Which privacy laws apply to your business in Michigan?
There is no comprehensive Michigan consumer-privacy law. The state framework is sectoral, and three statutes do the work. The Preservation of Personal Privacy Act (PPPA) prohibits a business that sells, rents, or lends books or other written materials, sound recordings, or video recordings from knowingly disclosing a record that personally identifies a customer as having obtained those materials. The Identity Theft Protection Act houses Michigan's data-breach notification duty, which requires notice without unreasonable delay. And the Michigan Consumer Protection Act (MCPA) makes unfair, unconscionable, or deceptive practices in trade or commerce unlawful, which is the hook for privacy promises a business makes but does not keep.
Because there is no omnibus statute, Michigan residents have no general state-law rights to access, delete, or correct their personal data, no right to opt out of sale or targeted advertising, and no recognition of universal opt-out signals; businesses face no state notice-at-collection, consent, or data-protection-assessment duties. A comprehensive bill, Senate Bill 359, has been introduced in the current legislative session and would create consumer data rights and controller duties if it were enacted — but it has not been enacted, so the sectoral framework described here is the operative law. The MCPA also contributes a narrow data-minimization rule of its own: with limited exceptions, a business may not require a consumer to disclose a Social Security number as a condition of selling goods or providing a service. The rest of a Michigan-facing privacy program rides the federal overlay: Section 5 of the FTC Act reaches deceptive or unfair privacy practices nationwide, the Gramm-Leach-Bliley Act governs financial institutions, HIPAA governs covered health entities and business associates, and COPPA governs services directed to children under 13. This note is written to stay durable: a program built to the overlay plus the three Michigan statutes upgrades rather than restarts if Michigan later passes an omnibus law.
Sources for this answer
Primary law
A.1 MCL 445.1712
The PPPA prohibits a business selling at retail, renting, or lending books or other written materials, sound recordings, or video recordings from knowingly disclosing a record that personally identifies a customer as having purchased, leased, rented, or borrowed those materials.
Subject to subsection (2) and except as provided in section 3 or as otherwise provided by law, a person, or an employee or agent of the person, engaged in the business of selling at retail, renting, or lending books or other written materials, sound recordings, or video recordings shall not knowingly disclose to any person, other than the customer, a record or information that personally identifies the customer as having purchased, leased, rented, or borrowed those materials from the person engaged in the business.
See MCL 445.1712(1).
Primary law
A.2 MCL 445.72
The Identity Theft Protection Act requires any breach notice to be provided without unreasonable delay.
A person or agency shall provide any notice required under this section without unreasonable delay.
See MCL 445.72(4).
Primary law
A.3 MCL 445.903
The Michigan Consumer Protection Act declares unfair, unconscionable, or deceptive methods, acts, or practices in trade or commerce unlawful, which reaches deceptive privacy representations.
Unfair, unconscionable, or deceptive methods, acts, or practices in the conduct of trade or commerce are unlawful and are defined as follows:
See MCL 445.903(1).
Primary law
A.4 MCL 445.903(1)(hh)
With limited exceptions, the MCPA prohibits requiring a consumer to disclose a Social Security number as a condition of selling or leasing goods or providing a service.
Except as provided in subsection (3), requiring a consumer to disclose his or her Social Security number as a condition to selling or leasing goods or providing a service to the consumer, unless any of the following apply:
See MCL 445.903(1)(hh).
Primary law
A.5 FTC Act § 5
Section 5 of the FTC Act declares unfair or deceptive acts or practices in or affecting commerce unlawful, which reaches a privacy policy that misstates a business's actual data practices.
Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful.
See 15 U.S.C. § 45(a)(1).
Can you share data about what your Michigan customers read, watch, or listen to?
Usually not unless a statutory exception applies. The PPPA — Michigan's most distinctive privacy statute — bars a business that sells, rents, or lends books or other written materials, sound recordings, or video recordings from knowingly disclosing a record that personally identifies a customer as having obtained those materials. Disclosure is lawful only through a statutory exception: the listed circumstances include the customer's written permission, a warrant or court order, and collection of payment. A marketing disclosure is allowed only with written notice and an opt-out, and once a customer opts out the business must stop disclosing that customer's name for marketing within 30 days.
The act's popular shorthand is the Video Rental Privacy Act, but its text reaches reading, listening, and viewing records alike — federal courts have applied it to magazine publishers, not just video services. In the leading line of cases, Michigan subscribers sued a national publisher over the sale of subscriber data to data miners and other third parties. Two boundaries keep the statute workable. First, it does not apply to records that have been aggregated or processed so they cannot be associated with an identifiable customer — so de-identified analytics are outside the prohibition. Second, a 2016 amendment added an exception for disclosures incident to the ordinary course of business, which is defined around selling, renting, lending, and advertising in the covered materials, but that exception applies only to records created or obtained after the amendment's effective date. For a business in the covered trades, the practical compliance move is structural: treat customer-title-level data (who bought, rented, or borrowed what) as restricted, route any marketing use through the notice-and-opt-out channel, and de-identify everything else before it leaves your systems.
