open-agreements 0.7.7 → 0.8.0

package/skills/legal-explainers/data-privacy-law-explainer/content/michigan.md

@@ -0,0 +1,175 @@
+---
+jurisdiction: "Michigan"
+slug: michigan
+countryCode: US
+snapshotAsOf: "2026-06-19"
+lastReviewed: "2026-06-11"
+canonicalUrl: https://openagreements.org/practice-guides/privacy/us/michigan
+license: CC BY 4.0
+stale: false
+---
+
+> [!IMPORTANT]
+> **Informational only — not legal advice.** This is a snapshot of an OpenAgreements practice note,
+> provided for general information. It is not legal advice, does not create an attorney-client
+> relationship, and is not a substitute for a licensed attorney in the relevant jurisdiction.
+> Laws change; verify against the canonical version before relying on it.
+>
+> **Canonical:** https://openagreements.org/practice-guides/privacy/us/michigan · **Snapshot as of:** 2026-06-19 · License: CC BY 4.0 · © openagreements.org
+
+# Michigan Consumer Privacy Law[^about]
+
+Michigan has no comprehensive consumer-privacy act. The operative state laws are sectoral — the Preservation of Personal Privacy Act (a reading-and-viewing-records law with a private right of action and an active class-action docket), the Identity Theft Protection Act's breach-notice duty, and the Michigan Consumer Protection Act — plus the federal overlay (FTC Act § 5, GLBA, HIPAA, COPPA).
+
+
+## At a glance
+
+| Question | Michigan |
+| --- | --- |
+| **Law coverage** | Specific data types only |
+| **Summary** | Michigan has not enacted a comprehensive consumer-privacy law, so there are no general data-rights, notice-at-collection, consent, or processor-contract duties under state law. What Michigan has instead is a distinctive set of sectoral exposures. The Preservation of Personal Privacy Act bars businesses from disclosing records that identify what a customer bought, rented, or borrowed in books, music, or video without a statutory exception, such as permission, marketing notice and opt-out, ordinary course, or legal process, and it carries a private right of action that has produced an active class-action industry — with $5,000-per-customer statutory damages still in play for disclosures predating its July 31, 2016 amendment. The Identity Theft Protection Act requires breach notice without unreasonable delay, backed by civil fines up to $750,000 per breach. Build the rest of the program to the federal overlay — FTC Act § 5, GLBA, HIPAA, and COPPA — and it auto-upgrades if Michigan later enacts an omnibus law. |
+| **Main law** | Sectoral framework — Preservation of Personal Privacy Act (PPPA), MCL 445.1711–445.1715; Identity Theft Protection Act breach-notice duty, MCL 445.72; Michigan Consumer Protection Act, MCL 445.901 et seq.; Michigan has no comprehensive consumer-privacy law |
+| **Privacy policy required?** | No general website privacy-policy mandate and no state-fixed website contents — but a person obtaining Social Security numbers in the ordinary course of business must create an internal SSN privacy policy, a PPPA-covered business disclosing customer reading or viewing data for marketing may give the required opt-out notice in an online privacy policy, and a policy that misstates practices is deceptive under the MCPA and FTC Act § 5 |
+| **Who does it cover?** | No omnibus thresholds. The PPPA reaches any business selling at retail, renting, or lending books or other written materials, sound recordings, or video recordings; the breach statute reaches any person or agency that owns, licenses, or maintains computerized personal information of Michigan residents |
+| **Can consumers sue?** | Yes |
+| **Privacy policy rule** | Policy required only for specific data |
+| **Consent for sensitive data?** | Only for certain data types |
+| **Browser opt-out signals?** | Not required |
+| **Lawsuit detail** | Yes, under the PPPA — a customer who suffers actual damages may sue (MCL 445.1715), and disclosures predating the July 31, 2016 amendment carry $5,000 statutory damages; the MCPA right of action (MCL 445.911) survives but Smith v. Globe Life's regulated-conduct exemption narrows it; none under the breach statute |
+| **Who enforces it?** | Michigan Attorney General (MCPA enforcement; breach-notice civil fines, which a county prosecuting attorney may also recover), with the FTC behind the federal overlay |
+
+## Which privacy laws apply to your business in Michigan? {#which-privacy-laws-apply}
+
+**Short answer.** There is no comprehensive Michigan consumer-privacy law. The state framework is sectoral, and three statutes do the work. The Preservation of Personal Privacy Act (PPPA) prohibits a business that sells, rents, or lends books or other written materials, sound recordings, or video recordings from knowingly disclosing a record that personally identifies a customer as having obtained those materials [^q1-pppa-disclosure]. The Identity Theft Protection Act houses Michigan's data-breach notification duty, which requires notice without unreasonable delay [^q1-itpa-breach]. And the Michigan Consumer Protection Act (MCPA) makes unfair, unconscionable, or deceptive practices in trade or commerce unlawful [^q1-mcpa-unlawful], which is the hook for privacy promises a business makes but does not keep.
+
+Because there is no omnibus statute, Michigan residents have no general state-law rights to access, delete, or correct their personal data, no right to opt out of sale or targeted advertising, and no recognition of universal opt-out signals; businesses face no state notice-at-collection, consent, or data-protection-assessment duties. A comprehensive bill, Senate Bill 359, has been introduced in the current legislative session and would create consumer data rights and controller duties if it were enacted — but it has not been enacted, so the sectoral framework described here is the operative law. The MCPA also contributes a narrow data-minimization rule of its own: with limited exceptions, a business may not require a consumer to disclose a Social Security number as a condition of selling goods or providing a service [^q1-mcpa-ssn]. The rest of a Michigan-facing privacy program rides the federal overlay: Section 5 of the FTC Act reaches deceptive or unfair privacy practices nationwide [^q1-fed-ftc5], the Gramm-Leach-Bliley Act governs financial institutions, HIPAA governs covered health entities and business associates, and COPPA governs services directed to children under 13. This note is written to stay durable: a program built to the overlay plus the three Michigan statutes upgrades rather than restarts if Michigan later passes an omnibus law.
+
+## Can you share data about what your Michigan customers read, watch, or listen to? {#customer-reading-viewing-records}
+
+**Short answer.** Usually not unless a statutory exception applies. The PPPA — Michigan's most distinctive privacy statute — bars a business that sells, rents, or lends books or other written materials, sound recordings, or video recordings from knowingly disclosing a record that personally identifies a customer as having obtained those materials [^q2-pppa-disclosure]. Disclosure is lawful only through a statutory exception: the listed circumstances include the customer's written permission, a warrant or court order, and collection of payment [^q2-pppa-exceptions]. A marketing disclosure is allowed only with written notice and an opt-out, and once a customer opts out the business must stop disclosing that customer's name for marketing within 30 days [^q2-pppa-optout].
+
+The act's popular shorthand is the Video Rental Privacy Act, but its text reaches reading, listening, and viewing records alike — federal courts have applied it to magazine publishers, not just video services. In the leading line of cases, Michigan subscribers sued a national publisher over the sale of subscriber data to data miners and other third parties [^q2-boelter-magazines]. Two boundaries keep the statute workable. First, it does not apply to records that have been aggregated or processed so they cannot be associated with an identifiable customer [^q2-pppa-aggregated] — so de-identified analytics are outside the prohibition. Second, a 2016 amendment added an exception for disclosures incident to the *ordinary course of business*, which is defined around selling, renting, lending, and advertising in the covered materials [^q2-pppa-ordinary-course-def], but that exception applies only to records created or obtained after the amendment's effective date [^q2-pppa-ordinary-course]. For a business in the covered trades, the practical compliance move is structural: treat customer-title-level data (who bought, rented, or borrowed what) as restricted, route any marketing use through the notice-and-opt-out channel, and de-identify everything else before it leaves your systems.
+
+## What must your Michigan privacy policy contain? {#privacy-policy-contents}
+
+**Short answer.** No Michigan statute requires a general website privacy policy or fixes general website notice contents. Three Michigan-specific rules nonetheless shape what a policy should say. First, a person that obtains Social Security numbers in the ordinary course of business must create an internal privacy policy covering confidentiality, unlawful disclosure, access limits, disposal, and penalties, and publish it in an employee handbook, procedures manual, or similar document [^q3-ssn-policy]. Second, if a business covered by the PPPA discloses customer information for marketing, it may deliver the required opt-out notice through a clearly and conspicuously disclosed online privacy policy [^q3-pppa-policy-notice] — making the policy a statutory compliance vehicle, not just boilerplate. Third, whatever the policy says must be true: failing to reveal a material fact that tends to mislead the consumer is an unlawful practice under the MCPA [^q3-mcpa-deception], and a policy that misstates data practices is deceptive under Section 5 of the FTC Act [^q3-fed-ftc5].
+
+Federal case law under the PPPA adds a drafting upside worth knowing: in litigation against a video-rental kiosk operator, the court held that the operator's terms of use and privacy policy applied to every rental transaction and supplied the written permission the statute requires [^q3-cain-permission] — so a well-drafted policy can help supply written permission where the policy is incorporated into accepted transaction terms and the disclosure fits the authorized purposes. The reverse is the trap: a policy that promises more privacy than your data flows deliver converts ordinary vendor sharing into both a deception exposure and a PPPA exposure. Where a sectoral regime applies, that regime supplies the contents instead — a HIPAA covered entity must give individuals notice of the uses and disclosures of their protected health information and of their rights and the entity's duties [^q3-fed-hipaa-notice], GLBA privacy notices govern financial institutions, and COPPA prescribes notice for child-directed services. For everyone else, follow the overlay-driven best practice — describe the categories collected, the purposes, the third parties, and the choices you offer — and then honor it, because in Michigan the enforceable obligation is consistency between the statement and the conduct.
