On Sept. 27, Michigan Sen. Rosemary Bayer and eight fellow Democrat cosponsors introduced Senate Bill 1182, which would create the Michigan Personal Data Privacy Act. The Michigan Legislature remains in session through the end of the year.
The Act would apply to a person to which both of the following apply:
- Conducts business in Michigan or produces products or services that are targeted to Michigan residents.
- During a calendar year, either of the following applies:
- The person controls or processes personal data of at least 100,000 consumers.
- The person controls or processes personal data of at least 25,000 consumers and derives over 50% of gross revenue from the sale of personal data.
The Act would afford consumers the right to:
- Confirm the processing of the consumer’s personal data and to access the personal data;
- Correct inaccuracies in the personal data;
- Delete personal data provided by or obtained about the consumer;
- Obtain a copy of the personal data that the consumer previously provided to the controller; and
- Opt out of the processing of the personal data for any of the following purposes:
- Targeted advertising;
- The sale of personal data;
- Profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
OPT IN REQUIRED FOR PROCESSING ALL PERSONAL DATA
As noted above, the Act would give consumers the right to opt out of the processing of personal data if the processing is for certain purposes. Interestingly, however, Section 7(1)(a) states: “A controller shall do all of the following . . . Not process personal data or sensitive personal data concerning a consumer without obtaining the consumer’s consent.” The legislation provides no guidance on the process to obtain consent or make any other reference to opt in being the default for processing all personal data.
Among other things, the Act would not apply to:
- A financial institution or data subject to the Gramm-Leach-Bliley Act
- A covered entity governed by the Health Insurance Portability and Accountability Act
- The collection, maintenance, disclosure, sale, communication, or use of any personal data to the extent it is authorized and regulated under the Fair Credit Reporting Act
- Data processed or maintained for certain employment-related purposes
DATA PROTECTION IMPACT ASSESSMENT
The Act would require a controller to perform a “data protection impact assessment” if personal data or sensitive personal data is processed for certain purposes. “Sensitive personal data” includes, among many other things, a social security number, driver’s license number and other forms of identification. The assessment must be made available to the Attorney General upon request but would be confidential and exempt from public inspection.
In the event of a violation, the Attorney General could seek a fine of not more than $7,500 for each violation if the violation is not cured within 30 days of notice. If the violation involves the failure of a data broker to properly register with the Attorney General, the fine could be $100 per day.
The legislation includes a private right of action for actual damages, injunctive relief, and any other relief a court deems appropriate.
This legislation is similar to the privacy laws passed in California, Virginia, Colorado, Utah, and Connecticut. However, if the Section 7(1)(a) opt-in mandate for the processing of all personal data is intentional (as opposed to requiring opt in only for sensitive personal data), the Act would represent a significant deviation. For more information and insight from Maurice Wutscher on data privacy and security laws and legislation, visit https://mauricewutscher.com/data-privacy-and-security/.