Sec. 4. (1) Except as otherwise provided in subsection (2), an employer shall not use an automated decisions tool to make an employment-related decision. (2) An employer may use an automated decisions tool to screen large volumes of job applications to do either of the following: (a) Identify candidates who meet a set hiring criteria. (b) Assess candidates based on job skills.

Sec. 5. (1) Except as provided in this act, an employer shall not use an electronic monitoring tool or automated decisions tool to collect a covered individual's data. (2) An employer may use an electronic monitoring tool for only the following purposes: (a) To allow an employee to accomplish or facilitate an essential job function. (b) To monitor production processes or quality. (c) To periodically assess an employee's performance. (d) To ensure or facilitate compliance with state or federal labor or employment law. (e) To protect the health, safety, or security of covered individuals. (f) To administer wages and benefits, if it can be determined that the electronic monitoring system uses only data regarding the city where the covered individual works and the costs of living in that area. (g) To accomplish any other purpose that enables business operations as determined by the department.

(3) An employer that uses an electronic monitoring tool or automated decisions tool must do all of the following: (a) Provide written notice that the employer is using an electronic monitoring tool or automated decisions tool to all covered individuals who are subject to the tool. (b) Obtain written consent from each covered individual to electronically monitor or use an automated decisions tool on the covered individual in accordance with this act. (c) Ensure that data collected through the electronic monitoring tool or automated decisions tool is accurate and up to date. (d) Allow a covered individual to correct inaccurate data about that covered individual.

(e) Use the tool in a narrowly tailored manner to accomplish a purpose described in subsection (2) or section 4(2). (f) Use the tool through the least invasive means possible for the covered individual whom the tool monitors. (g) Ensure the tool applies to the smallest number of covered individuals, collects the least amount of data, and is used no more frequently than necessary to accomplish a purpose described in subsection (2) or section 4(2). (h) Ensure that the tool does not collect any data of an employee when the employee is off duty.

(4) An employer that uses an electronic monitoring tool for a purpose described in subsection (2) or an automated decisions tool for a purpose described in section 4(2) shall not do any of the following: (a) Collect any of the following data of a covered individual: (i) Health, medical, lifestyle, and wellness information, including, but not limited to, the covered individual's medical history, physical or mental condition, diet or physical activity patterns, heart rate, medical treatment or diagnosis by a health care professional, health insurance policy number, subscriber identification number, or other unique identifier used to identify the covered individual. (ii) A qualified characteristic. (iii) Information related to workplace activities, including, but not limited, all of the following: (A) Human resources information, including contents of a covered individual's personnel file or performance evaluations. (B) Work process information, such as productivity and efficiency information. (C) Information that captures workplace communications and interactions, including emails, texts, internal message boards, and customer interaction and ratings. (D) Device usage, including calls placed or geolocation information. (E) Audio-video information and other information collected from sensors, including movement tracking, thermal sensors, voiceprints, or facial, emotion, and gait recognition. (F) Inputs of or outputs generated by an automated decisions tool that are linked to a covered individual. (G) Online information, including a covered individual's internet protocol address, private social media activity, or other digital sources or unique identifiers associated with a covered individual. (b) Identify, punish, or obtain data about a covered individual who engages in an activity that is protected under state or federal labor or employment law. (c) Monitor bathrooms or other similar private areas, including, but not limited to, locker rooms, changing areas, breakrooms, smoking areas, employee cafeterias, lounges, areas designated to express breast milk, or areas designated for prayer or other religious activity. The prohibition under this subdivision includes data collection on the frequency of use of those private areas and conducting audio or visual monitoring of a workplace in an employee's residence, an employee's personal vehicle, or property owned or leased by an employee.

(5) An employer shall not use an electronic monitoring tool or automated decisions tool that is equipped with facial, gait, voice, or emotion recognition technology.

