7 LONG TITLE
8 General Description:
9 This bill enacts provisions related to motor vehicle consumer data protection.
10 Highlighted Provisions:
11 This bill:
12 ▸ defines terms; and
13 ▸ enacts provisions related to storing, sharing, and accessing motor vehicle consumer
14 data.
15 Money Appropriated in this Bill:
16 None
17 Other Special Clauses:
18 None
19 Utah Code Sections Affected:
20 ENACTS:
21 13-70-101, Utah Code Annotated 1953
22 13-70-102, Utah Code Annotated 1953
23 13-70-201, Utah Code Annotated 1953
24 13-70-202, Utah Code Annotated 1953
25 13-70-203, Utah Code Annotated 1953
26
27 Be it enacted by the Legislature of the state of Utah:
28 Section 1. Section 13-70-101 is enacted to read:
29
30
31 13-70-101. Definitions.
32 As used in this chapter:
33 (1) "Authorized integrator" means a third party with whom a franchisee enters into a
34 contract to perform a specific function for a franchisee that allows the third party to access
35 protected dealer data or to write data to a dealer data system, or both, to carry out the specified
36 function.
37 (2) "Consumer data" means non-public personal information defined in 15 U.S.C. Sec.
38 6809(4) as it existed on January 1, 2024.
39 (3) "Cyber ransom" means to encrypt, restrict, or prohibit, or to threaten or attempt to
40 encrypt, restrict, or prohibit a franchisee's or a franchisee's authorized integrator's access to
41 protected dealer data or other dealer data to obtain payment not agreed to by the franchisee or
42 the franchisee's authorized integrator in a written contract for services or goods.
43 (4) (a) "Dealer data system" means a software, hardware, or firmware system that is
44 owned, leased, or licensed by a franchisee, that includes a system of web-based applications,
45 computer software, or computer hardware, whether located at the franchisee's dealership or
46 hosted remotely, and that stores or provides access to protected dealer data.
47 (b) "Dealer data system" means a dealership management system or a consumer
48 relationship management system.
49 (5) "Dealer data vendor" means a third party dealer management system provider,
50 consumer relationship management system provider, or third party vendor providing similar
51 services that store protected dealer data pursuant to a contract with the franchisee.
52 (6) "Dealership" means the same as that term is defined in Section 13-14-102.
53 (7) "Fee" means payment for access to protected dealer data which is in addition to
54 charges written in an executed contract for goods or services.
55 (8) "Franchisee" means the same as that term is defined in Section 13-14-102.
56 (9) "Franchisee program" means a bonus, incentive, rebate, or other payment program
57 that a franchisor offers to a franchisee.
58 (10) "Franchisor" means the same as that term is defined in Section 13-14-102.
59 (11) (a) "Manufacturer" means a manufacturer of new motor vehicles.
60 (b) "Manufacturer" does not include a manufacturer acting in the capacity of a vendor,
61 service provider, dealer data vendor, or an affiliate or subsidiary of a manufacturer operating as
62 a vendor, service provider, or a dealer data vendor.
63 (c) "Manufacturer" does not include a manufacturer that does not have a franchisee in
64 the state.
65 (12) "Other generally accepted standards" means security standards that are at least as
66 comprehensive as STAR standards.
67 (13) "Prior express written consent" means a franchisee's express written consent to
68 protected dealer data sharing that:
69 (a) is in a document separate from any other:
70 (i) consent;
71 (ii) contract;
72 (iii) franchise agreement; or
73 (iv) writing;
74 (b) identifies all parties with whom the protected dealer data may be shared; and
75 (c) contains:
76 (i) all details that the franchisee requires relating to the scope and nature of the
77 protected dealer data to be shared, including the data fields and the duration for which the
78 sharing is authorized; and
79 (ii) all provisions and restrictions that are required under federal law to allow sharing
80 the protected dealer data.