Sources for this answer
Primary law
B.1 MCL 445.1712
The PPPA prohibits knowing disclosure of a record that personally identifies a customer as having purchased, leased, rented, or borrowed books or other written materials, sound recordings, or video recordings.
Subject to subsection (2) and except as provided in section 3 or as otherwise provided by law, a person, or an employee or agent of the person, engaged in the business of selling at retail, renting, or lending books or other written materials, sound recordings, or video recordings shall not knowingly disclose to any person, other than the customer, a record or information that personally identifies the customer as having purchased, leased, rented, or borrowed those materials from the person engaged in the business.
See MCL 445.1712(1).
Primary law
B.2 MCL 445.1713
A covered record may be disclosed only in the statute's listed circumstances, including the customer's written permission, a warrant or court order, and collection of payment.
A record or information described in section 2 may be disclosed only in 1 or more of the following circumstances: (a) With the written permission of the customer. (b) Pursuant to a warrant or court order. (c) To the extent reasonably necessary to collect payment for the materials or the rental of the materials, if the customer has received written notice that the payment is due and has failed to pay or arrange for payment within a reasonable time after notice.
See MCL 445.1713.
Primary law
B.3 MCL 445.1713(e)
A marketing disclosure is permitted only if the customer receives written opt-out notice, and the business must stop disclosing the customer's name for marketing within 30 days after receiving an opt-out.
(e) If the disclosure is for the purpose of marketing goods and services to customers. All of the following apply for purposes of this subdivision: (i) The person that is disclosing the information shall inform the customer by written notice that the customer may remove his or her name at any time and shall specify the manner or manners by which the customer may remove his or her name. Unless the person's method of communication with customers is by electronic means, the written notice shall include a nonelectronic method that the customer may use to opt out of disclosure. Any of the following methods of notice satisfy the written notice requirements of this subparagraph: (A) Written notice included in or with any materials sold, rented, or lent to the customer under section 2. (B) Written notice provided to the customer at the time he or she orders any of the materials described in section 2 or otherwise provided to the customer in connection with the transaction between the person and customer for the sale, rental, or loan of the materials to the customer. (C) Notice that is included and clearly and conspicuously disclosed in an online privacy policy or similar communication that is posted on the Internet, is maintained by the person that is disclosing the information, and is available to customers or the general public. (ii) A customer may provide notice to the person that is disclosing information under this subdivision that the customer does not want his or her name disclosed. (iii) Beginning 30 days after the person receives the customer's notice, the person shall not knowingly disclose the customer's name to any other person for marketing goods and services.
See MCL 445.1713(e).
Primary law
B.5 MCL 445.1712(2)
The PPPA's prohibition does not apply to records that have been aggregated or processed to prevent association with an identifiable customer.
This section does not apply to the disclosure of a record or information that has been aggregated or has been processed in a manner designed to prevent its association with an identifiable customer.
See MCL 445.1712(2).
Primary law
B.6 MCL 445.1711(d)
The PPPA defines ordinary course of business as activities related to selling, renting, lending, or advertising in the covered materials.
means activities related to the sale, rental, or lending of, or advertising in, materials described in section 2.
See MCL 445.1711(d).
Primary law
B.7 MCL 445.1713(d)
The 2016 amendment's ordinary-course-of-business exception applies only to records created or obtained after the amendment's effective date.
To any person if the disclosure is incident to the ordinary course of business of the person that is disclosing the record or information. This subdivision only applies to a record or information that is created or obtained after the effective date of the amendatory act that added this subdivision.
See MCL 445.1713(d).
Case law · 2016-06-17
B.4 Boelter v. Hearst Communications, Inc., 192 F. Supp. 3d 427 (S.D.N.Y. 2016)
The PPPA has been applied to magazine publishers — the plaintiffs were Michigan magazine subscribers suing over disclosure of subscriber data — not just video-rental services.
Plaintiffs Boelter and Edwards are Michigan citizens who subscribe to Country Living and Good Housekeeping, respectively, two magazines published by Defendant.
See Boelter v. Hearst Commc'ns, Inc., 192 F. Supp. 3d 427 (S.D.N.Y. 2016).
What must your Michigan privacy policy contain?
No Michigan statute requires a general website privacy policy or fixes general website notice contents. Three Michigan-specific rules nonetheless shape what a policy should say. First, a person that obtains Social Security numbers in the ordinary course of business must create an internal privacy policy covering confidentiality, unlawful disclosure, access limits, disposal, and penalties, and publish it in an employee handbook, procedures manual, or similar document. Second, if a business covered by the PPPA discloses customer information for marketing, it may deliver the required opt-out notice through a clearly and conspicuously disclosed online privacy policy — making the policy a statutory compliance vehicle, not just boilerplate. Third, whatever the policy says must be true: failing to reveal a material fact that tends to mislead the consumer is an unlawful practice under the MCPA, and a policy that misstates data practices is deceptive under Section 5 of the FTC Act.
