Michigan security and surveillance regulations: what businesses must know

Michigan's eavesdropping statute, MCL 750.539a et seq., reads strictly: it bars willful use of any device to eavesdrop on a private conversation without consent of all parties. Michigan case law (Sullivan v. Gray, 1981) has held that a participant in a conversation is not eavesdropping on it. The result is a documented gray zone where commercial installs default to all-party-style discipline. MCL 445.72 governs data breach notification including biometric records. The Cannabis Regulatory Agency (CRA) publishes camera coverage and retention rules for licensed marijuana establishments.

Camera-related state law

Michigan's audio-recording statutes are MCL 750.539a-c and 750.539d-j, the eavesdropping and surveillance provisions of the MI Penal Code. MCL 750.539c reads as an all-party consent statute on its face: it bars willful use of any device to eavesdrop upon a private conversation without the consent of all parties to the conversation. The statute defines "private conversation" and "eavesdrop" with reference to the parties' expectation that the communication is not subject to interception.

Michigan case law in Sullivan v. Gray (1981) has held that a party to a conversation is not eavesdropping on it for purposes of the statute. That has been treated by some courts as a functional one-party-consent reading. The result is a documented gray zone. The safer commercial practice is to assume all-party consent: default to video-only on cameras, route audio capture through a separate documented intercom or call-recording workflow, and obtain written all-party consent where audio capture is unavoidable.

MCL 750.539j makes installing or using a device to observe or photograph another person's private affairs in a place where the person has a reasonable expectation of privacy a felony. MCL 750.539d makes surveillance of an individual in a place where the individual has a reasonable expectation of privacy a felony. These provisions put hidden cameras in restrooms, dressing rooms, and hotel guest rooms in criminal territory.

Practical translation. Commercial MI camera installs default to video-only on the cameras. Hidden cameras in spaces where privacy is expected are off the table for the operator and the integrator.

Biometric data and breach notification

Michigan has no standalone biometric privacy statute on the BIPA model with a private right of action. Biometric data is regulated primarily through MCL 445.72, part of the Michigan Identity Theft Protection Act, which includes biometric data within personal information for data breach notification purposes. A breach affecting biometric records triggers MI AG notice obligations.

For commercial security buyers, the practical reach is fingerprint and facial-recognition access control, voice-print authentication, and any AI camera that builds a faceprint template. MI businesses using biometric capture document consent at enrollment, retention, and access controls as a matter of best practice. Michigan's automotive supply chain pulls heavily from Illinois and Indiana, which means BIPA reaches a meaningful portion of MI-employed remote workers and supply-chain partners. Most multi-state employers in MI default to BIPA-grade documentation (written informed consent + retention schedule + destruction process).

The practical retention rule for biometric records in MI is to retain only as long as reasonably necessary for the purpose and to destroy on employee separation or end of lawful purpose.

Privacy in the workplace

Michigan has no single workplace electronic-monitoring statute that requires written notice for general video surveillance. Pure video surveillance of common work areas with posted notice is the routine pattern. Cameras in employee-only spaces with a reasonable expectation of privacy (restrooms, locker rooms, lactation rooms) are off-limits and create exposure under MCL 750.539d and 750.539j.

Audio capture by an employer is regulated by MCL 750.539a et seq. Most MI employers issue a single workplace surveillance notice in the employee handbook covering cameras, badge access, computer monitoring, and call recording together. MI's heavy automotive, food-processing, and healthcare footprint means most plant-floor and warehouse installs default to NDAA-compliant cameras with badge-tied access control. Fingerprint or facial-recognition timeclocks are common on MI plant floors but should carry written informed-consent forms when any employee is a resident of an outside state with a stricter regime (Illinois BIPA in particular, given Detroit-Chicago and SW MI cross-border employment).

Public-place and common-area cameras

For commercial real estate, multi-tenant residential, retail, and hospitality, the practical rule set is consistent. Cameras in lobbies, hallways, exterior, parking, retail floor, and other non-private common areas are lawful with posted notice. Cameras in bathrooms, fitting rooms, hotel guest rooms, and any other space where privacy is reasonably expected are off-limits.

Multi-tenant residential operators in Michigan should review the bylaws and lease covenants. Hotel operators handle guest-room signage at the door and at the front desk and document any guest-area camera coverage in the property security plan. Detroit, Grand Rapids, Lansing, Ann Arbor, and Warren have municipal ordinances that can apply to alarm permits and certain license categories. Detroit's Project Green Light, a public-private camera-sharing program, has its own enrollment and retention requirements that participating businesses agree to as a condition of participation.

