It is important for people who engage online to have confidence that their personal data will be handled with care. When personal and financial data is misused or hacked, consumers can suffer significant harms. Criminals can use personal data to commit fraud, such as identity theft. Private data can be sold to advertisers or other parties without users’ consent. Data breaches can also limit free expression if they enable governments or online platforms to monitor and censor people’s activities and speech on the internet.
In response to growing concerns about data privacy, many states, including Michigan, are considering or have enacted new data privacy laws. Several Michigan lawmakers introduced the Personal Data Privacy Act in November 2023. Lawmakers in other states have passed similar bills with bipartisan support.
While these state privacy laws address legitimate concerns about consumers’ data, they raise several serious issues. When each state has its own privacy law, that creates a patchwork of inconsistent and sometimes conflicting standards, which is problematic for companies operating across state lines. They must incur significant legal expenses to comply with these laws, which do little to help consumers but may expose companies to expensive class action lawsuits. Some of the laws undermine people’s data privacy rights by giving governments easier access to some personal data without first obtaining a warrant.
The proposed Michigan Personal Data Privacy Act, unfortunately, suffers from all these concerns.
A national data privacy law is also before the current U.S. Congress. If the American Privacy Rights Act were enacted, it would establish a national data privacy and security standard and preempt most state data privacy laws. It addresses some of the issues created by new state privacy laws, although other serious concerns would remain. Michigan’s proposed law would be mostly or entirely unenforceable if the federal bill were enacted. It appears that Congress has a good chance of enacting a national data privacy law, and if this occurs, there would be no reason for Michigan lawmakers to enact the state’s flawed privacy bill.
Recent state-level data privacy laws
As people become more dependent on the internet for purchases, other financial transactions, and sharing personal data with medical professionals, the importance of data privacy has increased. Websites, apps and social media companies collect and store increasing amounts of personal data about users, which they use to provide better services. But some apps, websites and platforms may be overly aggressive in collecting data or may not safeguard it as much as consumers expect.
The current wave of legislative activity started with the California Consumer Privacy Act of 2018, which was amended in 2020 when California voters approved Proposition 24. Fifteen other states have enacted new data privacy laws since 2018.
These state data privacy laws fall into two broad categories: comprehensive and targeted. Comprehensive laws cover all varieties of private data and apply broadly to nearly all companies, although exemptions for some small businesses are common. Targeted laws address specific types of data privacy concerns. Some targeted data privacy laws limit the collection and retention of biometric data, such as fingerprints or retinal measurements. Others create protections specifically for children or apply only to certain industries. The proposed Michigan data privacy law and the proposed federal law are both comprehensive.
Legislative responses to data privacy concerns are not new. Anyone who has visited a doctor’s office is familiar with the Health Insurance Portability and Accountability Act of 1996, or HIPAA, which governs how medical professionals handle personal health care data. In 2012 Michigan passed the Internet Privacy Protection Act, which prohibits employees or job applicants from having to give employers access to their personal social media, email, or other internet accounts. The law also applies to educational institutions. Michigan also has the Identity Theft Protection Act, passed in 2004, which requires companies to notify their customers of data breaches without unreasonable delay.
The more recent state data privacy laws create various requirements of companies and other entities using online personal data. They must tell consumers what personal data is collected and give them a certain level of control over their own data, such as the right to tell companies not to sell it. These proposals tend to attract bipartisan support, as their protections are usually perceived as being politically popular.
Problems with state privacy laws
While state data privacy laws intend to address consumers' legitimate concerns about keeping their private data protected, they raise several serious concerns.
A patchwork of requirements
Each state privacy law is unique. Having 16 new data privacy laws since 2018 makes it difficult to understand consumers’ rights. It also creates huge compliance costs for companies as they try to keep up with new legal requirements. Even more states are considering new data privacy bills in their current legislative sessions, which would increase these problems.
Costly risk assessment mandates
Most comprehensive state privacy laws, including Michigan’s proposed Personal Data Privacy Act, create specific risk assessment requirements that are often costly to produce. These risk assessments do little to protect consumers, however.
