# Michigan Consumer Privacy Law[^about]

Michigan has no comprehensive consumer-privacy act. The operative state laws are sectoral — the Preservation of Personal Privacy Act (a reading-and-viewing-records law with a private right of action and an active class-action docket), the Identity Theft Protection Act's breach-notice duty, and the Michigan Consumer Protection Act — plus the federal overlay (FTC Act § 5, GLBA, HIPAA, COPPA).

## Which privacy laws apply to your business in Michigan? {#which-privacy-laws-apply}

**Short answer.** There is no comprehensive Michigan consumer-privacy law. The state framework is sectoral, and three statutes do the work. The Preservation of Personal Privacy Act (PPPA) prohibits a business that sells, rents, or lends books or other written materials, sound recordings, or video recordings from knowingly disclosing a record that personally identifies a customer as having obtained those materials [^q1-pppa-disclosure]. The Identity Theft Protection Act houses Michigan's data-breach notification duty, which requires notice without unreasonable delay [^q1-itpa-breach]. And the Michigan Consumer Protection Act (MCPA) makes unfair, unconscionable, or deceptive practices in trade or commerce unlawful [^q1-mcpa-unlawful], which is the hook for privacy promises a business makes but does not keep.

Because there is no omnibus statute, Michigan residents have no general state-law rights to access, delete, or correct their personal data, no right to opt out of sale or targeted advertising, and no recognition of universal opt-out signals; businesses face no state notice-at-collection, consent, or data-protection-assessment duties. A comprehensive bill, Senate Bill 359, has been introduced in the current legislative session and would create consumer data rights and controller duties if it were enacted — but it has not been enacted, so the sectoral framework described here is the operative law. The MCPA also contributes a narrow data-minimization rule of its own: with limited exceptions, a business may not require a consumer to disclose a Social Security number as a condition of selling goods or providing a service [^q1-mcpa-ssn]. The rest of a Michigan-facing privacy program rides the federal overlay: Section 5 of the FTC Act reaches deceptive or unfair privacy practices nationwide [^q1-fed-ftc5], the Gramm-Leach-Bliley Act governs financial institutions, HIPAA governs covered health entities and business associates, and COPPA governs services directed to children under 13. This note is written to stay durable: a program built to the overlay plus the three Michigan statutes upgrades rather than restarts if Michigan later passes an omnibus law.

## Can you share data about what your Michigan customers read, watch, or listen to? {#customer-reading-viewing-records}

**Short answer.** Usually not, unless a statutory exception applies. The PPPA — Michigan's most distinctive privacy statute — bars a business that sells, rents, or lends books or other written materials, sound recordings, or video recordings from knowingly disclosing a record that personally identifies a customer as having obtained those materials [^q2-pppa-disclosure]. Disclosure is lawful only through a statutory exception: the listed circumstances include the customer's written permission, a warrant or court order, and collection of payment [^q2-pppa-exceptions]. A marketing disclosure is allowed only with written notice and an opt-out, and once a customer opts out the business must stop disclosing that customer's name for marketing within 30 days [^q2-pppa-optout].

The act's popular shorthand is the Video Rental Privacy Act, but its text reaches reading, listening, and viewing records alike — federal courts have applied it to magazine publishers, not just video services. In the leading line of cases, Michigan subscribers sued a national publisher over the sale of subscriber data to data miners and other third parties [^q2-boelter-magazines]. Two boundaries keep the statute workable. First, it does not apply to records that have been aggregated or processed so they cannot be associated with an identifiable customer [^q2-pppa-aggregated] — so de-identified analytics are outside the prohibition. Second, a 2016 amendment added an exception for disclosures incident to the *ordinary course of business*, which is defined around selling, renting, lending, and advertising in the covered materials [^q2-pppa-ordinary-course-def], but that exception applies only to records created or obtained after the amendment's effective date [^q2-pppa-ordinary-course]. For a business in the covered trades, the practical compliance move is structural: treat customer-title-level data (who bought, rented, or borrowed what) as restricted, route any marketing use through the notice-and-opt-out channel, and de-identify everything else before it leaves your systems.

## What must your Michigan privacy policy contain? {#privacy-policy-contents}

**Short answer.** No Michigan statute requires a general website privacy policy or fixes general website notice contents. Three Michigan-specific rules nonetheless shape what a policy should say. First, a person that obtains Social Security numbers in the ordinary course of business must create an internal privacy policy covering confidentiality, unlawful disclosure, access limits, disposal, and penalties, and publish it in an employee handbook, procedures manual, or similar document [^q3-ssn-policy]. Second, if a business covered by the PPPA discloses customer information for marketing, it may deliver the required opt-out notice through a clearly and conspicuously disclosed online privacy policy [^q3-pppa-policy-notice] — making the policy a statutory compliance vehicle, not just boilerplate. Third, whatever the policy says must be true: failing to reveal a material fact that tends to mislead the consumer is an unlawful practice under the MCPA [^q3-mcpa-deception], and a policy that misstates data practices is deceptive under Section 5 of the FTC Act [^q3-fed-ftc5].

