Michigan - Sectoral Privacy Overview
The Constitution of Michigan does not provide a general right of privacy.
2.1. Personal Information Breach Notification
Michigan has enacted a personal information breach notification law, known as the Identity Theft Protection Act, found under §445.61 et seq. of Act 452 of 2004 of Chapter 445 of the Michigan Compiled Laws ('MCL'). The Identity Theft Protection Act applies to any individual, partnership, corporation, limited liability company, association, or other legal entity, or any department, board, commission, office, agency, authority, or other unit of state government of Michigan that owns or licenses data including personal identifying information of a Michigan resident (MCL §445.63).
Under the Identity Theft Protection Act, a covered entity shall provide notice of the breach to each resident of Michigan if:
- the resident's unencrypted and unredacted personal information was accessed and acquired by an unauthorised person; or
- the resident's personal information was accessed and acquired in encrypted form by a person with unauthorised access to the encryption key.
The following definitions are key to understanding whether the law's notification obligations are triggered.
Breach of the security of a database or security breach: The unauthorised access and acquisition of data that compromises the security or confidentiality of personal information maintained by a person or agency as part of a database of personal information regarding multiple individuals (MCL §445.63(b)).
These terms do not include unauthorised access to data by an employee or other individual if the access meets all of the following (MCL §445.63(b)):
- the employee or other individual acted in good faith in accessing the data;
- the access was related to the activities of the agency or person; and
- the employee or other individual did not misuse any personal information or disclose any personal information to an unauthorised person.
Encrypted: The transformation of data through the use of an algorithmic process into a form in which there is a low probability of assigning meaning without use of a confidential process or key, or securing information by another method that renders the data elements unreadable or unusable (MCL §445.63(g)).
Personal information: The first name or first initial and last name linked to one or more of the following data elements of a resident of Michigan (MCL §445.63(r)):
- social security number;
- driver's license number or state personal identification card number;
- demand deposit or other financial account number, or credit card or debit card number, in combination with any required security code, access code, or password that would permit access to any of the resident's financial accounts.
Redact: To alter or truncate data so that no more than four sequential digits of a driver's license number, state personal identification card number, or account number, or no more than five sequential digits of a social security number, are accessible as part of personal information (MCL §445.63(t)).
Like most personal information breach notification laws, the Identity Theft Protection Act allows notification to be delayed in certain circumstances. In particular, notification may be reasonably delayed if a law enforcement agency determines that the notice will impede a criminal investigation or jeopardise homeland or national security. Notification shall be given as soon as reasonably practicable after the law enforcement agency determines that it will not impede a criminal investigation and will not jeopardise homeland or national security (MCL §445.72(4)).
Notification to affected individuals may be provided by one of the following methods (MCL §445.72(5)(a) to (c)):
- written notice sent to the recipient at the recipient's postal address in the records of the agency or person;
- written notice sent electronically to the recipient if:
- the recipient has expressly consented to receive electronic notice;
- the entity has an existing business relationship with the recipient that includes periodic email communications and based on those communications the entity reasonably believes that it has the recipient's current email address; or
- the entity conducts its business primarily through internet account transactions or on the internet; or
- telephonic notice given by an individual who represents the entity if:
- the notice is not given in whole or in part by use of a recorded message;
- the recipient has expressly consented to receive notice by telephone, or if the recipient has not expressly consented to receive notice by telephone, the entity also provides notice pursuant to the above methods if the notice by telephone does not result in a live conversation between the individual representing the entity and the recipient within three business days after the initial attempt to provide telephonic notice.
Substitute notice may be used if the entity demonstrates that the cost of providing notice through one of the means above will exceed $250,000 or that the entity must provide notice to more than 500,000 residents (MCL §445.72(5)(d)). 'Substitute notice' is accomplished by doing all of the following:
- if the person or agency has electronic mail addresses for any of the residents of Michigan who are entitled to receive the notice, providing electronic notice to those residents;
- if the person or agency maintains a website, conspicuously posting the notice on that website; and
- notifying major statewide media.
A notification under MCL §445.72(5) shall include a telephone number or a website address that a person may use to obtain additional assistance and information (MCL §445.72(5)).
