On November 12, 2014, Michigan State Representative Sean McCann (D-60) introduced H.B. 5923, a bill to amend Michigan’s Identity Theft Protection Act with new requirements for entities that own or license data that is included in a database.

Specifically, the bill would prohibit the following actions if taken by an entity that owns or licenses data in a database:

  • fail to permit a consumer the ability to review personal identifying information in the database;
  • fail to display an opt-out notice on the entity’s webpage (as required by the bill); or
  • accept payment from a consumer who demands to review or remove personal identifying information from a database.

For purposes of the bill, personal identifying information means a name, number, or other information that is used for the purpose of identifying a specific person or providing access to a person’s financial accounts. This includes, but is not limited to:

  • a person’s name, address, telephone number, driver license or state personal identification card number, or social security number;
  • place of employment, employee identification number, employer or taxpayer identification number, government passport number, or health insurance identification number;
  • mother’s maiden name;
  • demand deposit account number, savings account number, financial transaction device account number, or the person’s account password;
  • any other account password in combination with sufficient information to identify and access the account;
  • automated electronic signature or biometrics;
  • stock or other security certificate or account number, credit card number; or
  • vital record, or medical records or information.

The bill would require that the opt-out notice be conspicuously posted on an entity’s website. This notice would need to provide “specific and easily understood instructions” for how a consumer may make an opt-out election on the entity’s website that would stop that consumer’s personal identifying information from being shared with, or sold to, a third party.

The bill would exempt federally regulated financial institutions and entities covered by the Health Insurance Portability and Accountability Act (“HIPAA”).10 Violation of the bill would be punishable by fines ranging from $1,000 to $3,000.