+
+## What must your contracts with vendors say in Michigan? {#vendor-contracts}
+
+**Short answer.** Michigan has no omnibus data-processing-agreement requirement — no state statute prescribes controller-to-processor terms, audit rights, deletion clauses, or subprocessor flow-downs for general private-sector contracts. The state statutes touch vendors at two specific points. Under the breach statute, a person or agency that maintains a database of data it does not own or license must notify the data's owner or licensor after discovering a breach [^q4-itpa-maintainer]. And for businesses covered by the PPPA, sharing customer reading or viewing records with vendors is lawful only within an exception — the post-2016 *ordinary course of business* exception [^q4-pppa-ordinary-course] or the customer's permission [^q4-pppa-permission].
+
+The PPPA case law shows where the vendor line sits. In the kiosk-operator litigation, the court treated sharing with service vendors for the operator's own functions — receipts, marketing emails, analytics, customer service — as consented internal-purpose use, while emphasizing the statute's outer boundary: the operator could not give or sell customer data to a third party for a use unrelated to its own business [^q4-cain-external]. So vendor contracts for a covered Michigan business should confine the vendor to performing functions for you, bar independent use or resale of customer-title data, and require de-identification where feasible. Where a federal regime is in scope, it supplies the contracting obligations directly: the GLBA Safeguards Rule requires financial institutions to oversee service providers and bind them by contract to maintain appropriate safeguards [^q4-fed-glba-safeguards], and HIPAA requires a business-associate agreement with mandatory data-protection, breach-reporting, and subcontractor terms before protected health information changes hands [^q4-fed-hipaa-baa]. Outside those verticals, carry the same protections forward as best practice — processing limited to documented instructions, confidentiality, reasonable security, breach notification back to you, and return or deletion at the end of the engagement — even though no Michigan statute compels them.
+
+## When must you notify people of a data breach in Michigan? {#breach-notification}
+
+**Short answer.** A person or agency that owns or licenses data in a database must notify each Michigan resident whose unencrypted and unredacted personal information was accessed and acquired by an unauthorized person — or whose encrypted data was taken by someone with unauthorized access to the encryption key — unless it determines the breach is not likely to cause substantial loss or injury to, or result in identity theft with respect to, a Michigan resident [^q5-itpa-trigger]. Notice must go out without unreasonable delay [^q5-itpa-timing]. A knowing failure to notify can draw a civil fine of up to $250 per failure, capped at $750,000 for a single breach [^q5-itpa-fines].
+
+*Personal information* means a resident's first name or initial and last name linked to a Social Security number, a driver license or state ID number, or a financial-account or card number with its access code or password [^q5-pi-def] — so encryption and redaction function as practical safe harbors, and the risk-of-harm threshold (judged with the care an ordinarily prudent person would exercise) lets a business close out genuinely harmless incidents without notice. The notice itself must describe the breach in general terms, identify the type of personal information involved, describe protective steps taken, give a phone number for more information, and remind recipients to stay vigilant for fraud and identity theft [^q5-itpa-content]; written or compliant electronic notice is standard, and substitute notice through email, website posting, and statewide media is available when costs exceed $250,000 or more than 500,000 residents are affected [^q5-itpa-methods]. After notifying more than 1,000 residents, the business must also tell the nationwide consumer reporting agencies unless the GLBA exception applies [^q5-itpa-cra]. Two deemed-compliance lanes matter for regulated entities: a financial institution following the federal interagency breach guidance is considered compliant [^q5-itpa-glb], as is a HIPAA-regulated entity complying with the HIPAA rules [^q5-itpa-hipaa]. The section identifies resident, owner/licensor, CRA, GLBA/HIPAA, and public-utility notice paths, but does not include a separate Attorney General notice step. The section applies to breach discovery or notification on or after July 2, 2006 and preempts local breach rules [^q5-itpa-effective-preemption]; bills pending in the current session (Senate Bills 360 through 364) would revise the framework if enacted, but until then the duties above are the operative ones. The Act also prohibits advertisements that misrepresent that a breach has occurred [^q5-itpa-fake-notice] or that mimic a required breach notice [^q5-itpa-mimic].
+
+## Can a consumer sue your business in Michigan over privacy? {#consumer-lawsuit}
+
+**Short answer.** Yes — and the live exposure is the PPPA. A customer who suffers actual damages from a violation may sue and recover actual damages, including damages for emotional distress, plus costs and attorney fees [^q6-pppa-pra]. For conduct predating the statute's 2016 amendment the exposure is larger: the pre-amendment act let a customer recover actual damages or $5,000, whichever was greater [^q6-boelter-5000], and the federal courts to decide the question have held that the amendment — effective July 31, 2016 [^q6-perlin-effective] — does not apply retroactively, so pre-amendment disclosures still carry the $5,000-per-customer remedy [^q6-perlin-retroactivity] [^q6-boelter-retroactivity].
+
+That statutory-damages remedy, multiplied across a subscriber list, is what built the PPPA class-action industry against publishers and media businesses. A 2022 Eastern District of Michigan decision held that a six-year limitations period applies to PPPA claims [^q6-pratt-limitations], which made pre-amendment disclosures economically live for the second wave of cases. The retroactivity holdings come from federal district courts in New York and Michigan [^q6-boelter-retroactivity] [^q6-perlin-retroactivity]; neither the Sixth Circuit nor a Michigan appellate court appears to have squarely resolved the retroactivity or six-year limitations questions, so those points remain district-court law rather than settled appellate law. The MCPA looks like a second consumer-suit engine on paper — a person who suffers loss may sue for actual damages or $250, whichever is greater, with attorney fees [^q6-mcpa-pra], and class actions for actual damages are available [^q6-mcpa-class] — but the Michigan Supreme Court cut its practical reach in *Smith v. Globe Life Insurance Co.* The act exempts a transaction or conduct specifically authorized under laws administered by a state or federal regulatory board or officer [^q6-mcpa-exemption], and *Smith* held that the relevant inquiry is whether the general transaction is specifically authorized by law, regardless of whether the specific misconduct alleged is prohibited [^q6-smith-exemption]. Under that reading, businesses in licensed and regulated lines of business can often invoke the exemption even when the complained-of conduct itself was unlawful — and the Legislature later closed *Smith*'s own pathway, barring MCPA actions over insurance-code conduct occurring on or after March 28, 2001 [^q6-mcpa-insurance]. So an MCPA privacy claim is most viable against an ordinary, unregulated consumer business and weakest against banks, insurers, utilities, and other licensed industries. MCL 445.72 does not create an express consumer damages action for failure to notify: civil fines are recovered by the Attorney General or a prosecuting attorney, and other civil remedies remain outside subsections (12) and (13) [^q6-itpa-fines] [^q6-itpa-civil-remedies], leaving post-breach private suits to common-law theories with their usual standing hurdles.
+
+[^about]: By Steven Obiajulu, J.D. Published by [openagreements.org](https://openagreements.org). Last reviewed 2026-06-11. License: CC BY 4.0. Steven Obiajulu, J.D. is admitted in New York, not Michigan. This article synthesizes Michigan primary law and is not legal advice from a Michigan-admitted attorney. This article is for informational purposes only and does not create an attorney-client relationship.
+
+[^q1-pppa-disclosure]: **MCL 445.1712** — "Subject to subsection (2) and except as provided in section 3 or as otherwise provided by law, a person, or an employee or agent of the person, engaged in the business of selling at retail, renting, or lending books or other written materials, sound recordings, or video recordings shall not knowingly disclose to any person, other than the customer, a record or information that personally identifies the customer as having purchased, leased, rented, or borrowed those materials from the person engaged in the business." *MCL 445.1712(1).* <https://legislature.mi.gov/Laws/MCL?objectName=mcl-445-1712>
+
+[^q1-itpa-breach]: **MCL 445.72** — "A person or agency shall provide any notice required under this section without unreasonable delay." *MCL 445.72(4).* <https://legislature.mi.gov/Laws/MCL?objectName=mcl-445-72>
+
+[^q1-mcpa-unlawful]: **MCL 445.903** — "Unfair, unconscionable, or deceptive methods, acts, or practices in the conduct of trade or commerce are unlawful and are defined as follows:" *MCL 445.903(1).* <https://legislature.mi.gov/Laws/MCL?objectName=mcl-445-903>
+
+[^q1-mcpa-ssn]: **MCL 445.903(1)(hh)** — "Except as provided in subsection (3), requiring a consumer to disclose his or her Social Security number as a condition to selling or leasing goods or providing a service to the consumer, unless any of the following apply:" *MCL 445.903(1)(hh).* <https://legislature.mi.gov/Laws/MCL?objectName=mcl-445-903>
+
+[^q1-fed-ftc5]: **FTC Act § 5** — "Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful." *15 U.S.C. § 45(a)(1).* <https://www.law.cornell.edu/uscode/text/15/45#:~:text=Unfair%20methods%20of%20competition%20in,commerce%2C%20are%20hereby%20declared%20unlawful.>
+
+[^q2-pppa-disclosure]: **MCL 445.1712** — "Subject to subsection (2) and except as provided in section 3 or as otherwise provided by law, a person, or an employee or agent of the person, engaged in the business of selling at retail, renting, or lending books or other written materials, sound recordings, or video recordings shall not knowingly disclose to any person, other than the customer, a record or information that personally identifies the customer as having purchased, leased, rented, or borrowed those materials from the person engaged in the business." *MCL 445.1712(1).* <https://legislature.mi.gov/Laws/MCL?objectName=mcl-445-1712>
+
