Michigan Data Privacy Laws: Consumer Rights & Protections (2026)

Michigan has no comprehensive consumer data privacy law. The Identity Theft Protection Act (MCL 445.61 to 445.79c) requires breach notification, the Social Security Number Privacy Act (MCL 445.81 to 445.85) restricts SSN use, and the Insurance Data Security Act (MCL 500.550 to 500.565) applies to insurance licensees.
Michigan protects personal information through a patchwork of targeted statutes rather than a single comprehensive privacy law. The Identity Theft Protection Act governs data breach notification. The Social Security Number Privacy Act limits how businesses handle SSNs. The Insurance Data Security Act imposes cybersecurity mandates on every insurance licensee in the state. Several additional sector-specific laws cover student records, employee internet accounts, and library borrowing records.
The legislative landscape is moving. Senate Bill 359 would create Michigan's first comprehensive consumer data privacy framework with access, correction, deletion, and opt-out rights, but the bill remained in the Senate Committee of the Whole as of June 2025 and has not passed either chamber. Senate Bills 360 through 364, which would modernize the breach-notification law and require AG notification for large breaches, passed the Senate in August 2025 and sit in the House Committee on Government Operations.
Layered over all state law are several federal statutes, including HIPAA, GLBA, COPPA, FCRA, and the newly effective TAKE IT DOWN Act, that together provide baseline privacy protections for Michigan residents regardless of what the state legislature does next.
This guide covers every major Michigan data privacy law currently in effect, the pending legislation moving through the legislature, your rights as a Michigan consumer, and what businesses operating in Michigan must do to comply.
Michigan Identity Theft Protection Act
The Identity Theft Protection Act, enacted as Act 452 of 2004 and codified at MCL 445.61 through 445.79c, is Michigan's primary data breach notification law. It sets the baseline for how businesses and government agencies must handle security breaches involving personal information.

What Triggers a Breach Notification
Under MCL 445.72, any person or agency that owns or licenses data in a database must notify affected Michigan residents when a security breach occurs. Notification is required when a resident's unencrypted and unredacted personal information was accessed and acquired by an unauthorized person, or when encrypted personal information was accessed by someone with unauthorized access to the encryption key.
The law defines a "security breach" as the unauthorized access and acquisition of data that compromises the security or confidentiality of personal information maintained as part of a database regarding multiple individuals.
What Counts as Personal Information
The ITPA defines "personal information" under MCL 445.63 as a person's first name or first initial and last name linked to one or more of the following:
- Social Security number
- Driver license number or state personal identification card number
- Demand deposit or other financial account number, combined with a security code, access code, or password that permits access to the account
The definition currently covers computerized personal information. Proposed amendments in SB 360-364 would expand this to personal information in any medium and would add passport numbers and individually identifiable health-care records as protected categories.
Notice Requirements
Businesses and agencies must provide breach notification "without unreasonable delay." The law does not set a specific number of days; the standard is the care an ordinarily prudent person would exercise under similar circumstances. After notifying affected individuals, entities must also notify each nationwide consumer reporting agency of the breach without unreasonable delay, including the number of notices sent.
One exception applies. If a person or agency determines that the breach has not caused and is not likely to cause substantial loss or injury to, or result in identity theft with respect to, one or more Michigan residents, notification is not required.
Penalties for Noncompliance
A person or agency that knowingly fails to provide required breach notification faces civil fines of up to $250 per failure to notify. Total civil-fine liability from a single security breach is capped at $750,000. These fines are enforced by the Michigan Attorney General.
Data Destruction Requirements
MCL 445.72a requires any person or agency that maintains a database containing personal information to destroy that data when it is removed from the database and is not being retained elsewhere for a lawful purpose. "Destroy" means shredding, erasing, or otherwise modifying the data so it cannot be read, deciphered, or reconstructed through generally available means. A knowing violation is a misdemeanor punishable by a fine of up to $250 per violation. Entities that comply with equivalent federal data-disposal requirements are considered in compliance with this provision.
Proposed ITPA Amendments: SB 360-364
The Michigan Senate introduced Senate Bills 360 through 364 in 2025 to modernize the Identity Theft Protection Act. The Senate passed all five bills on August 26, 2025, and they were referred to the House Committee on Government Operations, where they remain pending as of May 2026.
The bills would require private and state entities with access to Michigan residents' personal information to maintain written security procedures, including assignment of a security coordinator. For breaches affecting more than 100 Michigan residents, entities would be required to notify the Attorney General in addition to affected individuals. The expanded personal-information definition would add passport numbers and health-care records. SB 361 through 364 are all tie-barred to SB 360, meaning all five bills must pass together.