Video retention requirements

Michigan has no single statewide video retention statute that applies to all commercial cameras. Retention is set by the regime that governs the industry.

Cannabis. The Cannabis Regulatory Agency publishes camera coverage and retention rules for licensed marijuana establishments under MI Admin Code R 420. Pull the current rules before designing the install.
Healthcare. HIPAA Security Rule (45 CFR Part 164) governs PHI-touching footage. Retention is typically 30 to 90 days at the facility, longer when an investigation is open. MI has a large hospital-system footprint (Beaumont/Corewell, Henry Ford, Trinity, Spectrum) where camera retention is part of the facility security plan.
Retail and hospitality with card data. PCI-DSS Requirement 9 specifies camera coverage of the cardholder data environment with 90-day retention.
Banks and financial institutions. Federal banking regulators set surveillance and retention expectations through bank examination. MI Department of Insurance and Financial Services supervises state-chartered institutions.
Automotive supply chain. OEM customer requirements from Detroit Three and tier-one suppliers often impose camera coverage, retention, and access-control expectations through supplier security manuals.
Schools. FERPA reach for K-12 districts and higher education. MI district board policies typically set 14 to 30 days retention.
Federal contractors and grantees. NDAA Section 889 controls vendor selection. CMMC 2.0 reaches MI defense contractors. Retention is contractor-driven through the SSP or grant award terms.

Default retention for MI commercial systems with no specific industry rule is 30 days. Operators in higher-risk industries set longer retention with explicit written retention policies in the WISP, facility security plan, or CRA SOP.

Notable enforcement examples

MI enforcement against businesses for camera, biometric, and data-handling issues runs through several channels. The Michigan Attorney General brings consumer protection actions under the MI Consumer Protection Act and the Identity Theft Protection Act against businesses with documented data security failures. The MI Cannabis Regulatory Agency has issued sanctions against marijuana licensees for surveillance and retention failures.

Federal HIPAA settlements have reached MI-based defendants where physical safeguards (facility access control, camera coverage of PHI areas) were a documented part of the breach. PCI assessor findings have triggered card brand penalties at MI retailers where camera coverage of the cardholder data environment was inadequate or retention was below 90 days. Real settlements are searchable on the MI AG, CRA, and HHS OCR enforcement pages.

What Tec-Tel does to comply with Michigan regulations

Tec-Tel installs across Michigan for retail, manufacturing, automotive supply chain, healthcare, multi-tenant residential, financial, hospitality, and licensed cannabis customers. The default install pattern for an MI commercial site:

Video-only on cameras unless audio is documented with all-party consent. This is the safer reading of MCL 750.539a-c given the Sullivan v. Gray gray zone.
Posted surveillance notice at every public entrance.
No cameras in restrooms, locker rooms, fitting rooms, hotel guest rooms, or other spaces where privacy is reasonably expected (MCL 750.539d, 750.539j).
Written informed-consent forms with a documented retention schedule for any biometric capture (fingerprint timeclocks, facial-recognition access, voiceprint authentication), defaulted to BIPA-grade documentation given Illinois and Indiana cross-border employment.
Retention configured to the regime that governs the industry (HIPAA, PCI, CRA, OEM supplier manuals, NDAA, CMMC), with the facility's written retention policy attached.
NDAA Section 889-compliant vendor selection on any federal-touching install. No Hikvision, Dahua, Hytera, Huawei, ZTE, or covered OEM relabels.
Multi-vendor architecture so the customer is not locked into one camera or VMS line as state and federal rules evolve.

This is a buyer-facing reference, not legal advice. For a specific MI regulatory question, work with your privacy counsel.

Security service in Michigan

Tec-Tel deploys AI-era security across Michigan with one accountable project manager owning design, install, and service to one standard. The cities below have local service detail, deal sizing, and a free consultation. Don't see yours? We cover the whole state.

Or browse the full city directory and nationwide coverage map.

Frequent buyer questions

Is Michigan a one-party or two-party consent state for audio recording?

It depends on who is asking. Michigan's eavesdropping statute, MCL 750.539a-c, reads as an all-party consent statute on its face: it bars use of any device to eavesdrop on a private conversation without consent of all parties. Michigan case law in Sullivan v. Gray (1981) has held that a participant in a conversation is not eavesdropping on it, which has been treated by some courts as a one-party-consent gloss. The safer commercial practice is to assume all-party consent: video-only on cameras, audio capture only with documented all-party consent. That defaults the install to the strictest reading of the statute and avoids litigation.