Federal case law under the PPPA adds a drafting upside worth knowing: in litigation against a video-rental kiosk operator, the court held that the operator's terms of use and privacy policy applied to every rental transaction and supplied the written permission the statute requires — so a well-drafted policy can help supply written permission where the policy is incorporated into accepted transaction terms and the disclosure fits the authorized purposes. The reverse is the trap: a policy that promises more privacy than your data flows deliver converts ordinary vendor sharing into both a deception exposure and a PPPA exposure. Where a sectoral regime applies, that regime supplies the contents instead — a HIPAA covered entity must give individuals notice of the uses and disclosures of their protected health information and of their rights and the entity's duties, GLBA privacy notices govern financial institutions, and COPPA prescribes notice for child-directed services. For everyone else, follow the overlay-driven best practice — describe the categories collected, the purposes, the third parties, and the choices you offer — and then honor it, because in Michigan the enforceable obligation is consistency between the statement and the conduct.
Sources for this answer
Primary law
C.1 MCL 445.84
A person obtaining Social Security numbers in the ordinary course of business must create and publish an internal privacy policy addressing confidentiality, unlawful disclosure, access, disposal, and penalties.
(1) Beginning January 1, 2006, a person who obtains 1 or more social security numbers in the ordinary course of business shall create a privacy policy that does at least all of the following concerning the social security numbers the person possesses or obtains: (a) Ensures to the extent practicable the confidentiality of the social security numbers. (b) Prohibits unlawful disclosure of the social security numbers. (c) Limits who has access to information or documents that contain the social security numbers. (d) Describes how to properly dispose of documents that contain the social security numbers. (e) Establishes penalties for violation of the privacy policy. (2) A person that creates a privacy policy under subsection (1) shall publish the privacy policy in an employee handbook, in a procedures manual, or in 1 or more similar documents, which may be made available electronically.
See MCL 445.84(1)-(2).
Primary law
C.2 MCL 445.1713(e)
A business disclosing covered customer information for marketing may give the required opt-out notice through a clear and conspicuous online privacy policy.
Notice that is included and clearly and conspicuously disclosed in an online privacy policy or similar communication that is posted on the Internet, is maintained by the person that is disclosing the information, and is available to customers or the general public.
See MCL 445.1713(e)(i)(C).
Primary law
C.3 MCL 445.903(1)(s)
The MCPA makes it unlawful to fail to reveal a material fact whose omission tends to mislead or deceive the consumer, which reaches privacy policies that conceal actual data practices.
Failing to reveal a material fact, the omission of which tends to mislead or deceive the consumer, and which fact could not reasonably be known by the consumer.
See MCL 445.903(1)(s).
Primary law
C.4 FTC Act § 5
Section 5 of the FTC Act declares unfair or deceptive acts or practices unlawful, which reaches a privacy policy that misstates a business's actual data practices.
Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful.
See 15 U.S.C. § 45(a)(1).
Case law · 2015-09-30
C.5 Cain v. Redbox Automated Retail, LLC, 136 F. Supp. 3d 824 (E.D. Mich. 2015)
Terms of use and a privacy policy that apply to every transaction can supply the written permission the PPPA requires, defeating a disclosure claim.
Defendant has shown that its Terms of Use and portions of its Privacy Policy apply to every rental transaction, and that these documents provide the written permission required by the VRPA.
See Cain v. Redbox Automated Retail, LLC, 136 F. Supp. 3d 824 (E.D. Mich. 2015).
Primary law
C.6 HIPAA Notice of Privacy Practices
A HIPAA covered entity must give individuals a notice describing the uses and disclosures of their protected health information and their rights and the entity's legal duties.
an individual has a right to adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual's rights and the covered entity's legal duties with respect to protected health information
See 45 C.F.R. § 164.520(a).
What must your contracts with vendors say in Michigan?
Michigan has no omnibus data-processing-agreement requirement — no state statute prescribes controller-to-processor terms, audit rights, deletion clauses, or subprocessor flow-downs for general private-sector contracts. The state statutes touch vendors at two specific points. Under the breach statute, a person or agency that maintains a database of data it does not own or license must notify the data's owner or licensor after discovering a breach. And for businesses covered by the PPPA, sharing customer reading or viewing records with vendors is lawful only within an exception — the post-2016 ordinary course of business exception or the customer's permission.
