On 27 September 2022, State Senator Rosemary Bayer and fellow Senate Democrats presented Senate Bill 1182, the Michigan Personal Data Privacy Act, to the Michigan Senate.
The bill is currently in Michigan's Senate Energy and Technology Committee.
In this article we'll provide more information on the act, what it aims to do, whom it applies to, what it requires, and what potential penalties will be for non-compliance.
- 1. The Purpose of the Michigan Personal Data Privacy Act
- 2. To Whom Does the Michigan Personal Data Privacy Act Apply?
- 2.1. Exemptions: Who and What Does the Act Not Apply to?
- 3. Requirements of the Michigan Personal Data Privacy Act
- 3.1. Conduct a Data Protection Impact Assessment
- 3.2. Facilitate and Honor Consumer Rights
- 3.3. Opting in Possibly Required Before Processing Any Personal Data
- 4. Penalties for Non-Compliance
- 5. Status of the Act and Summary
The Purpose of the Michigan Personal Data Privacy Act
The act's preamble makes the legislation's objectives clear. These goals are the following:
The Michigan Personal Data Privacy Act aims to establish the privacy rights of consumers who will fall under its scope. This will help offer increased protection to Michigan residents.
The act requires certain persons to provide specific notices to consumers regarding the processing and sale of personal data. These will be notices on how and why their personal information is processed, whether it's sold, and to whom.
Requirements like these keep consumers informed about how their personal data is actually being used once it is shared with companies. They also keep companies accountable and transparent, since violating the requirements or treating personal data recklessly carries consequences.
Another purpose of the act is to prohibit certain actions and practices concerning the processing and sale of personal data. Standards and procedures will be established and must be followed by companies that wish to process or sell personal data. This helps rein in what could otherwise be a very abusive aspect of data collection, with companies treating personal data as another way to make money while exploiting the privacy of consumers.
The act also aims to provide for the duties and powers of certain state government officers and entities, giving them more power and rights, as well as responsibilities, in regard to monitoring actions and activities of companies, while protecting consumers in their jurisdictions.
Another purpose of the act is to create certain funds and remedies that will be available in the event of violation of the act. This helps incentivize businesses to follow the act.
These goals are common goals amongst acts, laws and regulations that aim to protect personal data.
To Whom Does the Michigan Personal Data Privacy Act Apply?
The act covers for-profit entities that either do business in Michigan or target Michigan residents with the goods or services they produce, and that also meet one of the following thresholds:
- Has and controls personal data on at least 100,000 consumers during a calendar year, or
- Has personal data of more than 25,000 consumers, and the sale of personal data accounts for 50% or more of their gross revenue in a calendar year.
Exemptions: Who and What Does the Act Not Apply to?
Entities specifically exempt from the act include:
- State agencies
- Political subdivisions of the state
- A financial institution or data subject to title V of the Gramm-Leach-Bliley Act
- A covered entity governed by the security, privacy, and breach notification regulations of the Health Insurance Portability and Accountability Act of 1996
- An institution of higher education
- Entities subject to or regulated under the insurance code of 1956
- Dental care corporations subject to or regulated under the insurance code of 1956
The following types of data are also exempt from the act:
- Protected health data under the Health Insurance Portability and Accountability Act of 1996
- Medical records as defined in section 3 of the Medical Records Access Act, 2004
- Patient identifying information
- Any personal data collection, maintenance, disclosure, sale, communication, or usage that is permitted and governed by the Fair Credit Reporting Act
- Processing or preservation of data for specific employment-related purposes
Requirements of the Michigan Personal Data Privacy Act
At the time of writing, the full requirements are not set out, nor are the existing requirements fully detailed and defined. However, there appears to be a requirement that consumers opt in to data processing before any processing can take place, and data protection impact assessments may need to be conducted when sensitive personal data is processed for certain purposes.
Conduct a Data Protection Impact Assessment
If your business deals with sensitive personal information, the Michigan Personal Data Privacy Act may require you to conduct a data protection impact assessment. As defined by the act, "sensitive personal data" includes, among many other things, a consumer's social security number, driver's license number, biometric data, political views and other kinds of information that are "sensitive" in nature.