+[^q2-pppa-exceptions]: **MCL 445.1713** — "A record or information described in section 2 may be disclosed only in 1 or more of the following circumstances: (a) With the written permission of the customer. (b) Pursuant to a warrant or court order. (c) To the extent reasonably necessary to collect payment for the materials or the rental of the materials, if the customer has received written notice that the payment is due and has failed to pay or arrange for payment within a reasonable time after notice." *MCL 445.1713.* <https://legislature.mi.gov/Laws/MCL?objectName=mcl-445-1713>
+
+[^q2-pppa-optout]: **MCL 445.1713(e)** — "(e) If the disclosure is for the purpose of marketing goods and services to customers. All of the following apply for purposes of this subdivision: (i) The person that is disclosing the information shall inform the customer by written notice that the customer may remove his or her name at any time and shall specify the manner or manners by which the customer may remove his or her name. Unless the person's method of communication with customers is by electronic means, the written notice shall include a nonelectronic method that the customer may use to opt out of disclosure. Any of the following methods of notice satisfy the written notice requirements of this subparagraph: (A) Written notice included in or with any materials sold, rented, or lent to the customer under section 2. (B) Written notice provided to the customer at the time he or she orders any of the materials described in section 2 or otherwise provided to the customer in connection with the transaction between the person and customer for the sale, rental, or loan of the materials to the customer. (C) Notice that is included and clearly and conspicuously disclosed in an online privacy policy or similar communication that is posted on the Internet, is maintained by the person that is disclosing the information, and is available to customers or the general public. (ii) A customer may provide notice to the person that is disclosing information under this subdivision that the customer does not want his or her name disclosed. (iii) Beginning 30 days after the person receives the customer's notice, the person shall not knowingly disclose the customer's name to any other person for marketing goods and services." *MCL 445.1713(e).* <https://legislature.mi.gov/Laws/MCL?objectName=mcl-445-1713>
+
+[^q2-boelter-magazines]: **Boelter v. Hearst Communications, Inc., 192 F. Supp. 3d 427 (S.D.N.Y. 2016)** — "Plaintiffs Boelter and Edwards are Michigan citizens who subscribe to Country Living and Good Housekeeping, respectively, two magazines published by Defendant." *Boelter v. Hearst Commc'ns, Inc., 192 F. Supp. 3d 427 (S.D.N.Y. 2016).* <https://www.courtlistener.com/opinion/7320807/boelter-v-hearst-communications-inc/#:~:text=Plaintiffs%20Boelter%20and%20Edwards%20are,two%20magazines%20published%20by%20Defendant.>
+
+[^q2-pppa-aggregated]: **MCL 445.1712(2)** — "This section does not apply to the disclosure of a record or information that has been aggregated or has been processed in a manner designed to prevent its association with an identifiable customer." *MCL 445.1712(2).* <https://legislature.mi.gov/Laws/MCL?objectName=mcl-445-1712>
+
+[^q2-pppa-ordinary-course-def]: **MCL 445.1711(d)** — "means activities related to the sale, rental, or lending of, or advertising in, materials described in section 2." *MCL 445.1711(d).* <https://legislature.mi.gov/Laws/MCL?objectName=mcl-445-1711>
+
+[^q2-pppa-ordinary-course]: **MCL 445.1713(d)** — "To any person if the disclosure is incident to the ordinary course of business of the person that is disclosing the record or information. This subdivision only applies to a record or information that is created or obtained after the effective date of the amendatory act that added this subdivision." *MCL 445.1713(d).* <https://legislature.mi.gov/Laws/MCL?objectName=mcl-445-1713>
+
+[^q3-ssn-policy]: **MCL 445.84** — "(1) Beginning January 1, 2006, a person who obtains 1 or more social security numbers in the ordinary course of business shall create a privacy policy that does at least all of the following concerning the social security numbers the person possesses or obtains: (a) Ensures to the extent practicable the confidentiality of the social security numbers. (b) Prohibits unlawful disclosure of the social security numbers. (c) Limits who has access to information or documents that contain the social security numbers. (d) Describes how to properly dispose of documents that contain the social security numbers. (e) Establishes penalties for violation of the privacy policy. (2) A person that creates a privacy policy under subsection (1) shall publish the privacy policy in an employee handbook, in a procedures manual, or in 1 or more similar documents, which may be made available electronically." *MCL 445.84(1)-(2).* <https://legislature.mi.gov/Laws/MCL?objectName=mcl-445-84>
+
+[^q3-pppa-policy-notice]: **MCL 445.1713(e)** — "Notice that is included and clearly and conspicuously disclosed in an online privacy policy or similar communication that is posted on the Internet, is maintained by the person that is disclosing the information, and is available to customers or the general public." *MCL 445.1713(e)(i)(C).* <https://legislature.mi.gov/Laws/MCL?objectName=mcl-445-1713>
+
+[^q3-mcpa-deception]: **MCL 445.903(1)(s)** — "Failing to reveal a material fact, the omission of which tends to mislead or deceive the consumer, and which fact could not reasonably be known by the consumer." *MCL 445.903(1)(s).* <https://legislature.mi.gov/Laws/MCL?objectName=mcl-445-903>
+
+[^q3-fed-ftc5]: **FTC Act § 5** — "Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful." *15 U.S.C. § 45(a)(1).* <https://www.law.cornell.edu/uscode/text/15/45#:~:text=Unfair%20methods%20of%20competition%20in,commerce%2C%20are%20hereby%20declared%20unlawful.>
+
+[^q3-cain-permission]: **Cain v. Redbox Automated Retail, LLC, 136 F. Supp. 3d 824 (E.D. Mich. 2015)** — "Defendant has shown that its Terms of Use and portions of its Privacy Policy apply to every rental transaction, and that these documents provide the written permission required by the VRPA." *Cain v. Redbox Automated Retail, LLC, 136 F. Supp. 3d 824 (E.D. Mich. 2015).* <https://www.courtlistener.com/opinion/7316121/cain-v-redbox-automated-retail-llc/#:~:text=Defendant%20has%20shown%20that%20its,permission%20required%20by%20the%20VRPA.>
+
+[^q3-fed-hipaa-notice]: **HIPAA Notice of Privacy Practices** — "an individual has a right to adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual's rights and the covered entity's legal duties with respect to protected health information" *45 C.F.R. § 164.520(a).* <https://www.law.cornell.edu/cfr/text/45/164.520#:~:text=an%20individual%20has%20a%20right,respect%20to%20protected%20health%20information>
+
+[^q4-itpa-maintainer]: **MCL 445.72(2)** — "Unless the person or agency determines that the security breach has not or is not likely to cause substantial loss or injury to, or result in identity theft with respect to, 1 or more residents of this state, a person or agency that maintains a database that includes data that the person or agency does not own or license that discovers a breach of the security of the database shall provide a notice to the owner or licensor of the information of the security breach." *MCL 445.72(2).* <https://legislature.mi.gov/Laws/MCL?objectName=mcl-445-72>
+
+[^q4-pppa-ordinary-course]: **MCL 445.1713(d)** — "To any person if the disclosure is incident to the ordinary course of business of the person that is disclosing the record or information. This subdivision only applies to a record or information that is created or obtained after the effective date of the amendatory act that added this subdivision." *MCL 445.1713(d).* <https://legislature.mi.gov/Laws/MCL?objectName=mcl-445-1713>
+
+[^q4-pppa-permission]: **MCL 445.1713(a)** — "(a) With the written permission of the customer." *MCL 445.1713(a).* <https://legislature.mi.gov/Laws/MCL?objectName=mcl-445-1713>
+
+[^q4-cain-external]: **Cain v. Redbox Automated Retail, LLC, 136 F. Supp. 3d 824 (E.D. Mich. 2015)** — "Redbox clearly could not, for example, give or sell any customer data to a third party for a use unrelated to Redbox’s own business." *Cain v. Redbox Automated Retail, LLC, 136 F. Supp. 3d 824 (E.D. Mich. 2015).* <https://www.courtlistener.com/opinion/7316121/cain-v-redbox-automated-retail-llc/#:~:text=Redbox%20clearly%20could%20not%2C%20for,unrelated%20to%20Redbox%E2%80%99s%20own%20business.>
+
+[^q4-fed-glba-safeguards]: **GLBA Safeguards Rule** — "Requiring your service providers by contract to implement and maintain such safeguards" *16 C.F.R. § 314.4(f)(2).* <https://www.law.cornell.edu/cfr/text/16/314.4#:~:text=Requiring%20your%20service%20providers%20by,implement%20and%20maintain%20such%20safeguards>
+
+[^q4-fed-hipaa-baa]: **HIPAA Business Associate Contracts** — "A contract between the covered entity and a business associate must: (i) Establish the permitted and required uses and disclosures of protected health information by the business associate. The contract may not authorize the business associate to use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity, except that: (A) The contract may permit the business associate to use and disclose protected health information for the proper management and administration of the business associate, as provided in paragraph (e)(4) of this section; and (B) The contract may permit the business associate to provide data aggregation services relating to the health care operations of the covered entity. (ii) Provide that the business associate will: (A) Not use or further disclose the information other than as permitted or required by the contract or as required by law; (B) Use appropriate safeguards and comply, where applicable, with subpart C of this part with respect to electronic protected health information, to prevent use or disclosure of the information other than as provided for by its contract; (C) Report to the covered entity any use or disclosure of the information not provided for by its contract of which it becomes aware, including breaches of unsecured protected health information as required by § 164.410; (D) In accordance with § 164.502(e)(1)(ii), ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of the business associate agree to the same restrictions and conditions that apply to the business associate with respect to such information;" *45 C.F.R. § 164.504(e)(2).* <https://www.law.cornell.edu/cfr/text/45/164.504#:~:text=A%20contract%20between%20the%20covered,with%20respect%20to%20such%20information%3B>
+
+[^q5-itpa-trigger]: **MCL 445.72(1)** — "Unless the person or agency determines that the security breach has not or is not likely to cause substantial loss or injury to, or result in identity theft with respect to, 1 or more residents of this state, a person or agency that owns or licenses data that are included in a database that discovers a security breach, or receives notice of a security breach under subsection (2), shall provide a notice of the security breach to each resident of this state who meets 1 or more of the following: (a) That resident's unencrypted and unredacted personal information was accessed and acquired by an unauthorized person. (b) That resident's personal information was accessed and acquired in encrypted form by a person with unauthorized access to the encryption key." *MCL 445.72(1).* <https://legislature.mi.gov/Laws/MCL?objectName=mcl-445-72>
