Chief Sponsor: Chris H. Wilson

House Sponsor: ____________


8     General Description:
9          This bill enacts provisions related to motor vehicle consumer data protection.
10     Highlighted Provisions:
11          This bill:
12          ▸     enacts provisions related to storing, sharing, and accessing motor vehicle consumer
13     data; and
14          ▸     defines terms.
15     Money Appropriated in this Bill:
16          None
17     Other Special Clauses:
18          None
19     Utah Code Sections Affected:
20     ENACTS:
21          13-63-101, Utah Code Annotated 1953
22          13-63-102, Utah Code Annotated 1953
23          13-63-201, Utah Code Annotated 1953
24          13-63-202, Utah Code Annotated 1953
25          13-63-203, Utah Code Annotated 1953

27     Be it enacted by the Legislature of the state of Utah:

28          Section 1. Section 13-63-101 is enacted to read:

Part 1. General Provisons

31          13-63-101. Definitions.
32          As used in this chapter:
33          (1) "Authorized integrator" means a third party with whom a franchisee enters into a
34     contract to perform a specific function for a franchisee that allows the third party to access
35     protected dealer data or to write data to a dealer data system, or both, to carry out the specified
36     function.
37          (2) "Cyber ransom" means to encrypt, restrict, or prohibit or threaten or attempt to
38     encrypt, restrict, or prohibit a franchisee's or a franchisee's authorized integrator's access to
39     protected dealer data for monetary gain.
40          (3) (a) "Dealer data system" means a software, hardware, or firmware system that is
41     owned, leased, or licensed by a franchisee, that includes a system of web-based applications,
42     computer software, or computer hardware, whether located at the franchisee's dealership or
43     hosted remotely, and that stores or provides access to protected dealer data.
44          (b) "Dealer data system" includes dealership management systems and consumer
45     relations management systems.
46          (4) "Dealer data vendor" means a dealer management system provider, consumer
47     relationship management system provider, or other vendor providing similar services that
48     stores protected dealer data pursuant to a contract with the franchisee.
49          (5) "Dealership" means the same as that term is defined in Section 13-14-102.
50          (6) "Fee" means a charge for allowing access to protected dealer data beyond any direct
51     costs incurred by a third party in providing protected dealer data access to an authorized
52     integrator or allowing an authorized integrator to write data to a dealer data system.
53          (7) "Franchisee" means the same as that term is defined in Section 13-14-102.
54          (8) "Franchisee program" means a bonus, incentive, rebate, or other payment program
55     that a franchisor offers to a franchisee.
56          (9) "Franchisor" means the same as that term is defined in Section 13-14-102.
57          (10) "Manufacturer" means a manufacturer of new motor vehicles.
58          (11) "Other generally accepted standards" means security standards that are at least as

59     comprehensive as STAR standards.
60          (12) "Prior express written consent" means a franchisee's express written consent:
61          (a) in a document separate from any other:
62          (i) consent;
63          (ii) contract;
64          (iii) franchise agreement; or
65          (iv) other writing; and
66          (b) that contains:
67          (i) the franchisee's consent to data sharing and identification of all parties with whom
68     the data may be shared;
69          (ii) all details that the franchisee requires relating to the scope and nature of the data to
70     be shared, including the data fields and the duration for which the sharing is authorized; and
71          (iii) all provisions and restrictions that are required under federal law to allow sharing
72     the data.
73          (13) "Protected dealer data" means:
74          (a) personal, financial, or other data relating to a consumer that:
75          (i) (A) a consumer provides to a franchisee; or
76          (B) a franchisee otherwise obtains; and
77          (ii) is stored in the franchisee's dealer data system;
78          (b) motor vehicle diagnostic data that is stored in a dealer data system; and
79          (c) other data that relates to a franchisee's business operations in the franchisee's dealer
80     data system.
81          (14) (a) "Required manufacturer data" means data that:
82          (i) a manufacturer is required to obtain under federal or state law;
83          (ii) is required to complete or verify a transaction between the franchisee and the
84     manufacturer;
85          (iii) is motor vehicle diagnostic data; or
86          (iv) is reasonably necessary for:
87          (A) a safety, recall, or other legal notice obligation;
88          (B) the sale and delivery of a new motor vehicle or certified used motor vehicle to a
89     consumer;

