Introduction
The Michigan Personal Data Privacy Act (MPDPA) is a data privacy law that protects the personal information of Michigan residents. The MPDPA is modeled after the California Consumer Privacy Act (CCPA), which is widely regarded as the most comprehensive data privacy law in the United States. The MPDPA was passed in December 2020 and took effect on July 1, 2021. The Act seeks to protect the personal data of Michigan residents from data breaches, misuse, and other forms of exploitation.
Overview of the Michigan Personal Data Privacy Act
The Act applies to businesses that collect, process or store the personal data of Michigan residents. The MPDPA requires businesses to be more transparent about their data collection practices and to give consumers more control over their personal information. It also requires businesses to take reasonable steps to protect personal information from unauthorized access, use, and disclosure.
The Michigan Personal Data Privacy Act is designed to protect the privacy rights of Michigan residents and give them more control over their personal information. The State law also provides consumers with the right to opt-out of the sale of their personal data and request the deletion of their personal information.
What does the Michigan Personal Data Privacy Act cover?
The Michigan Personal Data Privacy Act covers personal information collected by a business from a Michigan resident. Personal information includes a person’s name, address, email address, phone number, social security number, bank account information, and health information. In addition, the law also covers any information that can be used to identify a person, including biometric data, such as fingerprints and retina scans.
The Act also covers personal information collected by third parties, such as data brokers, marketing companies, and advertising networks. The Michigan Personal Data Privacy Act applies to businesses that have collected personal information from Michigan residents in the past 12 months or have collected at least 10,000 records from the state in the past year.
The Michigan Personal Data Privacy Act & protection of consumer privacy
The MPDPA provides several protections for Michigan residents’ personal information. The law requires businesses to give consumers more control over their personal information. Consumers have the right to opt-out of the sale of their personal data, as well as the right to request the deletion of their personal information.
The law also requires businesses to take reasonable steps to protect personal information from unauthorized access, use, and disclosure. Businesses must provide consumers with clear and conspicuous notice of their data collection practices, how they use personal information, and the choices consumers have regarding using their personal information.
What types of consumer information does the Michigan Personal Data Privacy Act protect?
As mentioned before, the MPDPA protects the personal information of Michigan residents. This includes information such as a person’s name, address, email address, phone number, social security number, bank account information, and health information. In addition, the law also covers any information that can be used to identify a person, including biometric data, such as fingerprints and retina scans. The law also covers personal information collected by third parties, such as data brokers, marketing companies, and advertising networks.
The Michigan Personal Data Privacy Act (MPDPA) protects a wide range of consumer information, including:
Full name
Social security number
Driver’s license number or state ID number
Financial account number or credit card number
Health insurance information
Biometric data
Passwords and usernames for online accounts
Personal identifying information about a minor
Any other information that is linked or linkable to an individual.
It is important to note that the MPDPA applies to businesses and government entities that conduct business in Michigan and handle sensitive information about Michigan residents.
Businesses’ responsibilities under the Michigan Personal Data Privacy Act
Businesses that collect, process, or store the personal information of Michigan residents are required to comply with the MPDPA. Businesses must take reasonable steps to protect personal information from unauthorized access, use, and disclosure. Businesses must also provide consumers with clear and conspicuous notice of their data collection practices, how they use personal information, and the choices consumers have regarding the use of their personal information.
Businesses are also required to provide consumers with the right to opt-out of the sale of their personal information and request the deletion of their personal information. In addition, businesses must provide consumers access to their personal information and obtain consent before collecting sensitive personal data, such as health insurance portability information.
Implications of the Michigan Personal Data Privacy Act for businesses
The Michigan PDPA has a number of implications for businesses. Businesses must take steps to comply with the law, including developing a comprehensive data privacy policy, implementing a data protection impact assessment, and obtaining consent from consumers before collecting sensitive personal data.
Businesses must also provide consumers with clear and conspicuous notice of their data collection practices, how they use personal information, and the choices consumers have regarding the use of their personal information. In addition, businesses must provide consumers with the right to opt-out of the sale of their personal data, as well as the right to request the deletion of their personal information.
How can a business comply with the Michigan Personal Data Privacy Act?
Businesses that collect, process, or store the personal information of Michigan residents must comply with the MPDPA. Businesses should take the following steps in order to be compliant with the law:
Develop a comprehensive data privacy policy that outlines the business’s data collection, use, and sharing practices.