+
+[^q5-itpa-timing]: **MCL 445.72(4)** — "A person or agency shall provide any notice required under this section without unreasonable delay. A person or agency may delay providing notice without violating this subsection if either of the following is met: (a) A delay is necessary in order for the person or agency to take any measures necessary to determine the scope of the security breach and restore the reasonable integrity of the database. However, the agency or person shall provide the notice required under this subsection without unreasonable delay after the person or agency completes the measures necessary to determine the scope of the security breach and restore the reasonable integrity of the database. (b) A law enforcement agency determines and advises the agency or person that providing a notice will impede a criminal or civil investigation or jeopardize homeland or national security. However, the agency or person shall provide the notice required under this section without unreasonable delay after the law enforcement agency determines that providing the notice will no longer impede the investigation or jeopardize homeland or national security." *MCL 445.72(4).* <https://legislature.mi.gov/Laws/MCL?objectName=mcl-445-72>
+
+[^q5-itpa-fines]: **MCL 445.72(13)-(14)** — "Subject to subsection (14), a person that knowingly fails to provide any notice of a security breach required under this section may be ordered to pay a civil fine of not more than $250.00 for each failure to provide notice. The attorney general or a prosecuting attorney may bring an action to recover a civil fine under this section. (14) The aggregate liability of a person for civil fines under subsection (13) for multiple violations of subsection (13) that arise from the same security breach shall not exceed $750,000.00." *MCL 445.72(13)-(14).* <https://legislature.mi.gov/Laws/MCL?objectName=mcl-445-72>
+
+[^q5-pi-def]: **MCL 445.63** — "‘Personal information’ means the first name or first initial and last name linked to 1 or more of the following data elements of a resident of this state: (i) Social security number. (ii) Driver license number or state personal identification card number. (iii) Demand deposit or other financial account number, or credit card or debit card number, in combination with any required security code, access code, or password that would permit access to any of the resident's financial accounts." *MCL 445.63(r).* <https://legislature.mi.gov/Laws/MCL?objectName=mcl-445-63>
+
+[^q5-itpa-content]: **MCL 445.72(6)** — "(6) A notice under this section shall do all of the following: (a) For a notice provided under subsection (5)(a) or (b), be written in a clear and conspicuous manner and contain the content required under subdivisions (c) to (g). (b) For a notice provided under subsection (5)(c), clearly communicate the content required under subdivisions (c) to (g) to the recipient of the telephone call. (c) Describe the security breach in general terms. (d) Describe the type of personal information that is the subject of the unauthorized access or use. (e) If applicable, generally describe what the agency or person providing the notice has done to protect data from further security breaches. (f) Include a telephone number where a notice recipient may obtain assistance or additional information. (g) Remind notice recipients of the need to remain vigilant for incidents of fraud and identity theft." *MCL 445.72(6).* <https://legislature.mi.gov/Laws/MCL?objectName=mcl-445-72>
+
+[^q5-itpa-methods]: **MCL 445.72(5)** — "(5) Except as provided in subsection (11), an agency or person shall provide any notice required under this section by providing 1 or more of the following to the recipient: (a) Written notice sent to the recipient at the recipient's postal address in the records of the agency or person. (b) Written notice sent electronically to the recipient if any of the following are met: (i) The recipient has expressly consented to receive electronic notice. (ii) The person or agency has an existing business relationship with the recipient that includes periodic electronic mail communications and based on those communications the person or agency reasonably believes that it has the recipient's current electronic mail address. (iii) The person or agency conducts its business primarily through internet account transactions or on the internet. (c) If not otherwise prohibited by state or federal law, notice given by telephone by an individual who represents the person or agency if all of the following are met: (i) The notice is not given in whole or in part by use of a recorded message. (ii) The recipient has expressly consented to receive notice by telephone, or if the recipient has not expressly consented to receive notice by telephone, the person or agency also provides notice under subdivision (a) or (b) if the notice by telephone does not result in a live conversation between the individual representing the person or agency and the recipient within 3 business days after the initial attempt to provide telephonic notice. (d) Substitute notice, if the person or agency demonstrates that the cost of providing notice under subdivision (a), (b), or (c) will exceed $250,000.00 or that the person or agency has to provide notice to more than 500,000 residents of this state. A person or agency provides substitute notice under this subdivision by doing all of the following: (i) If the person or agency has electronic mail addresses for any of the residents of this state who are entitled to receive the notice, providing electronic notice to those residents. (ii) If the person or agency maintains a website, conspicuously posting the notice on that website. (iii) Notifying major statewide media. A notification under this subparagraph shall include a telephone number or a website address that a person may use to obtain additional assistance and information." *MCL 445.72(5).* <https://legislature.mi.gov/Laws/MCL?objectName=mcl-445-72>
+
+[^q5-itpa-cra]: **MCL 445.72(8)** — "Except as provided in this subsection, after a person or agency provides a notice under this section, the person or agency shall notify each consumer reporting agency that compiles and maintains files on consumers on a nationwide basis, as defined in 15 USC 1681a(p), of the security breach without unreasonable delay. A notification under this subsection shall include the number of notices that the person or agency provided to residents of this state and the timing of those notices. This subsection does not apply if either of the following is met: (a) The person or agency is required under this section to provide notice of a security breach to 1,000 or fewer residents of this state. (b) The person or agency is subject to 15 USC 6801 to 6809." *MCL 445.72(8).* <https://legislature.mi.gov/Laws/MCL?objectName=mcl-445-72>
+
+[^q5-itpa-glb]: **MCL 445.72(9)** — "A financial institution that is subject to, and has notification procedures in place that are subject to examination by the financial institution's appropriate regulator for compliance with, the interagency guidance on response programs for unauthorized access to customer information and customer notice prescribed by the board of governors of the federal reserve system and the other federal bank and thrift regulatory agencies, or similar guidance prescribed and adopted by the national credit union administration, and its affiliates, is considered to be in compliance with this section." *MCL 445.72(9).* <https://legislature.mi.gov/Laws/MCL?objectName=mcl-445-72>
+
+[^q5-itpa-hipaa]: **MCL 445.72(10)** — "A person or agency that is subject to and complies with the health insurance portability and accountability act of 1996, Public Law 104-191, and with regulations promulgated under that act, 45 CFR parts 160 and 164, for the prevention of unauthorized access to customer information and customer notice is considered to be in compliance with this section." *MCL 445.72(10).* <https://legislature.mi.gov/Laws/MCL?objectName=mcl-445-72>
+
+[^q5-itpa-effective-preemption]: **MCL 445.72(16), (18)** — "(16) This section applies to the discovery or notification of a breach of the security of a database that occurs on or after July 2, 2006. (17) This section does not apply to the access or acquisition by a person or agency of federal, state, or local government records or documents lawfully made available to the general public. (18) This section deals with subject matter that is of statewide concern, and any charter, ordinance, resolution, regulation, rule, or other action by a municipal corporation or other political subdivision of this state to regulate, directly or indirectly, any matter expressly set forth in this section is preempted." *MCL 445.72(16), (18).* <https://legislature.mi.gov/Laws/MCL?objectName=mcl-445-72>
+
+[^q5-itpa-fake-notice]: **MCL 445.72b** — "A person shall not distribute an advertisement or make any other solicitation that misrepresents to the recipient that a security breach has occurred that may affect the recipient." *MCL 445.72b(1).* <https://legislature.mi.gov/Laws/MCL?objectName=mcl-445-72b>
+
+[^q5-itpa-mimic]: **MCL 445.72b(2)** — "(2) A person shall not distribute an advertisement or make any other solicitation that is substantially similar to a notice required under section 12(5) or by federal law, if the form of that notice is prescribed by state or federal law, rule, or regulation." *MCL 445.72b(2).* <https://legislature.mi.gov/Laws/MCL?objectName=mcl-445-72b>
+
+[^q6-pppa-pra]: **MCL 445.1715** — "Regardless of any criminal prosecution for the violation, a person that violates this act may be liable in a civil action for damages to a customer under subsection (2). (2) A customer described in subsection (1) who suffers actual damages as a result of a violation of this act may bring a civil action against the person that violated this act and may recover both of the following: (a) The customer's actual damages, including damages for emotional distress. (b) Reasonable costs and attorney fees." *MCL 445.1715.* <https://legislature.mi.gov/Laws/MCL?objectName=mcl-445-1715>
+
+[^q6-boelter-5000]: **Boelter v. Hearst Communications, Inc., 192 F. Supp. 3d 427 (S.D.N.Y. 2016)** — "may bring a civil action to recover ‘actual damages, including damages for emotional distress, or $5,000.00, whichever is greater,’ as well as costs and attorneys’ fees" *Boelter v. Hearst Commc'ns, Inc., 192 F. Supp. 3d 427 (S.D.N.Y. 2016).* <https://www.courtlistener.com/opinion/7320807/boelter-v-hearst-communications-inc/#:~:text=may%20bring%20a%20civil%20action,as%20costs%20and%20attorneys%E2%80%99%20fees>
+
+[^q6-perlin-effective]: **Perlin v. Time Inc., 237 F. Supp. 3d 623 (E.D. Mich. 2017)** — "Senate Bill 490 became effective on July 31, 2016." *Perlin v. Time Inc., 237 F. Supp. 3d 623 (E.D. Mich. 2017).* <https://www.courtlistener.com/opinion/7324387/perlin-v-time-inc/#:~:text=Senate%20Bill%20490%20became%20effective%20on%20July%2031%2C%202016.>
+
