Privacy Laws in Michigan: What You Need to Know

Michigan is one of several states working to establish comprehensive consumer privacy legislation. While the state doesn't yet have a broad privacy law on the books like California's CCPA or Virginia's VCDPA, Michigan residents are protected by a patchwork of existing laws — and a major new privacy bill is making its way through the legislature. Here's what Michigan residents need to know about their privacy rights today and what's coming.

Current Privacy Protections in Michigan

Michigan Identity Theft Protection Act (Act 452 of 2004)

Michigan's primary data protection law is the Identity Theft Protection Act, which governs how businesses and government agencies must handle data breaches. Key requirements include:

• Breach notification: Organizations must notify affected individuals "without unreasonable delay" when a security breach compromises personal information
• Personal information covered: The law protects Social Security numbers, driver's license numbers, financial account numbers, and other sensitive identifiers
• Security requirements: Entities that handle personal information must implement and maintain reasonable security procedures to prevent unauthorized access or use

Michigan Social Security Number Privacy Act

This law restricts how businesses and government agencies can use and display Social Security numbers, prohibiting them from:

• Publicly displaying SSNs
• Printing SSNs on mailings unless required by law
• Requiring SSNs to access websites unless a secure connection is used
• Using SSNs as primary account identifiers

Michigan Consumer Protection Act

While not a dedicated privacy law, the Michigan Consumer Protection Act prohibits unfair, unconscionable, or deceptive business practices, which can include certain misuses of personal data and deceptive privacy practices.

The Proposed Michigan Personal Data Privacy Act (SB 359)

The Michigan Senate has passed SB 359, the Personal Data Privacy Act, which would create the state's first comprehensive consumer privacy framework. If enacted, it would grant Michigan residents significant new rights over their personal data.

Consumer Rights Under SB 359

The proposed law would give Michigan residents the right to:

• Access the personal data a company has collected about them
• Delete their personal data held by businesses
• Correct inaccurate personal data
• Data portability — obtain a copy of their data in a usable format
• Opt out of the sale of personal data, targeted advertising, and automated profiling

Business Obligations

Under SB 359, businesses would be required to:

• Obtain consumer consent before processing personal data and provide clear privacy notices
• Respond to consumer data requests within 45 days
• Implement and maintain reasonable security measures, including appointing a responsible coordinator and conducting regular risk assessments
• Conduct data protection impact assessments for high-risk processing activities

Data Broker Registration

A significant provision of SB 359 would require data brokers to register annually with the Michigan Attorney General. This registration requirement would increase transparency about which companies are buying and selling Michigan residents' personal information.

How Michigan Compares to Other States

Michigan's proposed privacy law shares similarities with existing legislation in other states:

• California (CCPA/CPRA): The most comprehensive state privacy law, with a private right of action for certain data breaches and a dedicated enforcement agency (CPPA). Michigan's proposal is less expansive.
• Virginia (VCDPA): Similar in structure to Michigan's SB 359, with comparable consumer rights but AG-only enforcement
• Illinois (BIPA): Illinois has one of the strongest biometric privacy laws in the country with a private right of action. Michigan does not currently have comparable biometric privacy protections.
• Colorado and Connecticut: Both have comprehensive privacy laws with similar consumer rights frameworks that Michigan's bill mirrors

What Michigan Residents Can Do Now

While waiting for comprehensive legislation, Michigan residents can take proactive steps to protect their privacy:

Exercise Your Federal Rights

• Fair Credit Reporting Act: Request and review your free annual credit reports from all three bureaus
• CAN-SPAM Act: Opt out of commercial emails and report spam
• Do Not Call Registry: Register your phone number at DoNotCall.gov to reduce telemarketing calls
• HIPAA: Request copies of your medical records and control how your health information is shared

Opt Out of Data Brokers

Michigan residents have the ability to opt out of most data broker sites individually, regardless of state law. Major brokers like Spokeo, BeenVerified, Whitepages, and others allow you to submit removal requests directly.

Take Advantage of Company-Specific Privacy Tools

Many large companies offer privacy controls to all users regardless of location, including Google's Privacy Checkup, Apple's App Tracking Transparency, and Facebook's Privacy Settings and Off-Facebook Activity controls.

Protecting Your Privacy in Michigan

Whether or not SB 359 becomes law, data brokers are actively collecting and selling Michigan residents' personal information right now. Waiting for legislation means your data remains exposed in the meantime.

PrivacyOn provides Michigan residents with immediate protection by monitoring and removing personal information from over 100 data broker sites. With 24/7 monitoring, dark web alerts, and family plans for up to 5 people, PrivacyOn gives you the privacy protection you deserve — no matter what the legislature decides. Our service starts at just $8.33 per month and covers the data broker landscape far more efficiently than submitting individual opt-out requests to each site yourself.