81 (14) (a) "Protected dealer data" means:
82 (i) consumer data that:
83 (A) (I) a consumer provides to a franchisee; or
84 (II) a franchisee otherwise obtains; and
85 (B) is stored in the franchisee's dealer data system;
86 (ii) other data that relates to a franchisee's daily business operations and is stored in the
87 franchisee's dealer data system; and
88 (iii) motor vehicle diagnostic data.
89 (b) "Protected dealer data" does not include data that:
90 (i) is otherwise publicly available; or
91 (ii) a franchisor or third party obtains through another source.
92 (15) (a) "Required manufacturer data" means data that:
93 (i) a manufacturer is required to obtain under federal or state law;
94 (ii) is required to complete or verify a transaction between the franchisee and the
95 manufacturer;
96 (iii) is motor vehicle diagnostic data; or
97 (iv) is reasonably necessary for:
98 (A) a safety notice, recall notice, manufacturer field action, or other legal notice
99 obligation relating to the repair, service, and update of a motor vehicle;
100 (B) the sale and delivery of a new motor vehicle or certified used motor vehicle to a
101 consumer, including necessary data for the vehicle manufacturer to activate services purchased
102 by the consumer;
103 (C) the validation and payment of consumer or franchisee incentives;
104 (D) claims for franchisee-supplied services relating to warranty parts or repairs;
105 (E) the evaluation of franchisee performance, including the evaluation of the
106 franchisee's monthly financial statements and sales or service, consumer satisfaction with the
107 franchisee through direct consumer contact, or consumer surveys;
108 (F) franchisee and market analytics;
109 (G) the identification of the franchisee that sold or leased a specific motor vehicle and
110 the date of the transaction;
111 (H) marketing purposes designed for the benefit of franchisees, or to direct leads to the
112 franchisee providing the dealer protected data to the franchisor;
113 (I) the development, evaluation, or improvement of the manufacturer's products or
114 services; or
115 (J) the daily operational interactions of the franchisee with the manufacturer or other
116 franchisees through applications hosted on the manufacturer's dealer electronic
117 communications system.
118 (b) "Required manufacturer data" does not include:
119 (i) consumer data on the consumer's credit application; or
120 (ii) a franchisee's individualized notes about a consumer that are not related to a
121 transaction.
122 (16) "Service provider" means a person that processes protected dealer data on behalf
123 of a franchisee and that receives, from or on behalf of the franchisee, consumer protected
124 dealer data for a business purpose pursuant to a written contract, if the contract prohibits the
125 person from:
126 (a) selling or sharing the protected dealer data;
127 (b) retaining, using, or disclosing the protected dealer data for any purpose other than
128 for the business purposes specified in the contract for the franchisee, including retaining, using,
129 or disclosing the protected dealer data for a commercial purpose other than the business
130 purposes specified in the contract with the franchisee, or as permitted under this title;
131 (c) retaining, using, or disclosing the protected dealer data outside of the direct
132 business relationship between the service provider and the franchisee; or
133 (d) combining the protected dealer data that the service provider receives from, or on
134 behalf of, the franchisee with personal information that the service provider receives from, or
135 on behalf of, another person or persons, or collects from the service provider's own interaction
136 with the consumer.
137 (17) "STAR standards" means the current, applicable security standards published by
138 the Standards for Technology in Automotive Retail.
139 (18) (a) "Third party" means a person other than a franchisee.
140 (b) "Third party" includes:
141 (i) a service provider;
142 (ii) a vendor, including a dealer data vendor and authorized integrator;
143 (iii) a manufacturer acting in the capacity of a vendor, service provider, or dealer data
144 vendor; or
145 (iv) an affiliate of a manufacturer described in Subsection (18)(b)(iii).
146 (c) "Third party" does not include:
147 (i) a governmental entity acting pursuant to federal, state, or local law;
148 (ii) a person acting pursuant to a valid court order;
149 (iii) a manufacturer, not acting in the capacity of a vendor, service provider, or dealer
150 data vendor; or
151 (iv) an affiliate of a manufacturer described in Subsection (18)(c)(iii).
