Michigan Data Privacy Laws: Consumer Rights & Protections (2026)

Michigan takes data privacy seriously, but the state's approach differs from states like California, Texas, or Colorado that have enacted sweeping consumer data privacy statutes. Instead of a single comprehensive law, Michigan protects personal information through several targeted statutes covering data breach notification, Social Security number privacy, student records, employee internet accounts, and consumer protection.
That landscape may change soon. The Michigan Senate passed the Personal Data Privacy Act (SB 359) in 2025, which would create the state's first comprehensive consumer privacy framework. Until that bill becomes law, Michigan residents rely on existing state statutes and federal protections like HIPAA and FERPA.
This guide covers every major Michigan data privacy law currently in effect, the proposed legislation moving through the legislature, your rights as a Michigan consumer, and what businesses operating in Michigan must do to comply.
Michigan Identity Theft Protection Act (ITPA)
The Identity Theft Protection Act, enacted as Act 452 of 2004 and codified at MCL 445.61 through 445.79c, is Michigan's primary data breach notification law. It establishes requirements for how businesses and government agencies must handle security breaches involving personal information.

What Triggers a Breach Notification
Under MCL 445.72, any person or agency that owns or licenses data included in a database must notify affected Michigan residents when a security breach occurs. Notification is required when a resident's unencrypted and unredacted personal information was accessed and acquired by an unauthorized person, or when encrypted personal information was accessed by someone with unauthorized access to the encryption key.
The law defines a "security breach" as the unauthorized access and acquisition of data that compromises the security or confidentiality of personal information maintained as part of a database regarding multiple individuals.
What Counts as Personal Information
The ITPA defines "personal information" under MCL 445.63 as a person's first name or first initial and last name linked to one or more of the following data elements:
- Social Security number
- Driver license number or state personal identification card number
- Demand deposit or other financial account number, combined with a security code, access code, or password that permits access to the account
The definition specifically covers "computerized personal information," though proposed amendments in SB 360-364 would expand this to include personal information in any medium.
Notice Requirements
Businesses and agencies must provide breach notification "without unreasonable delay." The law does not set a specific number of days, but requires entities to act with the care an ordinarily prudent person would exercise under similar circumstances.
After notifying affected individuals, entities must also notify each nationwide consumer reporting agency of the security breach without unreasonable delay, including the number of notices sent and their timing.
There is one important exception. If a person or agency determines that the security breach has not caused and is not likely to cause substantial loss or injury to, or result in identity theft with respect to, one or more Michigan residents, notification is not required.
Penalties for Noncompliance
A person or agency that knowingly fails to provide required breach notification faces civil fines of up to $250 per failure to notify. The total liability for civil fines from a single security breach is capped at $750,000.
These fines are enforced by the Michigan Attorney General.
Data Destruction Requirements
MCL 445.72a requires any person or agency that maintains a database containing personal information to destroy that data when it is removed from the database and is not being retained elsewhere for a lawful purpose.
"Destroy" means shredding, erasing, or otherwise modifying the data so it cannot be read, deciphered, or reconstructed through generally available means. A knowing violation of this requirement is a misdemeanor punishable by a fine of up to $250 per violation.
Entities that comply with equivalent federal data disposal requirements are considered in compliance with this state provision.
Proposed Amendments: SB 360-364
The Michigan Senate introduced Senate Bills 360 through 364 during the 2025-2026 legislative session to modernize the Identity Theft Protection Act. These bills would make several significant changes.
Expanded Definition of Personal Information
The bills would broaden what counts as "data" from only computerized personal information to personal information contained in any medium. They would also add new categories of protected personal information, including:
- Passport numbers or other unique identification numbers issued on government documents used to verify identity
- Individually identifiable information contained in medical history, medical treatment, or diagnosis records created by a health care professional
Enhanced Security Requirements
Under the proposed amendments, private and state entities that have access to Michigan residents' personal information would be required to maintain security procedures for protecting that information. This includes assigning a security coordinator and implementing appropriate safeguards.
Attorney General Notification
If a breach affects more than 100 Michigan residents, the entity would be required to notify the Attorney General in addition to the affected individuals.
Current Status
Senate Bills 360-364 passed the Michigan Senate in August 2025 and have been referred to the House for consideration. They are tie-barred to SB 360, meaning all five bills must pass together.
Social Security Number Privacy Act
The Social Security Number Privacy Act, enacted as Act 454 of 2004 and codified at MCL 445.81 through 445.85, specifically protects the privacy of Social Security numbers in Michigan.
Prohibited Actions
Under this law, no person may intentionally do any of the following:
- Publicly display all or more than four sequential digits of a Social Security number
- Use all or more than four sequential digits of a Social Security number as a primary account number for an individual
- Visibly print all or more than four sequential digits of a Social Security number on any identification badge, card, membership card, permit, or license
Required Privacy Policies
Since January 1, 2006, any person who obtains one or more Social Security numbers in the ordinary course of business must create a written privacy policy. That policy must:
- Ensure the confidentiality of Social Security numbers
- Prohibit unlawful disclosure of Social Security numbers
- Limit access to documents containing Social Security numbers
- Describe proper disposal methods for documents containing Social Security numbers
Public Records Exemption
All or more than four sequential digits of a Social Security number contained in a public record are exempt from disclosure under Michigan's Freedom of Information Act.
