Data Privacy Regulations

Terms of Use

This summary of regulations is provided for information purposes only.
No action based on this summary alone should be undertaken.
Each individual or entity must obtain appropriate guidance for its specific circumstances.


Did You Know?

  • Comprehensive requirements for notice letter and notification delivery
  • Data owners are responsible for reporting and notifications
  • Vendors must report to MI Data Owners
  • Reporting to Consumer Reporting Agencies may be required with specific information
  • Michigan’s state attorney general may bring a civil action to recover a civil fine of up to $25,000 for each violation, not to exceed $750,000 per breach. Civil remedy is allowed.

Who Me?


Michigan breach and notification laws may apply if you are a person or agency that:

  • Owns or licenses data that are in a database
  • Maintains a database that includes data that the person or agency does not own or license

There are exemptions.

Other state or federal laws, industry regulations, and/or out-of-country laws may apply.

What is PII?


PII relevant to a breach in Michigan includes a person's name plus one or more of the following:

  • Social Security Number
  • Driver license or state identification card number
  • Demand deposit or other financial account, credit or debit card number, in combination with any required security or access code, etc. permitting access to the individual's account



A few applicable statutes include, but are not limited to:

Chapter 445 Trade and Commerce

Section 445.72 Identity Theft Protection Act

445.62, 445.72


Michigan has personal information data protection and disposal laws. 

These statutes include, but are not limited to:

Chapter 445 Trade and Commerce

Section 445.72 Identity Theft Protection Act

445.62, 445.72a

Chapter 445 Trade and Commerce

Section 445.83 of Social Security Number Privacy Act



The penalty for a person that knowingly fails to provide any notice of a security breach is up to $25,000 for each failure to provide notice, and the attorney general may bring a civil action to recover a civil fine. Total aggregate liability is not to exceed $750,000. Civil remedy is available.



Considerations for reporting requirements include, but are not limited to:

  • The combination of personal information breached
  • If the data was computerized
  • If the data was encrypted or redacted
  • If it was acquired by an unauthorized person
  • Whether the breach will, or is likely to, cause substantial loss or injury
  • Whether the breach will, or is likely to, result in identity theft


Notification may be delayed if law enforcement advises the person it will impede a criminal or civil investigation or jeopardize homeland or national security; otherwise the notification must be made without unreasonable delay.


Notification requires detailed information and the potential provision of services.

Disclosure may be made by written notice, telephone, or electronically (with stipulations). 

A substitute notice, with specific requirements, may be sent if the cost of the notice exceeds $250,000 or the number of persons notified exceeds 500,000.