If the goal is to protect consumers’ privacy, laws should encourage companies to comply with the best practices established by the National Institute of Standards and Technology, writes Logan Kolas of the Buckeye Institute. Companies could then meet their legal obligations to protect consumer data by demonstrating adherence to the latest industry standards for the use of private data. This is preferable to making them carry out costly risk assessments.
Frivolous lawsuits
When states mandate risk assessments and create overly specific compliance requirements, they expose businesses to frivolous lawsuits. Some state privacy statutes, and the proposed Michigan law, create a private right of action by which individuals may sue without having to prove they were injured by the use of their private data. These laws invite class action lawsuits that may win millions of dollars for plaintiffs’ attorneys but only nominal awards for individuals.
This concern is grounded in experience from the 1991 Telephone Consumer Protection Act. This federal law was supposed to limit the number of automated marketing calls made to cellphone numbers. While it may have limited some robocalls to cellphones, it led to a wave of class action lawsuits. The average attorneys' fee in these lawsuits was $2.4 million per case, while the individual consumers in the class received an average of just $4.12.
Dangerous government exemptions
State data privacy laws typically exempt government entities, because they are subject to the Freedom of Information Act and other public transparency laws. Theoretically, people or companies could request private data kept by governments through these public transparency tools, which would defeat the purpose of data protection laws. Further, allowing people to demand that governments delete the personal data they store might interfere with police investigations, government regulatory activities and other government functions.
This problem is further complicated by the existence of government entities that directly compete with private businesses. Examples include government-run cable and internet systems, electric utilities, trash collection departments and universities. Allowing these entities broad exemptions from data privacy laws gives them an unfair advantage over the private businesses they compete with, harming consumers by reducing market competition.
Giving governments access to private data
Some state data privacy laws, including the proposed Michigan law, allow government agencies to collect personal data from companies without a warrant. This is permitted to ensure compliance with mandated risk assessments and other provisions in the statute. Ironically, these laws may undermine the very data privacy rights they claim to protect by giving governments easier access to personal data. This problem might be addressed by explicitly prohibiting government agencies from collecting consumer and personal data from companies without a warrant.
The Proposed American Privacy Rights Act
Congress is currently considering the American Privacy Rights Act, which appears to have a good chance of passing in 2024. The bill has bipartisan support, and its lead sponsors are Rep. Cathy McMorris Rodgers, R-Washington, and Sen. Maria Cantwell, D-Washington. The proposed law is a comprehensive data privacy bill applying to most companies, with some exceptions, such as for companies with less than $40 million in annual revenues. The bill would create a national standard for data privacy and security. It would also preempt most state data privacy laws, although in its current form, it explicitly does not preempt the California and Illinois data privacy laws.
While this federal legislation is not necessarily better for addressing many of the systemic problems with state data privacy laws, it will at least largely eliminate the patchwork problem. Like state privacy laws, the proposed federal law lacks focus on protecting consumers and compensating them for harm. It instead creates liability for companies failing to comply with the legal requirements that may be only somewhat related to the stated purpose of the law. For example, the federal legislation creates a private right of action that will encourage class action lawsuits that mostly benefit attorneys, not the consumers who were allegedly harmed. The proposed law also mandates risk assessments every two years, which will be costly and do little to protect consumers’ private data.
A federal data privacy law that preempts state privacy laws does not have to undermine the protections consumers already have in states with their own data privacy laws. The main benefit would be to address the growing patchwork of state privacy laws that create inconsistent and conflicting standards. National standards would allow businesses to meet their obligations and consumers to understand their rights better. It would also encourage businesses to develop compliance programs that protect consumers across multiple states.
Michigan lawmakers should wait before moving forward with the current data privacy proposal in Lansing. If Congress passes the American Privacy Rights Act, there will be no reason for the state to pass a similar law, especially given these concerns.
Permission to reprint this blog post in whole or in part is hereby granted, provided that the author (or authors) and the Mackinac Center for Public Policy are properly cited.