2
3
4
5
6
7 LONG TITLE
8 General Description:
9 This bill enacts provisions related to motor vehicle consumer data protection.
10 Highlighted Provisions:
11 This bill:
12 ▸ enacts provisions related to storing, sharing, and accessing motor vehicle consumer
13 data; and
14 ▸ defines terms.
15 Money Appropriated in this Bill:
16 None
17 Other Special Clauses:
18 None
19 Utah Code Sections Affected:
20 ENACTS:
21 13-63-101, Utah Code Annotated 1953
22 13-63-102, Utah Code Annotated 1953
23 13-63-201, Utah Code Annotated 1953
24 13-63-202, Utah Code Annotated 1953
25 13-63-203, Utah Code Annotated 1953
26
27 Be it enacted by the Legislature of the state of Utah:
28 Section 1. Section 13-63-101 is enacted to read:
29
30
31 13-63-101. Definitions.
32 As used in this chapter:
33 (1) "Authorized integrator" means a third party with whom a franchisee enters into a
34 contract to perform a specific function for a franchisee that allows the third party to access
35 protected dealer data or to write data to a dealer data system, or both, to carry out the specified
36 function.
37 (2) "Cyber ransom" means to encrypt, restrict, or prohibit or threaten or attempt to
38 encrypt, restrict, or prohibit a franchisee's or a franchisee's authorized integrator's access to
39 protected dealer data for monetary gain.
40 (3) (a) "Dealer data system" means a software, hardware, or firmware system that is
41 owned, leased, or licensed by a franchisee, that includes a system of web-based applications,
42 computer software, or computer hardware, whether located at the franchisee's dealership or
43 hosted remotely, and that stores or provides access to protected dealer data.
44 (b) "Dealer data system" includes dealership management systems and consumer
45 relations management systems.
46 (4) "Dealer data vendor" means a dealer management system provider, consumer
47 relationship management system provider, or other vendor providing similar services that
48 stores protected dealer data pursuant to a contract with the franchisee.
49 (5) "Dealership" means the same as that term is defined in Section 13-14-102.
50 (6) "Fee" means a charge for allowing access to protected dealer data beyond any direct
51 costs incurred by a third party in providing protected dealer data access to an authorized
52 integrator or allowing an authorized integrator to write data to a dealer data system.
53 (7) "Franchisee" means the same as that term is defined in Section 13-14-102.
54 (8) "Franchisee program" means a bonus, incentive, rebate, or other payment program
55 that a franchisor offers to a franchisee.
56 (9) "Franchisor" means the same as that term is defined in Section 13-14-102.
57 (10) "Manufacturer" means a manufacturer of new motor vehicles.
58 (11) "Other generally accepted standards" means security standards that are at least as
59 comprehensive as STAR standards.
60 (12) "Prior express written consent" means a franchisee's express written consent:
61 (a) in a document separate from any other:
62 (i) consent;
63 (ii) contract;
64 (iii) franchise agreement; or
65 (iv) other writing; and
66 (b) that contains:
67 (i) the franchisee's consent to data sharing and identification of all parties with whom
68 the data may be shared;
69 (ii) all details that the franchisee requires relating to the scope and nature of the data to
70 be shared, including the data fields and the duration for which the sharing is authorized; and
71 (iii) all provisions and restrictions that are required under federal law to allow sharing
72 the data.
73 (13) "Protected dealer data" means:
74 (a) personal, financial, or other data relating to a consumer that:
75 (i) (A) a consumer provides to a franchisee; or
76 (B) a franchisee otherwise obtains; and
77 (ii) is stored in the franchisee's dealer data system;
78 (b) motor vehicle diagnostic data that is stored in a dealer data system; and
79 (c) other data that relates to a franchisee's business operations in the franchisee's dealer
80 data system.
81 (14) (a) "Required manufacturer data" means data that:
82 (i) a manufacturer is required to obtain under federal or state law;
83 (ii) is required to complete or verify a transaction between the franchisee and the
84 manufacturer;
85 (iii) is motor vehicle diagnostic data; or
86 (iv) is reasonably necessary for:
87 (A) a safety, recall, or other legal notice obligation;
88 (B) the sale and delivery of a new motor vehicle or certified used motor vehicle to a
89 consumer;
90 (C) the validation and payment of consumer or franchisee incentives;
91 (D) claims for franchisee-supplied services relating to warranty parts or repairs;
92 (E) the evaluation of franchisee performance, including without limitation the
93 evaluation of the franchisee's monthly financial statements and sales or service, consumer
94 satisfaction with the franchisee through direct consumer contact or consumer surveys;
95 (F) franchisee and market analytics;
96 (G) the identification of the franchisee that sold or leased a specific motor vehicle and
97 the date of the transaction;
98 (H) marketing purposes designed for the benefit of or to direct leads to franchisees ; or
99 (I) the development, evaluation, or improvement of the manufacturer's products or
100 services.
101 (b) "Required manufacturer data" does not include a consumer's financial information:
102 (i) on the consumer's credit application; or
103 (ii) a franchisee's individualized notes about a consumer that are not related to a
104 transaction.