Notification to affected individuals must (MCL §445.72(6)):
- be written in a clear and conspicuous manner, and shall clearly communicate the content required;
- describe the security breach in general terms;
- describe the type of personal information that is the subject of the unauthorised access or use;
- if applicable, generally describe what the agency or person providing the notice has done to protect data from further security breaches;
- include a telephone number where a notice recipient may obtain assistance or additional information; and
- remind notice recipients of the need to remain vigilant for incidents of fraud and identity theft.
If notification is provided to more than 1,000 persons of a breach of security, the entity shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on a nationwide basis of the timing, distribution, and content of the notices (MCL §445.72(8)).
The Identity Theft Protection Act provides criminal penalties for notice of a security breach that has not occurred, where such notice is given with the intent to defraud. The offense is a misdemeanour, punishable by imprisonment for not more than 30 days or a fine of not more than $250 per violation (or both). The penalty is the same for second and third violations, except that the fine increases to $500 per violation and $750 per violation, respectively.
Similarly, entities who distribute an advertisement or make any other solicitation that misrepresents to the recipient that a security breach has occurred that may affect the recipient are punishable by imprisonment for not more than 93 days or a fine of not more than $1,000 per violation (or both). The penalty is the same for second and third violations, except that the fine increases to $2,000 per violation and $3,000 per violation, respectively (MCL §445.69 and MCL §445.71).
In the event of a personal information breach, organisations are at risk of regulatory enforcement action. For example, the Attorney General ('AG') has joined multi-state enforcement actions in the past for incidents involving the breach of personal information.
3.1. Health Care Records
Under Michigan law, a health care corporation must use reasonable care to secure medical records from unauthorised access, and to collect only personal data that is necessary for the proper review and payment of claims and for health care operations, treatment, and research. Except as is necessary for the purpose of claims adjudication, claims verification, health care operations, treatment, research, payment, health oversight activities, or when required by law, a health care corporation shall not disclose records containing personal data that may be associated with an identifiable member, or personal information concerning a member, to a person other than the member, without the prior and specific informed consent of the member to whom the data or information pertains. The member's consent shall be in writing (§550.1406(1) of Part 4 of Act 350 of 1980 of Chapter 550 of the MCL).
If a member has authorised the release of personal data to a specific person, a health care corporation shall make a disclosure to that person upon the condition that the person shall not release the data to a third person unless the member executes in writing another prior and specific informed consent authorising the additional release (MCL §550.1406(1)).
A health care corporation that violates MCL §550.1406 is guilty of a misdemeanour, punishable by a fine of not more than $1,000 for each violation (MCL §550.1406(3)).
A member may bring a civil action for damages against a health care corporation for a violation of MCL §550.1406 and may recover actual damages or $200, whichever is greater, together with reasonable attorneys' fees and costs (MCL §550.1406(4)).
Michigan persons or businesses processing financial data are subject to the provisions of the Identity Theft Protection Act, described above in section 2.1.
In addition, from 20 January 2021, insurance businesses in Michigan became subject to §500.100 et seq. of Act 218 of 1956 of Chapter 500 of the MCL ('the Insurance Code').
The Insurance Code provides that commensurate with the size and complexity of the licensee, the nature and scope of the licensee's activities, including its use of third-party service providers, and the sensitivity of the nonpublic information used by the licensee or in the licensee's possession, custody, or control, each licensee shall develop, implement, and maintain a comprehensive written information security program, based on the licensee's risk assessment, that contains administrative, technical, and physical safeguards for the protection of nonpublic information and the licensee's information system (MCL §500.555(1)).
Occurrence of Cybersecurity Event: Unless the licensee determines that the cybersecurity event has not or is not likely to cause substantial loss or injury to, or result in identity theft with respect to, one or more residents of Michigan, a licensee that owns or licenses data that are included in a database that discovers a cybersecurity event, or receives notice of a cybersecurity event under MCL §500.561(2), shall provide a notice of the cybersecurity event to each resident of Michigan who meets one or more of the following (MCL §500.561(1)):
- that resident's unencrypted and unredacted personal information was accessed and acquired by an unauthorised person; and/or
- that resident's personal information was accessed and acquired in encrypted form by a licensee with unauthorised access to the encryption key.
