Michigan Social Security Number Privacy Act

Michigan Social Security Data Protection Act

The Michigan Social Security Number Privacy Act (SSNPA), enacted as Public Act 454 of 2004 and codified at MCL 445.81 et seq., establishes comprehensive restrictions on how individuals, businesses, and government entities may collect, use, display, and transmit Social Security Numbers (SSNs) within the state of Michigan. The law reflects growing legislative concern in the early 2000s over identity theft and the misuse of SSNs as universal identifiers in both public and private sectors.

Legislative Background and Purpose

The Act was passed in response to the escalating national crisis of identity theft, which by the early 2000s had become the fastest-growing white-collar crime in the United States. SSNs, originally created by the Social Security Administration in 1936 solely to track workers’ earnings for retirement benefit purposes, had evolved into a de facto national identifier used across virtually every sector of the economy — banking, healthcare, education, employment, and beyond.

Michigan lawmakers recognized that the widespread and often careless use of SSNs dramatically increased residents’ vulnerability to identity theft and financial fraud. The SSNPA was designed to curtail unnecessary exposure of SSNs and impose affirmative duties on those who handle them.

Scope and Applicability

The Act applies broadly to:

  • Private persons and entities — including corporations, partnerships, sole proprietorships, associations, and individuals acting in a business capacity
  • State and local government agencies — with some specific exemptions
  • Any person or entity doing business in Michigan — even if not headquartered in the state

The Act does not apply to federal government agencies, which are governed by separate federal statutes such as the Privacy Act of 1974.

Core Prohibitions

The SSNPA establishes a set of strict prohibitions that govern how SSNs may — and may not — be handled.

1. Public Display and Posting

A person or entity shall not publicly post or display an individual’s SSN. This includes:

  • Printing an SSN on any card required for the individual to access products or services
  • Printing an SSN on any materials mailed to an individual, unless required by state or federal law
  • Displaying an SSN on the internet in any manner that is accessible to the general public

The intent is to prevent the casual exposure of SSNs on ID badges, membership cards, insurance cards, and similar documents — a practice that was remarkably common before the Act’s passage.

2. Use as a Primary Account Number or Identifier

Entities shall not use an SSN as the primary account number assigned to an individual. This was directed particularly at insurance companies and healthcare providers, which had historically printed SSNs directly on member ID cards (a practice that exposed the number every time someone visited a doctor or pharmacy).

3. Encoding and Embedding

The Act prohibits encoding or embedding an SSN in or on a card or document, including a bar code, chip, magnetic strip, or other technology, in a place or manner that would allow the SSN to be scanned, swiped, or otherwise accessed.

4. Requiring SSN Transmission Over Unsecured Channels

Entities shall not require an individual to transmit his or her SSN over the internet unless the connection is secure or the SSN is encrypted. This provision anticipated the rise of online transactions and web-based account management.

5. Requiring SSN for Access Without Other Authentication

An entity shall not require an individual to use his or her SSN to access an internet website unless a password, PIN, or other authentication device is also required.

6. Printing on Mailed Materials

Entities shall not print an individual’s SSN on any materials that are mailed to the individual. Exceptions exist where:

  • State or federal law requires it
  • The document is a form or application
  • The number is not visible through an envelope window or otherwise on the outside of the envelope

Affirmative Obligations

Beyond what entities cannot do, the SSNPA also imposes affirmative obligations on those who collect or maintain SSNs.

Written Policy Requirement

Any person or entity that collects SSNs in the course of business must develop a written privacy policy governing the use, protection, and proper disposal of SSNs. The policy must:

  • Ensure the confidentiality of SSNs
  • Prohibit the unlawful disclosure of SSNs
  • Limit who has access to SSNs
  • Describe procedures for proper disposal of documents containing SSNs

This requirement aligns with broader principles of information governance and forces organizations to be intentional about how they handle sensitive identifiers.

Secure Disposal

Though the Act focuses primarily on collection and use, the written policy requirement implicitly extends to secure disposal, ensuring that SSNs are not simply discarded in ways that allow unauthorized retrieval (e.g., dumpster diving — a recognized vector for identity theft).

Permitted Uses and Exceptions

The SSNPA is not absolute. It recognizes numerous legitimate uses of SSNs and carves out specific exceptions, including:

  • Federal and state law requirements — where disclosure or use is mandated by law (e.g., IRS tax forms, employment eligibility verification under federal law)
  • Internal verification purposes — entities may continue to use SSNs internally for verification and identification purposes, provided they are not publicly displayed
  • Applications and forms — SSNs may appear on applications and forms that require them for legitimate business or governmental purposes
  • Court orders and legal process
  • Fraud prevention and investigation
  • Law enforcement purposes
  • Background checks — in certain regulated contexts such as employment screening or professional licensing

The exceptions reflect a pragmatic acknowledgment that SSNs cannot be eliminated from all legitimate administrative processes — the goal is restriction of unnecessary exposure, not total elimination.

Enforcement and Penalties

Civil Liability

The SSNPA provides a private right of action for individuals whose SSNs are disclosed or used in violation of the Act. An aggrieved individual may bring a civil lawsuit and recover:

  • Actual damages — compensation for real, documented harm (financial loss, costs of remediation, etc.)
  • Statutory damages — up to $1,000 per violation, even where actual damages cannot be proven
  • Attorney’s fees and costs — prevailing plaintiffs may recover reasonable legal fees, which is a significant incentive for enforcement

Injunctive Relief

Courts may also award injunctive relief, ordering the violating party to cease the offending conduct and implement compliant policies and procedures.

Pattern and Practice Claims

Where violations are systemic — i.e., part of a pattern or practice rather than isolated incidents — courts may award enhanced damages, making compliance a matter of significant financial risk management for larger organizations.

No Criminal Penalties

Unlike some privacy statutes, the SSNPA does not impose criminal penalties. Enforcement is exclusively civil, which some critics argue limits its deterrent effect against large institutional actors for whom individual $1,000 statutory damages may be relatively inconsequential.

Interaction with Federal Law

The Michigan SSNPA operates alongside a patchwork of federal protections, including:

  • The Privacy Act of 1974 — governs federal agency collection and use of SSNs
  • The Social Security Act (42 U.S.C. § 405(c)(2)(C)(i)) — limits the use of SSNs as a condition of receiving state or local government services
  • HIPAA — governs SSNs embedded in protected health information
  • GLBA (Gramm-Leach-Bliley Act) — applies to financial institutions handling SSNs as part of nonpublic personal information
  • FACTA (Fair and Accurate Credit Transactions Act) — addresses truncation of SSNs on receipts and credit reports

Michigan’s law generally provides a floor, not a ceiling. Federal law may preempt state law in specific regulated industries (banking, healthcare), but in the absence of federal preemption, the SSNPA imposes its own independent requirements.

Compliance Considerations for Businesses

Organizations operating in Michigan must take the following practical steps to achieve and maintain SSNPA compliance:

Audit and Inventory

Identify all business processes, systems, and documents that collect, store, transmit, or display SSNs. This is a prerequisite to designing compliant policies.

Update Physical Documents

Eliminate SSNs from ID cards, membership cards, and mailed materials. Replace with account numbers, employee IDs, or other non-sensitive identifiers.

Secure Online Transmission

Ensure all web-based portals that collect SSNs use SSL/TLS encryption and require multi-factor or password-based authentication before any SSN is accepted or displayed.

Written Policy Development

Draft and maintain a formal written SSN privacy policy addressing collection, access controls, storage, use, and disposal.

Employee Training

Train employees who handle SSNs on applicable legal requirements, internal policies, and what to do in the event of a breach or unauthorized disclosure.

Vendor Management

Assess and contractually obligate third-party vendors and service providers who may receive SSNs to comply with equivalent protections.

Secure Disposal Procedures

Implement shredding, secure digital deletion, and chain-of-custody procedures for disposing of records containing SSNs.
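As an added example (not part of the original article or of any product it mentions), a small Python audit helper for the inventory and document-update steps above: it finds candidate SSNs in document templates, filters out values the SSA has never issued, and reports or rewrites them in truncated XXX-XX-NNNN form so the audit report itself does not reproduce the number. The sample templates and every number in them are constructed.

```python
import re
from dataclasses import dataclass

# Printed form NNN-NN-NNNN, space-separated, or bare nine digits; the
# lookarounds keep the pattern from firing inside longer digit runs.
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")

def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Structural check only: SSA never issues area 000/666/900-999, group 00, serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0

def mask_ssn(area: str, group: str, serial: str) -> str:
    """Truncated display form that leaves no more than the last four digits."""
    return f"XXX-XX-{serial}"

@dataclass
class Finding:
    source: str
    line_no: int
    masked: str  # the full number is never stored in the audit record

def scan_text(source: str, text: str) -> list[Finding]:
    """Report every plausible SSN in `text`, by line, in masked form."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in SSN_RE.finditer(line):
            if is_plausible_ssn(*m.groups()):
                findings.append(Finding(source, line_no, mask_ssn(*m.groups())))
    return findings

def redact(text: str) -> str:
    """Replace plausible SSNs with the truncated form; other digit runs are left alone."""
    def repl(m):
        g = m.groups()
        return mask_ssn(*g) if is_plausible_ssn(*g) else m.group(0)
    return SSN_RE.sub(repl, text)

def audit(documents: dict[str, str]) -> list[Finding]:
    """Inventory a set of named documents, e.g. card and letter templates."""
    return [f for name, text in documents.items() for f in scan_text(name, text)]

# Constructed sample templates; the identifiers and numbers are made up.
SAMPLE_DOCS = {
    "member_card.txt": "MEMBER ID: 219-09-9999\nGROUP: ACME-PLAN",
    "welcome_letter.txt": ("Dear member,\nYour account number is 000-12-3456.\n"
                           "Reference: 123-45-6789\nPhone 555-012-3456"),
}
```

Running `audit(SAMPLE_DOCS)` flags the member card and line 3 of the letter while ignoring the phone number and the never-issued 000 area number; `redact()` produces the truncated text a compliant mailing or card template would carry instead.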

Relationship to Michigan’s Broader Privacy Framework

The SSNPA sits within a broader ecosystem of Michigan privacy and data security laws, including:

  • Michigan Identity Theft Protection Act (MCL 445.61 et seq.) — governs data breach notification obligations
  • Michigan Consumer Protection Act — provides additional remedies for deceptive practices
  • Michigan Occupational Code — contains professional licensing provisions that intersect with identity verification

Together, these statutes reflect Michigan’s approach to data privacy: sector-by-sector statutory frameworks rather than a comprehensive omnibus privacy law (unlike, for example, California’s CCPA/CPRA framework).

Criticisms and Limitations

Despite its significance, the SSNPA has attracted criticism on several fronts:

Limited Enforcement Infrastructure

Unlike data protection authorities in European countries, Michigan has no dedicated privacy enforcement agency. Enforcement depends largely on private litigation, which requires individual victims to bear the cost and burden of suit.

No Breach Notification Requirement

The SSNPA itself does not require entities to notify individuals when their SSNs have been compromised. That obligation falls under the separate Identity Theft Protection Act, creating a fragmented compliance landscape.

Modest Statutory Damages

The $1,000 per-violation cap, while meaningful for individuals, may not deter large corporations from cost-benefit calculations that treat non-compliance as an acceptable business risk.

Technological Lag

Enacted in 2004, the Act predates many modern data-sharing technologies — cloud computing, mobile applications, API-driven data ecosystems — and does not explicitly address the challenges these technologies pose to SSN protection.

The Michigan Social Security Number Privacy Act represents an important but limited milestone in the state’s efforts to protect residents from identity theft and unauthorized data exposure. By prohibiting the most egregious practices of the pre-digital era — printing SSNs on ID cards, sending them in visible envelope windows, using them as public passwords — and by imposing affirmative obligations on businesses to develop privacy policies, the Act established a meaningful baseline of protection.

However, as data ecosystems have grown exponentially more complex in the two decades since its enactment, and as identity theft has evolved from opportunistic physical theft to sophisticated cyberattacks, the Act’s limitations have become increasingly apparent. Observers and policymakers continue to debate whether Michigan needs a more comprehensive, modern privacy statute to meet the challenges of today’s digital economy.

For businesses, legal counsel, and individuals alike, understanding and complying with the SSNPA remains an essential component of responsible data stewardship in Michigan.
