The Michigan Senate Committee on Finance, Insurance, and Consumer Protection consists of:
Mary Cavanagh (D), Chair
Jeff Irwin (D), Majority Vice Chair
Sean McCann (D)
Rosemary Bayer (D)
Darrin Camilleri (D)
Mark E. Huizenga (R), Minority Vice Chair
Lana Theis (R)
Kevin Daley (R)
Meeting dates, documents, subscription and contact information are found at the committee home page.
Some early agendas from this year, with italics applied to items with no clear healthcare impact.
Tuesday, May 20, 2025 9:45 a.m.
AGENDA
SB 134
Sen. Singh
Consumer protection: other; amendments to the Michigan consumer protection act; provide for.
And any other business properly before the committee.
The first bill in the series is linked to that bill page; there, use the previous/next bill function to find the other bills.
Wednesday, June 11, 2025 12:30 p.m.
AGENDA
SB 158
Sen. Cavanagh
Consumer protection: other; certain uses of automated programs to purchase event tickets online; prohibit.
SB 159
Sen. Damoose
Consumer protection: other; attorney general investigations of the event online ticket sales act; provide for, and prescribe fines and remedies.
SB 359
Sen. Bayer
Consumer protection: privacy; personal data privacy act; create.
SB 360
Sen. Bayer
Consumer protection: identity theft; identity theft protection act; modify.
SB 361
Sen. McBroom
Consumer protection: identity theft; references to identity theft protection act in deferred presentment service transactions act; revise.
SB 362
Sen. Damoose
Consumer protection: identity theft; references to identity theft protection act in Michigan penal code; revise.
SB 363
Sen. Shink
Consumer protection: identity theft; references to identity theft protection act in 1846 RS 1; update.
SB 364
Sen. Cavanagh
Consumer protection: identity theft; references to identity theft protection act in code of criminal procedure; update.
And any other business properly before the committee.
All bills of interest are reintroduced from the 2023-24 session.
Written at the time, and still relevant to the Personal Data Privacy Act debate, Mackinac Center for Public Policy's longform exploration of the issue.
Clipped here for length.
https://www.mackinac.org/blog/2024/michigans-data-privacy-proposal-is-filled-with-problems
Michigan’s data privacy proposal is filled with problems
Federal privacy bill would eliminate need for state action
By Dr. Ted Bolema | May 22, 2024
It is important for people who engage online to have confidence that their personal data will be handled with care. When personal and financial data is misused or hacked, consumers can suffer significant harms. Criminals can use personal data to commit fraud, such as identity theft. Private data can be sold to advertisers or other parties without users’ consent. Data breaches can also limit free expression if they enable governments or online platforms to monitor and censor people’s activities and speech on the internet.
In response to growing concerns about data privacy, many states, including Michigan, are considering or have enacted new data privacy laws. Several Michigan lawmakers introduced the Personal Data Privacy Act in November 2023. Lawmakers in other states have passed similar bills with bipartisan support.
While these state privacy laws address legitimate concerns about consumers’ data, they raise several serious issues. When each state has its own privacy law, that creates a patchwork of inconsistent and sometimes conflicting standards, which is problematic for companies operating across state lines. They must incur significant legal expenses to comply with these laws, which do little to help consumers but may expose companies to expensive class action lawsuits. Some of the laws undermine people’s data privacy rights by giving governments easier access to some personal data without first obtaining a warrant.
The proposed Michigan Personal Data Privacy Act, unfortunately, suffers from all these concerns.
<clip>
Recent state-level data privacy laws
As people become more dependent on the internet for purchases, other financial transactions, and sharing personal data with medical professionals, the importance of data privacy has increased. Websites, apps and social media companies collect and store increasing amounts of personal data about users, which they use to provide better services. But some apps, websites and platforms may be overly aggressive in collecting data or may not safeguard it as much as consumers expect.
The current wave of legislative activity started with the California Consumer Privacy Act of 2018, which was amended in 2020 when California voters approved Proposition 24. Fifteen other states have enacted new data privacy laws since 2018.