What's the data breach notification rule in Michigan?

MCL 445.72, part of the Michigan Identity Theft Protection Act, requires notice to MI residents whose personal information was acquired by an unauthorized person. Personal information includes name combined with a sensitive identifier (Social Security number, driver's license, financial account, biometric data when used for unique identification). Notice is required without unreasonable delay. The MI Attorney General's office takes consumer complaints and brings actions under the MI Consumer Protection Act for documented data security failures. Notice to the AG and to nationwide consumer reporting agencies applies for breaches above the statutory threshold.

Does Michigan have a biometric privacy law like Illinois BIPA?

Not a standalone BIPA-style statute with a private right of action. MI regulates biometric data primarily through MCL 445.72, which includes biometric data within personal information for breach notification purposes. MI businesses using fingerprint or facial recognition document consent at enrollment, retention, and access controls as a matter of best practice. Out-of-state employee data rules can apply: BIPA reaches Illinois-resident remote workers, and Michigan's automotive supply chain pulls heavily from Illinois and Indiana, which makes BIPA-grade documentation common across MI plants.

Can I put cameras in employee break rooms or restrooms in Michigan?

Restrooms, locker rooms, and changing rooms are off-limits. Michigan has not codified a Labor Code 435-style ban, but MCL 750.539j (installing or using a device for surveillance in a private place) and MCL 750.539d (surveillance in a place where privacy is reasonably expected) combine to make camera coverage of those spaces prohibited and prosecutable. Common-area break rooms with posted notice are generally treated like other common work areas. Most MI employers leave break rooms unwatched and concentrate cameras at the entrance and food-prep area instead.

What's the video retention requirement for Michigan cannabis retailers?

The Michigan Cannabis Regulatory Agency (CRA), formerly the Marijuana Regulatory Agency, publishes camera coverage and retention rules for licensed marijuana establishments under MI Admin Code R 420. The standing requirement has been a minimum of thirty days of footage retention with continuous recording in specified areas (entry, exit, point of sale, vault, cultivation), but operators should pull the current CRA rules before designing the install because the rules have been revised over time. Most MI licensed operators retain the CRA minimum and configure VMS retention with a buffer.

Are there special rules for cameras in Michigan schools?

MI public schools follow federal FERPA (20 U.S.C. 1232g) for identifiable student footage, which can qualify as an education record. School district board policies set retention and access rules, often 14 to 30 days. SVPP and NSGP grant-funded camera projects at MI schools carry NDAA Section 889 procurement requirements. The MI Department of Education and the Office of School Safety provide school safety guidance, and the OK2SAY tip program is a reporting backbone many MI districts integrate with. Higher-education campuses follow FERPA plus institution-level policy.

Are there notable Michigan enforcement examples for surveillance or privacy issues?

The Michigan Attorney General has brought consumer protection actions under the MI Consumer Protection Act and the Identity Theft Protection Act against businesses with documented data security failures. The MI Cannabis Regulatory Agency has issued sanctions against marijuana licensees for surveillance and retention failures. Federal HIPAA settlements have reached MI-based defendants where physical safeguards (facility access control, camera coverage of PHI areas) were a documented part of the breach. Real settlements are searchable on the MI AG, CRA, and HHS OCR enforcement pages.

Can a property owner or employer review camera footage without a warrant in Michigan?

A property owner or employer can review their own footage of their own property under their own access-control policy. Disclosure to outside parties is regulated. Police and prosecutors generally need a warrant or subpoena for an involuntary disclosure of footage from a private system. Voluntary disclosure to law enforcement is allowed but creates exposure if the footage was retained or captured outside the property's posted policy. Document the chain of custody on every export.

Start with a free consultation.

Tell us what you're protecting and what's already in place. The Tec-Tel team reviews it and comes back with a written plan.

Tell us how many sites you run and what's already in place. We'll show you what a build or upgrade looks like.

Straight answers from the team that does the work. We're platform-agnostic, so you get the system that fits your sites, not one brand's catalog.

Since 2010 · 1,000+ deployments nationwide · ISN-accredited

Book a free consultation 855-577-0400

Michigan security and surveillance regulations: what businesses must know

Camera-related state law

Biometric data and breach notification

Privacy in the workplace

Public-place and common-area cameras

Video retention requirements

Notable enforcement examples

What Tec-Tel does to comply with Michigan regulations

Security service in Michigan

Frequent buyer questions

Compliance reference

NDAA Section 889

Illinois regulations

Ohio regulations

Manufacturing security

Start with a free consultation.

How can we help?