90          (C) the validation and payment of consumer or franchisee incentives;
91          (D) claims for franchisee-supplied services relating to warranty parts or repairs;
92          (E) the evaluation of franchisee performance, including without limitation the
93     evaluation of the franchisee's monthly financial statements and sales or service, consumer
94     satisfaction with the franchisee through direct consumer contact or consumer surveys;
95          (F) franchisee and market analytics;
96          (G) the identification of the franchisee that sold or leased a specific motor vehicle and
97     the date of the transaction;
98          (H) marketing purposes designed for the benefit of or to direct leads to franchisees ; or
99          (I) the development, evaluation, or improvement of the manufacturer's products or
100     services.
101          (b) "Required manufacturer data" does not include a consumer's financial information:
102          (i) on the consumer's credit application; or
103          (ii) a franchisee's individualized notes about a consumer that are not related to a
104     transaction.
105          (15) "STAR standards" means the current, applicable security standards published by
106     the Standards for Technology in Automotive Retail.
107          (16) (a) "Third party" means a person other than a franchisee.
108          (b) "Third party" includes:
109          (i) a service provider; and
110          (ii) a vendor, including a dealer data vendor and authorized integrator.
111          (c) "Third party" does not include:
112          (i) a governmental entity acting pursuant to federal, state, or local law;
113          (ii) a person acting pursuant to a valid court order; or
114          (iii) a manufacturer.
115          (17) "Unreasonable restriction" means:
116          (a) an unreasonable limitation or condition on the scope or nature of the data that is
117     shared with an authorized integrator;
118          (b) an unreasonable limitation or condition on the ability of an authorized integrator to
119     write data to a dealer data system;
120          (c) an unreasonable limitation or condition on a third party that accesses or shares

121     protected dealer data or that writes data to a dealer data system;
122          (d) requiring unreasonable access to a third party's sensitive, competitive, or other
123     confidential business information as a condition for accessing protected dealer data or sharing
124     protected dealer data with an authorized integrator;
125          (e) prohibiting or limiting a franchisee's ability to store, copy, securely share, or use
126     protected dealer data outside of the dealer data system in any manner and for any reason;
127          (f) allowing access to or accessing protected dealer data without prior express written
128     consent.
129          Section 2. Section 13-63-102 is enacted to read:
130          13-63-102. Applicability.
131          This chapter does not:
132          (1) govern, restrict, or apply to data outside of a dealer data system, including data that
133     is generated by a motor vehicle or devices that a consumer connects to a motor vehicle;
134          (2) authorize a franchisee or third party to use data that the franchisee or third party
135     obtains from a person in a manner that is inconsistent with:
136          (a) an agreement with the person; or
137          (b) the purposes for which the person provides the data to the franchisee or third party;
138     or
139          (3) except as is necessary to fulfill a franchisee's obligation to provide warranty, repair,
140     or service to consumers, grant a franchisee:
141          (a) ownership of motor vehicle diagnostic data; or
142          (b) rights to share or use motor vehicle diagnostic data.
143          Section 3. Section 13-63-201 is enacted to read:
Part 2. Data Protection Regulations

145          13-63-201. Data submissions to franchisors or third parties.
146          (1) A franchisor or third party may not require a franchisee to grant to the franchisor,
147     third party, or person acting on behalf of the franchisor or third party, direct or indirect access
148     to the franchisee's dealer data system.
149          (2) A franchisee may submit or push data or information to a franchisor or third party
150     through an electronic file format or protocol if the electronic file format or protocol:
151          (a) is widely accepted; and