The PPPA case law shows where the vendor line sits. In the kiosk-operator litigation, the court treated sharing with service vendors for the operator's own functions — receipts, marketing emails, analytics, customer service — as consented internal-purpose use, while emphasizing the statute's outer boundary: the operator could not give or sell customer data to a third party for a use unrelated to its own business. So vendor contracts for a covered Michigan business should confine the vendor to performing functions for you, bar independent use or resale of customer-title data, and require de-identification where feasible. Where a federal regime is in scope, it supplies the contracting obligations directly: the GLBA Safeguards Rule requires financial institutions to oversee service providers and bind them by contract to maintain appropriate safeguards, and HIPAA requires a business-associate agreement with mandatory data-protection, breach-reporting, and subcontractor terms before protected health information changes hands. Outside those verticals, carry the same protections forward as best practice — processing limited to documented instructions, confidentiality, reasonable security, breach notification back to you, and return or deletion at the end of the engagement — even though no Michigan statute compels them.
Sources for this answer
Primary law
D.1 MCL 445.72(2)
A person or agency that maintains a database of data it does not own or license must notify the owner or licensor of the data after discovering a security breach.
Unless the person or agency determines that the security breach has not or is not likely to cause substantial loss or injury to, or result in identity theft with respect to, 1 or more residents of this state, a person or agency that maintains a database that includes data that the person or agency does not own or license that discovers a breach of the security of the database shall provide a notice to the owner or licensor of the information of the security breach.
See MCL 445.72(2).
Primary law
D.2 MCL 445.1713(d)
Disclosure of covered customer records is permitted when incident to the discloser's ordinary course of business, but only for records created or obtained after the 2016 amendment's effective date.
To any person if the disclosure is incident to the ordinary course of business of the person that is disclosing the record or information. This subdivision only applies to a record or information that is created or obtained after the effective date of the amendatory act that added this subdivision.
See MCL 445.1713(d).
Primary law
D.3 MCL 445.1713(a)
The PPPA permits disclosure of covered records with the customer's written permission.
(a) With the written permission of the customer.
See MCL 445.1713(a).
Case law · 2015-09-30
D.4 Cain v. Redbox Automated Retail, LLC, 136 F. Supp. 3d 824 (E.D. Mich. 2015)
Consent through terms of use covered vendor sharing for the business's own internal purposes, but the court stressed that giving or selling customer data to a third party for an unrelated external use would remain outside that consent.
Redbox clearly could not, for example, give or sell any customer data to a third party for a use unrelated to Redbox’s own business.
See Cain v. Redbox Automated Retail, LLC, 136 F. Supp. 3d 824 (E.D. Mich. 2015).
Primary law
D.5 GLBA Safeguards Rule
The GLBA Safeguards Rule requires a financial institution to oversee its service providers, including by requiring them by contract to implement and maintain appropriate safeguards for customer information.
Requiring your service providers by contract to implement and maintain such safeguards
See 16 C.F.R. § 314.4(f)(2).
Primary law
D.6 HIPAA Business Associate Contracts
HIPAA requires a written business-associate contract that sets permitted uses and disclosures, requires safeguards and breach reporting, and flows restrictions down to subcontractors.
A contract between the covered entity and a business associate must: (i) Establish the permitted and required uses and disclosures of protected health information by the business associate. The contract may not authorize the business associate to use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity, except that: (A) The contract may permit the business associate to use and disclose protected health information for the proper management and administration of the business associate, as provided in paragraph (e)(4) of this section; and (B) The contract may permit the business associate to provide data aggregation services relating to the health care operations of the covered entity. (ii) Provide that the business associate will: (A) Not use or further disclose the information other than as permitted or required by the contract or as required by law; (B) Use appropriate safeguards and comply, where applicable, with subpart C of this part with respect to electronic protected health information, to prevent use or disclosure of the information other than as provided for by its contract; (C) Report to the covered entity any use or disclosure of the information not provided for by its contract of which it becomes aware, including breaches of unsecured protected health information as required by § 164.410; (D) In accordance with § 164.502(e)(1)(ii), ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of the business associate agree to the same restrictions and conditions that apply to the business associate with respect to such information;
See 45 C.F.R. § 164.504(e)(2).
When must you notify people of a data breach in Michigan?
A person or agency that owns or licenses data in a database must notify each Michigan resident whose unencrypted and unredacted personal information was accessed and acquired by an unauthorized person — or whose encrypted data was taken by someone with unauthorized access to the encryption key — unless it determines the breach is not likely to cause substantial loss or injury to, or result in identity theft with respect to, a Michigan resident. Notice must go out without unreasonable delay. A knowing failure to notify can draw a civil fine of up to $250 per failure, capped at $750,000 for a single breach.