Implement a data protection impact assessment to evaluate the potential privacy risks of the business’s data collection and use practices.
Provide consumers with clear and conspicuous notice of their data collection practices, how they use personal information, and the choices consumers have regarding the use of their personal information.
Obtain consent from consumers before collecting sensitive personal data, such as health insurance portability information.
Provide consumers with the right to opt-out of the sale of their personal information, as well as the right to request the deletion of their personal data.
Take reasonable steps to protect personal information from unauthorized access, use, and disclosure.
Exceptions to the MPDPA: Health Insurance Portability and Accountability Act & Fair Credit Reporting Act
Yes, there are a few exceptions to the MPDPA. The law does not apply to covered entities governed by the Health Insurance Portability and Accountability Act (HIPAA) or the Fair Credit Reporting Act (FCRA). The law also does not apply to financial institutions regulated by state or federal law or other federal agencies, such as the Federal Trade Commission (FTC).
In addition, the law does not apply to businesses that collect personal information solely for direct marketing purposes. The law also does not apply to businesses that do not collect or store personal information, such as those that only use cookies or other tracking technologies.
Requirements and exceptions of the Michigan Personal Data Privacy Act
In addition to the protections and responsibilities outlined above, the Michigan PDPA also includes provisions for enforcement and penalties for non-compliance. The law grants the state attorney general the authority to investigate and bring enforcement actions against businesses that violate the law. Businesses disregarding the MPDPA may be subject to fines and penalties. Under the MPDPA, businesses are also required to notify individuals and the attorney general in case of a data breach. This includes providing notice to affected individuals without unreasonable delay and detailed information about the nature of the violation and the actions taken to address it.
The MPDPA also provides a private right of action for individuals whose rights have been violated. This means an individual can file a lawsuit against a business for violating the MPDPA. In addition, the MPDPA provides a transparency and accountability framework for data processors. Under the MPDPA, data processors must implement security measures to protect personal data and give the data controller information about the security measures implemented.
Businesses operating in Michigan should be aware of the MPDPA and take steps to ensure compliance with the law. This includes understanding the types of personal information covered by the law, developing comprehensive data privacy policies, and implementing appropriate security measures to protect personal information. The Michigan Personal Data Privacy Act is a comprehensive data privacy law that provides robust protections for Michigan residents’ personal information. The law was designed to protect the privacy rights of Michigan residents and give them more control over their personal information.
The penalties for violating the Michigan Personal Data Privacy Act
The penalties for violating the Michigan Personal Data Privacy Act can include fines, penalties, and civil damages. The exact amount of the penalty will depend on the nature and severity of the violation and may be determined by a court of law. Violations of the Michigan PDPA can result in major civil penalties per violation. In addition, the Michigan Attorney General can seek injunctive relief or restitution for consumers harmed by a business’s breaches of the law.
Under the Michigan Personal Data Privacy Act, the penalties for violating the law can be either civil or criminal in nature. Civil penalties may include fines of up to $2,500 per violation, while criminal penalties may include imprisonment for up to five years and/or fines of up to $250,000 for individuals or $500,000 for organizations.
Additionally, the Michigan Attorney General may seek an injunction to prevent future violations of the Act and may also seek damages for individuals who have suffered harm as a result of a violation. The act also provides for a private right of action, allowing individuals to bring a lawsuit against entities that have violated the act and recover damages, as well as attorney’s fees and costs. It is important to note that the penalties for violating the Michigan Personal Data Privacy Act can be severe, and it is important for organizations to take appropriate steps to protect the personal data of individuals in accordance with the law.
Conclusion
The Michigan PDPA is a comprehensive data privacy law that provides robust protections for Michigan residents’ personal information. The law applies to businesses that collect, process, or store the personal information of Michigan residents and requires them to take reasonable steps to protect personal information from unauthorized access, use, and disclosure. The law also provides consumers with the right to opt-out of the sale of their personal information, as well as the right to request the deletion of their personal information.
Businesses must take steps to comply with the law, including developing a comprehensive data privacy policy, implementing a data protection impact assessment, and obtaining consent from consumers before collecting sensitive personal data. Violations of the law can result in major civil penalties per violation. The law is an essential step in protecting Michigan residents’ privacy and ensuring that businesses are held accountable for their data collection practices.