105 (15) "STAR standards" means the current, applicable security standards published by
106 the Standards for Technology in Automotive Retail.
107 (16) (a) "Third party" means a person other than a franchisee.
108 (b) "Third party" includes:
109 (i) a service provider; and
110 (ii) a vendor, including a dealer data vendor and authorized integrator.
111 (c) "Third party" does not include:
112 (i) a governmental entity acting pursuant to federal, state, or local law;
113 (ii) a person acting pursuant to a valid court order; or
114 (iii) a manufacturer.
115 (17) "Unreasonable restriction" means:
116 (a) an unreasonable limitation or condition on the scope or nature of the data that is
117 shared with an authorized integrator;
118 (b) an unreasonable limitation or condition on the ability of an authorized integrator to
119 write data to a dealer data system;
120 (c) an unreasonable limitation or condition on a third party that accesses or shares
121 protected dealer data or that writes data to a dealer data system;
122 (d) requiring unreasonable access to a third party's sensitive, competitive, or other
123 confidential business information as a condition for accessing protected dealer data or sharing
124 protected dealer data with an authorized integrator;
125 (e) prohibiting or limiting a franchisee's ability to store, copy, securely share, or use
126 protected dealer data outside of the dealer data system in any manner and for any reason;
127 (f) allowing access to or accessing protected dealer data without prior express written
128 consent.
129 Section 2. Section 13-63-102 is enacted to read:
130 13-63-102. Applicability.
131 This chapter does not:
132 (1) govern, restrict, or apply to data outside of a dealer data system, including data that
133 is generated by a motor vehicle or devices that a consumer connects to a motor vehicle;
134 (2) authorize a franchisee or third party to use data that the franchisee or third party
135 obtains from a person in a manner that is inconsistent with:
136 (a) an agreement with the person; or
137 (b) the purposes for which the person provides the data to the franchisee or third party;
138 or
139 (3) except as is necessary to fulfill a franchisee's obligation to provide warranty, repair,
140 or service to consumers, grant a franchisee:
141 (a) ownership of motor vehicle diagnostic data; or
142 (b) rights to share or use motor vehicle diagnostic data.
143 Section 3. Section 13-63-201 is enacted to read:
144
145 13-63-201. Data submissions to franchisors or third parties.
146 (1) A franchisor or third party may not require a franchisee to grant to the franchisor,
147 third party, or person acting on behalf of the franchisor or third party, direct or indirect access
148 to the franchisee's dealer data system.
149 (2) A franchisee may submit or push data or information to a franchisor or third party
150 through an electronic file format or protocol if the electronic file format or protocol:
151 (a) is widely accepted; and
152 (b) complies with:
153 (i) STAR standards; or
154 (ii) other generally accepted standards.
155 Section 4. Section 13-63-202 is enacted to read:
156 13-63-202. Franchisors and third parties -- Prohibitions -- Requirements.
157 (1) A franchisor or third party may not:
158 (a) access, share, sell, copy, use, or transmit protected dealer data without prior express
159 written consent;
160 (b) engage in any act of cyber ransom; or
161 (c) take any action to prohibit or limit a franchisee's ability to protect, store, copy,
162 share, or use protected dealer data, including:
163 (i) imposing a fee for, or other restriction on, the franchisee or authorized integrator:
164 (A) accessing or sharing protected dealer data;
165 (B) writing data to a dealer data system;
166 (C) submitting or pushing data or information to the third party as described in
167 Subsection 13-63-201(2);
168 (ii) prohibiting a third party that satisfies STAR standards or other generally accepted
169 standards, or an authorized integrator, from integrating into the franchisee's dealer data system;
170 (iii) prohibiting an authorized integrator from integrating into the franchisee's dealer
171 data system; or
172 (iv) placing an unreasonable restriction on integration by an authorized integrator.
173 (2) (a) Notwithstanding Subsection (1)(c)(i)(A), a third party may charge a franchisee
174 for the direct cost that a third party incurs in providing access to protected dealer data to a
175 franchisee or authorized integrator, if the third party:
176 (i) discloses the charge to the franchisee; and
177 (ii) provides to the franchisee documentation that the charge represents the actual costs
178 of accessing protected dealer data.
179 (b) If a third party fails to comply with Subsection (2)(a), a charge described in
180 Subsection (2)(a) is a fee prohibited under Subsection (1)(c)(i).
181 (3) (a) A franchisee may unilaterally revoke or amend prior express written consent:
182 (i) with 30 day notice without cause; or
183 (ii) immediately for cause.
184 (b) (i) Except as provided in Subsection (3)(b)(ii), a franchisor may not seek or require
185 prior express written consent as a condition of or factor for consideration or eligibility for a:
186 (A) franchisor program;
187 (B) standard or policy; or
188 (C) benefit to a franchisee.
189 (ii) Notwithstanding Subsection (3)(b)(i), if franchisee program requires delivery of
190 information that is protected dealer data to qualify for the program and receive franchisor
191 program benefits, a franchisee shall provide the information to participate in the franchisor
192 program.
