Michigan Biometric Privacy Laws: Collection, Consent & Penalties (2026)

Michigan takes a different approach to biometric privacy than states like Illinois and Texas. Rather than enacting a dedicated biometric information privacy act, Michigan protects biometric data through its existing Identity Theft Protection Act and Consumer Protection Act. For residents wondering whether their fingerprints, facial scans, or voiceprints have legal protection, the answer is yes, but with important limitations.

This guide breaks down how Michigan law currently treats biometric data, what businesses must do when biometric information is compromised, and how pending legislation could bring Michigan closer to the comprehensive biometric protections found in other states.

For broader context on Michigan privacy protections, see the parent guide to [Michigan Data Privacy Laws](/us-laws/data-privacy-laws/michigan-data-privacy-laws).

What Counts as Biometric Data Under Michigan Law

Michigan law references biometric data in two key statutes, each with a slightly different scope.

Identity Theft Protection Act (MCL 445.63)

The Identity Theft Protection Act, enacted as Act 452 of 2004, defines "personal identifying information" as a name, number, or other information used to identify a specific person or provide access to financial accounts. The statute explicitly lists biometrics as a category of personal identifying information alongside driver's license numbers, Social Security numbers, and financial account credentials.

This classification matters because it ties biometric data directly to Michigan's breach notification framework. Any unauthorized access to unencrypted biometric data stored in a database triggers the same notification obligations that apply to Social Security numbers or bank account information.

Michigan Consumer Protection Act (MCL 445.903)

The Michigan Consumer Protection Act (MCPA), Act 331 of 1976, does not specifically define biometric data. However, the MCPA prohibits unfair, unconscionable, or deceptive trade practices. The Michigan Attorney General has the authority to pursue enforcement actions under the MCPA against businesses that collect or handle biometric data in ways that mislead consumers or violate reasonable privacy expectations.

Types of Biometric Identifiers

Under current Michigan law and pending legislation, biometric data includes:

• Fingerprints and palm prints
• Voiceprints
• Retina and iris scans
• Facial geometry measurements
• Other unique biological patterns used for identification

Photographs, video recordings, and audio recordings are generally excluded from the biometric data definition unless they are specifically processed to extract biometric identifiers for identification purposes.

Breach Notification Requirements for Biometric Data

Because biometrics fall within Michigan's definition of personal identifying information, the breach notification rules in MCL 445.72 apply when biometric data is compromised.

Who Must Comply

Any person or agency that owns or licenses data containing personal information of Michigan residents must comply. This includes private businesses, government agencies, nonprofits, and any entity that maintains a database with biometric records.

When Notification Is Required

An entity must notify affected Michigan residents after discovering a security breach that results in the unauthorized access and acquisition of unencrypted and unredacted personal information, including biometric data. Notification is not required if the entity determines that the breach is unlikely to cause substantial loss, injury, or identity theft.

Notification Timeline

Under current law, notification must be provided "without unreasonable delay." Delays are permitted only when necessary to determine the scope of the breach or when law enforcement requests a postponement for an ongoing criminal investigation.

How to Notify

Michigan law allows several notification methods depending on the number of affected individuals and the cost of notification:

• Written notice sent by postal mail
• Electronic notice if the affected individual previously consented to electronic communications
• Telephone notice through a live representative, with written follow-up
• Substitute notice for breaches affecting more than 500,000 residents or costing more than $250,000, which includes email notification, conspicuous website posting, and notification to major statewide media

Third-Party Obligations

Entities that maintain personal information on behalf of another organization must notify the data owner of any breach. The data owner then bears the responsibility for notifying affected individuals.

Penalties for Biometric Data Violations

Michigan enforces biometric data protections primarily through its breach notification penalty framework and the Consumer Protection Act.

Breach Notification Penalties

Under MCL 445.72, knowingly failing to provide required breach notification carries civil fines of up to $250 per failure to notify. The total liability for a single breach event is capped at $750,000.

Filing a false breach notification with intent to defraud is a misdemeanor. First offenses carry up to 93 days of imprisonment or a $250 fine. Penalties increase for repeat violations, reaching up to $750 for a third offense.

Consumer Protection Act Enforcement

The Michigan Attorney General can bring enforcement actions under the Consumer Protection Act against entities that engage in unfair or deceptive practices involving biometric data. Remedies can include injunctive relief, restitution, and civil penalties.

No Private Right of Action for Data Breaches

Unlike Illinois, where individuals can sue companies directly for biometric privacy violations under BIPA, Michigan does not currently provide a private right of action specifically for biometric data breaches. Enforcement authority rests with the Michigan Attorney General and county prosecuting attorneys.

How Michigan Compares to Other States

Michigan's biometric protections are moderate compared to other states. Understanding the differences helps businesses operating across state lines assess their compliance obligations.

Illinois has the strongest biometric privacy law in the country through the Biometric Information Privacy Act (BIPA), which requires written consent before collection, mandates retention and destruction policies, and provides a private right of action with statutory damages of $1,000 to $5,000 per violation.

Texas requires consent before capturing biometric identifiers under the Capture or Use of Biometric Identifier Act (CUBI), but only the Texas Attorney General can enforce it.