Federal case law under the PPPA adds a drafting upside worth knowing: in litigation against a video-rental kiosk operator, the court held that the operator's terms of use and privacy policy applied to every rental transaction and supplied the written permission the statute requires [^q3-cain-permission] — so a well-drafted policy can help supply written permission where the policy is incorporated into accepted transaction terms and the disclosure fits the authorized purposes. The reverse is the trap: a policy that promises more privacy than your data flows deliver converts ordinary vendor sharing into both a deception exposure and a PPPA exposure. Where a sectoral regime applies, that regime supplies the contents instead — a HIPAA covered entity must give individuals notice of the uses and disclosures of their protected health information and of their rights and the entity's duties [^q3-fed-hipaa-notice], GLBA privacy notices govern financial institutions, and COPPA prescribes notice for child-directed services. For everyone else, follow the overlay-driven best practice — describe the categories collected, the purposes, the third parties, and the choices you offer — and then honor it, because in Michigan the enforceable obligation is consistency between the statement and the conduct.

## What must your contracts with vendors say in Michigan? {#vendor-contracts}

**Short answer.** Michigan has no omnibus data-processing-agreement requirement — no state statute prescribes controller-to-processor terms, audit rights, deletion clauses, or subprocessor flow-downs for general private-sector contracts. The state statutes touch vendors at two specific points. Under the breach statute, a person or agency that maintains a database of data it does not own or license must notify the data's owner or licensor after discovering a breach [^q4-itpa-maintainer]. And for businesses covered by the PPPA, sharing customer reading or viewing records with vendors is lawful only within an exception — the post-2016 *ordinary course of business* exception [^q4-pppa-ordinary-course] or the customer's permission [^q4-pppa-permission].

The PPPA case law shows where the vendor line sits. In the kiosk-operator litigation, the court treated sharing with service vendors for the operator's own functions — receipts, marketing emails, analytics, customer service — as consented internal-purpose use, while emphasizing the statute's outer boundary: the operator could not give or sell customer data to a third party for a use unrelated to its own business [^q4-cain-external]. So vendor contracts for a covered Michigan business should confine the vendor to performing functions for you, bar independent use or resale of customer-title data, and require de-identification where feasible. Where a federal regime is in scope, it supplies the contracting obligations directly: the GLBA Safeguards Rule requires financial institutions to oversee service providers and bind them by contract to maintain appropriate safeguards [^q4-fed-glba-safeguards], and HIPAA requires a business-associate agreement with mandatory data-protection, breach-reporting, and subcontractor terms before protected health information changes hands [^q4-fed-hipaa-baa]. Outside those verticals, carry the same protections forward as best practice — processing limited to documented instructions, confidentiality, reasonable security, breach notification back to you, and return or deletion at the end of the engagement — even though no Michigan statute compels them.

## When must you notify people of a data breach in Michigan? {#breach-notification}

**Short answer.** A person or agency that owns or licenses data in a database must notify each Michigan resident whose unencrypted and unredacted personal information was accessed and acquired by an unauthorized person — or whose encrypted data was taken by someone with unauthorized access to the encryption key — unless it determines the breach is not likely to cause substantial loss or injury to, or result in identity theft with respect to, a Michigan resident [^q5-itpa-trigger]. Notice must go out without unreasonable delay [^q5-itpa-timing]. A knowing failure to notify can draw a civil fine of up to $250 per failure, capped at $750,000 for a single breach [^q5-itpa-fines].

*Personal information* means a resident's first name or initial and last name linked to a Social Security number, a driver license or state ID number, or a financial-account or card number with its access code or password [^q5-pi-def] — so encryption and redaction function as practical safe harbors, and the risk-of-harm threshold (judged with the care an ordinarily prudent person would exercise) lets a business close out genuinely harmless incidents without notice. The notice itself must describe the breach in general terms, identify the type of personal information involved, describe protective steps taken, give a phone number for more information, and remind recipients to stay vigilant for fraud and identity theft [^q5-itpa-content]; written or compliant electronic notice is standard, and substitute notice through email, website posting, and statewide media is available when costs exceed $250,000 or more than 500,000 residents are affected [^q5-itpa-methods]. After notifying more than 1,000 residents, the business must also tell the nationwide consumer reporting agencies unless the GLBA exception applies [^q5-itpa-cra]. Two deemed-compliance lanes matter for regulated entities: a financial institution following the federal interagency breach guidance is considered compliant [^q5-itpa-glb], as is a HIPAA-regulated entity complying with the HIPAA rules [^q5-itpa-hipaa]. The section identifies resident, owner/licensor, CRA, GLBA/HIPAA, and public-utility notice paths, but does not include a separate Attorney General notice step. The section applies to breach discovery or notification on or after July 2, 2006 and preempts local breach rules [^q5-itpa-effective-preemption]; bills pending in the current session (Senate Bills 360 through 364) would revise the framework if enacted, but until then the duties above are the operative ones. 
The Act also prohibits advertisements that misrepresent that a breach has occurred [^q5-itpa-fake-notice] or that mimic a required breach notice [^q5-itpa-mimic].