Personal information means a resident's first name or initial and last name linked to a Social Security number, a driver license or state ID number, or a financial-account or card number with its access code or password — so encryption and redaction function as practical safe harbors, and the risk-of-harm threshold (judged with the care an ordinarily prudent person would exercise) lets a business close out genuinely harmless incidents without notice. The notice itself must describe the breach in general terms, identify the type of personal information involved, describe protective steps taken, give a phone number for more information, and remind recipients to stay vigilant for fraud and identity theft; written or compliant electronic notice is standard, and substitute notice through email, website posting, and statewide media is available when costs exceed $250,000 or more than 500,000 residents are affected. After notifying more than 1,000 residents, the business must also tell the nationwide consumer reporting agencies unless the GLBA exception applies. Two deemed-compliance lanes matter for regulated entities: a financial institution following the federal interagency breach guidance is considered compliant, as is a HIPAA-regulated entity complying with the HIPAA rules. The section identifies resident, owner/licensor, CRA, GLBA/HIPAA, and public-utility notice paths, but does not include a separate Attorney General notice step. The section applies to breach discovery or notification on or after July 2, 2006 and preempts local breach rules; bills pending in the current session (Senate Bills 360 through 364) would revise the framework if enacted, but until then the duties above are the operative ones. The Act also prohibits advertisements that misrepresent that a breach has occurred or that mimic a required breach notice.
Sources for this answer
Primary law
E.1 MCL 445.72(1)
A data owner or licensor must notify each Michigan resident whose unencrypted and unredacted personal information was accessed and acquired by an unauthorized person, or whose encrypted data was taken with the key, unless it determines the breach is not likely to cause substantial loss, injury, or identity theft.
Unless the person or agency determines that the security breach has not or is not likely to cause substantial loss or injury to, or result in identity theft with respect to, 1 or more residents of this state, a person or agency that owns or licenses data that are included in a database that discovers a security breach, or receives notice of a security breach under subsection (2), shall provide a notice of the security breach to each resident of this state who meets 1 or more of the following: (a) That resident's unencrypted and unredacted personal information was accessed and acquired by an unauthorized person. (b) That resident's personal information was accessed and acquired in encrypted form by a person with unauthorized access to the encryption key.
See MCL 445.72(1).
Primary law
E.2 MCL 445.72(4)
Breach notice must be provided without unreasonable delay, subject to delays for scoping, restoring system integrity, and law-enforcement holds.
A person or agency shall provide any notice required under this section without unreasonable delay. A person or agency may delay providing notice without violating this subsection if either of the following is met: (a) A delay is necessary in order for the person or agency to take any measures necessary to determine the scope of the security breach and restore the reasonable integrity of the database. However, the agency or person shall provide the notice required under this subsection without unreasonable delay after the person or agency completes the measures necessary to determine the scope of the security breach and restore the reasonable integrity of the database. (b) A law enforcement agency determines and advises the agency or person that providing a notice will impede a criminal or civil investigation or jeopardize homeland or national security. However, the agency or person shall provide the notice required under this section without unreasonable delay after the law enforcement agency determines that providing the notice will no longer impede the investigation or jeopardize homeland or national security.
See MCL 445.72(4).
Primary law
E.4 MCL 445.63
Personal information under the breach statute is a resident's name linked to a Social Security number, driver license or state ID number, or a financial-account or card number with its access code or password.
“Personal information” means the first name or first initial and last name linked to 1 or more of the following data elements of a resident of this state: (i) Social security number. (ii) Driver license number or state personal identification card number. (iii) Demand deposit or other financial account number, or credit card or debit card number, in combination with any required security code, access code, or password that would permit access to any of the resident's financial accounts.
See MCL 445.63(r).
Primary law
E.6 MCL 445.72(5)
Michigan breach notice may be written, electronic, telephonic if statutory conditions are met, or substitute notice when cost or resident-volume thresholds are met.
(5) Except as provided in subsection (11), an agency or person shall provide any notice required under this section by providing 1 or more of the following to the recipient: (a) Written notice sent to the recipient at the recipient's postal address in the records of the agency or person. (b) Written notice sent electronically to the recipient if any of the following are met: (i) The recipient has expressly consented to receive electronic notice. (ii) The person or agency has an existing business relationship with the recipient that includes periodic electronic mail communications and based on those communications the person or agency reasonably believes that it has the recipient's current electronic mail address. (iii) The person or agency conducts its business primarily through internet account transactions or on the internet. (c) If not otherwise prohibited by state or federal law, notice given by telephone by an individual who represents the person or agency if all of the following are met: (i) The notice is not given in whole or in part by use of a recorded message. (ii) The recipient has expressly consented to receive notice by telephone, or if the recipient has not expressly consented to receive notice by telephone, the person or agency also provides notice under subdivision (a) or (b) if the notice by telephone does not result in a live conversation between the individual representing the person or agency and the recipient within 3 business days after the initial attempt to provide telephonic notice. (d) Substitute notice, if the person or agency demonstrates that the cost of providing notice under subdivision (a), (b), or (c) will exceed $250,000.00 or that the person or agency has to provide notice to more than 500,000 residents of this state. 