152 (19) "Vendor" means a person to whom a franchisee makes available protected dealer
153 data for a business purpose, pursuant to a written contract with the franchisee, if the contract:
154 (a) prohibits the vendor from:
155 (i) selling or sharing the protected dealer data;
156 (ii) retaining, using, or disclosing the protected dealer data for any purpose other than
157 for the business purposes specified in the contract, including retaining, using, or disclosing the
158 protected dealer data for a commercial purpose other than the business purposes specified in
159 the contract, or as otherwise permitted under this title;
160 (iii) retaining, using, or disclosing the protected dealer data outside of the direct
161 business relationship between the vendor and the franchisee; and
162 (iv) combining the protected dealer data that the vendor receives pursuant to a written
163 contract with the franchisee with personal information that the vendor receives from or on
164 behalf of another person or persons, or collects from the vendor's own interaction with the
165 consumer;
166 (b) includes a certification made by the vendor that the vendor understands the
167 restrictions in Subsection (19)(a)(i) and will comply with the restrictions; and
168 (c) permits, subject to agreement with the vendor, the franchisee to monitor the
169 vendor's compliance with the contract through measures, including ongoing manual reviews,
170 automated scans, regular assessments, audits, or other technical and operational testing at least
171 once every 12 months.
172 (20) "Unreasonable restriction" means:
173 (a) an unreasonable limitation or condition on the scope or nature of the data that is
174 shared with an authorized integrator;
175 (b) an unreasonable limitation or condition on the ability of an authorized integrator to
176 write data to a dealer data system;
177 (c) an unreasonable limitation or condition on a third party that accesses or shares
178 protected dealer data or that writes data to a dealer data system;
179 (d) requiring unreasonable access to a franchisor's or a third party's sensitive,
180 competitive, or other confidential business information as a condition for accessing protected
181 dealer data or sharing protected dealer data with an authorized integrator;
182 (e) prohibiting or limiting a franchisee's ability to store, copy, securely share, or use
183 protected dealer data outside of the dealer data system in any manner or for any reason; or
184 (f) allowing access to, or accessing protected dealer data without, the franchisee's prior
185 express written consent.
186 Section 2. Section 13-70-102 is enacted to read:
187 13-70-102. Applicability.
188 This chapter does not:
189 (1) govern, restrict, or apply to data outside of a dealer data system, including data that
190 is generated by a motor vehicle or a device that a consumer connects to a motor vehicle;
191 (2) authorize a franchisee or third party to use data that the franchisee or third party
192 obtains from a person in a manner that is inconsistent with:
193 (a) an agreement with the person; or
194 (b) the purposes for which the person provides the data to the franchisee or third party;
195 or
196 (3) except as is necessary to fulfill a franchisee's obligation to provide warranty, repair,
197 or service to consumers, grant a franchisee:
198 (a) ownership of motor vehicle diagnostic data; or
199 (b) rights to share or use motor vehicle diagnostic data.
200 Section 3. Section 13-70-201 is enacted to read:
201
202 13-70-201. Data submissions to franchisors or third parties.
203 (1) A franchisor or third party may not require a franchisee to grant to the franchisor,
204 third party, or person acting on behalf of the franchisor or third party, direct or indirect access
205 to the franchisee's dealer data system.
206 (2) A franchisee may submit or push data or information to a franchisor or third party
207 through an electronic file format or protocol if the electronic file format or protocol:
208 (a) is widely accepted; and
209 (b) complies with:
210 (i) STAR standards; or
211 (ii) other generally accepted standards.
212 Section 4. Section 13-70-202 is enacted to read:
213 13-70-202. Service provider contracts -- Franchisors and third parties --
214 Prohibitions -- Requirements.
215 (1) (a) A service provider contract may permit the franchisee to monitor the service
216 provider's compliance with the contract through ongoing manual reviews, automated scans,
217 regular assessments, audits, or other technical and operational testing, at least once every 12
218 months.
219 (b) If a service provider or vendor engages another person to assist the service provider
220 or vendor in processing protected dealer data for a business purpose on behalf of the franchisee,
221 or if another person engaged by the service provider or vendor engages a person to assist in
222 processing protected dealer data for that business purpose, the service provider or vendor shall
223 notify the franchisee of that engagement, and the engagement shall be pursuant to a written
224 contract binding the person to observe all the requirements described in Subsection
225 13-70-101(16).
