Michigan lawmakers have placed a comprehensive consumer privacy bill back on the agenda. Senate Bill 359, the proposed Personal Data Privacy Act, would establish new rights for Michigan residents over their personal information and new obligations for organizations that collect, use, and share it. Although the bill is still advancing through the Legislature, it already sketches a compliance blueprint companies can start following now. For businesses across Southeast Michigan, from Detroit tech startups and mobility platforms to healthcare-adjacent vendors and e-commerce retailers, the most durable early moves are clear: strengthen your data maps, harden and simplify your opt-out flows (including universal signals), and tighten your vendor data processing agreements. These steps don’t hinge on final rulemaking; they harden your privacy posture, put you on track for multi-state interoperability, and reduce the cost of last-minute compliance fire drills if the bill becomes law, given that it would take effect one year after enactment.
SB 359 would apply to companies that do business in Michigan or target Michigan residents and either process data about at least 100,000 consumers in a calendar year, or process data about at least 25,000 consumers and derive any revenue from selling personal data. These thresholds are not exotic by modern digital standards; even midsized firms can cross them quickly when web traffic, loyalty programs, and third-party marketing are in the mix. The bill also includes familiar entity-level and sector-specific carve-outs, such as for covered entities under HIPAA and certain financial institutions, so evaluating scope is a first-order task for legal and product teams.
If enacted, SB 359 would take effect one year after it becomes law. That may sound generous, but “one year” disappears fast when you’re cataloging data flows, updating notices, rebuilding preference architectures, and renegotiating processor contracts across a portfolio of vendors. Start clocking your program against that runway now, rather than waiting for final votes.
The bill creates a familiar set of consumer rights with a few state-specific contours. Individuals would be able to confirm whether a controller processes their data and access it; correct inaccuracies; delete personal data obtained about them; obtain a portable copy of data they provided; and opt out of targeted advertising, the sale of personal data, and profiling in furtherance of solely automated decisions that produce legal or similarly significant effects. These rights are the backbone of modern U.S. state privacy regimes, and they directly shape the operational workflows you must build, particularly around authentication, fulfillment, and documentation.
Just as important, SB 359 would standardize how opt-out preferences travel. Michigan’s proposal would require controllers to honor an opt-out preference signal (think Global Privacy Control or a similar mechanism) when it is sent with a consumer’s consent. This is an explicit nod to the reality that individual, site-by-site toggles are clumsy at scale and that browser-level or device-level signals must be respected. The statute adds guardrails for those signals: they cannot be default-on, must be user-friendly, and must enable controllers to determine whether a request is legitimately from a Michigan resident. For design and engineering teams, that means building detection and routing logic that harmonizes signal handling with your existing preference center, cookie banner, and advertising stack.
The fulfillment clock is also straightforward but stringent. Controllers would generally have 45 days to respond to a request, with one possible 45-day extension when reasonably necessary. If you decline to act, you must explain why and provide a path to appeal. And if the appeal is denied, you must offer a mechanism for the consumer to contact the Michigan Attorney General. These process details turn policy promises into deadlines and logs, so your intake portals, case management tooling, and internal playbooks should reflect them now.
One feature that will matter for marketing, analytics, and lead-generation ecosystems is the bill’s creation of a public registry for data brokers: entities that knowingly collect and sell or license personal data about consumers with whom they have no direct relationship. Under the proposal, any company meeting the definition in the prior year would need to register annually with the Attorney General beginning February 1, 2026, provide basic contact and practice information, and pay a fee that funds the registry site. The enforcement teeth are specific: a $100-per-day penalty for failing to register and other remedies. The practical takeaway for Michigan-facing businesses is twofold: first, determine whether any of your lines of business qualify as data-brokering, and second, inventory the third parties from whom you buy data and confirm their registration status when (and if) the registry goes live.
SB 359 would be enforced by the Attorney General, with no private right of action. Pre-suit notice and a 30-day cure period would apply for the first 18 months after the effective date, but relying on cure provisions is a risky compliance strategy. Cure windows exist to encourage good-faith remediation, not to underwrite continued noncompliance; penalties can stack quickly, and remediation can be costly under time pressure. Building the programmatic basics now is still the cheaper path.
Start with your data maps, but make them living tools rather than shelf documents. At minimum, catalog the categories of personal data you process, the purposes for which you process it, and the systems and vendors involved. For Michigan, ensure your inventory distinguishes between ordinary personal data and “sensitive data,” which includes precise geolocation, biometric identifiers, data about known children, certain health-related data, and more. Sensitive data triggers heightened standards in the bill (obtaining consent before processing, and limiting collection to what is strictly necessary when the processing ties to specific products or services), so your map should explicitly flag where sensitive data enters the environment and why it is needed.
Turn that map into action. Link data elements to the purposes disclosed in your privacy notice; if you process for a new purpose, your teams should know they must make an additional disclosure and, where required, obtain consent before proceeding. Use the map to model retention: the proposal prohibits retaining personal data longer than reasonably necessary for the stated purpose, and imposes even tighter constraints on sensitive data. That pushes organizations toward specific retention schedules rather than open-ended storage. Your map, records schedule, and deletion workflows should move in lockstep so that, when a deletion request arrives or the retention clock runs out, you can execute it across active and backup environments without guesswork.
Data mapping is also the backbone of deletion and portability fulfillment. Under the bill, you must be able to permanently and completely delete personal data in response to a validated request unless a law requires retention, with a narrow allowance for delay if the data is in archived systems until they are restored or accessed. You also must be able to provide a portable copy of data a consumer provided, in a readily usable format. Neither requirement is new in the U.S. privacy ecosystem, but both are heavy lifts if your map does not tell you precisely where data resides and how it is structured.
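As an added illustration (not code from the article or from Tishkoff PLC), here is a small Python model of the data map described in the three paragraphs above, built on a constructed inventory: it flags sensitive elements that lack a consent basis, computes which records have outrun their retention schedule, splits a deletion into active stores and archives (which the bill allows to be deleted later, once restored or accessed), and lists the elements in scope of a portability request. The categories, system names, vendors, retention periods and dates are all assumptions made for the example.

```python
# Added example (not from the original article or from Tishkoff PLC): a data
# map kept as a queryable inventory rather than a shelf document. Every element,
# system, vendor, retention period and date below is constructed for illustration.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Categories the bill treats as "sensitive" (partial list, as summarized above).
SENSITIVE_CATEGORIES = {"precise_geolocation", "biometric", "child_data", "health"}
# Backup/archive stores: deletion there may be deferred until restored or accessed,
# so the deletion plan keeps them separate from active systems.
ARCHIVED_SYSTEMS = {"crm_backup", "cold_archive"}


@dataclass(frozen=True)
class DataElement:
    name: str
    category: str
    purposes: Tuple[str, ...]            # purposes disclosed in the privacy notice
    systems: Tuple[str, ...]             # every store holding it, archives included
    vendors: Tuple[str, ...]             # processors / third parties receiving it
    retention_days: int                  # a schedule, not open-ended storage
    consumer_provided: bool              # eligible for the portable copy
    consent_basis: Optional[str] = None  # consent record required for sensitive data


# Constructed sample inventory (hypothetical elements and systems).
DATA_MAP: List[DataElement] = [
    DataElement("email", "contact", ("account", "marketing"),
                ("crm", "crm_backup"), ("email_vendor",), 3 * 365, True),
    DataElement("gps_trace", "precise_geolocation", ("navigation",),
                ("telemetry_db", "cold_archive"), ("maps_vendor",), 30, False,
                consent_basis="in_app_consent_v2"),
    DataElement("face_template", "biometric", ("login",),
                ("auth_store",), (), 365, False),   # sensitive, no consent recorded
]

# Constructed collection dates for one consumer's records, and the review date.
SAMPLE_COLLECTED_ON: Dict[str, date] = {
    "email": date(2020, 1, 1),
    "gps_trace": date(2025, 7, 1),
    "face_template": date(2025, 8, 20),
}
AS_OF = date(2025, 9, 1)


def is_sensitive(e: DataElement) -> bool:
    return e.category in SENSITIVE_CATEGORIES


def sensitive_without_consent(data_map: List[DataElement]) -> List[str]:
    """Sensitive elements entering the environment with no consent basis on file."""
    return [e.name for e in data_map if is_sensitive(e) and not e.consent_basis]


def expired_elements(data_map: List[DataElement], collected_on: Dict[str, date],
                     today: date) -> List[str]:
    """Elements whose retention clock has run out for the given records."""
    by_name = {e.name: e for e in data_map}
    return [name for name, when in collected_on.items()
            if name in by_name
            and when + timedelta(days=by_name[name].retention_days) < today]


def deletion_plan(data_map: List[DataElement],
                  elements: Optional[List[str]] = None) -> Dict[str, Dict[str, List[str]]]:
    """Where a deletion must execute, split into active stores and archives."""
    plan: Dict[str, Dict[str, List[str]]] = {"active": {}, "archived": {}}
    for e in data_map:
        if elements is not None and e.name not in elements:
            continue
        for system in e.systems:
            bucket = "archived" if system in ARCHIVED_SYSTEMS else "active"
            plan[bucket].setdefault(system, []).append(e.name)
    return plan


def portable_fields(data_map: List[DataElement]) -> List[str]:
    """Elements the consumer provided, i.e. in scope of a portability request."""
    return [e.name for e in data_map if e.consumer_provided]


if __name__ == "__main__":
    print("sensitive without consent:", sensitive_without_consent(DATA_MAP))
    print("retention expired:", expired_elements(DATA_MAP, SAMPLE_COLLECTED_ON, AS_OF))
    print("deletion plan:", deletion_plan(DATA_MAP))
    print("portable:", portable_fields(DATA_MAP))
```

The same records that answer a deletion request (which systems, including archives, hold this element) also answer the retention question and the portability question, which is the point of keeping the map as data rather than prose.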
Opt-out is where consumer trust often lives or dies. Michigan’s bill would require recognizing a universal opt-out preference signal for targeted advertising and the sale of personal data when it is sent with the consumer’s consent. That means your web and mobile properties must be able to detect and honor the signal, resolve it against the consumer’s identity if you can do so with commercially reasonable effort, and reconcile it against any existing program participation such as loyalty benefits. The text contemplates that conflict: if a signal clashes with a consumer’s explicit, controller-specific setting or participation in a bona fide loyalty or premium feature program, you may honor the signal while also notifying the consumer and offering a choice to confirm their program preference. Designing that dialog requires careful copy and ethics-minded UX so consumers understand the tradeoffs without coercion or “dark patterns.”
Your intake should never force account creation to exercise rights, although using an existing account can be required, and you must provide at least one secure and reliable method to submit requests. You will also need an appeals channel with response deadlines and a handoff to the Attorney General if an appeal is denied. Treat these obligations as service-level commitments: define a standard of care for authentication, fraud detection for opt-out signals, and escalation paths when identity cannot be verified. For teams that still rely on scattered webforms and unmanaged inboxes, this is the right moment to centralize case handling.
Finally, test how opt-outs cascade. If a consumer opts out, the controller must notify processors and third parties to whom it sold or disclosed the data. That obligation forces you to know, at a granular level, which vendors receive which categories of data for which purposes, and to have operational hooks, contractual and technical, to propagate revocations promptly. Your data map and your vendor governance system should be able to generate that notification list automatically.
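The signal handling described three paragraphs up and the cascade described in this paragraph, as an added Python example that is not part of the original article or Tishkoff PLC's own material: it detects Global Privacy Control via the `Sec-GPC: 1` request header, honors the signal while flagging a conflict with an explicit setting or loyalty participation for the notify-and-confirm dialog, and derives the notification list from a constructed vendor disclosure ledger. The consumer record, the ledger entries and the vendor names are hypothetical.

```python
# Added example (not from the original article or from Tishkoff PLC): server-side
# handling of a universal opt-out preference signal and the downstream cascade
# to vendors. Consumer records, the disclosure ledger and vendor names are
# constructed for illustration.
from dataclasses import dataclass, field
from typing import Dict, List, Mapping, Optional, Set, Tuple

# Scopes the universal signal covers under the bill as summarized above.
SIGNAL_SCOPES: Tuple[str, ...] = ("targeted_advertising", "sale")


def gpc_signal_present(headers: Mapping[str, str]) -> bool:
    """True when the request carries Global Privacy Control (`Sec-GPC: 1`).
    Header names match case-insensitively; any value other than "1" is no signal."""
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


@dataclass
class ConsumerRecord:
    consumer_id: str
    explicit_opt_ins: Set[str] = field(default_factory=set)  # controller-specific choices made explicitly
    loyalty_programs: Tuple[str, ...] = ()                   # bona fide loyalty / premium programs joined


@dataclass
class OptOutDecision:
    apply_opt_out: bool
    scopes: Tuple[str, ...]
    confirm_with_consumer: bool   # show the notify-and-confirm dialog
    reasons: List[str]


def resolve_opt_out(headers: Mapping[str, str],
                    consumer: Optional[ConsumerRecord]) -> OptOutDecision:
    """Honor the signal. Where it clashes with an explicit controller-specific
    setting or with loyalty participation, still honor it but flag that the
    consumer should be notified and offered a choice to confirm their preference."""
    if not gpc_signal_present(headers):
        return OptOutDecision(False, (), False, ["no opt-out signal on request"])
    if consumer is None:
        # Identity not resolvable with reasonable effort: honor for this session.
        return OptOutDecision(True, SIGNAL_SCOPES, False,
                              ["signal honored for unresolved identity"])
    reasons: List[str] = []
    conflicts = sorted(consumer.explicit_opt_ins & set(SIGNAL_SCOPES))
    if conflicts:
        reasons.append("signal conflicts with explicit opt-in: " + ", ".join(conflicts))
    if consumer.loyalty_programs:
        reasons.append("consumer participates in: " + ", ".join(consumer.loyalty_programs))
    return OptOutDecision(True, SIGNAL_SCOPES, bool(reasons), reasons or ["signal honored"])


# Constructed disclosure ledger: (recipient, role, data category, purpose).
DISCLOSURE_LEDGER: List[Tuple[str, str, str, str]] = [
    ("ad_exchange_x", "third_party", "browsing_history", "targeted_advertising"),
    ("data_coop_y", "third_party", "email", "sale"),
    ("analytics_z", "processor", "device_id", "targeted_advertising"),
    ("email_vendor", "processor", "email", "transactional"),  # outside the opt-out scopes
]


def cascade_notifications(ledger: List[Tuple[str, str, str, str]],
                          scopes: Tuple[str, ...]) -> Dict[str, List[Tuple[str, str]]]:
    """Recipients that must be told of the opt-out, with the (category, purpose)
    pairs they received within the opted-out scopes."""
    out: Dict[str, List[Tuple[str, str]]] = {}
    for recipient, _role, category, purpose in ledger:
        if purpose in scopes:
            out.setdefault(recipient, []).append((category, purpose))
    return out


if __name__ == "__main__":
    member = ConsumerRecord("c-123", {"targeted_advertising"}, ("rewards_plus",))
    decision = resolve_opt_out({"Sec-GPC": "1"}, member)
    print(decision)
    if decision.apply_opt_out:
        print(cascade_notifications(DISCLOSURE_LEDGER, decision.scopes))
```

Running it with the sample member shows both halves of the obligation in one pass: the signal is applied immediately, the loyalty conflict is surfaced for the confirmation dialog rather than used to suppress the opt-out, and the processor that only receives email for transactional purposes is correctly left off the notification list.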
Controllers cannot meet their obligations if their processors are not contractually bound to deliver. SB 359 is precise about processor assistance and contract content. A processor must help you respond to consumer requests, assist with security and breach notification obligations, and provide information needed to conduct data protection impact assessments. Your contract must set clear instructions for processing, define the nature and purpose of processing, identify the types of data and duration, and delineate the parties’ obligations. It must ensure confidentiality by everyone who handles the data; require deletion or return of data at the end of services unless law requires retention; obligate the processor to make compliance information available; and either permit and cooperate with reasonable assessments by you or your designated assessor or require the processor to retain an independent assessor and share the resulting report upon request. Subprocessor engagements must be in writing and must mirror the same obligations down the chain, with notice to you when new subprocessors are engaged.
In practice, that means running a DPA gap analysis across your vendor stack. Identify contracts that lack deletion-on-termination language, do not address subprocessor obligations explicitly, or depend on outdated audit mechanisms. For high-risk services (cloud data platforms, marketing clouds, contact centers, behavioral analytics), press vendors now for standardized addenda that satisfy Michigan’s proposed requirements and will travel well for other states. Where your procurement process still depends on redlines in inboxes, adopt a centralized DPA template and playbook, and require evidence of compliance assessments rather than bare attestations.
Michigan’s proposal lays out explicit content for privacy notices: categories of data processed; purposes; a description of rights and how to exercise them, including appeals; categories of data sold and third parties receiving it; the controller’s contact method; retention durations or criteria; disclosures about profiling with legal or similarly significant effects and how it is used; and the date the policy was last updated. If you sell data or process for targeted advertising or certain profiling, the bill expects a conspicuous opt-out method outside the notice itself. Pay special attention to version control and “material change” notifications: if you materially change your notice, you must make a reasonable effort to notify affected consumers before implementing the change, and ensure your changes align with your data-minimization and purpose-limitation duties. Accessibility and language requirements are also front-of-mind: the notice must be available in each language you use for the product or service and accessible to people with disabilities.
SB 359 would require controllers to conduct and document data protection impact assessments for targeted advertising, the sale of personal data, sensitive data processing, profiling that presents reasonably foreseeable risks like unfair treatment or substantial injury, and any processing that presents a heightened risk of harm. The assessment must weigh benefits against risks, consider consumer expectations and the processing context, and document the safeguards that reduce risk. The Attorney General may request relevant DPIAs in an investigation; those submissions would be confidential and would not waive privilege. If you already complete assessments for other regimes (say, Colorado or Connecticut), Michigan allows leveraging comparable DPIAs to satisfy its requirement. A good DPIA is not a checkbox; it is a structured forum to ask uncomfortable questions about necessity, proportionality, and alternatives, and to commit to concrete mitigations and metrics. Treat them as design documents for privacy risk rather than perfunctory memos.
The bill also includes a targeted geofencing prohibition: you may not use a geofence within 1,750 feet of mental health facilities or reproductive or sexual health facilities to identify, track, or collect data from a consumer for purposes related to consumer health data, including sending notifications. Location-based marketing teams and any business running in-store beacons or location-triggered push campaigns should review their playbooks now; this is a line Michigan draws clearly. Separately, if you process children’s data, align your consent flows with COPPA and Michigan’s heightened expectations for sensitive data.
Southeast Michigan’s technology landscape makes these requirements especially salient. Mobility and smart-vehicle startups handle telemetry and precise geolocation, which the bill treats as sensitive. E-commerce and fintech innovators process identity, behavioral, and payment-adjacent data that fuel targeted advertising and sale-like disclosures. Health-tech and wellness platforms often sit just outside HIPAA but still handle “consumer health data” that triggers heightened duties. And research-heavy corridors anchored by universities (which are exempt as institutions of higher education) still include many private-sector partners that are fully covered. The common denominator is the same: document what you do, anchor it to a lawful purpose, minimize what you collect, and be able to prove you can stop when a consumer tells you to.
Every program succeeds or fails on execution. Begin by mapping owners to each obligation: who authenticates and fulfills access, correction, deletion, and portability requests; who receives and validates universal opt-out signals; who owns the retention schedule and deletion jobs; who manages privacy notices and material change messaging; who runs DPIAs and gates high-risk launches; who drives DPA negotiations and monitors subprocessors; and who escalates appeals and Attorney General inquiries. Train frontline staff to recognize rights requests in any channel, and publish a short internal guide that turns statutory language into the exact steps your teams should follow. Then test yourself: file your own rights requests through the public portal, flip on a browser-level opt-out preference signal and observe the downstream effect, and request your major processors’ assessment reports. The point is not to “check the box,” but to surface the seams where policy and reality diverge while the cost of fixing them is still low.
Legislation evolves. Definitions can tighten or broaden, opt-out scoping can change, and enforcement priorities can shift. But the core disciplines at the heart of SB 359 (knowing your data, honoring purpose and retention limits, making opt-outs automatic and universal-signal-aware, assessing high-risk processing, and governing vendors with auditable contracts) are now table stakes across U.S. state privacy regimes. Doing the work once, carefully, with portability in mind, gives you leverage in every other state that follows a similar pattern. And if Michigan’s bill becomes law, you will already be moving inside the compliance window rather than sprinting to catch up.
Treat the next quarter as a sprint to resilience. Begin by refreshing your data map with a sensitive-data overlay and tagging every vendor that touches those fields. Rewrite your deletion playbooks to account for archived systems and to document how you will handle the “delete but retain minimal data to honor future deletes” scenarios that the statute contemplates. Stand up opt-out signal detection in your web and app stacks and record how conflicts with loyalty programs will be communicated. Put your DPA template on the table with procurement and require either assessment cooperation or third-party assessment reports from processors, especially for analytics, advertising, and customer support platforms. Wrap it up by writing a crisp DPIA procedure and running it on one targeted-ads use case and one profiling use case; nothing clarifies expectations better than a well-run pilot.
Michigan’s Personal Data Privacy Act would demand serious work, but it does not ask you to invent unfamiliar capabilities. It asks you to institutionalize what privacy-mature companies already do: tell people what you collect and why, collect only what you need, stop when they say stop, secure what you keep, and manage your vendors like extensions of your own system. If your teams build those muscles now, through accurate data maps, trusted opt-out experiences, and enforceable DPAs, you’ll be ready for whatever final form SB 359 takes, and you’ll be stronger in every other state where your customers live.
Contact Tishkoff
Tishkoff PLC specializes in business law and litigation. For inquiries, contact us at www.tish.law/contact/, and check out Tishkoff PLC’s Website (www.Tish.Law/), eBooks (www.Tish.Law/e-books), Blogs (www.Tish.Law/blog) and References (www.Tish.Law/resources).
Sources
- Michigan Legislature, Senate Bill 359 (2025–2026), Personal Data Privacy Act, Introduced Bill Text (June 5, 2025). https://legislature.mi.gov/Bills/Bill?ObjectName=2025-SB-0359
- Michigan Legislature Bill History and Documents for SB 359 (2025–2026 Session). https://legislature.mi.gov/Bills/Bill?ObjectName=2025-SB-0359
- TrackBill, Michigan SB 359 – Consumer protection: privacy; personal data privacy act; create (2025–2026 Session). https://fastdemocracy.com/bill-search/mi/2025-2026/bills/MIB00026983/
- Michigan Chamber of Commerce, Problematic data privacy, breach proposals advance in the Michigan Senate (Advocacy News, June 12, 2025). https://www.michamber.com/news/problematic-data-privacy-breach-proposals-advance-in-the-michigan-senate/
- U.S. Chamber of Commerce, SB 359, the Personal Data Privacy Act. https://www.uschamber.com/technology/sb-359-the-personal-data-privacy-act