+[^q6-perlin-retroactivity]: **Perlin v. Time Inc., 237 F. Supp. 3d 623 (E.D. Mich. 2017)** — "Based on the first, third, and fourth retroactivity principles, the Court concludes that Senate Bill 490 is not retroactive." *Perlin v. Time Inc., 237 F. Supp. 3d 623 (E.D. Mich. 2017).* <https://www.courtlistener.com/opinion/7324387/perlin-v-time-inc/#:~:text=Based%20on%20the%20first%2C%20third%2C,Bill%20490%20is%20not%20retroactive.>
+
+[^q6-boelter-retroactivity]: **Boelter v. Hearst Communications, Inc., 192 F. Supp. 3d 427 (S.D.N.Y. 2016)** — "The parties dispute whether the amended law retroactively applies to Plaintiffs’ claims. For the reasons stated below, the Court finds that it does not." *Boelter v. Hearst Commc'ns, Inc., 192 F. Supp. 3d 427 (S.D.N.Y. 2016).* <https://www.courtlistener.com/opinion/7320807/boelter-v-hearst-communications-inc/#:~:text=The%20parties%20dispute%20whether%20the,finds%20that%20it%20does%20not.>
+
+[^q6-pratt-limitations]: **Pratt v. KSE Sportsman Media, Inc., 586 F. Supp. 3d 666 (E.D. Mich. 2022)** — "A six-year statute of limitations applies to PPPA claims. Mich. Comp. Laws §§ 445.1711 et seq., 600.5813." *Pratt v. KSE Sportsman Media, Inc., 586 F. Supp. 3d 666 (E.D. Mich. 2022).* <https://caselaw.findlaw.com/court/us-dis-crt-e-d-mic-nor-div/2162951.html>
+
+[^q6-mcpa-pra]: **MCL 445.911** — "Except in a class action or as otherwise provided in subsection (3), a person who suffers loss as a result of a violation of this act may bring an action to recover actual damages or $250.00, whichever is greater, together with reasonable attorney fees." *MCL 445.911(2).* <https://legislature.mi.gov/Laws/MCL?objectName=mcl-445-911>
+
+[^q6-mcpa-class]: **MCL 445.911(4)** — "(4) A person who suffers loss as a result of a violation of this act may bring a class action on behalf of persons residing or injured in this state for the actual damages caused by any of the following: (a) A method, act, or practice in trade or commerce defined as unlawful under section 3. (b) A method, act, or practice in trade or commerce declared to be unlawful under section 3(1) by a final judgment of the circuit court or an appellate court of this state that is either reported officially or made available for public dissemination pursuant to section 9 by the attorney general not less than 30 days before the method, act, or practice on which the action is based occurs. (c) A method, act, or practice in trade or commerce declared by a circuit court of appeals or the United States Supreme Court to be an unfair or deceptive act or practice within the meaning of section 5(a)(1) of the federal trade commission act, 15 USC 45(a)(1), in a decision that affirms or directs the affirmance of a cease and desist order issued by the Federal Trade Commission if the order is final within the meaning of section 5(g) of the federal trade commission act, 15 USC 45(g), and that is officially reported not less than 30 days before the method, act, or practice on which the action is based occurs. For purposes of this subdivision, a method, act, or practice is not unfair or deceptive within the meaning of section 5(a)(1) of the federal trade commission act, 15 USC 45(a)(1), solely because the method, act, or practice is made unlawful by another federal statute that refers to or incorporates section 5(a)(1) of the federal trade commission act, 15 USC 45(a)(1)." *MCL 445.911(4).* <https://legislature.mi.gov/Laws/MCL?objectName=mcl-445-911>
+
+[^q6-mcpa-exemption]: **MCL 445.904(1)(a)** — "This act does not apply to either of the following: (a) A transaction or conduct specifically authorized under laws administered by a regulatory board or officer acting under statutory authority of this state or the United States." *MCL 445.904(1)(a).* <https://legislature.mi.gov/Laws/MCL?objectName=mcl-445-904>
+
+[^q6-smith-exemption]: **Smith v. Globe Life Insurance Co., 460 Mich. 446 (1999)** — "Contrary to the ‘common-sense reading’ of this provision by the Court of Appeals, we conclude that the relevant inquiry is not whether the specific misconduct alleged by the plaintiffs is ‘specifically authorized.’ Rather, it is whether the general transaction is specifically authorized by law, regardless of whether the specific misconduct alleged is prohibited." *Smith v. Globe Life Ins. Co., 460 Mich. 446 (1999).* <https://www.courtlistener.com/opinion/1693300/smith-v-globe-life-insurance/#:~:text=Contrary%20to%20the%20%E2%80%9Ccommon%2Dsense%20reading%E2%80%9D,specific%20misconduct%20alleged%20is%20prohibited.>
+
+[^q6-mcpa-insurance]: **MCL 445.904(3)** — "This act does not apply to or create a cause of action for an unfair, unconscionable, or deceptive method, act, or practice that is made unlawful by chapter 20 of the insurance code of 1956, 1956 PA 218, MCL 500.2001 to 500.2093, if either of the following is met: (a) The method, act, or practice occurred on or after March 28, 2001." *MCL 445.904(3).* <https://legislature.mi.gov/Laws/MCL?objectName=mcl-445-904>
+
+[^q6-itpa-fines]: **MCL 445.72(13)** — "The attorney general or a prosecuting attorney may bring an action to recover a civil fine under this section." *MCL 445.72(13).* <https://legislature.mi.gov/Laws/MCL?objectName=mcl-445-72>
+
+[^q6-itpa-civil-remedies]: **MCL 445.72(15)** — "Subsections (12) and (13) do not affect the availability of any civil remedy for a violation of state or federal law." *MCL 445.72(15).* <https://legislature.mi.gov/Laws/MCL?objectName=mcl-445-72>

package/skills/legal-explainers/data-privacy-law-explainer/content/minnesota.md

@@ -0,0 +1,93 @@
+---
+jurisdiction: "Minnesota"
+slug: minnesota
+countryCode: US
+snapshotAsOf: "2026-06-19"
+lastReviewed: "2026-06-06"
+canonicalUrl: https://openagreements.org/practice-guides/privacy/us/minnesota
+license: CC BY 4.0
+stale: false
+---
+
+> [!IMPORTANT]
+> **Informational only — not legal advice.** This is a snapshot of an OpenAgreements practice note,
+> provided for general information. It is not legal advice, does not create an attorney-client
+> relationship, and is not a substitute for a licensed attorney in the relevant jurisdiction.
+> Laws change; verify against the canonical version before relying on it.
+>
+> **Canonical:** https://openagreements.org/practice-guides/privacy/us/minnesota · **Snapshot as of:** 2026-06-19 · License: CC BY 4.0 · © openagreements.org
+
+# Minnesota Consumer Privacy Law (MCDPA)[^about]
+
+The Minnesota Consumer Data Privacy Act gives Minnesota consumers rights over their personal data and imposes notice, contracting, and consent duties on controllers above defined thresholds. Built on the Virginia model but distinctively stricter — it lets consumers demand a list of the specific third parties their data was disclosed to, grants profiling-reevaluation rights, has no general nonprofit exemption, and its right to cure has already sunset. Enforced exclusively by the Attorney General with no private right of action.
+
+
+## At a glance
+
+| Question | Minnesota |
+| --- | --- |
+| **Law coverage** | Comprehensive law |
+| **Summary** | If you control or process the data of 100,000+ Minnesota consumers (or 25,000+ plus over 25% of revenue from data sales), the MCDPA requires a privacy notice, opt-in consent to process sensitive data, and processor contracts — plus a uniquely strict list-of-third-parties right and profiling-reevaluation rights. The Attorney General enforces it; there are no consumer lawsuits, and the 30-day cure period has already expired. |
+| **Main law** | Minn. Stat. §§ 325M.10–325M.21 (Minnesota Consumer Data Privacy Act), effective July 31, 2025 |
+| **Privacy policy required?** | Yes — a reasonably accessible, clear, and meaningful notice with statutorily fixed contents |
+| **Who does it cover?** | Legal entities doing business in Minnesota (or targeting residents) that control or process the data of 100,000+ consumers a year (excluding payment-only data), or 25,000+ while deriving over 25% of gross revenue from selling data — no general nonprofit exemption; small businesses exempt except they still cannot sell sensitive data without consent |
+| **Can consumers sue?** | No |
+| **Privacy policy rule** | Policy contents fixed by law |
+| **Consent for sensitive data?** | Consent required first |
+| **Browser opt-out signals?** | Must be honored |
+| **Lawsuit detail** | No — enforcement is exclusively the Attorney General's |
+| **Who enforces it?** | Minnesota Attorney General (exclusive) |
+
+## Does the Minnesota Consumer Data Privacy Act apply to your business? {#does-mcdpa-apply}
+
+**Short answer.** It turns on how much consumer data you handle. The MCDPA applies to entities that do business in Minnesota or target its residents and that, in a calendar year, control or process the personal data of at least 100,000 consumers (excluding data used only to complete a payment), or at least 25,000 consumers while deriving over 25% of gross revenue from selling personal data [^stat-12-scope]. A consumer means a Minnesota resident acting in an individual or household context, not someone acting in a commercial or employment role.
+
+Minnesota followed the Virginia template that much of the country copied, but it diverges in ways that matter for triage. There is no general carve-out for nonprofit organizations — most peer states exempt them outright, but here the only nonprofit relief is for organizations established to detect and prevent insurance fraud. Small businesses are excluded from the general framework, yet they remain on the hook for one rule: they may not sell a consumer's sensitive data without prior consent [^stat-17-smallbiz]. The exclusion list otherwise tracks the familiar pattern — government entities, federally recognized tribes, HIPAA, GLBA, FCRA, and FERPA data among them.
+
+## What must your Minnesota privacy policy contain? {#privacy-policy-contents}
+
+**Short answer.** A controller must provide a reasonably accessible, clear, and meaningful privacy notice that lists the categories of personal data processed, the purposes for processing, how consumers exercise and appeal their rights, the categories of data sold or shared and the categories of third parties involved, the controller's contact information, its retention policies, and the date the notice was last updated [^stat-16-notice]. Minnesota also makes you document your compliance program internally — including naming a privacy lead and keeping a data inventory [^stat-18-policies].
+
+For a template privacy policy, section 325M.16 is the content checklist, and it is more prescriptive than many peer laws — note the explicit retention-policy and last-updated-date line items. If you sell personal data, run targeted advertising, or profile in ways that produce legal or significant effects, you must disclose that and provide a clear opt-out method outside the notice itself. Separately, section 325M.18 adds an internal-governance layer most states leave implicit: you must document the policies and procedures you adopted to comply, identify who is responsible, and conduct data privacy and protection assessments for higher-risk processing. The notice the policy presents should match the data practices the controller actually carries out.