A person or agency provides substitute notice under this subdivision by doing all of the following: (i) If the person or agency has electronic mail addresses for any of the residents of this state who are entitled to receive the notice, providing electronic notice to those residents. (ii) If the person or agency maintains a website, conspicuously posting the notice on that website. (iii) Notifying major statewide media. A notification under this subparagraph shall include a telephone number or a website address that a person may use to obtain additional assistance and information.
See MCL 445.72(5).
Primary law
E.5 MCL 445.72(6): Michigan breach notices must describe the breach, the personal-information type, protective steps if applicable, assistance contact information, and a fraud and identity-theft vigilance reminder.
(6) A notice under this section shall do all of the following: (a) For a notice provided under subsection (5)(a) or (b), be written in a clear and conspicuous manner and contain the content required under subdivisions (c) to (g). (b) For a notice provided under subsection (5)(c), clearly communicate the content required under subdivisions (c) to (g) to the recipient of the telephone call. (c) Describe the security breach in general terms. (d) Describe the type of personal information that is the subject of the unauthorized access or use. (e) If applicable, generally describe what the agency or person providing the notice has done to protect data from further security breaches. (f) Include a telephone number where a notice recipient may obtain assistance or additional information. (g) Remind notice recipients of the need to remain vigilant for incidents of fraud and identity theft.
See MCL 445.72(6).
Primary law
E.3 MCL 445.72(13)-(14): A knowing failure to provide required breach notice carries a civil fine of up to $250 per failure, recoverable by the Attorney General or a prosecuting attorney, with aggregate liability for one breach capped at $750,000.
Subject to subsection (14), a person that knowingly fails to provide any notice of a security breach required under this section may be ordered to pay a civil fine of not more than $250.00 for each failure to provide notice. The attorney general or a prosecuting attorney may bring an action to recover a civil fine under this section. (14) The aggregate liability of a person for civil fines under subsection (13) for multiple violations of subsection (13) that arise from the same security breach shall not exceed $750,000.00.
See MCL 445.72(13)-(14).
Primary law
E.7 MCL 445.72(8): After providing breach notice, a business must notify the nationwide consumer reporting agencies without unreasonable delay, unless 1,000 or fewer Michigan residents were notified or the business is subject to GLBA.
Except as provided in this subsection, after a person or agency provides a notice under this section, the person or agency shall notify each consumer reporting agency that compiles and maintains files on consumers on a nationwide basis, as defined in 15 USC 1681a(p), of the security breach without unreasonable delay. A notification under this subsection shall include the number of notices that the person or agency provided to residents of this state and the timing of those notices. This subsection does not apply if either of the following is met: (a) The person or agency is required under this section to provide notice of a security breach to 1,000 or fewer residents of this state. (b) The person or agency is subject to 15 USC 6801 to 6809.
See MCL 445.72(8).
Primary law
E.8 MCL 445.72(9): A financial institution with notification procedures subject to examination under the federal interagency breach-response guidance is considered in compliance with Michigan's breach-notice section.
A financial institution that is subject to, and has notification procedures in place that are subject to examination by the financial institution's appropriate regulator for compliance with, the interagency guidance on response programs for unauthorized access to customer information and customer notice prescribed by the board of governors of the federal reserve system and the other federal bank and thrift regulatory agencies, or similar guidance prescribed and adopted by the national credit union administration, and its affiliates, is considered to be in compliance with this section.
See MCL 445.72(9).
Primary law
E.9 MCL 445.72(10): A person or agency subject to and complying with HIPAA and its regulations for preventing unauthorized access and giving customer notice is considered in compliance with Michigan's breach-notice section.
A person or agency that is subject to and complies with the health insurance portability and accountability act of 1996, Public Law 104-191, and with regulations promulgated under that act, 45 CFR parts 160 and 164, for the prevention of unauthorized access to customer information and customer notice is considered to be in compliance with this section.
See MCL 445.72(10).
Primary law
E.10 MCL 445.72(16), (18): Michigan's breach-notice section applies to breach discovery or notification on or after July 2, 2006 and preempts local regulation of matters expressly set forth in the section.
(16) This section applies to the discovery or notification of a breach of the security of a database that occurs on or after July 2, 2006. (17) This section does not apply to the access or acquisition by a person or agency of federal, state, or local government records or documents lawfully made available to the general public. (18) This section deals with subject matter that is of statewide concern, and any charter, ordinance, resolution, regulation, rule, or other action by a municipal corporation or other political subdivision of this state to regulate, directly or indirectly, any matter expressly set forth in this section is preempted.
See MCL 445.72(16), (18).
Primary law
E.11 MCL 445.72b: The Act prohibits advertisements or solicitations that misrepresent that a security breach has occurred that may affect the recipient.
A person shall not distribute an advertisement or make any other solicitation that misrepresents to the recipient that a security breach has occurred that may affect the recipient.
See MCL 445.72b(1).
Primary law
E.12 MCL 445.72b(2): The Act prohibits advertisements or solicitations that are substantially similar to a required breach notice when the required notice form is prescribed by law.