152          (b) complies with:
153          (i) STAR standards; or
154          (ii) other generally accepted standards.
155          Section 4. Section 13-63-202 is enacted to read:
156          13-63-202. Franchisors and third parties -- Prohibitions -- Requirements.
157          (1) A franchisor or third party may not:
158          (a) access, share, sell, copy, use, or transmit protected dealer data without prior express
159     written consent;
160          (b) engage in any act of cyber ransom; or
161          (c) take any action to prohibit or limit a franchisee's ability to protect, store, copy,
162     share, or use protected dealer data, including:
163          (i) imposing a fee for, or other restriction on, the franchisee or authorized integrator:
164          (A) accessing or sharing protected dealer data;
165          (B) writing data to a dealer data system;
166          (C) submitting or pushing data or information to the third party as described in
167     Subsection 13-63-201(2);
168          (ii) prohibiting a third party that satisfies STAR standards or other generally accepted
169     standards, or an authorized integrator, from integrating into the franchisee's dealer data system;
170          (iii) prohibiting an authorized integrator from integrating into the franchisee's dealer
171     data system; or
172          (iv) placing an unreasonable restriction on integration by an authorized integrator.
173          (2) (a) Notwithstanding Subsection (1)(c)(i)(A), a third party may charge a franchisee
174     for the direct cost that a third party incurs in providing access to protected dealer data to a
175     franchisee or authorized integrator, if the third party:
176          (i) discloses the charge to the franchisee; and
177          (ii) provides to the franchisee documentation that the charge represents the actual costs
178     of accessing protected dealer data.
179          (b) If a third party fails to comply with Subsection (2)(a), a charge described in
180     Subsection (2)(a) is a fee prohibited under Subsection (1)(c)(i).
181          (3) (a) A franchisee may unilaterally revoke or amend prior express written consent:
182          (i) with 30 day notice without cause; or

183          (ii) immediately for cause.
184          (b) (i) Except as provided in Subsection (3)(b)(ii), a franchisor may not seek or require
185     prior express written consent as a condition of or factor for consideration or eligibility for a:
186          (A) franchisor program;
187          (B) standard or policy; or
188          (C) benefit to a franchisee.
189          (ii) Notwithstanding Subsection (3)(b)(i), if franchisee program requires delivery of
190     information that is protected dealer data to qualify for the program and receive franchisor
191     program benefits, a franchisee shall provide the information to participate in the franchisor
192     program.
193          (4) Nothing in this section:
194          (a) limits a franchisee's, franchisor's, or third party's obligations:
195          (i) as a service provider; or
196          (ii) under federal, state, or local law, to protect and secure protected dealer data; or
197          (b) prevents a franchisee, franchisor, or third party from discharging the obligations
198     described in Subsection (4)(a).
199          (5) (a) A franchisor or franchisor's selected third party may not require a franchisee to
200     pay a fee for sharing required manufacturer data if the franchisor:
201          (i) requires a franchisee to provide required manufacturer data through a specific third
202     party that the franchisor selects; and
203          (ii) subject to Subsection (5)(b), does not allow the franchisee to submit the required
204     manufacturer data using the franchisee's choice of a third party vendor.
205          (b) Subsection (5)(a)(ii) applies if:
206          (i) the franchisee's data is in a format that is compatible with the format required by the
207     franchisor; and
208          (ii) the third party vendor satisfies the STAR standards or other generally accepted
209     standards.
210          (6) A franchisor may not access, sell, copy, use or transmit, or require a franchisee to
211     share or provide access to protected dealer data, unless:
212          (a) the protected dealer data is required manufacturer data; or
213          (b) the franchisee provides prior express written consent.