226 (2) A franchisor or third party may not:
227 (a) access, share, sell, copy, use, or transmit protected dealer data without prior express
228 written consent;
229 (b) engage in any act of cyber ransom; or
230 (c) take action to prohibit or limit a franchisee's ability to protect, store, copy, share, or
231 use protected dealer data, including:
232 (i) imposing a fee for, or other restriction on, the franchisee or authorized integrator:
233 (A) accessing or sharing protected dealer data;
234 (B) writing data to a dealer data system; or
235 (C) submitting or pushing data or information to the third party under Subsection
236 13-70-201(2);
237 (ii) unreasonably prohibiting a third party or an authorized integrator that satisfies
238 STAR standards or other generally accepted standards from integrating into the franchisee's
239 dealer data system; or
240 (iii) placing an unreasonable restriction on integration by an authorized integrator or
241 third party.
242 (3) (a) Notwithstanding Subsection (2)(c)(i)(A), a franchisor or a third party may
243 charge a franchisee the franchisor's or third party's actual third party costs, including a
244 reasonable profit margin for providing access to protected dealer data to a franchisee,
245 authorized integrator, or other third party if the franchisor or third party:
246 (i) discloses the charge to the franchisee in writing; and
247 (ii) upon written request by the franchisee, provides to the franchisee documentation
248 that the charges were agreed to in writing by the franchisee or provided for in the contract for
249 services or goods.
250 (b) If a third party fails to comply with Subsection (3)(a), a charge described in
251 Subsection (3)(a) is a fee prohibited under Subsection (2)(c)(i).
252 (4) (a) A franchisee may unilaterally revoke or amend the prior express written consent
253 described in Subsection (2)(a):
254 (i) with 60 days notice without cause; or
255 (ii) immediately for cause.
256 (b) (i) Except as provided in Subsection (4)(b)(ii), a franchisor may not seek or require
257 prior express written consent as a condition of or factor for consideration or eligibility for a:
258 (A) franchisor program;
259 (B) standard or policy; or
260 (C) benefit to a franchisee.
261 (ii) If a franchisor's program reasonably requires delivery of information that is
262 protected dealer data to qualify for the program and receive franchisor program benefits, a
263 franchisee shall provide the information to participate in the franchisor program.
264 (5) This section does not:
265 (a) limit a franchisee's, franchisor's, or third party's obligations:
266 (i) as a service provider;
267 (ii) under federal, state, or local law, to protect and secure protected dealer data; or
268 (iii) regarding required manufacturer data; and
269 (b) require a franchisor to pay a benefit to a franchisee if the franchisee refuses to
270 provide data reasonably necessary to participate in the franchisor program.
271 (6) A franchisor or franchisor's selected third party may not require a franchisee to pay
272 a fee for sharing required manufacturer data if:
273 (a) the franchisor requires a franchisee to provide required manufacturer data through a
274 specific third party that the franchisor selects;
275 (b) the franchisor does not allow the franchisee to submit the required manufacturer
276 data using the franchisee's choice of a third party vendor;
277 (c) the franchisee's data is in a format that is compatible with the format required by the
278 franchisor; and
279 (d) the third party vendor satisfies the STAR standards or other generally accepted
280 standards.
281 (7) A franchisor may not access, sell, copy, use, transmit, or require a franchisee to
282 share or provide access to protected dealer data, unless:
283 (a) the protected dealer data is required manufacturer data; or
284 (b) the franchisee provides prior express written consent.
285 (8) A franchisor may only use required manufacturer data that the franchisor obtains
286 from a dealer data system for the purposes described in Subsection 13-70-101(14).
