
‘Personal Data Privacy Act’ Introduced in Michigan; Consent Required for Processing Personal Data

On Sept. 27, Michigan Sen. Rosemary Bayer and eight fellow Democrat cosponsors introduced Senate Bill 1182, which would create the Michigan Personal Data Privacy Act. The Michigan Legislature remains in session through the end of the year.

APPLICABILITY

The Act would apply to a person to which both of the following apply:

  1. Conducts business in Michigan or produces products or services that are targeted to Michigan residents.
  2. During a calendar year, either of the following applies:
    1. The person controls or processes personal data of at least 100,000 consumers.
    2. The person controls or processes personal data of at least 25,000 consumers and derives over 50% of gross revenue from the sale of personal data.

CONSUMER RIGHTS

The Act would afford consumers the right to:

  1. Confirm the processing of the consumer’s personal data and to access the personal data;
  2. Correct inaccuracies in the personal data;
  3. Delete personal data provided by or obtained about the consumer;
  4. Obtain a copy of the personal data that the consumer previously provided to the controller; and
  5. Opt out of the processing of the personal data for any of the following purposes:
    1. Targeted advertising;
    2. The sale of personal data;
    3. Profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.

OPT IN REQUIRED FOR PROCESSING ALL PERSONAL DATA

As noted above, the Act would give consumers the right to opt out of the processing of personal data if the processing is for certain purposes. Interestingly, however, Section 7(1)(a) states: “A controller shall do all of the following . . . Not process personal data or sensitive personal data concerning a consumer without obtaining the consumer’s consent.” The legislation provides no guidance on the process for obtaining consent, nor does it make any other reference to opt in being the default for processing all personal data.

EXEMPTIONS

Among other things, the Act would not apply to:

  • A financial institution or data subject to the Gramm-Leach-Bliley Act
  • A covered entity governed by the Health Insurance Portability and Accountability Act
  • The collection, maintenance, disclosure, sale, communication, or use of any personal data to the extent it is authorized and regulated under the Fair Credit Reporting Act
  • Data processed or maintained for certain employment-related purposes

DATA PROTECTION IMPACT ASSESSMENT

The Act would require a controller to perform a “data protection impact assessment” if personal data or sensitive personal data is processed for certain purposes. “Sensitive personal data” includes, among many other things, a social security number, driver’s license number and other forms of identification. The assessment must be made available to the Attorney General upon request but would be confidential and exempt from public inspection.

ENFORCEMENT

In the event of a violation, the Attorney General could seek a fine of not more than $7,500 for each violation if the violation is not cured within 30 days of notice. If the violation involves the failure of a data broker to properly register with the Attorney General, the fine could be $100 per day.

The legislation includes a private right of action for actual damages, injunctive relief, and any other relief a court deems appropriate.

IMPRESSION

This legislation is similar to the privacy laws passed in California, Virginia, Colorado, Utah, and Connecticut. However, if the Section 7(1)(a) opt-in mandate for the processing of all personal data is intentional (as opposed to requiring opt in only for sensitive personal data), the Act would represent a significant deviation. For more information and insight from Maurice Wutscher on data privacy and security laws and legislation, visit https://mauricewutscher.com/data-privacy-and-security/.


Eric Rosenkoetter is a principal at Maurice Wutscher LLP, where he provides counsel to businesses and consumer financial services firms nationwide. For many years, he has focused his practice on various aspects of financial services law. As a litigation attorney, he has conducted every aspect of the litigation process, including countless depositions, motion proceedings, bench and jury trials, and appeals in various courts. In addition, he has significant experience as a compliance and transactional attorney, providing strategic, business growth, legislative, compliance and regulatory advice to national corporations and trade associations. For example, he has drafted consumer contracts and disclosures designed to state-specific statutory requirements, and developed “Best Practices” guides and state-by-state compliance grids, for national financial services companies. He also conducted research and crafted a metrics report for a national trade association with analysis designed to counter the claims of advocacy groups. Eric’s experience also includes working for a national corporation as Executive Counsel, Chief Compliance and Ethics Officer, and Director of Legislative Affairs, and as a federal lobbyist and Director of Government and Public Affairs for a national financial services trade association. In the government sector, Eric presided over approximately 6,000 state administrative hearings, served as a staff attorney for the Missouri Senate, and handled litigation in 33 counties as a regional managing attorney. Eric frequently speaks to audiences on topics relevant to the financial services industry including regulatory compliance, data privacy law and related advocacy initiatives. For more information, see https://mauricewutscher.com/attorneys/eric-rosenkoetter/