## Can a consumer sue your business in Michigan over privacy? {#consumer-lawsuit}

**Short answer.** Yes — and the live exposure is the PPPA. A customer who suffers actual damages from a violation may sue and recover actual damages, including damages for emotional distress, plus costs and attorney fees [^q6-pppa-pra]. For conduct predating the statute's 2016 amendment the exposure is larger: the pre-amendment act let a customer recover actual damages or $5,000, whichever was greater [^q6-boelter-5000], and the federal courts that have decided the question have held that the amendment — effective July 31, 2016 [^q6-perlin-effective] — does not apply retroactively, so pre-amendment disclosures still carry the $5,000-per-customer remedy [^q6-perlin-retroactivity] [^q6-boelter-retroactivity].

That statutory-damages remedy, multiplied across a subscriber list, is what built the PPPA class-action industry against publishers and media businesses. A 2022 Eastern District of Michigan decision held that a six-year limitations period applies to PPPA claims [^q6-pratt-limitations], which made pre-amendment disclosures economically live for the second wave of cases. The retroactivity holdings come from federal district courts in New York and Michigan [^q6-boelter-retroactivity] [^q6-perlin-retroactivity]; neither the Sixth Circuit nor a Michigan appellate court appears to have squarely resolved the retroactivity or six-year limitations questions, so those points remain district-court law rather than settled appellate law. The MCPA looks like a second consumer-suit engine on paper — a person who suffers loss may sue for actual damages or $250, whichever is greater, with attorney fees [^q6-mcpa-pra], and class actions for actual damages are available [^q6-mcpa-class] — but the Michigan Supreme Court cut its practical reach in *Smith v. Globe Life Insurance Co.* The act exempts a transaction or conduct specifically authorized under laws administered by a state or federal regulatory board or officer [^q6-mcpa-exemption], and *Smith* held that the relevant inquiry is whether the general transaction is specifically authorized by law, regardless of whether the specific misconduct alleged is prohibited [^q6-smith-exemption]. Under that reading, businesses in licensed and regulated lines of business can often invoke the exemption even when the complained-of conduct itself was unlawful — and the Legislature later closed *Smith*'s own pathway, barring MCPA actions over insurance-code conduct occurring on or after March 28, 2001 [^q6-mcpa-insurance]. So an MCPA privacy claim is most viable against an ordinary, unregulated consumer business and weakest against banks, insurers, utilities, and other licensed industries. 
MCL 445.72 does not create an express consumer damages action for failure to notify: civil fines are recovered by the Attorney General or a prosecuting attorney, and other civil remedies remain outside subsections (12) and (13) [^q6-itpa-fines] [^q6-itpa-civil-remedies], leaving post-breach private suits to common-law theories with their usual standing hurdles.

[^about]: By Steven Obiajulu, J.D. Published by [openagreements.org](https://openagreements.org) · Maintained by [UseJunior](https://usejunior.com). Last reviewed 2026-06-11. License: CC BY 4.0. Steven Obiajulu, J.D. is admitted in New York, not Michigan. This article synthesizes Michigan primary law and is not legal advice from a Michigan-admitted attorney. This article is for informational purposes only and does not create an attorney-client relationship.

[^q1-pppa-disclosure]: **MCL 445.1712** — "Subject to subsection (2) and except as provided in section 3 or as otherwise provided by law, a person, or an employee or agent of the person, engaged in the business of selling at retail, renting, or lending books or other written materials, sound recordings, or video recordings shall not knowingly disclose to any person, other than the customer, a record or information that personally identifies the customer as having purchased, leased, rented, or borrowed those materials from the person engaged in the business." *MCL 445.1712(1).* <https://legislature.mi.gov/Laws/MCL?objectName=mcl-445-1712>

[^q1-itpa-breach]: **MCL 445.72** — "A person or agency shall provide any notice required under this section without unreasonable delay." *MCL 445.72(4).* <https://legislature.mi.gov/Laws/MCL?objectName=mcl-445-72>

[^q1-mcpa-unlawful]: **MCL 445.903** — "Unfair, unconscionable, or deceptive methods, acts, or practices in the conduct of trade or commerce are unlawful and are defined as follows:" *MCL 445.903(1).* <https://legislature.mi.gov/Laws/MCL?objectName=mcl-445-903>

[^q1-mcpa-ssn]: **MCL 445.903(1)(hh)** — "Except as provided in subsection (3), requiring a consumer to disclose his or her Social Security number as a condition to selling or leasing goods or providing a service to the consumer, unless any of the following apply:" *MCL 445.903(1)(hh).* <https://legislature.mi.gov/Laws/MCL?objectName=mcl-445-903>

[^q1-fed-ftc5]: **FTC Act § 5** — "Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful." *15 U.S.C. § 45(a)(1).* <https://www.law.cornell.edu/uscode/text/15/45#:~:text=Unfair%20methods%20of%20competition%20in,commerce%2C%20are%20hereby%20declared%20unlawful.>

[^q2-pppa-disclosure]: **MCL 445.1712** — "Subject to subsection (2) and except as provided in section 3 or as otherwise provided by law, a person, or an employee or agent of the person, engaged in the business of selling at retail, renting, or lending books or other written materials, sound recordings, or video recordings shall not knowingly disclose to any person, other than the customer, a record or information that personally identifies the customer as having purchased, leased, rented, or borrowed those materials from the person engaged in the business." *MCL 445.1712(1).* <https://legislature.mi.gov/Laws/MCL?objectName=mcl-445-1712>