Sec. 7. (1) An employer that collects a covered individual's data shall retain the data for not more than 3 years after the date on which the purpose for using the electronic monitoring tool or automated decisions tool is achieved, unless otherwise specified by a collective bargaining agreement. If the employer does not use any specific data of a covered individual, the employer must delete that data immediately. (2) An employer shall not sell or license a covered individual's data, including, but not limited to, data that is deidentified or aggregated. (3) An employer shall not share data collected under section 4 or 5 with this state or a local unit of government unless otherwise necessary to do any of the following: (a) Provide information to the department. (b) Comply with the requirements of federal, state, or local law. (c) Comply with a court-issued subpoena, warrant, or order.

Sec. 9. (1) Before an employer uses an automated decisions tool under section 4 or an electronic monitoring tool under section 5, the employer shall conduct an impact assessment of the tool that meets all of the following requirements: (a) Evaluates the tool's objectives, algorithms, data, cybersecurity vulnerabilities, and potential biases, including, but not limited to, discriminatory outcomes based on race, gender, or disability. (b) Is conducted 1 year before the tool is implemented, or, for a tool already in use on the effective date of this act, not more than 6 months after the effective date of this act. (c) Is conducted by an independent and impartial third party with no financial or legal conflicts of interests related to the use of the tool. (d) Identifies and describes the attributes and modeling techniques that the tool uses to produce outputs. (e) Evaluates whether the attributes and modeling techniques described in subdivision (d) are a scientifically valid means of evaluating a covered individual's performance or ability to perform the essential functions of a role, and whether those attributes may function as a proxy for belonging to a protected class under the Elliot-Larsen civil rights act, 1976 PA 453, MCL 37.2101 to 37.2804. (f) Considers, identifies, and describes both of the following that may result in a disparate impact on a covered individual based on the covered individual's qualified characteristic, and what actions may be taken by the employer to reduce or remedy any disparate impact. (i) Any disparities in the data used to train or develop the tool. (ii) Any outputs produced by the tool. (g) Evaluates whether the use of the tool may limit accessibility for covered individuals with disabilities, or for covered individuals with any specific disability, and what actions may be taken by the employer to reduce or remedy the limit on accessibility. (h) Considers and describes potential sources of adverse impact against covered individuals or groups based on a qualified characteristic that may arise after the tool is implemented. (i) Identifies and describes any other assessment of risks of discrimination or a disparate impact of the tool on covered individuals or groups based on a qualified characteristic, and what actions may be taken to reduce or remedy that risk. (j) For any finding of a disparate impact or limit on accessibility, evaluates whether the data set, attribute, or feature of the tool at issue is the least discriminatory method of assessing a covered individual's performance or ability to perform job functions. (k) Considers and describes any other ways in which the tool could result in a violation of applicable law and, for any finding that a violation of law may occur, any necessary or appropriate steps to prevent a violation. (l) Considers and describes whether use of the tool may negatively affect a covered individual's privacy or job quality, including wages, hours, and working conditions. (2) Not more than 60 days after an employer completes an assessment, the employer shall do both of the following: (a) Submit the assessment in its entirety or in an accessible summary form to the department for the department to include in a public registry of impact assessments. (b) Distribute the assessment to covered individuals who may be subject to the tool. (3) An employer shall conduct or commission subsequent impact assessments each year in which the electronic monitoring tool or automated decisions tool is in use. Subsequent impact assessments must comply with the requirements of subsection (1), as applicable, and must assess and describe any change in the validity or disparate impact of the tool.

(4) An employer shall retain all documentation pertaining to the design, development, use, and data of an electronic monitoring tool or automated decisions tool that may be necessary to conduct an impact assessment. The documentation includes, but is not limited to, the source of the data used to develop the tool, the technical specifications of the tool, individuals involved in the development of the tool, historical use data for the tool, and a historical record of the versions of the tool the employer uses. (5) A service provider that contracts with an employer to provide electronic monitoring or automated decisions shall allow the employer access to the documentation described in subsection (4). (6) An employer shall share the documentation described in subsection (4) with a labor organization as required under law or as required by a court or agency in connection with any employment or labor litigation to which the employer is a party. (7) The documentation described in subsection (4) must be stored in manner as prescribed by the director. The director shall prescribe the manner so that the documentation is legible and accessible to the party that conducts an impact assessment of the tool.