Michigan currently has no standalone consent requirement for biometric collection. Protection comes through breach notification rules and general consumer protection enforcement. If SB 359 passes, Michigan would join the growing number of states requiring affirmative opt-in consent before processing biometric data.

Employer Use of Biometric Data in Michigan

Michigan does not have a specific statute governing employer collection of biometric data for purposes like time clocks, building access, or identity verification. However, several legal frameworks apply.

Background Check Fingerprinting

The Public Employee Fingerprint-Based Criminal History Check Act (Act 427 of 2018) requires fingerprint-based background checks for public employees who will have access to federal information databases. The Michigan State Police Biometrics and Identification Division processes these fingerprint submissions through the state's Automated Fingerprint Identification System (AFIS).

Certain regulated industries, including security businesses under MCL 338.1068, must submit employee fingerprints to the Michigan State Police before the employee begins work.

Best Practices for Employers

Even without a dedicated biometric consent law, Michigan employers collecting biometric data should:

• Provide written notice explaining what biometric data is collected, how it will be used, and how long it will be stored
• Obtain written consent before collecting fingerprints, facial scans, or other biometric identifiers
• Establish a retention and destruction policy that permanently destroys biometric data when the employment relationship ends or the data is no longer needed
• Limit access to biometric data to authorized personnel only
• Use encryption for stored and transmitted biometric information

These practices align with the requirements proposed in SB 359 and help employers prepare for potential future legislation.

Pending Legislation: What Could Change

Two significant bills passed the Michigan Senate in 2025 and are pending in the House as of March 2026. If enacted, they would substantially strengthen biometric privacy protections.

SB 359: Personal Privacy Data Act

Senate Bill 359, introduced by Senator Rosemary Bayer on June 5, 2025, would create Michigan's first comprehensive consumer data privacy law. The bill was reported favorably by the Senate Finance, Insurance, and Consumer Protection Committee and referred to the Committee of the Whole.

Key biometric provisions in SB 359 include:

• Biometric data as sensitive data. The bill classifies biometric data as a category of sensitive data alongside precise geolocation, data about known children, and certain health information.
• Opt-in consent required. Controllers must obtain a consumer's affirmative consent before processing any sensitive data, including biometric identifiers.
• Data minimization. Collection and processing of biometric data must be limited to what is strictly necessary to provide or maintain the specific product or service requested by the consumer.
• Consumer rights. Michigan residents would gain the right to access, correct, delete, and port their personal data, plus the right to opt out of data sales and targeted advertising.
• Attorney General enforcement. SB 359 would be enforced exclusively by the Michigan Attorney General, with no private right of action.

The bill would apply to entities doing business in Michigan that process data on at least 100,000 consumers per year, or at least 25,000 consumers if they derive any revenue from selling personal data.

SB 360: Identity Theft Protection Act Amendments

Senate Bill 360, part of a five-bill package (SB 360-364), passed the Michigan Senate on August 26, 2025, and has been referred to the House Committee on Government Operations.

Key changes proposed by SB 360 include:

• Expanded personal information definition. The bill would explicitly add "any genetic information or biometric information that is used to authenticate or ascertain the individual's identity, such as a fingerprint, voice print, retina, or iris image" to the definition of personal information in the breach notification statute.
• 45-day notification deadline. Entities must notify affected individuals and the Attorney General within 45 days of determining a breach occurred, replacing the current "without unreasonable delay" standard.
• Attorney General notification. Breaches affecting 100 or more Michigan residents would require notification to the Attorney General.
• Mandatory security programs. Entities must implement reasonable security procedures, designate a security coordinator, and follow the NIST Cybersecurity Framework 2.0 or an equivalent industry standard.
• Enhanced enforcement. The Attorney General would gain expanded powers to issue written demands, accept assurances of discontinuance, and pursue civil fines of up to $2,000 per security procedure violation or investigation failure.

Michigan State Police and Biometric Data

The Michigan State Police (MSP) operates one of the largest biometric databases in the state through its Biometrics and Identification Division. Two systems are particularly relevant to biometric privacy.

Automated Fingerprint Identification System (AFIS)

The MSP's Automated Print Identification Section maintains fingerprint records for criminal justice purposes. Fingerprints collected during arrests, background checks, and licensing processes are stored in AFIS and can be searched against state and FBI databases.

Statewide Network of Agency Photos (SNAP)

The SNAP system allows law enforcement to conduct facial recognition searches against a database of booking photos. The MSP's SNAP Acceptable Use Policy restricts facial recognition searches to five purposes: consent of the individual, probable cause to arrest, a court order or search warrant, identification of a vulnerable or impaired person, or identification of a deceased individual.

The MSP does not use real-time facial recognition surveillance. The department has stated publicly that it does not own the technology to scan crowds or identify people from live video feeds.

More Michigan Laws

• Michigan Data Privacy Laws
• Michigan Recording Laws
• Michigan Recording Laws
• Michigan Whistleblower Laws
• Michigan Recording Laws
• Michigan Recording Laws
• Michigan Recording Laws
• Michigan Recording Laws

This article provides general legal information about Michigan biometric privacy laws. It is not legal advice. Biometric privacy law is evolving rapidly in Michigan, and the pending legislation discussed here may change before enactment. Consult a qualified Michigan attorney for guidance on your specific situation.