[^q2-pppa-exceptions]: **MCL 445.1713** — "A record or information described in section 2 may be disclosed only in 1 or more of the following circumstances: (a) With the written permission of the customer. (b) Pursuant to a warrant or court order. (c) To the extent reasonably necessary to collect payment for the materials or the rental of the materials, if the customer has received written notice that the payment is due and has failed to pay or arrange for payment within a reasonable time after notice." *MCL 445.1713.* <https://legislature.mi.gov/Laws/MCL?objectName=mcl-445-1713>

[^q2-pppa-optout]: **MCL 445.1713(e)** — "(e) If the disclosure is for the purpose of marketing goods and services to customers. All of the following apply for purposes of this subdivision: (i) The person that is disclosing the information shall inform the customer by written notice that the customer may remove his or her name at any time and shall specify the manner or manners by which the customer may remove his or her name. Unless the person's method of communication with customers is by electronic means, the written notice shall include a nonelectronic method that the customer may use to opt out of disclosure. Any of the following methods of notice satisfy the written notice requirements of this subparagraph: (A) Written notice included in or with any materials sold, rented, or lent to the customer under section 2. (B) Written notice provided to the customer at the time he or she orders any of the materials described in section 2 or otherwise provided to the customer in connection with the transaction between the person and customer for the sale, rental, or loan of the materials to the customer. (C) Notice that is included and clearly and conspicuously disclosed in an online privacy policy or similar communication that is posted on the Internet, is maintained by the person that is disclosing the information, and is available to customers or the general public. (ii) A customer may provide notice to the person that is disclosing information under this subdivision that the customer does not want his or her name disclosed. (iii) Beginning 30 days after the person receives the customer's notice, the person shall not knowingly disclose the customer's name to any other person for marketing goods and services." *MCL 445.1713(e).* <https://legislature.mi.gov/Laws/MCL?objectName=mcl-445-1713>

[^q2-boelter-magazines]: **Boelter v. Hearst Communications, Inc., 192 F. Supp. 3d 427 (S.D.N.Y. 2016)** — "Plaintiffs Boelter and Edwards are Michigan citizens who subscribe to Country Living and Good Housekeeping, respectively, two magazines published by Defendant." *Boelter v. Hearst Commc'ns, Inc., 192 F. Supp. 3d 427 (S.D.N.Y. 2016).* <https://www.courtlistener.com/opinion/7320807/boelter-v-hearst-communications-inc/#:~:text=Plaintiffs%20Boelter%20and%20Edwards%20are,two%20magazines%20published%20by%20Defendant.>

[^q2-pppa-aggregated]: **MCL 445.1712(2)** — "This section does not apply to the disclosure of a record or information that has been aggregated or has been processed in a manner designed to prevent its association with an identifiable customer." *MCL 445.1712(2).* <https://legislature.mi.gov/Laws/MCL?objectName=mcl-445-1712>

[^q2-pppa-ordinary-course-def]: **MCL 445.1711(d)** — "means activities related to the sale, rental, or lending of, or advertising in, materials described in section 2." *MCL 445.1711(d).* <https://legislature.mi.gov/Laws/MCL?objectName=mcl-445-1711>

[^q2-pppa-ordinary-course]: **MCL 445.1713(d)** — "To any person if the disclosure is incident to the ordinary course of business of the person that is disclosing the record or information. This subdivision only applies to a record or information that is created or obtained after the effective date of the amendatory act that added this subdivision." *MCL 445.1713(d).* <https://legislature.mi.gov/Laws/MCL?objectName=mcl-445-1713>

[^q3-ssn-policy]: **MCL 445.84** — "(1) Beginning January 1, 2006, a person who obtains 1 or more social security numbers in the ordinary course of business shall create a privacy policy that does at least all of the following concerning the social security numbers the person possesses or obtains: (a) Ensures to the extent practicable the confidentiality of the social security numbers. (b) Prohibits unlawful disclosure of the social security numbers. (c) Limits who has access to information or documents that contain the social security numbers. (d) Describes how to properly dispose of documents that contain the social security numbers. (e) Establishes penalties for violation of the privacy policy. (2) A person that creates a privacy policy under subsection (1) shall publish the privacy policy in an employee handbook, in a procedures manual, or in 1 or more similar documents, which may be made available electronically." *MCL 445.84(1)-(2).* <https://legislature.mi.gov/Laws/MCL?objectName=mcl-445-84>

[^q3-pppa-policy-notice]: **MCL 445.1713(e)** — "Notice that is included and clearly and conspicuously disclosed in an online privacy policy or similar communication that is posted on the Internet, is maintained by the person that is disclosing the information, and is available to customers or the general public." *MCL 445.1713(e)(i)(C).* <https://legislature.mi.gov/Laws/MCL?objectName=mcl-445-1713>

[^q3-mcpa-deception]: **MCL 445.903(1)(s)** — "Failing to reveal a material fact, the omission of which tends to mislead or deceive the consumer, and which fact could not reasonably be known by the consumer." *MCL 445.903(1)(s).* <https://legislature.mi.gov/Laws/MCL?objectName=mcl-445-903>