+
+## What must your contracts with processors say? {#vendor-contracts}
+
+**Short answer.** A contract between a controller and a processor must govern the processor's data processing on the controller's behalf — so a data processing agreement is a statutory requirement, not a best practice [^stat-13-contract]. That contract has to be binding and spell out the processing instructions, the nature and purpose of processing, the type of data, the duration, and each side's rights and obligations.
+
+Section 325M.13 then specifies the required terms: a duty of confidentiality for everyone handling the data and subcontractor flow-down only after the controller has a chance to object [^stat-13-contract], plus deletion or return of data at the end of the engagement, the information needed to demonstrate compliance, and cooperation with assessments and inspections [^stat-13-terms]. As an alternative to direct inspections, a processor may arrange its own qualified independent assessor at least annually and at its own expense [^stat-13-terms]. A compliant template DPA tracks each of these, and no contract can sign away a party's statutory liability [^stat-13-liability].
+
+## Do you need consent to process sensitive data? {#sensitive-data}
+
+**Short answer.** Yes. Except as the Act otherwise allows, a controller may not process a consumer's sensitive data without obtaining consent, and for a known child it must instead follow the federal Children's Online Privacy Protection Act [^stat-16-consent]. Sensitive data includes personal data revealing race or ethnicity, religious beliefs, a mental or physical health condition or diagnosis, sexual orientation, or citizenship or immigration status; biometric or genetic information used to uniquely identify someone; the data of a known child; and specific geolocation data [^stat-11-sensitive].
+
+This is the opt-in model shared by most of the newer state laws — sensitive data is walled off until the consumer affirmatively agrees, and consent obtained through a dark pattern does not count. Minnesota also requires an easy way to revoke consent, with processing stopping within 15 days, and it bars selling or running targeted advertising on the data of consumers the controller knows to be between 13 and 16 without consent. A multi-state template generally has to support universal opt-out signals to stay compliant across jurisdictions, and Minnesota recognizes those signals too.
+
+## Can a consumer sue your business under the MCDPA? {#consumer-lawsuit}
+
+**Short answer.** No. Nothing in the MCDPA creates a private right of action, so consumers cannot sue under it — the Minnesota Attorney General enforces the law [^stat-20-no-pra]. And unlike several peer states, Minnesota's right to cure was time-limited: the warning-letter-and-30-day-cure provision expired January 31, 2026, so the Attorney General can now bring an enforcement action without first offering a window to fix the problem [^stat-20-cure].
+
+This makes Minnesota's posture stricter than the states whose cure periods are permanent. An uncured violation exposes a controller or processor to an injunction and a civil penalty of up to $7,500 per violation, and the state may also recover its litigation expenses. Because the grace period is gone, the practical move is to stand up the notice, consent, and contracting controls before the Attorney General comes calling rather than counting on a chance to remediate after a complaint.
+
+[^about]: By Steven Obiajulu, J.D. Published by [openagreements.org](https://openagreements.org). Last reviewed 2026-06-06. License: CC BY 4.0. Steven Obiajulu, J.D. is admitted in New York, not Minnesota. This article synthesizes Minnesota primary law and is not legal advice from a Minnesota-admitted attorney. This article is for informational purposes only and does not create an attorney-client relationship.
+
+[^stat-12-scope]: **Minn. Stat. § 325M.12** — "Sections 325M.10 to 325M.21 apply to legal entities that conduct business in Minnesota or produce products or services that are targeted to residents of Minnesota, and that satisfy one or more of the following thresholds: (1) during a calendar year, controls or processes personal data of 100,000 consumers or more, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or (2) derives over 25 percent of gross revenue from the sale of personal data and processes or controls personal data of 25,000 consumers or more." *Minn. Stat. § 325M.12, subd. 1(a).* <https://www.revisor.mn.gov/statutes/cite/325M.12>
+
+[^stat-17-smallbiz]: **Minn. Stat. § 325M.17** — "A small business, as defined by the United States Small Business Administration under Code of Federal Regulations, title 13, part 121, that conducts business in Minnesota or produces products or services that are targeted to residents of Minnesota, must not sell a consumer's sensitive data without the consumer's prior consent." *Minn. Stat. § 325M.17(a).* <https://www.revisor.mn.gov/statutes/cite/325M.17>
+
+[^stat-16-notice]: **Minn. Stat. § 325M.16** — "Controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: (1) the categories of personal data processed by the controller; (2) the purposes for which the categories of personal data are processed;" *Minn. Stat. § 325M.16, subd. 1(a).* <https://www.revisor.mn.gov/statutes/cite/325M.16>
+
+[^stat-18-policies]: **Minn. Stat. § 325M.18** — "A controller must document and maintain a description of the policies and procedures the controller has adopted to comply with sections 325M.10 to 325M.21 ." *Minn. Stat. § 325M.18(a).* <https://www.revisor.mn.gov/statutes/cite/325M.18>
+
+[^stat-13-contract]: **Minn. Stat. § 325M.13** — "A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also require that the processor: (1) ensure that each person processing the personal data is subject to a duty of confidentiality with respect to the data; and (2) engage a subcontractor only (i) after providing the controller with an opportunity to object, and (ii) pursuant to a written contract in accordance with paragraph (e) that requires the subcontractor to meet the obligations of the processor with respect to the personal data." *Minn. Stat. § 325M.13(c).* <https://www.revisor.mn.gov/statutes/cite/325M.13>
+
+[^stat-13-terms]: **Minn. Stat. § 325M.13** — "(e) Processing by a processor shall be governed by a contract between the controller and the processor that is binding on both parties and that sets out the processing instructions to which the processor is bound, including the nature and purpose of the processing, the type of personal data subject to the processing, the duration of the processing, and the obligations and rights of both parties. The contract shall include the requirements imposed by this paragraph, paragraphs (c) and (d), as well as the following requirements: (1) at the choice of the controller, the processor shall delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law; (2) upon a reasonable request from the controller, the processor shall make available to the controller all information necessary to demonstrate compliance with the obligations in sections 325M.10 to 325M.21 ; and (3) the processor shall allow for, and contribute to, reasonable assessments and inspections by the controller or the controller's designated assessor. Alternatively, the processor may arrange for a qualified and independent assessor to conduct, at least annually and at the processor's expense, an assessment of the processor's policies and technical and organizational measures in support of the obligations under sections 325M.10 to 325M.21 . The assessor must use an appropriate and accepted control standard or framework and assessment procedure for assessments as applicable, and shall provide a report of an assessment to the controller upon request." *Minn. Stat. § 325M.13(e).* <https://www.revisor.mn.gov/statutes/cite/325M.13>
+
+[^stat-13-liability]: **Minn. Stat. § 325M.13** — "(f) In no event shall any contract relieve a controller or a processor from the liabilities imposed on a controller or processor by virtue of the controller's or processor's roles in the processing relationship under sections 325M.10 to 325M.21 ." *Minn. Stat. § 325M.13(f).* <https://www.revisor.mn.gov/statutes/cite/325M.13>
+
+[^stat-16-consent]: **Minn. Stat. § 325M.16** — "a controller may not process sensitive data concerning a consumer without obtaining the consumer's consent, or, in the case of the processing of personal data concerning a known child, without obtaining consent from the child's parent or lawful guardian, in accordance with the requirement of the Children's Online Privacy Protection Act" *Minn. Stat. § 325M.16, subd. 2(d).* <https://www.revisor.mn.gov/statutes/cite/325M.16>
+
+[^stat-11-sensitive]: **Minn. Stat. § 325M.11** — "Sensitive data is a form of personal data. ‘Sensitive data’ means: (1) personal data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sexual orientation, or citizenship or immigration status; (2) the processing of biometric data or genetic information for the purpose of uniquely identifying an individual; (3) the personal data of a known child; or (4) specific geolocation data." *Minn. Stat. § 325M.11(v).* <https://www.revisor.mn.gov/statutes/cite/325M.11>
+
+[^stat-20-no-pra]: **Minn. Stat. § 325M.20** — "Nothing in sections 325M.10 to 325M.21 establishes a private right of action, including under section 8.31, subdivision 3a , for a violation of sections 325M.10 to 325M.21 or any other law." *Minn. Stat. § 325M.20(d).* <https://www.revisor.mn.gov/statutes/cite/325M.20>
+
+[^stat-20-cure]: **Minn. Stat. § 325M.20** — "If, after 30 days of issuance of the warning letter, the attorney general believes the controller or processor has failed to cure any alleged violation, the attorney general may bring an enforcement action under paragraph (b). This paragraph expires January 31, 2026." *Minn. Stat. § 325M.20(a).* <https://www.revisor.mn.gov/statutes/cite/325M.20>

package/skills/legal-explainers/data-privacy-law-explainer/content/mississippi.md

@@ -0,0 +1,132 @@
+---
+jurisdiction: "Mississippi"
+slug: mississippi
+countryCode: US
+snapshotAsOf: "2026-06-19"
+lastReviewed: "2026-06-12"
+canonicalUrl: https://openagreements.org/practice-guides/privacy/us/mississippi
+license: CC BY 4.0
+stale: false
+---
+
+> [!IMPORTANT]
+> **Informational only — not legal advice.** This is a snapshot of an OpenAgreements practice note,
+> provided for general information. It is not legal advice, does not create an attorney-client
+> relationship, and is not a substitute for a licensed attorney in the relevant jurisdiction.
+> Laws change; verify against the canonical version before relying on it.
+>
+> **Canonical:** https://openagreements.org/practice-guides/privacy/us/mississippi · **Snapshot as of:** 2026-06-19 · License: CC BY 4.0 · © openagreements.org
+
+# Mississippi Consumer Privacy Law[^about]
+
+Mississippi has no comprehensive consumer-privacy statute. The operative framework is Miss. Code Ann. § 75-24-29 for breach notification, plus the consumer-protection deceptive-practices statute and its narrow individual private remedy.