A licensee shall provide any notice required under MCL §500.561 by providing one or more of the following to the recipient (MCL §500.561(5)):
- written notice sent to the recipient at the recipient's postal address in the records of the licensee.
- written notice sent electronically to the recipient if any of the following are met:
- the recipient has expressly consented to receive electronic notice;
- the licensee has an existing business relationship with the recipient that includes periodic electronic mail communications and based on those communications the licensee reasonably believes that it has the recipient's current electronic mail address; and/or
- the licensee conducts its business primarily through internet account transactions or on the internet;
- if not otherwise prohibited by state or federal law, notice given by telephone by an individual who represents the licensee if all of the following are met:
- the notice is not given in whole or in part by use of a recorded message; and
- the recipient has expressly consented to receive notice by telephone, or if the recipient has not expressly consented to receive notice by telephone, the licensee also provides notice under MCL §500.561(5)(a) or (b) if the notice by telephone does not result in a live conversation between the individual representing the licensee and the recipient within three business days after the initial attempt to provide telephonic notice.
4.2. Scope of Application/Key Definitions
Authorised Individual: An individual known to and screened by the licensee and determined to be necessary and appropriate to have access to the nonpublic information held by the licensee and its information systems (MCL §500.553(a)).
Consumer: An individual, including, but not limited to, an applicant, a policyholder, an insured, a beneficiary, a claimant, and a certificate holder, who is a resident of Michigan and whose nonpublic information is in a licensee's possession, custody, or control (MCL §500.553(b)).
Cybersecurity event: An event that results in unauthorised access to and acquisition of, or disruption or misuse of, an information system or nonpublic information stored on an information system (MCL §500.553(c)).
'Cybersecurity event' does not include either of the following:
- the unauthorised acquisition of encrypted nonpublic information if the encryption, process, or key is not also acquired, released, or used without authorisation; and
- the unauthorised access to data by a person if the access meets both of the following criteria:
- the person acted in good faith in accessing the data; and
- the access was related to activities of the person.
Each licensee shall notify the director as promptly as possible but not later than ten business days after a determination that a cybersecurity event involving nonpublic information that is in the possession of a licensee has occurred when either of the following criteria has been met (MCL §500.559(1)):
- Michigan is the licensee's state of domicile, for an insurer, or Michigan is the licensee's home state, for an insurance producer as that term is defined in MCL §500.1201, and the cybersecurity event has a reasonable likelihood of materially harming either of the following:
- a consumer residing in Michigan; or
- any material part of a normal operation of the licensee;
- the licensee reasonably believes that the nonpublic information involved is of 250 or more consumers residing in Michigan and is either of the following:
- a cybersecurity event impacting the licensee of which notice is required to be provided to any government body, self-regulatory agency, or other supervisory body under any state or federal law; and
- a cybersecurity event that has a reasonable likelihood of materially harming either of the following:
- any consumer residing in Michigan; or
- any material part of the normal operation of the licensee.
Michigan persons or businesses processing financial data are subject to the provisions of the Identity Theft Protection Act, described above in section 2.1.
6.1. Children's Data
Children's data is governed by the protection of pupil privacy law under §380.1136 of Part 15 of Article 2 of Act 451 of 1976 of Chapter 380 of the MCL ('the Protection of Pupil Privacy Law'). The law ensures the Michigan Department of Education or Center for Educational Performance and Information ('CEPI') shall not sell any information that is part of a pupil's education records.
The Department of Education and CEPI are required each to post on their website a notice of the information collected for a pupil's education records. The notice shall include at least an inventory of all pupil data elements collected by the Department of Education or CEPI and a description of each pupil data element (MCL §380.1136(1)(b)).
At least 30 days before initiating the collection of any pupil data elements in addition to those already disclosed in the inventory under MCL §380.1136(1)(b), the Department of Education or CEPI shall post on its website a notice of the additional pupil data elements it is proposing to collect and an explanation of the reasons for the proposal (MCL §380.1136(1)(c)).