Social Security Number Privacy Act
The Social Security Number Privacy Act, enacted as Act 454 of 2004 and codified at MCL 445.81 through 445.85, specifically protects SSN privacy in Michigan.
Prohibited Actions
No person may intentionally:
- Publicly display all or more than four sequential digits of a Social Security number
- Use all or more than four sequential digits of an SSN as a primary account number for an individual
- Visibly print all or more than four sequential digits of an SSN on any identification badge, card, membership card, permit, or license
Required Privacy Policies
Since January 1, 2006, any person who obtains one or more Social Security numbers in the ordinary course of business must create a written privacy policy that ensures SSN confidentiality, prohibits unlawful disclosure, limits access to SSN-containing documents, and describes proper disposal methods.
Public Records Exemption
All or more than four sequential digits of an SSN contained in a public record are exempt from disclosure under Michigan's Freedom of Information Act (MCL 15.231 et seq.). Michigan FOIA Section 13(1)(a), codified at MCL 15.243, provides a broader privacy exemption for any information of a personal nature where public disclosure would constitute a clearly unwarranted invasion of privacy.
Penalties
A person who violates the SSN Privacy Act with knowledge that their conduct violates the law is guilty of a misdemeanor punishable by imprisonment for up to 93 days, a fine of up to $1,000, or both.
Michigan Insurance Data Security Act
Michigan enacted the Insurance Data Security Act, codified at MCL 500.550 through 500.565 as Chapter 5A of the Insurance Code of 1956 (Act 218), on December 28, 2018. The law took effect January 20, 2021. It is modeled on the 2017 NAIC Insurance Data Security Model Law and applies to every insurance licensee in Michigan.

Who It Covers
The act applies to all persons licensed under the Michigan Insurance Code, including insurers, producers, adjusters, third-party administrators, and any other licensed insurance entity doing business in Michigan.
Information Security Program Requirements
Each licensee must develop, implement, and maintain a comprehensive written information security program (WISP) based on the licensee's own risk assessment. The WISP must:
- Identify reasonably foreseeable internal and external threats to nonpublic information
- Assess the likelihood and potential damage from those threats
- Assess the sufficiency of existing safeguards
- Establish and maintain safeguards to control identified risks
Licensees must also submit an annual certification of compliance to the Department of Insurance and Financial Services (DIFS).
Cybersecurity Event Reporting
When a licensee determines that a cybersecurity event involving nonpublic information has occurred, the licensee must notify the DIFS Director as promptly as possible, but no later than 10 business days after the determination. This 10-business-day deadline is stricter than the general breach-notification standard under the ITPA, which requires notice only "without unreasonable delay."
Licensees must also notify affected individuals and, in certain circumstances, other regulators in states where affected individuals reside.
Exemptions
Licensees with fewer than 25 employees, less than $5 million in gross annual revenue, and less than $10 million in year-end total assets are exempt from the WISP requirement, though they remain subject to basic cybersecurity obligations.
Michigan Consumer Protection Act
The Michigan Consumer Protection Act (MCPA), Act 331 of 1976, codified at MCL 445.901 through 445.922, serves as a general enforcement tool for data privacy violations. While not a standalone privacy statute, its broad prohibition against unfair, unconscionable, or deceptive trade practices gives the Attorney General authority to pursue companies that mishandle personal data.
MCL 445.903 includes specific privacy protections. The law prohibits requiring a consumer to disclose their SSN as a condition of selling or leasing goods or providing services, except in specified circumstances. The Attorney General has used the MCPA alongside federal statutes in enforcement actions against technology companies.
Consumers may bring private lawsuits under the MCPA to recover actual damages or $250, whichever is greater, plus reasonable attorney fees. The Attorney General may seek injunctive relief, civil fines, and restitution.
The Proposed Personal Data Privacy Act (SB 359)

The most significant pending data privacy legislation in Michigan is Senate Bill 359, introduced June 5, 2025, and referred to the Senate Committee on Finance, Insurance, and Consumer Protection. The committee reported it favorably on June 11, 2025, and referred it to the Committee of the Whole, where it remained as of June 2025. The bill has not passed either chamber.
SB 359 is a reintroduction of Senate Bill 659 from the 2023-2024 session, which passed the Senate but did not advance through the House. Both chambers would need to pass the bill and the Governor would need to sign it before it becomes law.