+
+
+## At a glance
+
+| Question | Mississippi |
+| --- | --- |
+| **Law coverage** | No comprehensive law |
+| **Summary** | Mississippi has not enacted an omnibus consumer-privacy law, so there are no general state-law access, deletion, correction, sale opt-out, targeted-advertising opt-out, controller, processor, or privacy-notice duties. The state-law privacy program is breach notice, vendor notice-up, and truthfulness of consumer-facing privacy promises. |
+| **Main law** | Miss. Code Ann. § 75-24-29 (data-breach notification), plus Miss. Code Ann. §§ 75-24-5 and 75-24-15 for unfair or deceptive trade practices and individual consumer remedies — Mississippi has no comprehensive consumer-privacy statute |
+| **Privacy policy required?** | No Mississippi statute generally requires a consumer privacy policy or fixes its contents; a policy that misstates actual practices is reachable as a deceptive-practices risk under Miss. Code Ann. § 75-24-5 and FTC Act § 5, with GLBA, HIPAA, COPPA, and other sectoral laws supplying notices where they apply |
+| **Who does it cover?** | The breach-notification statute applies to any person conducting business in Mississippi that, in the ordinary course of business, owns, licenses, or maintains personal information of a Mississippi resident; the deceptive-practices statute reaches unfair methods of competition and unfair or deceptive trade practices in or affecting commerce |
+| **Can consumers sue?** | Limited path |
+| **Privacy policy rule** | No state policy checklist |
+| **Consent for sensitive data?** | No special rule |
+| **Browser opt-out signals?** | Not required |
+| **Lawsuit detail** | No private right of action under the breach-notification section; § 75-24-15 gives an individual purchaser or lessee who suffers ascertainable loss a private action for prohibited practices, but class actions are barred |
+| **Who enforces it?** | Mississippi Attorney General |
+
+## Which privacy laws apply to your business in Mississippi? {#which-privacy-laws-apply}
+
+**Short answer.** Mississippi has no comprehensive consumer-privacy law. The generally applicable state privacy framework is two-part: the breach-notification statute, which applies to any person conducting business in Mississippi that owns, licenses, or maintains personal information of Mississippi residents in the ordinary course of business [^ms-breach-scope], and the consumer-protection prohibition on unfair methods of competition and unfair or deceptive trade practices in or affecting commerce [^ms-deceptive-practices].
+
+That means Mississippi residents do not have general state-law rights to access, delete, correct, or port their personal data; businesses do not have Mississippi-specific duties to honor sale opt-outs, targeted-advertising opt-outs, or universal opt-out signals; and there is no general Mississippi controller, processor, data-protection-assessment, or privacy-notice statute. The breach law governs incident response. The deceptive-practices law governs what a business tells consumers.
+
+The rest of a Mississippi-facing privacy program comes from the federal and sectoral overlay: FTC Act § 5 for deceptive or unfair practices, GLBA for financial institutions, HIPAA for covered health entities and business associates, COPPA for child-directed services, and other states' comprehensive privacy laws when a Mississippi business reaches their residents and thresholds.
+
+## What must your Mississippi privacy policy contain? {#privacy-policy-contents}
+
+**Short answer.** No Mississippi statute generally requires a consumer privacy policy or fixes its contents. The binding state-law rule is truthfulness: unfair or deceptive trade practices in or affecting commerce are prohibited [^q2-ms-deceptive]. A privacy policy that misstates how the business collects, uses, shares, secures, or retains data is therefore a deceptive-practices risk under Mississippi law and independently under FTC Act § 5 [^q2-ftc5].
+
+Where a sectoral regime applies, that regime supplies the notice contents. A GLBA financial institution may not disclose nonpublic personal information to nonaffiliated third parties unless it has provided the consumer a compliant privacy notice [^q2-glba-notice]. A HIPAA covered entity must give individuals notice of protected-health-information uses and disclosures, rights, and legal duties [^q2-hipaa-notice]. COPPA bars covered operators from collecting children's personal information in violation of the FTC's notice and parental-consent regulations [^q2-coppa-notice].
+
+For everyone else, the practical Mississippi drafting rule is: say what you do, and do what you say. A multistate policy should still describe data categories, purposes, third-party disclosures, retention, security, consumer choices, and contact methods because other states may require those elements. But Mississippi itself does not create a standalone policy checklist.
+
+> [!NOTE]
+> **Practice note.**
+>
+> Do not describe Mississippi as an opt-out or consumer-rights state. The Mississippi sources captured here support breach notice and deceptive-practices exposure, not general access, deletion, correction, or sale opt-out rights [^q2-ms-deceptive].
+
+## What must your contracts with vendors say? {#vendor-contracts}
+
+**Short answer.** Mississippi has no general data-processing-agreement statute. It does not prescribe controller-to-processor instructions, deletion clauses, audit rights, or subprocessor flow-downs. The Mississippi-specific vendor rule is breach-response flow-up: a person conducting business in Mississippi that maintains computerized personal information it does not own or license must notify the owner or licensee as soon as practicable after discovery of a breach, if the personal information was or is reasonably believed to have been acquired by an unauthorized person for fraudulent purposes [^q3-vendor-notice].
+
+Write that flow-up duty into vendor contracts. The statute gives the duty but leaves the operational details open, so the contract should specify the notice channel, what counts as discovery, required incident facts, forensic cooperation, timing for updates, responsibility for resident notice, and cost allocation. Because Mississippi's resident notice is due without unreasonable delay, a vendor's slow notice can consume the owner's response window.
+
+Federal regimes add fuller terms where they apply. The GLBA Safeguards Rule requires financial institutions to oversee service providers, including by requiring safeguards by contract and reassessing providers over time [^q3-glba-safeguards]. HIPAA requires a written business-associate agreement establishing permitted uses and disclosures before protected health information is shared [^q3-hipaa-baa]. Outside those regimes, carry the standard multistate protections anyway: processing limited to documented instructions, confidentiality, reasonable security, breach notice back to your business on a fixed clock, cooperation, and return or deletion at the end of the engagement.
+
+## When must you notify people of a data breach in Mississippi? {#breach-notification}
+
+**Short answer.** Mississippi requires notice to all affected individuals without unreasonable delay after a covered breach, subject to completing an investigation, identifying affected individuals, restoring system integrity, and any law-enforcement or national-security delay [^q4-resident-notice]. There is no fixed day-count deadline in the captured statute. Individual notice is not required if, after an appropriate investigation, the person reasonably determines that the breach will not likely result in harm to affected individuals [^q4-harm-offramp].
+
+The trigger is acquisition-based and narrower than access-only statutes. A breach of security means unauthorized acquisition of electronic files, media, databases, or computerized data containing personal information when access to that personal information has not been secured by encryption or another method or technology rendering it unreadable or unusable [^q4-breach-def]. An affected individual is a Mississippi resident whose personal information was, or is reasonably believed to have been, intentionally acquired by an unauthorized person through a breach [^q4-affected-individual].
+
+Mississippi's personal-information definition is the traditional identity-theft trio: first name or first initial and last name plus Social Security number, driver's license/state ID/tribal ID number, or financial-account/payment-card number with a required security code, access code, or password that would permit access to the financial account [^q4-pi-def]. Publicly available information from government records or widely distributed media is excluded.
+
+Notice may be written, telephone, or electronic if electronic communication is the primary communication method with affected individuals or E-SIGN-consistent. Substitute notice is available if notice cost would exceed $5,000, the affected class exceeds 5,000 individuals, or sufficient contact information is unavailable, and it requires email where available, conspicuous website posting where the person maintains a website, and notice to major statewide media including newspapers, radio, and television [^q4-notice-methods].
+
+There is no general Attorney General breach-notice threshold in § 75-24-29. Instead, failure to comply is itself an unfair trade practice enforced by the Attorney General, and the section expressly says it does not create a private right of action [^q4-enforcement].
+
+## Can a consumer sue your business in Mississippi over privacy? {#consumer-lawsuit}
+
+**Short answer.** Not under the breach-notification section itself: § 75-24-29 expressly says it does not create a private right of action [^q5-no-breach-pra]. The available private route is narrower: an individual who purchases or leases goods or services primarily for personal, family, or household purposes and suffers an ascertainable loss from a practice prohibited by § 75-24-5 may bring an action or assert the loss as a setoff or counterclaim [^q5-individual-action].
+
+That consumer-protection remedy is not a general privacy class-action statute. A private plaintiff must first make a reasonable attempt to resolve the claim through an informal dispute-settlement program approved by the Attorney General [^q5-informal-dispute]. And Mississippi bars class actions under the chapter: every private action must be maintained in the name and for the sole use and benefit of the individual person [^q5-class-bar].
+
+For privacy disputes, the practical distinction is this: a missed breach-notice duty belongs to the Attorney General under § 75-24-29, while a consumer-facing privacy misrepresentation may fit § 75-24-5 and § 75-24-15 only if the plaintiff can satisfy the statute's purchase-or-lease, personal/family/household-purpose, ascertainable-loss, and procedural requirements.
+
+[^about]: By Steven Obiajulu, J.D. Published by [openagreements.org](https://openagreements.org). Last reviewed 2026-06-12. License: CC BY 4.0. Steven Obiajulu, J.D. is admitted in New York, not Mississippi. This article synthesizes Mississippi primary law and is not legal advice from a Mississippi-admitted attorney. This article is for informational purposes only and does not create an attorney-client relationship.