The Department of Education or CEPI shall not disclose any information concerning a pupil that is collected or created by them except in accordance with a policy adopted and made publicly available by the Superintendent of Public Instruction or State Budget Office Director, as applicable, that clearly states the criteria for the disclosure of the information (MCL §380.1136(1)(d)).
The Department of Education or CEPI shall ensure that any contract it has with a vendor that allows the vendor access to education records contains express provisions requiring the vendor to protect the privacy of education records and provides express penalties for noncompliance (MCL §380.1136(1)(e)).
7.1. Unauthorised Electronic Messages
The Unsolicited Commercial Email Protection Act, under §§445.2501 to 445.2508 of Act 42 of 2003 of Chapter 445 of the MCL, requires any individual sending or causing to be sent unsolicited emails through an email service provider located within Michigan or to a resident of Michigan to (MCL §445.2503):
- include 'ADV:' as the first four characters in the email subject line;
- provide clear and conspicuous language detailing the sender's:
- legal name;
- correct address;
- valid internet domain; and
- valid email return address;
- establish a toll-free telephone number, a valid sender-operated return email address, or another easy-to-use electronic method that the recipient of the commercial email message may call or access by e-mail or other electronic means to notify the sender not to transmit by email any further unsolicited commercial email messages; and
- conspicuously provide in the text of the commercial e-mail, in print as large as the print used for the majority of the e-mail, a notice that informs the recipient that the recipient may conveniently and at no cost be excluded from future commercial e-mail from the sender.
MCL §445.2504 prohibits any individual from sending an unsolicited email to a Michigan resident that contains mischaracterisations of its origin. This may include using a third-party's internet domain in identifying a point of origin or misrepresenting information necessary in identifying the sender of such emails. In instances where a recipient of emails opts out, the sender is prohibited from sending any further emails either directly or indirectly.
A sender of unsolicited commercial emails must establish and maintain policies and records to ensure that the recipient who has opted out will not receive any further unsolicited emails. It is required that these policies and procedures are updated at a minimum of every 14 business days (MCL §445.2504).
An individual who violates these Sections is guilty of a misdemeanour and is subject to a prison sentence of not more than one year and/or a fine of not more than $10,000. If the violation is in furtherance of another crime, the individual is guilty of a felony punishable by no more than four years imprisonment and/or a fine of no more than $25,000. Each commercial email sent in violation of these provisions is considered a separate violation and punishable accordingly. It is considered a per se violation if the recipient of the commercial communication is unable to contact the sender through the return email address provided. However, it is considered a defense to liability if the violating communication was transmitted accidentally or as a result of a previous, ongoing business relationship (MCL §445.2507).
An injured party under these provisions is entitled to seek civil remedy in the form of actual damages or statutory damages (MCL §445.2508). In lieu of actual damages, the individual may recover the lesser of $500 per unsolicited commercial email, or $250,000 for each day that the violation occurs. Additionally, the recipient may be awarded reasonable attorneys' fees.
7.2. Telemarketing Solicitation
The Home Solicitation Sales Act, under §§445.111 to 445.117 of Act 227 of 1971 of Chapter 445 of the MCL, specifically MCL §445.111a, prohibits home solicitation sales using pre-recorded messages. Pursuant to MCL §445.111c, it is considered an unfair or deceptive act or practice and violation of the act for a telephone solicitor to:
- misrepresent or fail to disclose, in clear and conspicuous language the following information:
- total purchase price for goods or services;
- restrictions, limitations, or conditions to purchase or use the goods that are subject to the offer;
- material terms or conditions concerning the refund, cancellation, or exchange policy;
- material costs or conditions related to receiving a prize;
- any material aspect of an investment opportunity the seller is offering;
- the quantity and any material aspect of the quality or basic characteristics of any goods or services offered; and
- the individual's right to cancel the sale;
- misrepresent any material aspect of the quality of the goods or services;
- make a telephone solicitation to a consumer who has requested not to receive calls;
- offer a prize promotion in which a purchase is necessary to obtain the prize;
- process payment before receiving the consumer's authorisation; and
- make false or misleading statements with the purpose of inducing the consumer to pay for goods.
