In recent years, the privacy and data protection landscape in the United States has been in flux, characterized by legislative developments across the country. This has been evidenced by new state-level enactments, such as comprehensive privacy laws. While many states have enacted such legislation, other laws are still in the pipeline.
Although Michigan doesn't yet have a specific data protection law, businesses operating in the state must still be aware of the broader landscape, including federal laws and regulations. They should actively monitor developments in this space regarding the collection, use, and sharing of personal data.
In this guide, we give a brief overview of Michigan’s current data protection laws and highlight important considerations for businesses.
The Current State of the Data Protection Laws in Michigan
Michigan does not currently have a comprehensive data privacy law. As a result, businesses operating within the state must comply with several federal laws and regulations that govern how personal data is handled.
For instance, the Children’s Online Privacy Protection Act (COPPA) is a federal law designed to protect the personal information of children under 13 years of age. Therefore, businesses that operate online services for minors must comply with COPPA's rules on data collection and parental consent.
Another example is the Health Insurance Portability and Accountability Act (HIPAA), which applies to personally identifiable information (PII) that falls under the category of Protected Health Information (PHI), such as medical records, medical diagnoses, and Social Security numbers.
In the financial sector, the Gramm-Leach-Bliley Act (GLBA) governs how financial institutions must protect customer data, while the Fair Credit Reporting Act (FCRA) regulates consumer credit reporting and requires businesses to ensure the accurate and secure handling of consumer credit information.
Best Practices for Businesses
Businesses operating in Michigan are encouraged to implement certain data protection and privacy practices to ensure the safety of consumers’ personal information during data collection and processing. These practices protect consumers and help build trust, while strengthening compliance over the long term. The following are some of the best practices that businesses must consider when complying with state, local, and federal laws:
- Businesses must design procedures to assess the scale and sensitivity of consumers’ data and to ensure the implementation of appropriate technical and organizational safeguards.
- Businesses can organize training sessions for employees to educate them about cybersecurity practices, especially with regard to sensitive personal data.
- Businesses are required to implement optimal physical and technical measures to ensure data security.
- Businesses must provide clear and accessible privacy notices outlining:
  - Types of personal data collected
  - Purpose of data collection
  - Whether data is shared or sold
  - How consumers can exercise their rights
Conclusion
Although Michigan lacks a comprehensive data privacy law, businesses can still navigate the privacy legal landscape by tracking developments, adhering to industry standards, ensuring data security, and maintaining compliance.