Law: Please note this State does not have a general privacy law in effect, you can visit our US State Law Tracker to monitor the progress of US State bills.

Regulator: The Michigan Attorney General ('AG')

Summary: Michigan has not yet enacted a privacy and data protection act. However, Senate Bill (SB) 1182 for a Personal Data Privacy Act was introduced on September 27, 2022. The bill aims to establish privacy rights for Michigan consumers and would apply to businesses that control or process the personal data of at least 100,000 consumers or businesses that control or process the personal data of at least 25,000 consumers and derive over 50% of gross annual revenue from the sale of personal data. Section 7(3) of the bill introduces a requirement for businesses to provide consumers with a comprehensive privacy policy notice. This notice should include the categories of personal data processed by the controller, the purpose of processing personal data, how a consumer can exercise their rights, and the categories of third parties with whom the controller shares personal data.

Nonetheless, Michigan has its own data breach requirements under the Identity Theft Protection Act (Act 452 of 2004) under §445.61 et seq. of the Michigan Compiled Laws. The data breach requirements specify that Michigan residents must be notified if their personal data is accessed and acquired by an unauthorized person, or if said person obtains access to the encryption key of encrypted data. The data breach requirements may be enforced by the regulator, the Michigan Attorney General (AG) or a privacy attorney, despite there being no specific requirement to inform the AG of a breach.

Other relevant privacy laws in Michigan include the Insurance Data Security Law, which came into effect on January 20, 2020, and mandates licensed insurers to develop, implement, and maintain a comprehensive information security program.

You can follow legislative developments in the US through the USA State Law Tracker.