The Michigan Legislature has adopted the federal Do Not Call Registry as the state of Michigan's do not call list. Telemarketers are required to check their solicitation lists and remove all registered numbers periodically.
The telemarketing solicitation provision applies specifically to 'home solicitation sale[s]', which specifically includes calls placed at a consumer's home for goods or services exceeding $25 (MCL §445.111). At the beginning of each solicitation, the solicitor must state their full name and the name of the organisation or person they are calling on behalf of. A natural person must be available to answer the telephone when solicitations are being made. Furthermore, a telephone solicitor may not block or otherwise interfere with the caller ID function when calling a residential subscriber.
MCL §445.111c states that an individual who knowingly or intentionally violates this Section is guilty of a misdemeanour punishable by imprisonment for not more than six months and/or a fine of not more than $500. In regard to civil remedies, a person who suffers a loss due to a violation of this Section may bring an action to recover actual damages or statutory damages of $250, whichever is greater, and attorneys' fees may also be awarded (MCL §445.111d).
7.3. Malicious Use of Service Provided by Telecommunication Service
§750.540e of Chapter LXXXII of Act 328 of 1931 of Chapter 750 of the MCL prohibits the malicious use of any service provided by a telecommunications service provider with the intent to terrorise, frighten, intimidate, harass, or annoy. Actions subject to the statute include but are not limited to threatening physical harm, repeatedly initiating calls to an individual's number, using vulgar, offensive language, and making unsolicited commercial telephone calls between the hours of 9 p.m. and 9 a.m. A violation of this Section is considered a misdemeanour subject to not more than a six-month prison sentence and/or a fine of not more than $1,000.
7.4. Faxes, Texts, and Other Media Anti-Solicitation
The Facsimile Machines Act under §§445.1771 to 445.1776 of Act 48 of 1990 of Chapter 445 of the MCL, specifically MCL §445.1772, prohibits the sending of any advertisement by facsimile without first obtaining the consent of the recipient. Consent for the purpose of the Section may be given by telephone to a particular vendor or by general notification to marketing or industry trade associations. The aforementioned consent does not include consent to have a facsimile number published in a directory or disseminated to any other person.
Enforcement of this provision is the duty of the AG (MCL §445.1773). If the AG knows of or has reason to believe that a violation occurred, they must notify the violating person with a cease and desist and provide the individual with an opportunity to meet and confer with the AG. The AG may settle the matter by accepting an assurance of discontinuance from the violating individual in writing (MCL §445.1774).
After such action has been taken, if the AG believes that there is probable cause of a continuous violation of the statute, an action for temporary or permanent injunction may be initiated. If the individual knowingly violates the terms of the injunction, order, decree, or judgment, they shall pay a statutory fine of no more than $500 for each violation (MCL §445.1775).
A person who receives an advertisement in violation of statute is permitted to file a civil action if the following requirements are met (MCL §445.1776):
- the AG issued a notice to cease and desist;
- the person who sent the advertisement entered into an assurance of discontinuance with the AG; and
- the person notified the sender in writing that they did not have the person's consent to send the advertisement.
If the aforementioned requirements are met, the consumer is entitled to recover actual damages or $500, whichever is greater, plus reasonable attorneys' fees (MCL §445.1776).
8.1. Social Media and Private Internet Accounts
The Internet Privacy Protection Act, under §§37.271 to 37.278 of Act 478 of 2012 of Chapter 37 of the MCL, prohibits employers and educational institutions from requiring individuals to allow access or disclose information pertaining to personal internet accounts. Pursuant to MCL §§37.273 and 37.274, employers and educational institutions are expressly prohibited from:
- requesting an employee or applicant to grant access or allow observation of an employee's or applicant's personal internet account; and/or
- discharging, disciplining, failing to hire, expelling, or otherwise penalising an employee or applicant for failure to grant access to their personal internet account.