Sec. 11. (1) If an employer has a security breach of data collected through an electronic monitoring tool or automated decisions tool, the employer must do all of the following: (a) Promptly secure the electronic monitoring systems or automated decisions tools, mitigate harm, and certify that corrective steps were taken. (b) Not more than 48 hours after the discovery of the security breach, provide notice of the security breach to all of the covered individuals whose data is affected by the security breach. The notice must include all of the following: (i) A summary of how the breach occurred. (ii) The specific data that was compromised, if known. (iii) How the employer is responding to the security breach. (iv) Information on any necessary steps the employee can take to help secure the employee's data or apply for employer-covered protections under subdivision (c). (c) Provide all of the following to the covered individuals whose data is affected by the security breach: (i) Ten years of paid premium identity theft protection and insurance, including, but not limited to, an insurance policy of not less than $5,000,000.00 that covers financial loss, expense reimbursement, and legal fees for each affected covered individual. (ii) Comprehensive credit monitoring that also covers a covered individual's dependents if the dependents' data is compromised. (iii) Dark web monitoring. (iv) Account breach alerts. (v) A 3-bureau credit freeze. (vi) Expert fraud remediation that is based in the United States. (vii) Social Security number monitoring and the cost of reissuance. (viii) Bank fraud and financial transaction monitoring. (d) Provide notice of the security breach to the department and the attorney general. (2) After a security breach has occurred as described in subsection (1), the employer must contract with a third party to perform an audit of the electronic monitoring tool or automated decisions tool to ensure that any vulnerabilities have been fixed.

Sec. 13. (1) If an employer uses an electronic monitoring tool or automated decisions tool, the employer must display a poster at the employer's place of business, in a conspicuous place accessible to the employer's employees, that includes, but is not limited to, notice of the use of an electronic monitoring tool or automated decisions tool. (2) Not less than 30 days before an employer implements an electronic monitoring tool or automated decisions tool, the employer shall provide notice, in writing, of the tool's use to all of the employer's employees. The employer shall also include the notice in every job posting, post the notice on the employer's website, provide the notice directly to every applicant, and make the notice available in accessible formats that account for the applicant's first language, if it is not English, and any disability the applicant may have. The notice must provide a covered individual with the ability to opt out of the electronic monitoring tool or automated decisions tool. (3) If a covered individual opts out of the use of an electronic monitoring tool or automated decisions tool under subsection (2), the employer shall not use the electronic monitoring tool or automated decisions tool to make any employment-related decisions for that covered individual.

Sec. 17. (1) This act provides minimum standards for the use of an electronic monitoring or automated decisions tool and must not be construed to preempt, diminish, or interfere with the right of employees to collectively bargain under section 30 of 1939 PA 176, MCL 423.30 or section 15 of 1947 PA 336, MCL 423.215, over the terms and conditions of employment, including, but not limited to, protections against surveillance-based wage discrimination. (2) If an employer's employees are covered by a collective bargaining act in effect on the effective date of this act and the employer intends to use an electronic monitoring tool or automated decisions tool, the employer must provide notice of the use in accordance with section 13 and an opportunity to bargain over the intended use of the tool to set or influence employee wages or other terms and conditions of employment. (3) If an employer's employees are covered by a collective bargaining agreement in effect on the effective date of this act, not less than 30 days before the start of any collective bargaining, the employer must provide the employees' bargaining representative with necessary information for bargaining, including, but not limited to, data collected, impact assessments, and data breaches that have occurred. (4) Any rights or protections negotiated through a collective bargaining agreement that exceed the requirements of this act are fully enforceable and must not be considered waived or precluded by compliance with this act. (5) This act does not diminish an employer's obligation to provide advance notice to and to engage in good-faith negotiations with a labor organization that represents any portion of the employer's employees before the employer implements an electronic monitoring tool or automated decisions tool.