Penalties
A person who violates the Social Security Number Privacy Act with knowledge that their conduct violates the law is guilty of a misdemeanor punishable by imprisonment for up to 93 days, a fine of up to $1,000, or both.
Michigan Consumer Protection Act
The Michigan Consumer Protection Act (MCPA), Act 331 of 1976, codified at MCL 445.901 through 445.922, serves as a general enforcement tool for data privacy violations in Michigan. While not specifically a privacy law, its broad prohibition against unfair, unconscionable, or deceptive trade practices gives the Attorney General authority to pursue companies that mishandle personal data.
Privacy-Related Provisions
MCL 445.903 includes specific privacy protections. The law prohibits requiring a consumer to disclose their Social Security number as a condition of selling or leasing goods or providing services, except in certain specified circumstances.
The Attorney General has used the MCPA to bring enforcement actions against companies for deceptive data practices, including a 2025 lawsuit against Roku for allegedly collecting children's personal information without required parental consent in violation of both the federal Children's Online Privacy Protection Act (COPPA) and the MCPA.
Enforcement and Remedies
The Attorney General can seek injunctive relief, civil fines, and restitution under the MCPA. Consumers may also bring private lawsuits to recover actual damages or $250, whichever is greater, plus reasonable attorney fees.
The Proposed Personal Data Privacy Act (SB 359)
The most significant pending data privacy legislation in Michigan is Senate Bill 359, the Personal Data Privacy Act. If enacted, it would establish Michigan's first comprehensive consumer privacy framework, similar to laws already in effect in California, Colorado, Connecticut, and Texas.
Who It Would Cover
SB 359 would apply to entities that conduct business in Michigan or produce products or services targeted to Michigan residents, and that during a calendar year either:
- Control or process personal data of 100,000 or more consumers, or
- Control or process personal data of 25,000 or more consumers and derive any revenue from the sale of personal data
Consumer Rights
The bill would grant Michigan residents the following rights over their personal data:
- Right to confirm whether a business is processing their personal data
- Right to access their personal data held by a business
- Right to correct inaccuracies in their personal data
- Right to delete their personal data
- Right to obtain a portable copy of their data
- Right to opt out of processing for targeted advertising
- Right to opt out of the sale of personal data
- Right to opt out of profiling that produces legal or similarly significant effects
The proposal would also require businesses to honor opt-out preference signals, such as Global Privacy Control, when sent with a consumer's consent.
Consent Requirements
A key feature of SB 359 is its consent framework. Collectors would need to obtain consent from consumers before processing their personal data and provide a privacy notice explaining the purpose of that processing.
Data Broker Registry
The bill would create a public registry for data brokers, defined as entities that knowingly collect and sell or license personal data about consumers with whom they have no direct relationship. Data brokers would be required to register annually with the Attorney General beginning February 1, 2026.
Enforcement
SB 359 would be enforced exclusively by the Michigan Attorney General. There would be no private right of action, meaning individual consumers could not sue businesses directly under this law.
Legislative Status
SB 359 passed the Michigan Senate and has been referred to the House of Representatives for consideration. It is a reintroduction of Senate Bill 659 from the 2023-2024 session, which also passed the Senate but did not advance through the House before the session ended.
Internet Privacy Protection Act
Michigan's Internet Privacy Protection Act, enacted as Act 478 of 2012, protects employees and job applicants from being required to share their personal social media and internet account credentials.
What Employers Cannot Do
The law prohibits employers from requesting or requiring an employee or job applicant to:
- Grant access to their personal internet accounts
- Allow observation of their personal internet accounts
- Disclose login information that allows access to personal internet accounts
What Employers Can Do
The law preserves several employer rights. Employers may:
- Monitor, review, or access electronic data stored on devices paid for by the employer
- Monitor data traveling through or stored on the employer's network
- Restrict or prohibit employee access to certain websites while using employer-provided devices or networks
- View publicly available information about an employee or applicant
- Conduct investigations based on specific information about activity on an employee's personal internet account related to compliance with laws or work-related misconduct
- Investigate unauthorized transfers of proprietary, confidential, or financial data to a personal account
Scope
The act does not create a duty for employers to search or monitor personal internet account activity. It applies specifically to the employer-employee and employer-applicant relationship.
Student Data Privacy Protections
Michigan has enacted specific protections for student data that supplement federal requirements under the Family Educational Rights and Privacy Act (FERPA).
Student Online Personal Protection Act
The Student Online Personal Protection Act, Act 368 of 2016, regulates operators of websites, online services, and applications used for K-12 school purposes. It covers personally identifiable student information including educational records, contact information, discipline records, test results, special education data, and grades.