193 (4) Nothing in this section:
194 (a) limits a franchisee's, franchisor's, or third party's obligations:
195 (i) as a service provider; or
196 (ii) under federal, state, or local law, to protect and secure protected dealer data; or
197 (b) prevents a franchisee, franchisor, or third party from discharging the obligations
198 described in Subsection (4)(a).
199 (5) (a) A franchisor or franchisor's selected third party may not require a franchisee to
200 pay a fee for sharing required manufacturer data if the franchisor:
201 (i) requires a franchisee to provide required manufacturer data through a specific third
202 party that the franchisor selects; and
203 (ii) subject to Subsection (5)(b), does not allow the franchisee to submit the required
204 manufacturer data using the franchisee's choice of a third party vendor.
205 (b) Subsection (5)(a)(ii) applies if:
206 (i) the franchisee's data is in a format that is compatible with the format required by the
207 franchisor; and
208 (ii) the third party vendor satisfies the STAR standards or other generally accepted
209 standards.
210 (6) A franchisor may not access, sell, copy, use or transmit, or require a franchisee to
211 share or provide access to protected dealer data, unless:
212 (a) the protected dealer data is required manufacturer data; or
213 (b) the franchisee provides prior express written consent.
214 (7) A franchisor may only use required manufacturer data that the franchisor obtains
215 from a dealer data system for the purposes listed in Subsection 13-63-101(14).
216 (8) (a) A franchisor shall indemnify a franchisee for any claims or damages if:
217 (i) the claims or damages arise from, in violation of this section:
218 (A) accessing or providing access to protected dealer data;
219 (B) using protected dealer data; or
220 (C) disclosing protected dealer data; and
221 (ii) the violation described in Subsection (8)(a)(i) is committed by:
222 (A) the franchisor; or
223 (B) a third party:
224 (I) acting on behalf of the franchisor; and
225 (II) to whom the franchisor has provided the protected dealer data.
226 (b) A franchisee bringing a cause of action against a franchisor for a violation of this
227 section has the burden of proof.
228 (9) Notwithstanding Subsection (6), and except as provided in Section , this chapter
229 does not restrict or limit a franchisor's right to:
230 (a) obtain required manufacturer data;
231 (b) use required manufacturer data for the purposes described in Subsection
232 13-63-101(14); or
233 (c) use or control data that is:
234 (i) proprietary to the franchisor;
235 (ii) created by the franchisor;
236 (iii) obtained from a source other than the franchisee; or
237 (iv) public information.
238 Section 5. Section 13-63-203 is enacted to read:
239 13-63-203. Dealer data vendors -- Authorized integrators -- Requirements.
240 (1) (a) A dealer data vendor shall adopt and make available to a franchisee and
241 authorized integrator a standardized framework for:
242 (i) the exchange, integration, and sharing of data between a dealer data system and an
243 authorized integrator; and
244 (ii) the retrieval of data by an authorized integrator.
245 (b) The standardized framework described in Subsection (1)(a) shall comply with
246 STAR standards or other generally accepted standards.
247 (2) (a) Except as provided in Subsection (2)(b), a dealer data vendor shall provide to an
248 authorized integrator access to open application programming interfaces for the standardized
249 framework described in Subsection (1) that are the reasonable commercial or technical
250 standard for secure data integration.
251 (b) If the open application interfaces described in Subsection (2)(a) are not the
252 reasonable commercial or technical standard for secure data integration, a dealer data vendor
253 may provide to an authorized integrator a similar open access integration method that:
254 (i) provides the same or better access to an authorized integrator as an application
255 programming interface; and
256 (ii) uses the standardized framework described in Subsection (1).
257 (3) A dealer data vendor and an authorized integrator:
258 (a) may access, use, store, or share protected dealer data or any other data from a dealer
259 data system only to the extent allowed in the written agreement with the franchisee;
260 (b) shall, upon a franchisee's request, provide the franchisee with a list of all persons:
261 (i) with whom the dealer data vendor or authorized integrator is sharing, or has shared,
262 protected dealer data; or
263 (ii) to whom the dealer data vendor or authorized integrator has allowed or is allowing
264 access to protected dealer data; and
265 (c) shall allow a franchisee to audit the dealer data vendor's or authorized integrator's
266 access to and use of protected dealer data.
267 (4) A franchisee may terminate an agreement between a dealer data vendor or
268 authorized integrator and a franchisee relating to access to, sharing of, selling of, copying,
269 using, or transmitting protected dealer data upon 90 days' notice.
270 (5) (a) If a dealer data vendor or authorized integrator receives a franchisee's notice
271 described in Subsection (4), the dealer data vendor or authorized integrator shall ensure a
272 secure transition of all protected dealer data to a successor dealer data vendor or successor
273 authorized integrator.
274 (b) In carrying out the dealer data vendor's or authorized integrator's duties under
275 Subsection (5)(a), a dealer data vendor or authorized integrator shall:
276 (i) provide access to or an electronic copy of all protected dealer data and all other data
277 stored in the dealer data system in a:
278 (A) commercially reasonable time; and
279 (B) format that the successor dealer data vendor or successor authorized integrator can
280 access and use;
281 (ii) before the agreement terminates, delete or return to the franchisee all protected
282 dealer data pursuant to the franchisee's written directions.