MI SB1182

Establishes the "Personal Data Privacy Act" requiring controllers and processors handling personal data of 100,000+ Michigan consumers (or 25,000+ if deriving 50%+ revenue from data sales) to obtain consumer consent before processing personal data and implement security measures.

Grants consumers rights to access, correct, delete, and port their personal data; opt out of targeted advertising, data sales, and profiling; and appeal controller denials within 60 days with attorney general complaint mechanism.

Requires data brokers to register annually with the attorney general starting January 31, 2024, paying registration fees and disclosing their names, addresses, and data collection practices on a public website.

Exempts state agencies, financial institutions, health care entities, institutions of higher education, insurance companies, and information covered by federal privacy laws (HIPAA, FERPA, FCRA, etc.) from the act's requirements.

Authorizes the attorney general to investigate violations and bring civil actions seeking fines up to $7,500 per violation (or $100 daily for unregistered data brokers), with 30-day cure periods before enforcement; allows consumers to sue for actual damages and injunctive relief with similar 30-day notice requirements.