[^q3-fed-ftc5]: **FTC Act § 5** — "Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful." *15 U.S.C. § 45(a)(1).* <https://www.law.cornell.edu/uscode/text/15/45#:~:text=Unfair%20methods%20of%20competition%20in,commerce%2C%20are%20hereby%20declared%20unlawful.>

[^q3-cain-permission]: **Cain v. Redbox Automated Retail, LLC, 136 F. Supp. 3d 824 (E.D. Mich. 2015)** — "Defendant has shown that its Terms of Use and portions of its Privacy Policy apply to every rental transaction, and that these documents provide the written permission required by the VRPA." *Cain v. Redbox Automated Retail, LLC, 136 F. Supp. 3d 824 (E.D. Mich. 2015).* <https://www.courtlistener.com/opinion/7316121/cain-v-redbox-automated-retail-llc/#:~:text=Defendant%20has%20shown%20that%20its,permission%20required%20by%20the%20VRPA.>

[^q3-fed-hipaa-notice]: **HIPAA Notice of Privacy Practices** — "an individual has a right to adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual's rights and the covered entity's legal duties with respect to protected health information" *45 C.F.R. § 164.520(a).* <https://www.law.cornell.edu/cfr/text/45/164.520#:~:text=an%20individual%20has%20a%20right,respect%20to%20protected%20health%20information>

[^q4-itpa-maintainer]: **MCL 445.72(2)** — "Unless the person or agency determines that the security breach has not or is not likely to cause substantial loss or injury to, or result in identity theft with respect to, 1 or more residents of this state, a person or agency that maintains a database that includes data that the person or agency does not own or license that discovers a breach of the security of the database shall provide a notice to the owner or licensor of the information of the security breach." *MCL 445.72(2).* <https://legislature.mi.gov/Laws/MCL?objectName=mcl-445-72>

[^q4-pppa-ordinary-course]: **MCL 445.1713(d)** — "To any person if the disclosure is incident to the ordinary course of business of the person that is disclosing the record or information. This subdivision only applies to a record or information that is created or obtained after the effective date of the amendatory act that added this subdivision." *MCL 445.1713(d).* <https://legislature.mi.gov/Laws/MCL?objectName=mcl-445-1713>

[^q4-pppa-permission]: **MCL 445.1713(a)** — "(a) With the written permission of the customer." *MCL 445.1713(a).* <https://legislature.mi.gov/Laws/MCL?objectName=mcl-445-1713>

[^q4-cain-external]: **Cain v. Redbox Automated Retail, LLC, 136 F. Supp. 3d 824 (E.D. Mich. 2015)** — "Redbox clearly could not, for example, give or sell any customer data to a third party for a use unrelated to Redbox’s own business." *Cain v. Redbox Automated Retail, LLC, 136 F. Supp. 3d 824 (E.D. Mich. 2015).* <https://www.courtlistener.com/opinion/7316121/cain-v-redbox-automated-retail-llc/#:~:text=Redbox%20clearly%20could%20not%2C%20for,unrelated%20to%20Redbox%E2%80%99s%20own%20business.>

[^q4-fed-glba-safeguards]: **GLBA Safeguards Rule** — "Requiring your service providers by contract to implement and maintain such safeguards" *16 C.F.R. § 314.4(f)(2).* <https://www.law.cornell.edu/cfr/text/16/314.4#:~:text=Requiring%20your%20service%20providers%20by,implement%20and%20maintain%20such%20safeguards>

[^q4-fed-hipaa-baa]: **HIPAA Business Associate Contracts** — "A contract between the covered entity and a business associate must: (i) Establish the permitted and required uses and disclosures of protected health information by the business associate. The contract may not authorize the business associate to use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity, except that: (A) The contract may permit the business associate to use and disclose protected health information for the proper management and administration of the business associate, as provided in paragraph (e)(4) of this section; and (B) The contract may permit the business associate to provide data aggregation services relating to the health care operations of the covered entity. (ii) Provide that the business associate will: (A) Not use or further disclose the information other than as permitted or required by the contract or as required by law; (B) Use appropriate safeguards and comply, where applicable, with subpart C of this part with respect to electronic protected health information, to prevent use or disclosure of the information other than as provided for by its contract; (C) Report to the covered entity any use or disclosure of the information not provided for by its contract of which it becomes aware, including breaches of unsecured protected health information as required by § 164.410; (D) In accordance with § 164.502(e)(1)(ii), ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of the business associate agree to the same restrictions and conditions that apply to the business associate with respect to such information;" *45 C.F.R. § 164.504(e)(2).* <https://www.law.cornell.edu/cfr/text/45/164.504#:~:text=A%20contract%20between%20the%20covered,with%20respect%20to%20such%20information%3B>

[^q5-itpa-trigger]: **MCL 445.72(1)** — "Unless the person or agency determines that the security breach has not or is not likely to cause substantial loss or injury to, or result in identity theft with respect to, 1 or more residents of this state, a person or agency that owns or licenses data that are included in a database that discovers a security breach, or receives notice of a security breach under subsection (2), shall provide a notice of the security breach to each resident of this state who meets 1 or more of the following: (a) That resident's unencrypted and unredacted personal information was accessed and acquired by an unauthorized person. (b) That resident's personal information was accessed and acquired in encrypted form by a person with unauthorized access to the encryption key." *MCL 445.72(1).* <https://legislature.mi.gov/Laws/MCL?objectName=mcl-445-72>

