Michigan: Bill for personal data privacy act passes State Senate

On December 12, 2024, Senate Bill No. 0659 to establish the personal data privacy act received passage from the Michigan State Senate, following its favorable reporting from the Committee on Finance, Insurance, and Consumer Protection. This follows the bill's introduction to the Senate on November 9, 2023.

What is the scope of the bill?

The bill applies to a person who performs business in Michigan or produces products or services that are targeted to residents of Michigan that, during a calendar year:

  • controlled or processed personal data of at least 100,0000 consumers; or
  • controlled or processed personal data of at least 25,000 consumers and derived revenue from the sale of personal data.

However, the bill does not apply to certain entities, including State agencies, institutions of higher education, or entities governed by the Health Insurance Portability and Accountability Act (HIPAA). Likewise, the bill does not apply to certain data including protected health information under HIPAA and data collected in compliance with the Family Educational Rights and Privacy Act, and Title V of the Gramm-Leach-Bliley Act.

Data is also exempt from the bill if processed or maintained for purposes including:

  • in the course of an individual applying to, employed by, or acting as an agent or independent contractor of a controller, processor, or third party, to the extent that the data was collected and used within the context of that role; and
  • as the emergency contact information of an individual for emergency contact purposes.

What data subject rights are provided under the bill?

Consumers have the right to:

  • be informed;
  • access;
  • rectification;
  • erasure;
  • portability; and
  • opt out of processing for the purposes of:
    • targeted advertising;
    • the sale of personal data; and
    • profiling in furtherance of decisions that produce legal or similarly significant effects.

Consumers may invoke their consumer rights at any time by submitting a request to a controller specifying the consumer rights that the consumer wishes to invoke. Parents or legal guardians can invoke consumer rights on behalf of a known child regarding the processing of personal data belonging to that child.

Controllers must respond to a consumer without undue delay and within 45 days after receipt of the request. The response period may be extended once by 45 additional days when reasonably necessary.

What are controller obligations under the bill?

Controllers are prohibited from processing personal data concerning a consumer without obtaining the consumer's consent. Consumers may opt out using a platform, technology, or mechanism indicating to the controller their intent to opt out of the processing or sale. The platform, technology, or mechanism must do all of the following:

  • not unfairly disadvantage another controller;
  • not make an opt-out preference the default setting;
  • require the consumer to make an affirmative, freely given, and unambiguous choice to opt out of the processing of the consumer's personal data;
  • be consumer-friendly and easy to use by the average consumer;
  • be consistent with other similar platforms, technologies, or mechanisms required by federal or state law or regulation; and
  • enable the controller to accurately determine whether the consumer is a Michigan resident and whether the consumer has made a legitimate request to opt out of a sale of the consumer's personal data or targeted advertising.

In addition, controllers must:

  • provide a consumer with a privacy notice;
  • conduct and document a Data Protection Impact Assessment (DPIA) on personal data they collected and processed;
  • require data processors to assist them in meeting their obligations, with a contract setting forth instructions for processing and duration of processing, among other things; and
  • not use a geofence to establish a virtual boundary that is within 1,750 feet of any mental health facility or reproductive or sexual health facility.

Enforcement

Notably, the bill provides for the creation of a data broker registry under the Michigan Attorney General (AG), beginning February 1, 2026, and on each February 1 thereafter if a person meets the definition of a data broker.

The Michigan AG is responsible for enforcing the provisions of the bill, setting out a fine of not more than $7,500 for each violation of the bill's provisions.

You can read the bill here and track its progress here.