214          (7) A franchisor may only use required manufacturer data that the franchisor obtains
215     from a dealer data system for the purposes listed in Subsection 13-63-101(14).
216          (8) (a) A franchisor shall indemnify a franchisee for any claims or damages if:
217          (i) the claims or damages arise from, in violation of this section:
218          (A) accessing or providing access to protected dealer data;
219          (B) using protected dealer data; or
220          (C) disclosing protected dealer data; and
221          (ii) the violation described in Subsection (8)(a)(i) is committed by:
222          (A) the franchisor; or
223          (B) a third party:
224          (I) acting on behalf of the franchisor; and
225          (II) to whom the franchisor has provided the protected dealer data.
226          (b) A franchisee bringing a cause of action against a franchisor for a violation of this
227     section has the burden of proof.
228          (9) Notwithstanding Subsection (6), and except as provided in Section , this chapter
229     does not restrict or limit a franchisor's right to:
230          (a) obtain required manufacturer data;
231          (b) use required manufacturer data for the purposes described in Subsection
232     13-63-101(14); or
233          (c) use or control data that is:
234          (i) proprietary to the franchisor;
235          (ii) created by the franchisor;
236          (iii) obtained from a source other than the franchisee; or
237          (iv) public information.
238          Section 5. Section 13-63-203 is enacted to read:
239          13-63-203. Dealer data vendors -- Authorized integrators -- Requirements.
240          (1) (a) A dealer data vendor shall adopt and make available to a franchisee and
241     authorized integrator a standardized framework for:
242          (i) the exchange, integration, and sharing of data between a dealer data system and an
243     authorized integrator; and
244          (ii) the retrieval of data by an authorized integrator.

245          (b) The standardized framework described in Subsection (1)(a) shall comply with
246     STAR standards or other generally accepted standards.
247          (2) (a) Except as provided in Subsection (2)(b), a dealer data vendor shall provide to an
248     authorized integrator access to open application programming interfaces for the standardized
249     framework described in Subsection (1) that are the reasonable commercial or technical
250     standard for secure data integration.
251          (b) If the open application interfaces described in Subsection (2)(a) are not the
252     reasonable commercial or technical standard for secure data integration, a dealer data vendor
253     may provide to an authorized integrator a similar open access integration method that:
254          (i) provides the same or better access to an authorized integrator as an application
255     programming interface; and
256          (ii) uses the standardized framework described in Subsection (1).
257          (3) A dealer data vendor and an authorized integrator:
258          (a) may access, use, store, or share protected dealer data or any other data from a dealer
259     data system only to the extent allowed in the written agreement with the franchisee;
260          (b) shall, upon a franchisee's request, provide the franchisee with a list of all persons:
261          (i) with whom the dealer data vendor or authorized integrator is sharing, or has shared,
262     protected dealer data; or
263          (ii) to whom the dealer data vendor or authorized integrator has allowed or is allowing
264     access to protected dealer data; and
265          (c) shall allow a franchisee to audit the dealer data vendor's or authorized integrator's
266     access to and use of protected dealer data.
267          (4) A franchisee may terminate an agreement between a dealer data vendor or
268     authorized integrator and a franchisee relating to access to, sharing of, selling of, copying,
269     using, or transmitting protected dealer data upon 90 days' notice.
270          (5) (a) If a dealer data vendor or authorized integrator receives a franchisee's notice
271     described in Subsection (4), the dealer data vendor or authorized integrator shall ensure a
272     secure transition of all protected dealer data to a successor dealer data vendor or successor
273     authorized integrator.
274          (b) In carrying out the dealer data vendor's or authorized integrator's duties under
275     Subsection (5)(a), a dealer data vendor or authorized integrator shall:

276          (i) provide access to or an electronic copy of all protected dealer data and all other data
277     stored in the dealer data system in a:
278          (A) commercially reasonable time; and
279          (B) format that the successor dealer data vendor or successor authorized integrator can
280     access and use;
281          (ii) before the agreement terminates, delete or return to the franchisee all protected
282     dealer data pursuant to the franchisee's written directions.