[^q5-itpa-timing]: **MCL 445.72(4)** — "A person or agency shall provide any notice required under this section without unreasonable delay. A person or agency may delay providing notice without violating this subsection if either of the following is met: (a) A delay is necessary in order for the person or agency to take any measures necessary to determine the scope of the security breach and restore the reasonable integrity of the database. However, the agency or person shall provide the notice required under this subsection without unreasonable delay after the person or agency completes the measures necessary to determine the scope of the security breach and restore the reasonable integrity of the database. (b) A law enforcement agency determines and advises the agency or person that providing a notice will impede a criminal or civil investigation or jeopardize homeland or national security. However, the agency or person shall provide the notice required under this section without unreasonable delay after the law enforcement agency determines that providing the notice will no longer impede the investigation or jeopardize homeland or national security." *MCL 445.72(4).* <https://legislature.mi.gov/Laws/MCL?objectName=mcl-445-72>

[^q5-itpa-fines]: **MCL 445.72(13)-(14)** — "Subject to subsection (14), a person that knowingly fails to provide any notice of a security breach required under this section may be ordered to pay a civil fine of not more than $250.00 for each failure to provide notice. The attorney general or a prosecuting attorney may bring an action to recover a civil fine under this section. (14) The aggregate liability of a person for civil fines under subsection (13) for multiple violations of subsection (13) that arise from the same security breach shall not exceed $750,000.00." *MCL 445.72(13)-(14).* <https://legislature.mi.gov/Laws/MCL?objectName=mcl-445-72>

[^q5-pi-def]: **MCL 445.63** — "‘Personal information’ means the first name or first initial and last name linked to 1 or more of the following data elements of a resident of this state: (i) Social security number. (ii) Driver license number or state personal identification card number. (iii) Demand deposit or other financial account number, or credit card or debit card number, in combination with any required security code, access code, or password that would permit access to any of the resident's financial accounts." *MCL 445.63(r).* <https://legislature.mi.gov/Laws/MCL?objectName=mcl-445-63>

[^q5-itpa-content]: **MCL 445.72(6)** — "(6) A notice under this section shall do all of the following: (a) For a notice provided under subsection (5)(a) or (b), be written in a clear and conspicuous manner and contain the content required under subdivisions (c) to (g). (b) For a notice provided under subsection (5)(c), clearly communicate the content required under subdivisions (c) to (g) to the recipient of the telephone call. (c) Describe the security breach in general terms. (d) Describe the type of personal information that is the subject of the unauthorized access or use. (e) If applicable, generally describe what the agency or person providing the notice has done to protect data from further security breaches. (f) Include a telephone number where a notice recipient may obtain assistance or additional information. (g) Remind notice recipients of the need to remain vigilant for incidents of fraud and identity theft." *MCL 445.72(6).* <https://legislature.mi.gov/Laws/MCL?objectName=mcl-445-72>

[^q5-itpa-methods]: **MCL 445.72(5)** — "(5) Except as provided in subsection (11), an agency or person shall provide any notice required under this section by providing 1 or more of the following to the recipient: (a) Written notice sent to the recipient at the recipient's postal address in the records of the agency or person. (b) Written notice sent electronically to the recipient if any of the following are met: (i) The recipient has expressly consented to receive electronic notice. (ii) The person or agency has an existing business relationship with the recipient that includes periodic electronic mail communications and based on those communications the person or agency reasonably believes that it has the recipient's current electronic mail address. (iii) The person or agency conducts its business primarily through internet account transactions or on the internet. (c) If not otherwise prohibited by state or federal law, notice given by telephone by an individual who represents the person or agency if all of the following are met: (i) The notice is not given in whole or in part by use of a recorded message. (ii) The recipient has expressly consented to receive notice by telephone, or if the recipient has not expressly consented to receive notice by telephone, the person or agency also provides notice under subdivision (a) or (b) if the notice by telephone does not result in a live conversation between the individual representing the person or agency and the recipient within 3 business days after the initial attempt to provide telephonic notice. (d) Substitute notice, if the person or agency demonstrates that the cost of providing notice under subdivision (a), (b), or (c) will exceed $250,000.00 or that the person or agency has to provide notice to more than 500,000 residents of this state. A person or agency provides substitute notice under this subdivision by doing all of the following: (i) If the person or agency has electronic mail addresses for any of the residents of this state who are entitled to receive the notice, providing electronic notice to those residents. (ii) If the person or agency maintains a website, conspicuously posting the notice on that website. (iii) Notifying major statewide media. A notification under this subparagraph shall include a telephone number or a website address that a person may use to obtain additional assistance and information." *MCL 445.72(5).* <https://legislature.mi.gov/Laws/MCL?objectName=mcl-445-72>

