah. Consumers would have similar rights, while entities would have comparable legal requirements and penalties in the case of breaching the law.
However, it would be one crucial difference. If the Section 7(1)(a) opt-in mandate for the processing of all personal data would be passed unchanged, as opposed to requiring to opt-in only for sensitive personal data, the Act would represent a much stricter attitude toward the collection and management of personal data.
CookieScript Consent Management Platform can help you create both the Privacy Policy and the Cookie Policy that would ensure MPDPA compliance requirements. CookieScript CMP allows you to track the full history of user consents and grant consent withdrawals at any time, making it compliant with MPDPA, CCPA (California), GDPR (EU), and other privacy laws.
Frequently Asked Questions
What is the Michigan Personal Data Privacy Act?
On 27 September 2022, Michigan Senators introduced Senate Bill 1182, which would create the Michigan Personal Data Privacy Act. The Act would apply to any entity that conducts business in Michigan, and meets one of the following criteria: collects or processes personal data on more than 100,000 consumers, or controls or processes personal data on more than 25,000 consumers while deriving 50% gross revenue from the sale of personal data.
Does Michigan have a Privacy Act?
Michigan does not have a general privacy law in effect yet. However, in September 2022, Michigan Senators introduced Senate Bill 1182, which would create the Michigan Personal Data Privacy Act, similar to the privacy laws passed in California, Virginia, Colorado, and Utah. Read CookieScript privacy laws to follow updates and be MPDPA compliant.
Who would the Michigan Personal Data Privacy Act apply to?
The MPDPA law, when passed, would apply to any for-profit business if it collects data about Michigan residents, and meets one of the following criteria: collects or processes personal data on more than 100,000 consumers, or controls or processes personal data on more than 25,000 consumers while deriving 50% gross revenue from the sale of personal data. Read CookieScript privacy laws to follow updates on the MPDPA.
What would be Michigan Consumer Rights under the Michigan Personal Data Privacy Act?
According to Senate Bill 1182, Michigan consumers would have these main rights under the MPDPA regarding their personal data: the right to disclosure, right to notice, right to deletion, and right to opt-out. Use CookieScript to be MPDPA and other privacy laws compliant.