Michigan Privacy Policy

Unlike other states, such as California and Illinois, Michigan does not yet have a comprehensive, far-reaching data privacy law. However, businesses in Michigan must still comply with federal data protection laws and regulations, as well as several related Michigan laws regarding data breach notifications and identity theft protection.

Data privacy
  • Michigan does not have a comprehensive, far-reaching data protection law; however, several bills have been introduced over the past few years in an effort to increase consumer protections.
  • Under current Michigan law, companies are required to notify consumers of data breaches that could potentially cause harm, such as identity theft.
  • Victims of data breaches in Michigan may have legal options under other laws, including the ability to pursue or join a class action, depending on the circumstances.

As of early 2026, Michigan still lacks a comprehensive data protection law for consumers, but businesses in the state must still abide by federal laws and regulations. However, several data privacy bills have been proposed over the last several years. In 2025, the Michigan Senate introduced Senate Bill 359, the Personal Privacy Data Act, which would establish consumers’ rights related to the collection and use of their personal data. The bill is still pending as of January 2026.

If passed, S.B. 359 would require data collectors to obtain consumers’ consent before processing their personal data and to provide a privacy notice regarding the purpose of the data processing. This would not apply to state agencies or medical data protected by HIPAA. Additionally, S.B. 359 would require businesses to allow consumers to opt out of data collection.

Overview of Data Privacy in Michigan

Michigan does not have a comprehensive, enacted state data privacy law. However, existing laws like the Identity Theft Protection Act require businesses to safeguard sensitive information and provide prompt breach notifications. In the absence of a comprehensive state data protection law, Michigan businesses must follow existing breach notification rules and federal privacy laws.

Michigan’s Data Breach Notification Law

Under Michigan’s Identity Theft Protection Act of 2004 (ITPA), businesses are required to provide notice of a security breach to each resident whose unencrypted and unredacted personal information was accessed and acquired by an unauthorized person. There is an exception: if the agency that experienced a breach determines it is unlikely to cause substantial harm to residents, notification may not be necessary.

ITPA mandates that data breach notifications must be provided “without unreasonable delay,” unless a delay is necessary to determine the scope of the breach, restore the integrity of the database, or comply with law enforcement actions. Notice must be provided to the recipient’s postal address and/or electronically and must contain certain information about the breach.

Who Must Comply

Under the ITPA, a data breach is defined as unauthorized access and acquisition that compromises the security or confidentiality of covered information. This doesn’t apply to information that is encrypted or redacted, as long as the encryption key wasn’t also accessed. The act specifies that breach notifications for consumers are not required if the entity that was breached determines that the breach has not caused and will not likely cause substantial harm to the affected people.

Timing and Content of Notifications

The ITPA stipulates that data breach notifications must be made without unreasonable delay and must be consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity of the system.

Notices must describe the security breach in general terms, describe the type of personal information that was subject to unauthorized access or use, and explain what the agency is doing to protect data from further breaches. Additionally, notices must include a phone number where recipients can obtain help or more information, and remind recipients of the need to remain vigilant for incidents of fraud or identity theft.

What Types of Personal Information Are Covered by Michigan Law?

Under Michigan law, personally identifiable information protected from data breaches includes an individual’s first name or initial and last name, combined with their Social Security number, driver’s license or ID card number, or financial account information.

Business Obligations Under Michigan Law

Michigan’s Streamlined Sales and Use Tax Administration Act prohibits certified service providers from retaining or disclosing consumers’ personally identifiable information. Their security and data management systems must be designed and tested to ensure consumer privacy. Businesses based in Michigan or that do business in the state must follow these regulations to remain compliant.

Implement Reasonable Security Measures

In light of Michigan’s laws and regulatory expectations, businesses should implement robust defenses, such as encryption, firewalls, and multi-factor authentication. Additionally, keep all software up to date, train employees on phishing awareness, use strong passwords, back up data, and secure your business’s Wi-Fi network.

Prepare Incident Response & Notification Protocols

Although Michigan lacks a comprehensive data protection law, the ITPA still requires businesses to notify Michigan residents when their data is breached. Have systems in place to be ready in case of a breach so that notifications can be sent out as soon as possible. Businesses should also plan methods for detecting and investigating breaches.

Monitor Pending Legislation to Avoid Future Noncompliance

It’s crucial for businesses in Michigan to monitor the status of pending legislation, such as S.B. 359, which, if passed, would take effect one year later. This bill, along with others like it, would affect the way businesses in Michigan must respond to and prepare for data breaches.

What Michigan Consumers Should Do After a Data Breach

If you have been affected by a data breach in Michigan, take the following steps to protect yourself, your information, and your rights.

  • Verify What Data Was Compromised: Check the breach notice you received to understand what types of personal information were accessed.
  • Credit Monitoring, Freezes & Identity Protections: The breached company may provide free services for monitoring or freezing your credit. Additionally, keep an eye on your bank statements for any unusual activity.
  • File a Legal Claim: Although Michigan’s breach law doesn’t provide a private right of action under that statute, victims may still have recourse under other laws or class actions.

How to File a Data Breach Lawsuit

When a business fails to protect your information, you may have grounds to file or join a class action lawsuit. Even if your stolen information has not yet been used, the imminent risk of harm may qualify as an injury, giving you standing to file a claim. It’s important to consult an experienced data breach attorney before filing a claim to determine the best course of action, be it through an individual lawsuit or a class action.

Class Action U is your authoritative source for all things related to class action lawsuits, serving as your first stop for the latest updates. Our goal is to simplify the process for individuals to join ongoing lawsuits, connecting them with our law firm partners who are ready to handle their cases. Contact Class Action U to be connected with a class action lawyer today.

Speak to a Data Breach Lawyer in Michigan

Though Michigan’s data privacy laws are not as comprehensive as those of many other states, consumers still have the right to be notified of a data breach and take legal action if their personal information is stolen. At Class Action U, we can help you determine whether there are class action opportunities or legal support options available after a breach.