Who It Would Cover
SB 359 would apply to entities that conduct business in Michigan or produce products or services targeted to Michigan residents, and that during a calendar year either control or process personal data of 100,000 or more consumers, or control or process personal data of 25,000 or more consumers and derive any revenue from the sale of personal data.
Consumer Rights Under SB 359
If enacted, the bill would grant Michigan residents the following rights over their personal data:
- Right to confirm whether a business is processing their personal data
- Right to access their personal data held by a business
- Right to correct inaccuracies in their personal data
- Right to delete their personal data
- Right to obtain a portable copy of their data
- Right to opt out of processing for targeted advertising
- Right to opt out of the sale of personal data
- Right to opt out of profiling that produces legal or similarly significant effects
The bill would also require businesses to honor opt-out preference signals, such as Global Privacy Control, when sent with a consumer's consent.
Consent Requirements
Collectors would need to obtain consent from consumers before processing their personal data and provide a privacy notice explaining the purpose of that processing.
Data Broker Registry
The bill would create a public registry for data brokers, defined as entities that knowingly collect and sell or license personal data about consumers with whom they have no direct relationship. Data brokers would be required to register annually with the Attorney General beginning February 1, 2026 (a date that has now passed; any final enacted version would likely push this deadline forward).
Enforcement
SB 359 would be enforced exclusively by the Michigan Attorney General. There would be no private right of action.
Internet Privacy Protection Act
Michigan's Internet Privacy Protection Act, enacted as Act 478 of 2012, protects employees and job applicants from being required to share their personal social media and internet account credentials.
The law prohibits employers from requesting or requiring an employee or job applicant to grant access to, allow observation of, or disclose login information for personal internet accounts. Employers retain the right to monitor activity on employer-owned devices and networks, view publicly available information, and investigate specific credible reports of work-related misconduct involving personal accounts.
Michigan Kids Code Act (Pending)
The Michigan Senate passed Senate Bill 758, the Kids Code Act, and the bill moved to the House for consideration. If enacted, it would take effect July 1, 2026.
SB 758 is tie-barred to Senate Bill 759 and would apply to covered online service providers with more than $25 million in annual revenue or more than 50,000 Michigan users. Covered entities would be prohibited from using addictive design features such as infinite scroll, autoplay videos, or gamification to encourage excessive use by minors. The bill would also restrict collection of biometric data from minors, prohibit the use of dark patterns to manipulate children, and require age verification where the provider has actual knowledge a user is under 13. Targeted advertising to minors would be prohibited.
As of May 2026, SB 758 is pending in the Michigan House. It has not been enacted.
Student Data Privacy Protections
Michigan has enacted specific protections for student data that supplement federal requirements under FERPA.

Student Online Personal Protection Act
The Student Online Personal Protection Act, Act 368 of 2016, regulates operators of websites, online services, and applications used for K-12 school purposes. It covers personally identifiable student information including educational records, contact information, discipline records, test results, special education data, and grades.
Protection of Pupil Privacy Act
MCL 380.1136 prohibits school districts, intermediate school districts, public school academies, educational management organizations, and authorizing bodies from selling or providing personally identifiable information from pupil education records to for-profit business entities.
State FERPA Compliance
Michigan enacted Public Act 88 of 2000, which requires public bodies to exempt from disclosure any information that would prevent them from complying with FERPA. The Michigan Department of Education and the Center for Educational Performance and Information maintain strict data governance frameworks to protect student records.
Preservation of Personal Privacy Act
The Preservation of Personal Privacy Act, Act 378 of 1988, codified at MCL 445.1711 through 445.1715, protects the privacy of records related to the purchase, rental, or borrowing of books, written materials, sound recordings, and video recordings.
This law prohibits disclosure of customer identification tied to these materials, with exceptions for collecting payment on overdue accounts (after written notice), activities incident to the ordinary course of business, and marketing purposes when written notice is provided. A person who violates this act may be liable in a civil action for actual damages.
Federal Laws That Apply in Michigan
Because Michigan lacks a comprehensive state privacy law, several federal statutes provide important baseline protections for Michigan residents.

HIPAA
The Health Insurance Portability and Accountability Act protects health information held by covered entities including healthcare providers, health plans, and healthcare clearinghouses. The Michigan Department of Health and Human Services implements HIPAA at the state level. Michigan supplements HIPAA with additional state-level protections for behavioral health and substance use disorder treatment records, which require separate consent for disclosure beyond treatment, payment, and coordination of care purposes.