While there aren't specific details yet on how exactly a data protection impact assessment will need to be conducted under the Michigan Personal Data Privacy Act, we can look to the GDPR that requires such an assessment in some circumstances to see how one is conducted there.
In short, a data protection impact assessment, sometimes referred to as a Privacy Impact Assessment, helps an organization identify any potential data processing risks, such as weak spots for data breaches to occur, and helps a business find solutions to these risks before they may occur.
The assessment will consider things such as how you're collecting personal information, how you're storing it, and the level of security and data compliance in place with anyone who you share the data with.
For example, the GDPR states that a data protection impact assessment should include the following four elements:
- A systematic description of the project being assessed, including why the data is to be processed
- An assessment of how necessary and proportionate the data collection project is (does it really need to happen, and is collecting the sensitive data really worth it?)
- An overall assessment of any and all potential risk factors, such as data breaches, lost data, etc.
- Details of what you plan to do to safeguard against the risks assessed, such as increasing security on servers or limiting who has access to such data
Companies that do data protection impact assessments must send the completed assessment to the Attorney General upon request, but it must be kept private and cannot be viewed by the general public.
Facilitate and Honor Consumer Rights
The act would grant consumers the following rights, all of which are very standard across modern privacy laws:
- The right of access: This allows consumers to access any personal data the business has collected about them so they can confirm that it is being processed.
- The right of rectification: This gives consumers the right to have errors in personal data rectified by requesting the business correct the errors.
- The right of deletion: This right lets consumers file a request to a business to have personal information provided by the consumer or collected about the consumer deleted.
- The right of restriction: Under this right, consumers are granted the ability to opt out of having their personal data used for any sort of profiling or targeted advertising.
- The right of portability: This right lets consumers request and acquire a copy of the personal information they previously provided to the business, and to receive it in a form that's easily portable and readable by other companies.
- The right to opt out of sales: This right lets consumers choose not to allow their collected personal information to be processed for sale by the company that holds it.
Other privacy laws such as the GDPR and the CCPA grant similar rights to users. (For more information on GDPR user rights, see our article 8 User Rights Under the GDPR. For more information on CCPA user rights, see our article Consumer Rights Under the CCPA/CPRA.) So businesses will be able to take inspiration and guidance for complying with Michigan's law from other laws such as these.
This clause explains what rights consumers have and how they can exercise them.
Opting in Possibly Required Before Processing Any Personal Data
It seems to be too early at the moment to know exactly how this potential requirement will go. While consumers are granted a right to opt out of data processing under this act, Section 7(1)(a) states that "A controller shall . . . Not process personal data or sensitive personal data concerning a consumer without obtaining the consumer's consent."
So, this seems to imply that data controllers will need to obtain consent before doing any type of processing. If this is the case, it will be a very strict threshold for consent, exceeding even the notoriously strict GDPR.
Time will tell how this aspect of the act plays out, but it's something to be aware of as part of your potential compliance plan.
Penalties for Non-Compliance
If a violation occurs and is not remedied within 30 days of notice, the Attorney General may pursue a fine of up to $7,500 for each infraction. The penalty might be $100 per day if the offense involved a data broker's improper registration with the Attorney General.
Additionally, a private right of action for actual damages, injunctive relief, and any other relief a judge deems suitable are all included in the legislation.
Status of the Act and Summary
Companies operating in Michigan should be ready for the potential dawning of a new day as the state government, along with many others across the United States, continues to propose legislation that forces businesses to create policies and processes to safeguard consumer privacy rights.
The California Consumer Privacy Act (CCPA/CPRA) set the precedent, and several other states including Colorado, Connecticut, Utah, and Virginia followed suit by passing comprehensive privacy laws that will go into effect in 2023.
The Michigan Personal Data Privacy Act being considered within the Michigan state senate would force covered businesses to create policies and processes that give consumers privacy protections. These would all be comparable to those provided by the CCPA/CPRA in California and the GDPR in the EU.
However, if the act is intended to require opt-in consent for the processing of all personal data (instead of just sensitive personal data), it would be a substantial departure from the states previously mentioned.
While it is still too early to ascertain whether the act will become state law, businesses operating in Michigan should be aware of the requirements the Michigan state government may place on them if the law is approved, and what potential steps they'll need to take to become compliant.