(2) A person shall not distribute an advertisement or make any other solicitation that is substantially similar to a notice required under section 12(5) or by federal law, if the form of that notice is prescribed by state or federal law, rule, or regulation.
See MCL 445.72b(2).
Can a consumer sue your business in Michigan over privacy?
Yes — and the live exposure is the PPPA. A customer who suffers actual damages from a violation may sue and recover actual damages, including damages for emotional distress, plus costs and attorney fees. For conduct predating the statute's 2016 amendment, the exposure is larger: the pre-amendment act let a customer recover actual damages or $5,000, whichever was greater, and the federal courts that have decided the question have held that the amendment — effective July 31, 2016 — does not apply retroactively, so pre-amendment disclosures still carry the $5,000-per-customer remedy.
That statutory-damages remedy, multiplied across a subscriber list, is what built the PPPA class-action industry against publishers and media businesses. A 2022 Eastern District of Michigan decision held that a six-year limitations period applies to PPPA claims, which made pre-amendment disclosures economically live for the second wave of cases. The retroactivity holdings come from federal district courts in New York and Michigan; neither the Sixth Circuit nor a Michigan appellate court appears to have squarely resolved the retroactivity or six-year limitations questions, so those points remain district-court law rather than settled appellate law. The MCPA looks like a second consumer-suit engine on paper — a person who suffers loss may sue for actual damages or $250, whichever is greater, with attorney fees, and class actions for actual damages are available — but the Michigan Supreme Court cut its practical reach in Smith v. Globe Life Insurance Co. The act exempts a transaction or conduct specifically authorized under laws administered by a state or federal regulatory board or officer, and Smith held that the relevant inquiry is whether the general transaction is specifically authorized by law, regardless of whether the specific misconduct alleged is prohibited. Under that reading, businesses in licensed and regulated lines of business can often invoke the exemption even when the complained-of conduct itself was unlawful — and the Legislature later closed Smith's own pathway, barring MCPA actions over insurance-code conduct occurring on or after March 28, 2001. So an MCPA privacy claim is most viable against an ordinary, unregulated consumer business and weakest against banks, insurers, utilities, and other licensed industries.
MCL 445.72 does not create an express consumer damages action for failure to notify: civil fines are recovered by the Attorney General or a prosecuting attorney, and other civil remedies remain outside subsections (12) and (13), leaving post-breach private suits to common-law theories with their usual standing hurdles.
Sources for this answer
Primary law
F.1 MCL 445.1715: Under the current PPPA, a customer who suffers actual damages from a violation may bring a civil action and recover actual damages, including emotional-distress damages, plus reasonable costs and attorney fees.
Regardless of any criminal prosecution for the violation, a person that violates this act may be liable in a civil action for damages to a customer under subsection (2). (2) A customer described in subsection (1) who suffers actual damages as a result of a violation of this act may bring a civil action against the person that violated this act and may recover both of the following: (a) The customer's actual damages, including damages for emotional distress. (b) Reasonable costs and attorney fees.
See MCL 445.1715.
Case law · 2016-06-17
F.2 Boelter v. Hearst Communications, Inc., 192 F. Supp. 3d 427 (S.D.N.Y. 2016): The pre-amendment PPPA allowed a customer identified in unlawfully disclosed information to recover actual damages or $5,000, whichever was greater, plus costs and attorney fees.
customers who are “identified in ... information that is disclosed in violation of [the] act” may bring a civil action to recover “actual damages, including damages for emotional distress, or $5,000.00, whichever is greater,” as well as costs and attorneys’ fees
See Boelter v. Hearst Commc'ns, Inc., 192 F. Supp. 3d 427 (S.D.N.Y. 2016).
Case law · 2017-02-15
F.3 Perlin v. Time Inc., 237 F. Supp. 3d 623 (E.D. Mich. 2017): The PPPA amendment enacted as Senate Bill 490 became effective on July 31, 2016.
Senate Bill 490 became effective on July 31, 2016.
See Perlin v. Time Inc., 237 F. Supp. 3d 623 (E.D. Mich. 2017).
Case law · 2017-02-15
F.4 Perlin v. Time Inc., 237 F. Supp. 3d 623 (E.D. Mich. 2017): The Eastern District of Michigan held that the 2016 PPPA amendment is substantive, not remedial or procedural, and is not retroactive — so it does not extinguish statutory-damages claims based on pre-amendment conduct.
Based on the first, third, and fourth retroactivity principles, the Court concludes that Senate Bill 490 is not retroactive.
See Perlin v. Time Inc., 237 F. Supp. 3d 623 (E.D. Mich. 2017).
Case law · 2016-06-17
F.5 Boelter v. Hearst Communications, Inc., 192 F. Supp. 3d 427 (S.D.N.Y. 2016): The Southern District of New York held that the 2016 PPPA amendment does not apply retroactively to claims based on pre-amendment disclosures.