Protection of Pupil Privacy Act
MCL 380.1136 prohibits school districts, intermediate school districts, public school academies, educational management organizations, and authorizing bodies from selling or providing personally identifiable information from pupil education records to for-profit business entities.
State FERPA Compliance
Michigan enacted Public Act 88 of 2000, which requires public bodies to exempt from disclosure any information that, if released, would prevent them from complying with FERPA. The Michigan Department of Education and Center for Educational Performance and Information (CEPI) maintain strict data governance frameworks to protect student records.
Preservation of Personal Privacy Act
The Preservation of Personal Privacy Act, Act 378 of 1988, codified at MCL 445.1711 through 445.1715, protects the privacy of records related to the purchase, rental, or borrowing of books, written materials, sound recordings, and video recordings.
This law prohibits disclosure of customer identification tied to these materials, with exceptions for collecting payment on overdue accounts (after written notice), activities incident to the ordinary course of business, and marketing purposes when written notice is provided.
A person who violates this act may be liable in a civil action for actual damages suffered by the customer.
Federal Laws That Apply in Michigan
Because Michigan does not yet have a comprehensive state privacy law, several federal statutes provide important baseline protections for Michigan residents.
HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) protects health information held by covered entities including healthcare providers, health plans, and healthcare clearinghouses. The Michigan Department of Health and Human Services implements HIPAA at the state level and provides authorization forms for the disclosure of protected health information.
Michigan supplements HIPAA with additional state-level protections for behavioral health and substance use disorder treatment records, which require separate consent for disclosure beyond treatment, payment, and coordination of care purposes.
FERPA
The Family Educational Rights and Privacy Act protects student education records at institutions that receive federal funding. Michigan's Department of Education enforces FERPA compliance and has enacted additional state protections through the Student Online Personal Protection Act and Protection of Pupil Privacy Act discussed above.
Gramm-Leach-Bliley Act
The GLB Act requires financial institutions to explain their information-sharing practices and protect sensitive data. Michigan-based banks, credit unions, insurance companies, and other financial services providers must comply with GLB's privacy and safeguard requirements.
Children's Online Privacy Protection Act (COPPA)
COPPA restricts the collection of personal information from children under 13 by websites and online services. Michigan's Attorney General has actively enforced COPPA, including the 2025 lawsuit against Roku for allegedly collecting children's data without parental consent.
Recent Enforcement Actions
Michigan's Attorney General has been increasingly active in data privacy enforcement, using existing state and federal tools even without a comprehensive privacy law.
Roku Lawsuit (2025)
Attorney General Dana Nessel filed a lawsuit against Roku, Inc. in the U.S. District Court for the Eastern District of Michigan, alleging the streaming platform violated COPPA and the Michigan Consumer Protection Act by collecting children's personal information without proper notice or parental consent.
Healthcare Data Breach Responses (2025-2026)
The Attorney General has issued multiple consumer alerts regarding significant data breaches affecting Michigan residents, including incidents involving McLaren Health Care, Change Healthcare, Ascension Healthcare, AT&T, and Munson Healthcare in Traverse City.
AI and Privacy (2026)
Attorney General Nessel joined a multistate coalition demanding action from xAI over Grok's creation of nonconsensual sexual content, raising concerns about violations of state and federal laws governing nonconsensual intimate images and child sexual abuse material.
How to File a Data Privacy Complaint in Michigan
If you believe your data privacy rights have been violated in Michigan, you have several options.
Contact the Michigan Attorney General's Consumer Protection Division. You can file a complaint online through the Michigan Attorney General's website or by calling the Consumer Protection hotline.
For data breaches specifically, affected individuals should place fraud alerts with the three major credit bureaus, review credit reports for unauthorized activity, and consider placing a credit freeze on their accounts.
For HIPAA violations involving health information, file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights.
For violations involving student records, contact the U.S. Department of Education's Student Privacy Policy Office.
What Michigan Businesses Must Do Now
Even without a comprehensive privacy law, Michigan businesses have clear obligations under existing statutes.
Mandatory Requirements
- Breach notification: Notify affected Michigan residents without unreasonable delay after discovering a security breach involving their personal information
- SSN protection: Never publicly display Social Security numbers and maintain a written privacy policy if you collect them
- Data destruction: Destroy personal information through shredding, erasure, or modification when removing it from your databases
- Employee privacy: Never request or require employees or applicants to share personal social media or internet account credentials
- Student data: If you operate educational technology, comply with the Student Online Personal Protection Act
Preparing for Comprehensive Privacy Law
With SB 359 advancing through the legislature, Michigan businesses should begin preparing now by:
- Auditing what personal data they collect, process, and store
- Reviewing their privacy notices and consent mechanisms
- Implementing data access and deletion request workflows
- Evaluating whether they meet the data broker definition and may need to register
- Training staff on data privacy requirements
- Consulting with legal counsel about compliance timelines
This article is for informational purposes only and does not constitute legal advice. Data privacy laws change frequently, and enforcement interpretations evolve over time. Consult a licensed attorney in Michigan for advice about your specific situation. Last reviewed: March 2026.