“The bill would enact the “Personal Privacy Data Act” to establish consumers’ rights related to the collection and use of personal data. It also would establish requirements of collectors and processors of personal data. Among other requirements, a collector would have to obtain consent from a consumer before processing the consumer’s personal data and provide a privacy notice concerning the purpose of that data processing. The bill prescribes the scope of its provisions, specifying that its requirements would not apply to State agencies or collectors of medical data governed by the Health Insurance Portability and Accountability Act, or to other specified data. The bill would allow the Attorney General and consumers to initiate civil actions for violations and would create the Data Broker Registry and two funds for administration of the bill’s provisions.”

In other words, you will need to use software like the one provided by Captain Compliance to abide by the Michigan Personal Data Privacy Act. If you haven’t already booked a demo to see about getting compliant, or if you want a privacy audit, get with the Captain Compliance team ASAP.
Michigan is poised to join the growing list of states with comprehensive privacy legislation, but its proposed Personal Data Privacy Act (PDPA), driven by bills like Senate Bill 359 (SB 359) and its predecessors, introduces several provisions that elevate compliance requirements beyond the standard “Virginia-style” model. Notably, the bill proposes stricter controls over sensitive data, mandatory recognition of universal opt-out signals, and a Data Broker Registry designed to increase transparency and enforcement.
For business owners and large corporations, the PDPA is not merely another checklist; it mandates a re-engineering of data collection consent flows and data mapping architecture. While the law grants exclusive enforcement to the Attorney General (AG), the high penalty ceiling of up to $7,500 per violation means non-compliance carries a significant financial threat, demanding that privacy software solutions be robust, auditable, and automated.
The Architecture of the Michigan PDPA
The PDPA is structured to protect consumers by imposing explicit duties on Controllers (those who determine the purpose and means of processing personal data) and Processors (those who process data on behalf of a controller).
Applicability and Thresholds
The bill is aimed primarily at organizations with significant data processing operations, yet it is designed to capture data brokers aggressively. A business is covered if it conducts business in Michigan or targets its residents and meets one of the following thresholds:
- Controls or processes the personal data of at least 100,000 Michigan consumers in a calendar year.
- Controls or processes the personal data of at least 25,000 Michigan consumers in a calendar year and derives any amount of revenue from the sale of personal data.
Key Mandates for Controllers in Michigan
The bill requires data minimization and heightened security across all operations.
- Mandatory Sensitive Data Opt-In: Controllers must obtain the consumer’s affirmative consent before processing any sensitive data. This is a critical opt-in standard that forces companies away from passive collection models.
- Strictly Necessary Standard: Collection and processing of sensitive data must be limited to what is strictly necessary to provide or maintain the specific product or service requested by the consumer.
- Universal Opt-Out Recognition: Businesses must honor a technical opt-out preference signal (like the Global Privacy Control – GPC) for the purpose of opting a consumer out of targeted advertising and the sale of personal data.
- Prohibition on Targeted Ads to Minors: The bill sets a complete prohibition on targeted advertising to minors under the age of 18, effectively raising the protection bar for all digital services directed at teens.
- Data Broker Registry: Requires data brokers—entities that knowingly collect and sell or license brokered personal data of consumers with whom they have no direct relationship—to register annually with the Attorney General.
Comparison: Michigan PDPA vs. Established State Privacy Frameworks
Michigan’s proposal incorporates elements from both the established “opt-out” laws (Virginia/Connecticut) and the stricter “opt-in” frameworks (GDPR and, increasingly, California’s sensitive data requirements). This blend creates a unique compliance profile that businesses must address with purpose-built data privacy software.
| Feature | Michigan PDPA (Proposed) | California CPRA (Enacted) | Connecticut CTDPA (Enacted) | Virginia VCDPA (Enacted) |
| --- | --- | --- | --- | --- |
| Sensitive Data Consent | Affirmative Opt-In and Strict Necessity required for processing. | Opt-Out/Limit Use right for consumer. | Opt-In Consent required for processing. | Opt-In Consent required for processing. |
| Revenue Threshold | Any Revenue from sale (if processing 25k+ consumers). | $25 Million Gross Revenue. | None (Volume-only threshold). | None (Volume-only threshold). |
| Universal Opt-Out (GPC) | Required for Opt-Out of Sale/Targeted Ads. | Required for Opt-Out of Sale/Sharing. | Required for Opt-Out of Targeted Advertising/Sale. | Not Required. |
| Private Right of Action (PRA) | None (Exclusive AG Enforcement). | Limited PRA for Data Breaches only. | None. | None. |
| Data Broker Registry | Required (Annual registration with AG). | Required (Separate state law). | Not Required. | Not Required. |
| Enforcement Penalty Cap | Up to $7,500 per violation. | Up to $7,500 per intentional violation. | Up to $5,000 per violation. | Up to $7,500 per violation. |
The Operational Imperative: A Three-Step Readiness Plan
The Michigan PDPA elevates the requirement for privacy-by-design and automated compliance. The risk of incurring $7,500 fines requires businesses to eliminate manual, spreadsheet-based privacy processes.
1. Re-Engineer Consent and Opt-Out Flows: The most immediate technical challenge is honoring the affirmative opt-in requirement for sensitive data and the Universal Opt-Out Signal (GPC) simultaneously.
   - The platform must detect a GPC signal and automatically enforce the opt-out of sale/targeted advertising.
   - For sensitive data, the system must pause processing and prompt the consumer for an explicit, verifiable opt-in before proceeding, logging the consent for audit.
2. Conduct Data Protection Assessments (DPAs) and Minimization Audits: The PDPA requires DPAs for processing that presents a heightened risk of harm, including targeted advertising, data sales, and processing sensitive data. Your compliance software should guide this process, helping you:
   - Map data collection to a specific, necessary purpose.
   - Demonstrate that data is not retained longer than reasonably necessary for the purpose.
   - Document the safeguards used to mitigate risks identified in the DPA.
3. Establish Data Broker Registration and Deletion Protocol: If your business meets the data broker definition, the privacy platform must be configured to handle two concurrent duties:
   - Registration: Assign personnel and schedule annual registration with the Michigan AG (starting, for example, February 1, 2026, one year after potential enactment).
   - Deletion/Correction: Ensure the platform can locate, verify, and complete consumer deletion and correction requests across all databases within the 45-day response window required by the Act, including downstream notification to processors.
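The readiness steps above amount to one decision gate in front of every processing activity: refuse targeted advertising to minors, honor a GPC signal for sale and targeted advertising, and pause sensitive-data processing until an affirmative opt-in is on record, writing each decision to an audit trail and tracking the 45-day request deadline. The following Python model of that gate is an added illustration for this article, not Captain Compliance product code and not a legal reading of the bill. It assumes the GPC signal arrives as the `Sec-GPC: 1` request header defined by the Global Privacy Control specification; the category names, purposes, consent records and timestamps are constructed for the example, and which categories count as sensitive is decided by the bill's text rather than this list.

```python
"""Consent and opt-out gate modelled on the readiness plan (hypothetical example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Illustrative sensitive categories needing affirmative opt-in (constructed; the
# bill's own definition of sensitive data governs in practice).
SENSITIVE_CATEGORIES = {"health", "precise_geolocation", "biometric", "citizenship"}

# Purposes a Global Privacy Control signal opts the consumer out of.
GPC_OPT_OUT_PURPOSES = {"sale", "targeted_advertising"}

# Response window for deletion/correction requests stated in the article.
RESPONSE_WINDOW_DAYS = 45


@dataclass
class ConsentRecord:
    consumer_id: str
    category: str            # data category this consent covers
    granted: bool            # True = opt-in, False = later withdrawal
    recorded_at: datetime
    evidence: str            # reference to the consent UI event (constructed)


@dataclass
class Decision:
    action: str              # "proceed", "suppress" or "pause_prompt_opt_in"
    reason: str


def record_consent(consumer_id: str, category: str, granted: bool,
                   evidence: str, at_iso: str) -> ConsentRecord:
    """Build a consent record from an ISO-8601 timestamp (for auditability)."""
    return ConsentRecord(consumer_id, category, granted,
                         datetime.fromisoformat(at_iso), evidence)


def gpc_enabled(headers: Dict[str, str]) -> bool:
    """True when the request carries the GPC opt-out header, Sec-GPC: 1."""
    normalized = {k.lower(): v for k, v in headers.items()}
    return normalized.get("sec-gpc", "").strip() == "1"


def has_opt_in(consumer_id: str, category: str, consents: List[ConsentRecord]) -> bool:
    """The most recent record for this consumer and category decides; none = no opt-in."""
    matching = [c for c in consents
                if c.consumer_id == consumer_id and c.category == category]
    if not matching:
        return False
    return max(matching, key=lambda c: c.recorded_at).granted


def decide(consumer_id: str, purpose: str, category: str, headers: Dict[str, str],
           consents: List[ConsentRecord], is_minor: bool = False,
           audit: Optional[list] = None) -> Decision:
    """Apply the gate in order: minor ad ban, GPC opt-out, sensitive-data opt-in."""
    if purpose == "targeted_advertising" and is_minor:
        decision = Decision("suppress", "targeted advertising to a minor is prohibited")
    elif purpose in GPC_OPT_OUT_PURPOSES and gpc_enabled(headers):
        decision = Decision("suppress", f"GPC signal honored: opted out of {purpose}")
    elif category in SENSITIVE_CATEGORIES and not has_opt_in(consumer_id, category, consents):
        decision = Decision("pause_prompt_opt_in",
                            f"no affirmative opt-in on record for {category}")
    else:
        decision = Decision("proceed", "no opt-out signal; consent requirements satisfied")
    if audit is not None:   # every decision is logged for the AG-facing audit trail
        audit.append({"consumer": consumer_id, "purpose": purpose,
                      "category": category, "action": decision.action,
                      "reason": decision.reason})
    return decision


def response_deadline_iso(received_at_iso: str) -> str:
    """Deadline for a deletion/correction request received at the given time."""
    received = datetime.fromisoformat(received_at_iso)
    return (received + timedelta(days=RESPONSE_WINDOW_DAYS)).isoformat()


if __name__ == "__main__":
    log: list = []
    consents = [record_consent("c1", "health", True, "form-17", "2026-01-10T00:00:00+00:00")]
    print(decide("c1", "targeted_advertising", "browsing", {"Sec-GPC": "1"}, consents, audit=log))
    print(decide("c1", "service_delivery", "health", {}, consents, audit=log))
    print(decide("c2", "service_delivery", "health", {}, consents, audit=log))
    print(response_deadline_iso("2026-03-01T09:30:00+00:00"))
    print(len(log), "audit entries")
```

The ordering matters: the GPC check runs before the consent check so that a stored opt-in for a sensitive category never overrides a live opt-out of sale or targeted advertising, and a withdrawn consent is modelled as a later record with `granted=False` rather than by deleting the original, which keeps the evidence chain intact for an audit.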
The PDPA’s blend of broad coverage (low revenue trigger for data sellers) and stringent restrictions (strict necessity for sensitive data) makes it a critical piece of the US privacy landscape. Businesses that utilize advanced, integrated data privacy software will be best equipped to navigate the dual requirements of affirmative consent and technical opt-outs, protecting them from the high-stakes enforcement actions of the Michigan AG.