These state data privacy laws fall into two broad categories: comprehensive and targeted. Comprehensive laws cover all varieties of private data and apply broadly to nearly all companies, although exemptions for some small businesses are common. Targeted laws address specific types of data privacy concerns. Some targeted data privacy laws limit the collection and retention of biometric data, such as fingerprints or retinal measurements. Others create protections specifically for children or apply only to certain industries. The proposed Michigan data privacy law and the proposed federal law are both comprehensive.
Legislative responses to data privacy concerns are not new. Anyone who has visited a doctor’s office is familiar with the Health Insurance Portability and Accountability Act of 1996, or HIPAA, which governs how medical professionals handle personal health care data. In 2012 Michigan passed the Internet Privacy Protection Act, which prohibits employees or job applicants from having to give employers access to their personal social media, email, or other internet accounts. The law also applies to educational institutions. Michigan also has the Identity Theft Protection Act, passed in 2004, that requires companies to notify their customers of data breaches without unreasonable delay.
The more recent state data privacy laws create various requirements of companies and other entities using online personal data. They must tell consumers what personal data is collected and give them a certain level of control over their own data, such as the right to tell companies not to sell it. These proposals tend to attract bipartisan support, as their protections are usually perceived as being politically popular.
Problems with state privacy laws
While state data privacy laws intend to address consumers' legitimate concerns about keeping their private data protected, they raise several serious concerns.
A patchwork of requirements
Each state privacy law is unique. Having 16 new data privacy laws since 2018 makes it difficult to understand consumers’ rights. It also creates huge compliance costs for companies as they try to keep up with new legal requirements. Even more states are considering new data privacy bills in their current legislative sessions, which would increase these problems.
Costly risk assessment mandates
Most comprehensive state privacy laws, including Michigan’s proposed Personal Data Privacy Act, create specific risk assessment requirements that are often costly to produce. These risk assessments do little to protect consumers, however.
If the goal is to protect consumers’ privacy, laws should encourage companies to comply with the best practices established by the National Institute of Standards and Technology, writes Logan Kolas of the Buckeye Institute. Companies could then meet their legal obligations to protect consumer data by demonstrating adherence to the latest industry standards for the use of private data. This is preferable to making them carry out costly risk assessments.
Frivolous lawsuits
When states mandate risk assessments and create overly specific compliance requirements, they expose businesses to frivolous lawsuits. Some state privacy statutes, and the proposed Michigan law, create a private right of action by which individuals may sue without having to prove they were injured by the use of their private data. These laws invite class action lawsuits that may win millions of dollars for plaintiffs’ attorneys but only nominal awards for individuals.
This concern is grounded in experience from the 1991 Telephone Consumer Protection Act. This federal law was supposed to limit the number of automated marketing calls made to cellphone numbers. While it may have limited some robocalls to cellphones, it led to a wave of class action lawsuits. The average attorneys' fee in these lawsuits was $2.4 million per case, while the individual consumers in the class received an average of just $4.12.
Dangerous government exemptions
State data privacy laws typically exempt government entities, because they are subject to the Freedom of Information Act and other public transparency laws. Theoretically, people or companies could request private data kept by governments through these public transparency tools, which would defeat the purpose of data protection laws. Further, allowing people to demand that governments delete the personal data they store might interfere with police investigations, government regulatory activities and other government functions.
This problem is further complicated by the existence of government entities that directly compete with private businesses. Examples include government-run cable and internet systems, electric utilities, trash collection departments and universities. Allowing these entities broad exemptions from data privacy laws gives them an unfair advantage over the private businesses they compete with, harming consumers by reducing market competition.
Giving governments access to private data
Some state data privacy laws, including the proposed Michigan law, allow government agencies to collect personal data from companies without a warrant. This is permitted to ensure compliance with mandated risk assessments and other provisions in the statute. Ironically, these laws may undermine the very data privacy rights they claim to protect by giving governments easier access to personal data. This problem might be addressed by explicitly prohibiting government agencies from collecting consumer and personal data from companies without a warrant.