TAKE IT DOWN Act (Effective May 19, 2026)
The TAKE IT DOWN Act, Pub. L. 119-12, was signed into law on May 19, 2025. Its criminal prohibition on publishing nonconsensual intimate images (NCII) took effect immediately. Platform takedown obligations became effective May 19, 2026: covered online platforms must implement a system allowing individuals to request removal of NCII, and must remove reported content and known identical copies within 48 hours. The Federal Trade Commission has authority to enforce these platform obligations. Michigan AG Nessel, along with 35 other attorneys general, sent a January 26, 2026 letter to xAI demanding it disable Grok's ability to produce nonconsensual intimate images and child sexual abuse material, citing the pending federal obligations.
COPPA
The Children's Online Privacy Protection Act restricts collection of personal information from children under 13 by websites and online services. Michigan's AG has actively invoked COPPA in enforcement, including the ongoing Roku lawsuit (discussed below).
Gramm-Leach-Bliley Act
The GLB Act requires financial institutions to explain their information-sharing practices and protect sensitive data. Michigan-based banks, credit unions, insurance companies, and other financial services providers must comply with GLB's privacy and safeguard requirements.
FCRA and FACTA
The Fair Credit Reporting Act and its amendment, FACTA, regulate the collection and use of consumer report information. The FTC enforces FCRA against consumer reporting agencies and users of consumer reports operating in Michigan.
APRA (Did Not Pass)
The American Privacy Rights Act was introduced as a bicameral federal draft in 2024. It did not pass into law. As of May 2026, no successor federal comprehensive privacy bill has been enacted.
Recent Enforcement Actions
Roku Lawsuit: Non-COPPA Claims Dismissed (April 2026)
Attorney General Dana Nessel filed suit against Roku, Inc. in the U.S. District Court for the Eastern District of Michigan in April 2025, alleging the streaming platform violated COPPA and the Michigan Consumer Protection Act by collecting children's personal information without required parental consent. In April 2026, the federal court narrowed the case substantially. The court dismissed all non-COPPA claims, including VPPA and state consumer protection claims, for lack of standing, finding the Attorney General did not have a sufficient quasi-sovereign interest to support parens patriae standing on those claims. The COPPA claims survived because COPPA includes an express parens patriae provision authorizing state enforcement.
Healthcare Data Breach Alerts (2025-2026)
AG Nessel has issued multiple consumer alerts regarding major breaches affecting Michigan residents, including incidents involving McLaren Health Care, Change Healthcare, Ascension Healthcare, AT&T, and Munson Healthcare in Traverse City.
xAI Multistate Coalition (January 2026)
On January 26, 2026, AG Nessel joined 35 other attorneys general in demanding action from xAI over Grok's generation of nonconsensual intimate images and child sexual abuse material. The letter demanded xAI immediately disable that capability, remove existing content, and report illegal content to authorities.
How to File a Data Privacy Complaint in Michigan
If you believe your data privacy rights have been violated in Michigan, you have several options.
Contact the Michigan Attorney General's Consumer Protection Division. You can file a complaint online through the Michigan Attorney General's website or by calling the Consumer Protection hotline. For insurance-related data security incidents, complaints may also be directed to the Department of Insurance and Financial Services.
For data breaches, affected individuals should place fraud alerts with the three major credit bureaus, review credit reports for unauthorized activity, and consider placing a credit freeze on their accounts.
For HIPAA violations involving health information, file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights.
For violations involving student records, contact the U.S. Department of Education's Student Privacy Policy Office.
What Michigan Businesses Must Do Now
Even without a comprehensive privacy law, Michigan businesses have clear obligations under existing statutes.

Mandatory Requirements Under Current Law
- Breach notification: Notify affected Michigan residents without unreasonable delay after discovering a security breach involving their personal information (MCL 445.72)
- SSN protection: Never publicly display SSNs and maintain a written privacy policy if you collect them (MCL 445.81 to 445.85)
- Data destruction: Destroy personal information through shredding, erasure, or modification when removing it from databases (MCL 445.72a)
- Employee privacy: Never request or require employees or applicants to share personal social media or internet account credentials (Act 478 of 2012)
- Insurance licensees: Maintain a written information security program and notify DIFS within 10 business days of a cybersecurity event (MCL 500.550 to 500.565)
- Student data: If you operate educational technology for K-12 purposes, comply with the Student Online Personal Protection Act (Act 368 of 2016)
- TAKE IT DOWN Act platforms: If you operate a covered online platform, implement an NCII takedown-request system and remove reported content within 48 hours (effective May 19, 2026)
Preparing for Comprehensive Privacy Law
With SB 359 still pending in the Senate and SB 360-364 awaiting House action, Michigan businesses should begin preparing now by:
- Auditing what personal data they collect, process, and store
- Reviewing privacy notices and consent mechanisms
- Implementing data access and deletion request workflows
- Evaluating whether they qualify as a data broker under SB 359's definition
- Training staff on data privacy requirements
- Consulting with legal counsel about compliance timelines if SB 359 passes
This article is for informational purposes only and does not constitute legal advice. It covers Michigan data privacy law as of May 2026. Data privacy laws change frequently and enforcement interpretations evolve over time. Consult a licensed attorney in Michigan for advice about your specific situation.