+
+[^ms-breach-scope]: **Miss. Code Ann. § 75-24-29** — "This section applies to any person who conducts business in this state and who, in the ordinary course of the person’s business functions, owns, licenses or maintains personal information of any resident of this state." *Miss. Code Ann. § 75-24-29(1).* <https://advance.lexis.com/document/?pdmfid=1000516&pddocfullpath=%2Fshared%2Fdocument%2Fstatutes-legislation%2Furn%3AcontentItem%3A627R-MSW3-GXJ9-31CB-00008-00>
+
+[^ms-deceptive-practices]: **Miss. Code Ann. § 75-24-5** — "Unfair methods of competition affecting commerce and unfair or deceptive trade practices in or affecting commerce are prohibited." *Miss. Code Ann. § 75-24-5(1).* <https://advance.lexis.com/document/?pdmfid=1000516&pddocfullpath=%2Fshared%2Fdocument%2Fstatutes-legislation%2Furn%3AcontentItem%3A6FD9-SMJ3-SD6B-V4MW-00008-00>
+
+[^q2-ms-deceptive]: **Miss. Code Ann. § 75-24-5** — "Unfair methods of competition affecting commerce and unfair or deceptive trade practices in or affecting commerce are prohibited." *Miss. Code Ann. § 75-24-5(1).* <https://advance.lexis.com/document/?pdmfid=1000516&pddocfullpath=%2Fshared%2Fdocument%2Fstatutes-legislation%2Furn%3AcontentItem%3A6FD9-SMJ3-SD6B-V4MW-00008-00>
+
+[^q2-ftc5]: **FTC Act § 5** — "Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful." *15 U.S.C. § 45(a)(1).* <https://www.law.cornell.edu/uscode/text/15/45#:~:text=Unfair%20methods%20of%20competition%20in,commerce%2C%20are%20hereby%20declared%20unlawful.>
+
+[^q2-glba-notice]: **GLBA privacy notice** — "a financial institution may not, directly or through any affiliate, disclose to a nonaffiliated third party any nonpublic personal information, unless such financial institution provides or has provided to the consumer a notice that complies with section 6803 of this title." *15 U.S.C. § 6802(a).* <https://www.law.cornell.edu/uscode/text/15/6802#:~:text=a%20financial%20institution%20may%20not%2C,section%206803%20of%20this%20title.>
+
+[^q2-hipaa-notice]: **HIPAA Notice of Privacy Practices** — "an individual has a right to adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual's rights and the covered entity's legal duties with respect to protected health information" *45 C.F.R. § 164.520(a)(1).* <https://www.law.cornell.edu/cfr/text/45/164.520#:~:text=an%20individual%20has%20a%20right,respect%20to%20protected%20health%20information>
+
+[^q2-coppa-notice]: **COPPA** — "It is unlawful for an operator of a website or online service directed to children, or any operator that has actual knowledge that it is collecting personal information from a child, to collect personal information from a child in a manner that violates the regulations prescribed under subsection (b)." *15 U.S.C. § 6502(a)(1).* <https://www.law.cornell.edu/uscode/text/15/6502#:~:text=It%20is%20unlawful%20for%20an,regulations%20prescribed%20under%20subsection%20(b).>
+
+[^q3-vendor-notice]: **Miss. Code Ann. § 75-24-29** — "Any person who conducts business in this state that maintains computerized data which includes personal information that the person does not own or license shall notify the owner or licensee of the information of any breach of the security of the data as soon as practicable following its discovery" *Miss. Code Ann. § 75-24-29(4).* <https://advance.lexis.com/document/?pdmfid=1000516&pddocfullpath=%2Fshared%2Fdocument%2Fstatutes-legislation%2Furn%3AcontentItem%3A627R-MSW3-GXJ9-31CB-00008-00>
+
+[^q3-glba-safeguards]: **GLBA Safeguards Rule** — "Oversee service providers, by: (1) Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue; (2) Requiring your service providers by contract to implement and maintain such safeguards; and (3) Periodically assessing your service providers based on the risk they present and the continued adequacy of their safeguards." *16 C.F.R. § 314.4(f).* <https://www.law.cornell.edu/cfr/text/16/314.4#:~:text=Oversee%20service%20providers%2C%20by%3A%20(1),continued%20adequacy%20of%20their%20safeguards.>
+
+[^q3-hipaa-baa]: **HIPAA Business Associate Contracts** — "A contract between the covered entity and a business associate must: (i) Establish the permitted and required uses and disclosures of protected health information by the business associate." *45 C.F.R. § 164.504(e)(2).* <https://www.law.cornell.edu/cfr/text/45/164.504#:~:text=A%20contract%20between%20the%20covered,information%20by%20the%20business%20associate.>
+
+[^q4-resident-notice]: **Miss. Code Ann. § 75-24-29** — "A person who conducts business in this state shall disclose any breach of security to all affected individuals. The disclosure shall be made without unreasonable delay, subject to the provisions of subsections (4) and (5) of this section and the completion of an investigation by the person to determine the nature and scope of the incident, to identify the affected individuals, or to restore the reasonable integrity of the data system." *Miss. Code Ann. § 75-24-29(3).* <https://advance.lexis.com/document/?pdmfid=1000516&pddocfullpath=%2Fshared%2Fdocument%2Fstatutes-legislation%2Furn%3AcontentItem%3A627R-MSW3-GXJ9-31CB-00008-00>
+
+[^q4-harm-offramp]: **Miss. Code Ann. § 75-24-29** — "Notification shall not be required if, after an appropriate investigation, the person reasonably determines that the breach will not likely result in harm to the affected individuals." *Miss. Code Ann. § 75-24-29(3).* <https://advance.lexis.com/document/?pdmfid=1000516&pddocfullpath=%2Fshared%2Fdocument%2Fstatutes-legislation%2Furn%3AcontentItem%3A627R-MSW3-GXJ9-31CB-00008-00>
+
+[^q4-breach-def]: **Miss. Code Ann. § 75-24-29** — "‘Breach of security’ means unauthorized acquisition of electronic files, media, databases or computerized data containing personal information of any resident of this state when access to the personal information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable" *Miss. Code Ann. § 75-24-29(2)(a).* <https://advance.lexis.com/document/?pdmfid=1000516&pddocfullpath=%2Fshared%2Fdocument%2Fstatutes-legislation%2Furn%3AcontentItem%3A627R-MSW3-GXJ9-31CB-00008-00>
+
+[^q4-affected-individual]: **Miss. Code Ann. § 75-24-29** — "‘Affected individual’ means any individual who is a resident of this state whose personal information was, or is reasonably believed to have been, intentionally acquired by an unauthorized person through a breach of security." *Miss. Code Ann. § 75-24-29(2)(b)(iv).* <https://advance.lexis.com/document/?pdmfid=1000516&pddocfullpath=%2Fshared%2Fdocument%2Fstatutes-legislation%2Furn%3AcontentItem%3A627R-MSW3-GXJ9-31CB-00008-00>
+
+[^q4-pi-def]: **Miss. Code Ann. § 75-24-29** — "‘Personal information’ means an individual’s first name or first initial and last name in combination with any one or more of the following data elements:" *Miss. Code Ann. § 75-24-29(2)(b).* <https://advance.lexis.com/document/?pdmfid=1000516&pddocfullpath=%2Fshared%2Fdocument%2Fstatutes-legislation%2Furn%3AcontentItem%3A627R-MSW3-GXJ9-31CB-00008-00>
+
+[^q4-notice-methods]: **Miss. Code Ann. § 75-24-29** — "substitute notice, provided the person demonstrates that the cost of providing notice in accordance with paragraph (a), (b) or (c) of this subsection would exceed Five Thousand Dollars ($5,000.00), that the affected class of subject persons to be notified exceeds five thousand (5,000) individuals or the person does not have sufficient contact information." *Miss. Code Ann. § 75-24-29(6).* <https://advance.lexis.com/document/?pdmfid=1000516&pddocfullpath=%2Fshared%2Fdocument%2Fstatutes-legislation%2Furn%3AcontentItem%3A627R-MSW3-GXJ9-31CB-00008-00>
+
+[^q4-enforcement]: **Miss. Code Ann. § 75-24-29** — "Failure to comply with the requirements of this section shall constitute an unfair trade practice and shall be enforced by the Attorney General; however, nothing in this section may be construed to create a private right of action." *Miss. Code Ann. § 75-24-29(8).* <https://advance.lexis.com/document/?pdmfid=1000516&pddocfullpath=%2Fshared%2Fdocument%2Fstatutes-legislation%2Furn%3AcontentItem%3A627R-MSW3-GXJ9-31CB-00008-00>
+
+[^q5-no-breach-pra]: **Miss. Code Ann. § 75-24-29** — "Failure to comply with the requirements of this section shall constitute an unfair trade practice and shall be enforced by the Attorney General; however, nothing in this section may be construed to create a private right of action." *Miss. Code Ann. § 75-24-29(8).* <https://advance.lexis.com/document/?pdmfid=1000516&pddocfullpath=%2Fshared%2Fdocument%2Fstatutes-legislation%2Furn%3AcontentItem%3A627R-MSW3-GXJ9-31CB-00008-00>
+
+[^q5-individual-action]: **Miss. Code Ann. § 75-24-15** — "any person who purchases or leases goods or services primarily for personal, family or household purposes and thereby suffers any ascertainable loss of money or property, real or personal, as a result of the use or employment by the seller, lessor, manufacturer or producer of a method, act or practice prohibited by Section 75-24-5 may bring an action at law" *Miss. Code Ann. § 75-24-15(1).* <https://advance.lexis.com/document/?pdmfid=1000516&pddocfullpath=%2Fshared%2Fdocument%2Fstatutes-legislation%2Furn%3AcontentItem%3A627H-RXF3-GXJ9-31SS-00008-00>
+
+[^q5-informal-dispute]: **Miss. Code Ann. § 75-24-15** — "In any private action brought under this chapter, the plaintiff must have first made a reasonable attempt to resolve any claim through an informal dispute settlement program approved by the Attorney General." *Miss. Code Ann. § 75-24-15(2).* <https://advance.lexis.com/document/?pdmfid=1000516&pddocfullpath=%2Fshared%2Fdocument%2Fstatutes-legislation%2Furn%3AcontentItem%3A627H-RXF3-GXJ9-31SS-00008-00>
+
+[^q5-class-bar]: **Miss. Code Ann. § 75-24-15** — "Nothing in this chapter shall be construed to permit any class action or suit, but every private action must be maintained in the name of and for the sole use and benefit of the individual person." *Miss. Code Ann. § 75-24-15(4).* <https://advance.lexis.com/document/?pdmfid=1000516&pddocfullpath=%2Fshared%2Fdocument%2Fstatutes-legislation%2Furn%3AcontentItem%3A627H-RXF3-GXJ9-31SS-00008-00>