The parties dispute whether the amended law retroactively applies to Plaintiffs’ claims. For the reasons stated below, the Court finds that it does not.
See Boelter v. Hearst Commc'ns, Inc., 192 F. Supp. 3d 427 (S.D.N.Y. 2016).
Case law · 2022-02-15
F.6 Pratt v. KSE Sportsman Media, Inc., 586 F. Supp. 3d 666 (E.D. Mich. 2022): The Eastern District of Michigan held that a six-year statute of limitations applies to PPPA claims.
A six-year statute of limitations applies to PPPA claims. Mich. Comp. Laws §§ 445.1711 et seq., 600.5813.
See Pratt v. KSE Sportsman Media, Inc., 586 F. Supp. 3d 666 (E.D. Mich. 2022).
Primary law
F.7 MCL 445.911: The MCPA gives a person who suffers loss from a violation an individual action for actual damages or $250, whichever is greater, together with reasonable attorney fees.
Except in a class action or as otherwise provided in subsection (3), a person who suffers loss as a result of a violation of this act may bring an action to recover actual damages or $250.00, whichever is greater, together with reasonable attorney fees.
See MCL 445.911(2).
Primary law
F.8 MCL 445.911(4): The MCPA permits class actions for actual damages caused by covered unlawful practices.
(4) A person who suffers loss as a result of a violation of this act may bring a class action on behalf of persons residing or injured in this state for the actual damages caused by any of the following: (a) A method, act, or practice in trade or commerce defined as unlawful under section 3. (b) A method, act, or practice in trade or commerce declared to be unlawful under section 3(1) by a final judgment of the circuit court or an appellate court of this state that is either reported officially or made available for public dissemination pursuant to section 9 by the attorney general not less than 30 days before the method, act, or practice on which the action is based occurs. (c) A method, act, or practice in trade or commerce declared by a circuit court of appeals or the United States Supreme Court to be an unfair or deceptive act or practice within the meaning of section 5(a)(1) of the federal trade commission act, 15 USC 45(a)(1), in a decision that affirms or directs the affirmance of a cease and desist order issued by the Federal Trade Commission if the order is final within the meaning of section 5(g) of the federal trade commission act, 15 USC 45(g), and that is officially reported not less than 30 days before the method, act, or practice on which the action is based occurs. For purposes of this subdivision, a method, act, or practice is not unfair or deceptive within the meaning of section 5(a)(1) of the federal trade commission act, 15 USC 45(a)(1), solely because the method, act, or practice is made unlawful by another federal statute that refers to or incorporates section 5(a)(1) of the federal trade commission act, 15 USC 45(a)(1).
See MCL 445.911(4).
Primary law
F.9 MCL 445.904(1)(a): The MCPA does not apply to a transaction or conduct specifically authorized under laws administered by a state or federal regulatory board or officer.
This act does not apply to either of the following: (a) A transaction or conduct specifically authorized under laws administered by a regulatory board or officer acting under statutory authority of this state or the United States.
See MCL 445.904(1)(a).
Case law · 1999-07-13
F.10 Smith v. Globe Life Insurance Co., 460 Mich. 446 (1999): The Michigan Supreme Court held that the MCPA's regulated-conduct exemption turns on whether the general transaction is specifically authorized by law, regardless of whether the specific misconduct alleged is prohibited — a reading that exempts much regulated-industry conduct from the act.
Contrary to the “common-sense reading” of this provision by the Court of Appeals, we conclude that the relevant inquiry is not whether the specific misconduct alleged by the plaintiffs is “specifically authorized.” Rather, it is whether the general transaction is specifically authorized by law, regardless of whether the specific misconduct alleged is prohibited.
See Smith v. Globe Life Ins. Co., 460 Mich. 446 (1999).
Primary law
F.11 MCL 445.904(3): After Smith, the Legislature barred MCPA actions over conduct made unlawful by chapter 20 of the Insurance Code occurring on or after March 28, 2001.
This act does not apply to or create a cause of action for an unfair, unconscionable, or deceptive method, act, or practice that is made unlawful by chapter 20 of the insurance code of 1956, 1956 PA 218, MCL 500.2001 to 500.2093, if either of the following is met: (a) The method, act, or practice occurred on or after March 28, 2001.
See MCL 445.904(3).
Primary law
F.12 MCL 445.72(13): Civil fines for failing to give required breach notice are recovered by the Attorney General or a prosecuting attorney.
The attorney general or a prosecuting attorney may bring an action to recover a civil fine under this section.
See MCL 445.72(13).
Primary law
F.13 MCL 445.72(15): The breach statute preserves civil remedies for violations of other state or federal law outside the breach-notice misdemeanor and civil-fine subsections.
Subsections (12) and (13) do not affect the availability of any civil remedy for a violation of state or federal law.
See MCL 445.72(15).