Frequently Asked Questions
Does Michigan have a comprehensive data privacy law?
No. As of May 2026, Michigan does not have a comprehensive consumer data privacy law. The state relies on targeted statutes including the Identity Theft Protection Act, the Social Security Number Privacy Act, the Insurance Data Security Act, and the Consumer Protection Act. Senate Bill 359, the Personal Data Privacy Act, was introduced in June 2025 and remains in the Senate Committee of the Whole. It has not passed either chamber. Until SB 359 or a successor bill is enacted, Michigan residents rely on these state laws plus federal protections such as HIPAA, COPPA, and GLBA.
What are the penalties for failing to report a data breach in Michigan?
Under the Identity Theft Protection Act (MCL 445.72), a person or agency that knowingly fails to provide required breach notification faces civil fines of up to $250 per failure. Total civil-fine liability from a single breach is capped at $750,000. Separate penalties may apply under the Michigan Consumer Protection Act if the failure involves deceptive trade practices. Insurance licensees face separate reporting obligations: they must notify DIFS within 10 business days of a cybersecurity event under MCL 500.560.
Can my employer access my personal social media accounts in Michigan?
No. Michigan's Internet Privacy Protection Act (Act 478 of 2012) prohibits employers from requesting or requiring employees or job applicants to share login credentials for personal internet accounts. Employers may monitor activity on employer-owned devices and networks, view publicly available information, and investigate specific credible reports of work-related misconduct involving personal accounts. The act does not create a duty for employers to search or monitor personal internet account activity.
How quickly must a company notify me of a data breach in Michigan?
Michigan law requires notification "without unreasonable delay" but does not set a specific number of days for most businesses. The standard is that the entity must act with the care an ordinarily prudent person would exercise under similar circumstances. Insurance licensees have a stricter standard: MCL 500.560 requires DIFS notification no later than 10 business days after determining a cybersecurity event occurred. Proposed amendments in SB 360-364 would require notification to the Attorney General for breaches affecting more than 100 Michigan residents.
Has Michigan passed the Personal Data Privacy Act?
No. As of May 2026, Senate Bill 359, the Personal Data Privacy Act, has not passed. The Michigan Senate Finance, Insurance, and Consumer Protection Committee reported it favorably on June 11, 2025, and referred it to the Committee of the Whole, where it remained pending. The bill has not been voted on by the full Senate. The Senate has twice passed a prior form of the bill, but it has never advanced through the House. Monitor legislature.mi.gov for updates.
What does the TAKE IT DOWN Act mean for Michigan residents?
The federal TAKE IT DOWN Act (Pub. L. 119-12, signed May 19, 2025) makes it a federal crime to publish nonconsensual intimate images. Beginning May 19, 2026, covered online platforms must maintain a system allowing individuals to report NCII and must remove reported content and known identical copies within 48 hours. The FTC enforces the platform obligations. Michigan AG Nessel has been active on this issue, joining a 36-state coalition demanding xAI address Grok's generation of such content.
Does Michigan have a law protecting insurance customer data?
Yes. The Michigan Insurance Data Security Act (MCL 500.550 to 500.565), effective January 20, 2021, requires every insurance licensee to develop and maintain a comprehensive written information security program and to notify DIFS within 10 business days of a cybersecurity event. The law applies to all insurers, producers, adjusters, and other licensed insurance entities. Smaller licensees with fewer than 25 employees, less than $5 million in revenue, and less than $10 million in assets are exempt from the WISP requirement.
What should I do if my data is breached in Michigan?
If you receive a breach notification, immediately place fraud alerts with all three major credit bureaus (Equifax, Experian, TransUnion), review your credit reports for unauthorized accounts or activity, consider placing a credit freeze, change passwords for any affected accounts, and monitor financial statements closely. You can also file a complaint with the Michigan Attorney General's Consumer Protection Division at michigan.gov/ag. For health-information breaches, file a complaint with the HHS Office for Civil Rights.