287 (9) (a) A franchisor, authorized integrator, or other third party shall indemnify a
288 franchisee for any claims or damages if:
289 (i) the claims or damages directly result from a violation of this section by the party
290 from whom the franchisee is seeking indemnification;
291 (ii) the claims or damages directly result from a violation of this section by:
292 (A) a vendor or contractor as an agent acting on behalf of the party from whom the
293 franchisee is seeking indemnification; or
294 (B) a vendor or other service provider who the party from whom the franchisee is
295 seeking indemnification required the franchisee to use; and
296 (iii) the claims or damages result from a violation of this section for:
297 (A) accessing or providing access to protected dealer data;
298 (B) using protected dealer data; or
299 (C) disclosing protected dealer data.
300 (b) A franchisee bringing a cause of action against a franchisor, authorized integrator,
301 or other third party for a violation of this section has the burden of proof.
302 (10) Notwithstanding Subsection (6), this chapter does not restrict or limit a
303 franchisor's right to:
304 (a) access or obtain required manufacturer data;
305 (b) use, share, copy, or transmit required manufacturer data for the purposes described
306 in Subsection 13-70-101(15); or
307 (c) use or control data that is:
308 (i) proprietary to the franchisor;
309 (ii) created by the franchisor;
310 (iii) obtained from a source other than the franchisee; or
311 (iv) public information.
312 Section 5. Section 13-70-203 is enacted to read:
313 13-70-203. Dealer data vendors -- Authorized integrators -- Requirements.
314 (1) (a) A dealer data vendor shall adopt and make available to a franchisee and
315 authorized integrator in a standardized framework:
316 (i) the exchange, integration, and sharing of data between a dealer data system and an
317 authorized integrator; and
318 (ii) the retrieval of data by an authorized integrator.
319 (b) The standardized framework described in Subsection (1)(a) shall comply with
320 STAR standards or other generally accepted standards.
321 (2) (a) Except as provided in Subsection (2)(b), a dealer data vendor shall provide to an
322 authorized integrator access to open application programming interfaces for the standardized
323 framework described in Subsection (1) that meet the reasonable commercial or technical
324 standard for secure data integration.
325 (b) If the open application interfaces described in Subsection (2)(a) do not meet the
326 reasonable commercial or technical standard for secure data integration, a dealer data vendor
327 may provide to an authorized integrator a similar open access integration method that:
328 (i) provides the same or better access to an authorized integrator as an application
329 programming interface; and
330 (ii) uses the standardized framework described in Subsection (1).
331 (3) A dealer data vendor and an authorized integrator:
332 (a) may access, use, store, or share protected dealer data or any other data from a dealer
333 data system only to the extent allowed in the written agreement with the franchisee;
334 (b) shall, upon a franchisee's request, provide the franchisee with a list of all persons:
335 (i) with whom the dealer data vendor or authorized integrator is sharing, or has shared,
336 protected dealer data; or
337 (ii) to whom the dealer data vendor or authorized integrator has allowed or is allowing
338 access to protected dealer data; and
339 (c) shall allow a franchisee to audit the dealer data vendor's or authorized integrator's
340 access to and use of protected dealer data.
341 (4) A franchisee may terminate an agreement between a dealer data vendor or
342 authorized integrator and the franchisee relating to access to, sharing of, selling of, copying,
343 using, or transmitting protected dealer data upon 90 days' notice.
344 (5) (a) If a dealer data vendor or authorized integrator receives a franchisee's notice
345 described in Subsection (4), the dealer data vendor or authorized integrator shall ensure a
346 secure transition of all protected dealer data to a successor dealer data vendor or successor
347 authorized integrator.
348 (b) In fulfilling the dealer data vendor's or authorized integrator's duties under
349 Subsection (5)(a), a dealer data vendor or authorized integrator shall:
350 (i) provide access to or an electronic copy of all protected dealer data and all other data
351 stored in the dealer data system in:
352 (A) a commercially reasonable time; and
353 (B) a format that the successor dealer data vendor or successor authorized integrator
354 can access and use; and
355 (ii) before the agreement terminates, delete or return to the franchisee all protected
356 dealer data pursuant to the franchisee's written directions.
357 Section 6. Effective date.
358 This bill takes effect on May 1, 2024.