The Act provides a host of exceptions for employers, which can be found in MCL §37.275. The exceptions include but are not limited to:
- requesting or requiring an employee to disclose access information to the employer to gain access to the following:
- an electronic device paid for in whole or part by the employer; or
- an account or service provided by the employer to the employee for business purposes;
- disciplining or discharging an employee for transferring the employer's proprietary or confidential information to a personal internet account;
- conducting an investigation into workplace misconduct requiring employee cooperation (see additional requirements MCL §37.275);
- restricting or prohibiting access to an employee's accounts while using devices paid for by an employer or using an employer's network or resources; and
- screening employees or applicants prior to hiring according to federal law or a self-regulatory organisation.
Pursuant to MCL §37.276, educational institutions are not prohibited from requesting or requiring a student to disclose access information when either the electronic communication device was paid for in whole or part by the institution or an account or service was provided by the institution to the student for educational purposes. This Section does not prohibit an institution from viewing or accessing information of a student or applicant obtained in the public domain.
Under these Sections, an employer or educational institution is under no affirmative duty to search or monitor personal internet accounts (MCL §37.277). However, a violation of the aforementioned provisions is considered a misdemeanour punishable by a fine of not more than $1,000. A private right of action is permitted, but the individual must first serve written demand on the institution 60 days before filing the civil action detailing the remedy sought (MCL §37.278).
9.1. Data Breach
The Identity Theft Protection Act applies to an individual or legal entity that owns or licenses data of one or more Michigan residents (MCL §445.65a). The Act protects against unauthorised access and acquisition of data that contains confidential information, which includes social security number, driver's license number or state identification card, or financial information that would permit access to a resident's accounts.
Pursuant to MCL §445.72, notification of a data breach is required if the resident's unencrypted and unredacted personal information was accessed and acquired by an unauthorised person, or the resident's information was acquired in encrypted form by a person with access to the encryption key. In instances that a breach has not or is not likely to cause substantial loss or injury to an individual, notification is not required. Notice may be provided through written record sent to recipient's postal address, telephonic notice, or electronic notice (see additional requirements under MCL §445.72(4) to (18)).
Breaches of over 1,000 Michigan residents require an entity to notify each consumer reporting agency. Such notification must include the number and timing of notices that the entity provided to residents. In some instances, substituted notice is permitted if the entity demonstrates that the cost of providing such notice would exceed $250,000 or that the notice has to be provided to more than 500,000 Michigan residents. The substituted notice includes:
- email notice to all of those individuals affected;
- conspicuous posting of the notice on the entity's website; and
- notification to all major statewide media outlets.
Any such notice must include a telephone number or website address that a person may use to obtain assistance.
A person that knowingly fails to provide any required notice of a security breach may be ordered to pay a civil fine of not more than $250 for each failure to provide notice. The aggregate liability for a violation is capped at $750,000.
9.2. Data Disposal
MCL §445.72a requires the disposal of personal information when it is removed from a database, and the person or agency is not retaining the data elsewhere. However, the Section does not prohibit the retention of personal information for the purposes of an investigation, audit, or internal review. A person who knowingly violates this Section is guilty of a misdemeanour punishable by a fine of not more than $250 for each violation.
10.1. Children's Protection Registry
The Michigan Children's Protection Registry Act, under §§752.1061 to 752.1068 of Act 241 of 2004 of Chapter 752 of the MCL, provides for telecommunications and email contact points used by minors. The Children's Protection Registry Act prohibits sending a message to a contact point that has been registered on the state's child protection registry for more than 30 days (MCL §752.1065). Prohibited contacts include messages with the primary purpose of advertising a product or service that the minor is prohibited under the law from purchasing, viewing, possessing, participating in, or otherwise receiving.
A person who violates the Children's Protection Registry Act is guilty of a misdemeanour punishable by imprisonment of not more than a year and/or a fine of $10,000. Subsequent violations are considered felonies and punishable for up to three years imprisonment and/or a $300,000 fine (MCL §752.1067). Additionally, all equipment used to perpetrate the communication in violation of these Sections, and money derived, is subject to forfeiture.
MCL §752.1068 provides a civil right of action for a violation of the aforementioned Sections. Under MCL §752.1068, a person bringing an action may recover actual damages, including reasonable attorneys' fees. In lieu of actual damages, the individual may recover $5,000 per each message received, or $250,000 for each day that the violation occurs, whichever is the lesser.