<clip>
Michigan lawmakers should wait before moving forward with the current data privacy proposal in Lansing. If Congress passes the American Privacy Rights Act, there will be no reason for the state to pass a similar law, especially given these concerns.
Fisher-Phillips offers perspective on SB 359 and 360 from the world of international workplace law.
Health-related text bolded by me. Clipped for length.
Eyes on Michigan: What Businesses Need to Know About Pending Consumer Privacy and Identity Theft Legislation
Insights | 9.09.25
Michigan lawmakers are considering sweeping updates to the state’s identity theft protection law while also debating whether Michigan will become one of nearly half the states that have passed a consumer privacy law. Fisher Phillips is closely monitoring both SB 359 and SB 360 to prepare businesses for changes that may be on the horizon on both fronts. This Insight explores the current state of Michigan law, the proposed changes being debated, and some steps your business can take to prepare for new potential obligations.
Overview of Senate Bill 359: The Personal Data Privacy Act
The Personal Data Privacy Act, introduced in June 2025, would create Michigan’s first comprehensive consumer privacy framework. We outline the key provisions below.
Applicability Thresholds
Entities covered would be those that conduct business in Michigan or produce products or services that are targeted to residents of Michigan and, during the calendar year, either control or process personal data from over 100,000 consumers or control or process personal data of 25,000 or more consumers and derive any revenue from the sale of personal data. There are also a number of exemptions.
Consumer Rights
If enacted, the law would grant residents new rights to access, correct, delete, and obtain copies of their data. It would also create new rights related to opting out of processing for targeted advertising, the sale of personal data, and profiling.
Notice Requirements
If enacted, the law would require entities subject to the law to provide a notice to consumers explaining the categories of data they collect, the third parties with whom they sell or share the data, the purpose for collecting the data, and a description of their rights and how to exercise them.
Data Protection Impact Assessment
Controllers would need to conduct and document a data protection impact assessment (DIPA) for certain processing activities involving personal data including:
Processing of personal data for targeted advertising
Sale of personal data
Processing of personal data for the purposes of profiling if the profiling has certain risks
Processing of sensitive data
Any processing activities that involve personal data that present a heightened risk of harm to consumers
The Michigan Attorney General would be able to request a copy of the DIPA, but it would remain confidential and exempt from public requests under FOIA. This is a unique twist that is different than other consumer privacy laws.
Data Broker Registry
The bill proposes that, beginning on February 1, 2026, and every year after that, data brokers register with the attorney general. The list of registered data brokers would be publicly accessible on the Attorney General’s website.
If a data broker does not register, there is a proposed fine of $100 per day until registration occurs or an amount equal to the registration fees that were due and not paid.
Geofencing
Michigan proposes to join a minority of states that prohibit geofencing within 1,750 of any mental health facility or reproductive or sexual health facility for the purpose of identifying, tracking, or collecting data from or sending any notification to a consumer regarding the consumer’s health data.
Enforcement
There is no private right of action under the proposed bill. Instead, the Attorney General would be solely responsible for enforcement. Before bringing any action, the AG would need to provide notice.
The civil fines are not to exceed $7,500 per violation, unless related to data brokers not registering with the AG. Additionally, if a person does not cooperate with the Attorney General’s investigation, the office could issue a maximum fine of $5,000.
Overview of Senate Bill 360: Identity Theft Act
Before examining the potential changes on tap, here’s an overview of the current Michigan Identity Theft Act.
Businesses that own or license data must notify Michigan residents if their unencrypted “personal information” is accessed and acquired by an unauthorized person, or if their encrypted data is accessed and acquired along with the encryption key – unless the business determines that the security breach is not likely to cause substantial loss, injury, or result in identity theft.
Such notice must be provided “without unreasonable delay.”
There is no requirement to notify the Attorney General. However, if 1,000 or more Michigan residents are affected, the business must notify the Consumer Reporting Agencies (Experian, Equifax, and TransUnion).