[^q5-itpa-cra]: **MCL 445.72(8)** — "Except as provided in this subsection, after a person or agency provides a notice under this section, the person or agency shall notify each consumer reporting agency that compiles and maintains files on consumers on a nationwide basis, as defined in 15 USC 1681a(p), of the security breach without unreasonable delay. A notification under this subsection shall include the number of notices that the person or agency provided to residents of this state and the timing of those notices. This subsection does not apply if either of the following is met: (a) The person or agency is required under this section to provide notice of a security breach to 1,000 or fewer residents of this state. (b) The person or agency is subject to 15 USC 6801 to 6809." *MCL 445.72(8).* <https://legislature.mi.gov/Laws/MCL?objectName=mcl-445-72>

[^q5-itpa-glb]: **MCL 445.72(9)** — "A financial institution that is subject to, and has notification procedures in place that are subject to examination by the financial institution's appropriate regulator for compliance with, the interagency guidance on response programs for unauthorized access to customer information and customer notice prescribed by the board of governors of the federal reserve system and the other federal bank and thrift regulatory agencies, or similar guidance prescribed and adopted by the national credit union administration, and its affiliates, is considered to be in compliance with this section." *MCL 445.72(9).* <https://legislature.mi.gov/Laws/MCL?objectName=mcl-445-72>

[^q5-itpa-hipaa]: **MCL 445.72(10)** — "A person or agency that is subject to and complies with the health insurance portability and accountability act of 1996, Public Law 104-191, and with regulations promulgated under that act, 45 CFR parts 160 and 164, for the prevention of unauthorized access to customer information and customer notice is considered to be in compliance with this section." *MCL 445.72(10).* <https://legislature.mi.gov/Laws/MCL?objectName=mcl-445-72>

[^q5-itpa-effective-preemption]: **MCL 445.72(16)-(18)** — "(16) This section applies to the discovery or notification of a breach of the security of a database that occurs on or after July 2, 2006. (17) This section does not apply to the access or acquisition by a person or agency of federal, state, or local government records or documents lawfully made available to the general public. (18) This section deals with subject matter that is of statewide concern, and any charter, ordinance, resolution, regulation, rule, or other action by a municipal corporation or other political subdivision of this state to regulate, directly or indirectly, any matter expressly set forth in this section is preempted." *MCL 445.72(16)-(18).* <https://legislature.mi.gov/Laws/MCL?objectName=mcl-445-72>

[^q5-itpa-fake-notice]: **MCL 445.72b** — "A person shall not distribute an advertisement or make any other solicitation that misrepresents to the recipient that a security breach has occurred that may affect the recipient." *MCL 445.72b(1).* <https://legislature.mi.gov/Laws/MCL?objectName=mcl-445-72b>

[^q5-itpa-mimic]: **MCL 445.72b(2)** — "(2) A person shall not distribute an advertisement or make any other solicitation that is substantially similar to a notice required under section 12(5) or by federal law, if the form of that notice is prescribed by state or federal law, rule, or regulation." *MCL 445.72b(2).* <https://legislature.mi.gov/Laws/MCL?objectName=mcl-445-72b>

[^q6-pppa-pra]: **MCL 445.1715** — "Regardless of any criminal prosecution for the violation, a person that violates this act may be liable in a civil action for damages to a customer under subsection (2). (2) A customer described in subsection (1) who suffers actual damages as a result of a violation of this act may bring a civil action against the person that violated this act and may recover both of the following: (a) The customer's actual damages, including damages for emotional distress. (b) Reasonable costs and attorney fees." *MCL 445.1715.* <https://legislature.mi.gov/Laws/MCL?objectName=mcl-445-1715>

[^q6-boelter-5000]: **Boelter v. Hearst Communications, Inc., 192 F. Supp. 3d 427 (S.D.N.Y. 2016)** — "customers who are ‘identified in ... information that is disclosed in violation of [the] act’ may bring a civil action to recover ‘actual damages, including damages for emotional distress, or $5,000.00, whichever is greater,’ as well as costs and attorneys’ fees" *Boelter v. Hearst Commc'ns, Inc., 192 F. Supp. 3d 427 (S.D.N.Y. 2016).* <https://www.courtlistener.com/opinion/7320807/boelter-v-hearst-communications-inc/#:~:text=customers%20who%20are%20%E2%80%9Cidentified%20in,as%20costs%20and%20attorneys%E2%80%99%20fees>

[^q6-perlin-effective]: **Perlin v. Time Inc., 237 F. Supp. 3d 623 (E.D. Mich. 2017)** — "Senate Bill 490 became effective on July 31, 2016." *Perlin v. Time Inc., 237 F. Supp. 3d 623 (E.D. Mich. 2017).* <https://www.courtlistener.com/opinion/7324387/perlin-v-time-inc/#:~:text=Senate%20Bill%20490%20became%20effective%20on%20July%2031%2C%202016.>

[^q6-perlin-retroactivity]: **Perlin v. Time Inc., 237 F. Supp. 3d 623 (E.D. Mich. 2017)** — "Based on the first, third, and fourth retroactivity principles, the Court concludes that Senate Bill 490 is not retroactive." *Perlin v. Time Inc., 237 F. Supp. 3d 623 (E.D. Mich. 2017).* <https://www.courtlistener.com/opinion/7324387/perlin-v-time-inc/#:~:text=Based%20on%20the%20first%2C%20third%2C,Bill%20490%20is%20not%20retroactive.>

