Michigan Personal Data Privacy Act (SB 659): What you need to know
Posted: October 9, 2024
The Michigan Personal Data Privacy Act (SB 659) was introduced to the Michigan Senate and has been under consideration since last year. This comprehensive state privacy bill could make Michigan one of more than 20 US states to pass similar legislation.
Michigan’s SB 659 follows the same “Virginia-style” drafting as most other states. But the bill includes some relatively unusual provisions, including a private right of action. Here’s a look at how the law applies, what consumer rights it provides, and what it requires of businesses.
Application
SB 659 applies to businesses that operate in Michigan or offer products or services targeted at Michigan residents, provided they meet one or more of the following thresholds:
- Controls or processes personal data of at least 100,000 consumers.
- Controls or processes personal data of at least 25,000 consumers and derives any amount of revenue from the sale of personal data.
Exemptions under this law include:
- State agencies and political subdivisions.
- Financial institutions regulated under the Gramm-Leach-Bliley Act (GLBA).
- Covered entities and business associates governed by the Health Insurance Portability and Accountability Act (HIPAA).
- Institutions of higher education.
- Nonprofits operating for insurance-related crime prevention.
- Data processed for specific purposes, such as public health or research, under stringent conditions.
Additionally, the law provides exemptions for certain types of data, including:
- Protected health information under HIPAA.
- Data processed in compliance with the Children’s Online Privacy Protection Act (COPPA).
- Personal data regulated by the Family Educational Rights and Privacy Act (FERPA) and other specific federal statutes.
Definitions
Key definitions outlined in SB 659 include:
- Personal data: Information linked or reasonably linkable to an identified or identifiable individual, excluding de-identified data and publicly available information.
- Processing: Any operation or set of operations performed on personal data, including collection, use, storage, and disclosure.
- Controller: A person or entity that determines the purposes and means of processing personal data.
- Processor: A person or entity that processes personal data on behalf of a controller.
- Consent: A clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to the processing of personal data.
The bill also defines “sensitive data,” including:
- Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health, sexual orientation, or citizenship/immigration status.
- Biometric or genetic data used for identification purposes.
- Personal data collected from children under 13 years of age.
- Precise geolocation data, Social Security numbers, and financial account details.
Selling personal data and targeted advertising
The sale of personal data is defined as the exchange of personal data for monetary or other valuable consideration to a third party. Exceptions to the definition of a “sale” include:
- Disclosures to processors acting on behalf of the controller.
- Transfers to affiliates or as part of corporate transactions like mergers or acquisitions.
- Situations where the consumer has made the data public through a mass media channel.
Targeted advertising is also regulated, focusing on advertisements selected based on personal data collected from a consumer’s activities across non-affiliated websites or apps. However, first-party ads and contextual ads are excluded from this definition.
Consumer rights
Under SB 659, Michigan consumers are granted several rights regarding their personal data, including the right to:
- Access: Confirm whether a controller is processing their personal data and access that data.
- Correction: Request corrections to inaccuracies in their personal data.
- Deletion: Request the deletion of their personal data, subject to certain limitations.
- Portability: Obtain a copy of their personal data in a portable and usable format.
- Opt-out: Opt out of the sale of their personal data, targeted advertising, and profiling for significant decisions.
Businesses must comply with these requests within 45 days, with a possible 45-day extension. Controllers must provide a clear and accessible means for consumers to exercise these rights.
Obligations on controllers
SB 659 imposes several obligations on businesses, including:
- Limiting data collection to what is necessary for specified purposes.
- Implementing appropriate security measures to protect personal data.
- Providing clear and accessible privacy notices that disclose data practices and consumer rights.
- Ensuring that any changes to data practices are communicated to consumers, allowing them to opt out of new practices.
Data protection assessments
Controllers are required to conduct Data Protection Assessments (DPAs) for processing activities that present a heightened risk of harm to consumers, such as targeted advertising, the sale of personal data, or processing sensitive data. These assessments must weigh the benefits of processing against the potential risks to consumers and consider the use of safeguards to mitigate those risks.
The Michigan Attorney General can request access to these assessments during investigations, although the assessments remain confidential and are protected from public disclosure.
Obligations on processors
Processors are required to:
- Adhere to the instructions of controllers and assist them in complying with the law.
- Implement security measures to protect personal data.
- Enter into binding contracts with controllers that outline the nature, purpose, and duration of data processing, as well as the rights and obligations of both parties.
Processors must also ensure that any subprocessors they engage meet the same obligations.
Enforcement and private right of action
The Michigan Attorney General has the authority to enforce SB 659.
Before initiating an enforcement action, the Attorney General must provide a business with a 30-day notice to “cure” any alleged violations. If the violation is not cured, the Attorney General may seek civil penalties of up to $7,500 per violation.
Consumers also have a private right of action under this law, allowing them to seek actual damages and injunctive relief for violations of their rights. However, before initiating a lawsuit, consumers must provide notice to the controller or processor, giving them 30 days to cure the violation.
If SB 659 is enacted as introduced, Michigan would have the only comprehensive state privacy law with a private right of action outside California. However, such provisions are controversial and often face opposition from industry.