“Personal information” means the first name or first initial and last name linked to one or more of the following data elements: Social Security number, driver license number or state personal identification card number, and demand deposit or other financial account number, or credit card or debit card number, in combination with any required security code, access code, or password that would permit access to any of the individual's financial accounts.
Businesses that are subject to the GLBA or HIPAA, and comply with the notification requirements under those statutes, are considered to be in compliance with Michigan’s law.
Penalties for failing to notify can reach $250 per violation, capped at $750,000 per breach.
Notice Requirements
SB 360 proposes to add a notification requirement to the Attorney General if 100 or more Michigan residents are affected by a security breach. This notice would need to be provided no later than 45 days after the determination of the breach.
The bill also proposes to add the same notice timeframe of 45 days for notifying individuals.
The threshold for notifying the Consumer Reporting Agencies would remain the same.
Additionally, if the security breach results in a resident’s Social Security number or taxpayer identification number being accessed or acquired, or is reasonably believed to have been accessed or acquired, the business would need to offer appropriate identity theft prevention services and, if applicable, identity theft mitigation services that must be provided at no charge to the resident for not less than 24 months.
Personal Information Definition Changes
The proposed law would add additional elements to the definition of “personal information,” including:
passport number
other unique identification number issued on a governmental document that is used to verify the identity of an individual
any individually identifiable information contained in the individual’s current or historical record of medical history, medical treatment, or diagnosis created by a health care professional
a health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify an individual
a username or email address, in combination with a password or security question and answer, that would permit access to an online account that is reasonably likely to contain or is used to obtain personal identifying information
any genetic information or biometric information that is used to authenticate or ascertain the individual's identity, such as a fingerprint, voice print, retina, or iris image
The proposed addition to the definition of personal information is a growing trend among states. Right now, about half of states require notice to individuals if their health information was impacted by a data breach.
Cybersecurity
The bill adds a new section related to cybersecurity – a new trend that has not yet spread to most other states with data breach laws. Entities that handle personal information would be required to implement and maintain reasonable security procedures to prevent unlawful use or disclosure. These procedures must include appointing a responsible coordinator, identifying internal and external risks, implementing safeguards tailored to those risks, and regularly assessing their effectiveness.
Additionally, service providers would be required to be contractually obligated to follow recognized cybersecurity standards, such as the NIST Cybersecurity Framework 2.0. Security protocols would need to be adaptable to changing circumstances that could affect data protection.
Fines
The bill would add additional potential fines and penalties.
The failure to notify would remain the same: $250 per person.
However, the bill adds a $2,000 fine for failure to maintain reasonable security procedures and $2,000 for failing to investigate a breach.
Finally, the aggregate liability per breach would remain the same and not exceed $750,000.
What’s Next?
The bill to amend the existing data breach law (SB 360) seems to have more momentum than the bill to revise the consumer privacy law (SB 359). SB 360 was reported favorably without amendment by both the Committee on Finance, Insurance, and Consumer Protection and the Committee of the Whole, and it’s now been referred to the House Committee on Government Operations.
However, the Michigan Chamber of Commerce has come out against both bills. It argues that they would hurt small business, create an additional patchwork of regulations, and lead to confusion for businesses trying to comply.
Both bills must be voted on and passed by the end of the legislative session in December of this year. [Actually December 2026 - AN] If either bill is passed, it will be presented to Governor Gretchen Whitmer for her signature in order to become law. The Governor has not expressed a position on either bill.
What Should Businesses Do?
We recommend that businesses continue to monitor the progress of Michigan Senate Bills 359 and 360. The best way to track this legislation is to subscribe to Fisher Phillips’ Insight System to get the most up-to-date information direct to your inbox. Also:
Consider any necessary changes to your identity theft protection and cyber security practices, particularly focusing on the expanded scope of the definition of personal information and timelines for notification under the proposed bill.
Conduct regular risk assessments and test your Incident Response Plan.
Evaluate your current Privacy Policy to determine any changes that may be required if your business needs to comply with Senate Bill 359.