[^q6-boelter-retroactivity]: **Boelter v. Hearst Communications, Inc., 192 F. Supp. 3d 427 (S.D.N.Y. 2016)** — "The parties dispute whether the amended law retroactively applies to Plaintiffs’ claims. For the reasons stated below, the Court finds that it does not." *Boelter v. Hearst Commc'ns, Inc., 192 F. Supp. 3d 427 (S.D.N.Y. 2016).* <https://www.courtlistener.com/opinion/7320807/boelter-v-hearst-communications-inc/#:~:text=The%20parties%20dispute%20whether%20the,finds%20that%20it%20does%20not.>

[^q6-pratt-limitations]: **Pratt v. KSE Sportsman Media, Inc., 586 F. Supp. 3d 666 (E.D. Mich. 2022)** — "A six-year statute of limitations applies to PPPA claims. Mich. Comp. Laws §§ 445.1711 et seq., 600.5813." *Pratt v. KSE Sportsman Media, Inc., 586 F. Supp. 3d 666 (E.D. Mich. 2022).* <https://caselaw.findlaw.com/court/us-dis-crt-e-d-mic-nor-div/2162951.html>

[^q6-mcpa-pra]: **MCL 445.911** — "Except in a class action or as otherwise provided in subsection (3), a person who suffers loss as a result of a violation of this act may bring an action to recover actual damages or $250.00, whichever is greater, together with reasonable attorney fees." *MCL 445.911(2).* <https://legislature.mi.gov/Laws/MCL?objectName=mcl-445-911>

[^q6-mcpa-class]: **MCL 445.911(4)** — "(4) A person who suffers loss as a result of a violation of this act may bring a class action on behalf of persons residing or injured in this state for the actual damages caused by any of the following: (a) A method, act, or practice in trade or commerce defined as unlawful under section 3. (b) A method, act, or practice in trade or commerce declared to be unlawful under section 3(1) by a final judgment of the circuit court or an appellate court of this state that is either reported officially or made available for public dissemination pursuant to section 9 by the attorney general not less than 30 days before the method, act, or practice on which the action is based occurs. (c) A method, act, or practice in trade or commerce declared by a circuit court of appeals or the United States Supreme Court to be an unfair or deceptive act or practice within the meaning of section 5(a)(1) of the federal trade commission act, 15 USC 45(a)(1), in a decision that affirms or directs the affirmance of a cease and desist order issued by the Federal Trade Commission if the order is final within the meaning of section 5(g) of the federal trade commission act, 15 USC 45(g), and that is officially reported not less than 30 days before the method, act, or practice on which the action is based occurs. For purposes of this subdivision, a method, act, or practice is not unfair or deceptive within the meaning of section 5(a)(1) of the federal trade commission act, 15 USC 45(a)(1), solely because the method, act, or practice is made unlawful by another federal statute that refers to or incorporates section 5(a)(1) of the federal trade commission act, 15 USC 45(a)(1)." *MCL 445.911(4).* <https://legislature.mi.gov/Laws/MCL?objectName=mcl-445-911>

[^q6-mcpa-exemption]: **MCL 445.904(1)(a)** — "This act does not apply to either of the following: (a) A transaction or conduct specifically authorized under laws administered by a regulatory board or officer acting under statutory authority of this state or the United States." *MCL 445.904(1)(a).* <https://legislature.mi.gov/Laws/MCL?objectName=mcl-445-904>

[^q6-smith-exemption]: **Smith v. Globe Life Insurance Co., 460 Mich. 446 (1999)** — "Contrary to the ‘common-sense reading’ of this provision by the Court of Appeals, we conclude that the relevant inquiry is not whether the specific misconduct alleged by the plaintiffs is ‘specifically authorized.’ Rather, it is whether the general transaction is specifically authorized by law, regardless of whether the specific misconduct alleged is prohibited." *Smith v. Globe Life Ins. Co., 460 Mich. 446 (1999).* <https://www.courtlistener.com/opinion/1693300/smith-v-globe-life-insurance/#:~:text=Contrary%20to%20the%20%E2%80%9Ccommon%2Dsense%20reading%E2%80%9D,specific%20misconduct%20alleged%20is%20prohibited.>

[^q6-mcpa-insurance]: **MCL 445.904(3)** — "This act does not apply to or create a cause of action for an unfair, unconscionable, or deceptive method, act, or practice that is made unlawful by chapter 20 of the insurance code of 1956, 1956 PA 218, MCL 500.2001 to 500.2093, if either of the following is met: (a) The method, act, or practice occurred on or after March 28, 2001." *MCL 445.904(3).* <https://legislature.mi.gov/Laws/MCL?objectName=mcl-445-904>

[^q6-itpa-fines]: **MCL 445.72(13)** — "The attorney general or a prosecuting attorney may bring an action to recover a civil fine under this section." *MCL 445.72(13).* <https://legislature.mi.gov/Laws/MCL?objectName=mcl-445-72>

[^q6-itpa-civil-remedies]: **MCL 445.72(15)** — "Subsections (12) and (13) do not affect the availability of any civil remedy for a violation of state or federal law." *MCL 445.72(15).* <https://legislature.mi.gov/Laws/MCL?objectName=mcl-445-72>
