§17A-6A-15a. Dealer data, obligation of manufacturer, vendors, suppliers and others; consent to access dealership information; unlawful activities; indemnification of dealer.

(a) Except as expressly authorized in this section, a manufacturer or distributor cannot require a motor vehicle dealer to provide its customer information to the manufacturer or distributor unless necessary for the sale and delivery of a new motor vehicle to a consumer, to validate and pay consumer or dealer incentives, for manufacturer’s marketing purposes, for evaluation of dealer performance, for analytics, or to support claims submitted by the new motor vehicle dealer for reimbursement for warranty parts or repairs. Nothing in this section shall limit the manufacturer’s ability to require or use customer information to satisfy any safety or recall notice obligation or other legal obligation.

(b) The dealer is only required to provide the customer information to the extent lawfully permissible, and to the extent the requested information relates solely to specific program requirements or goals associated with the manufacturer’s or distributor’s own vehicle makes. A manufacturer, factory branch, distributor, distributor branch, dealer, data systems vendor, or any third party acting on behalf of any manufacturer, factory branch, distributor, distributor branch or dealer or data systems vendor may not prohibit a dealer from providing a means to regularly and continually monitor, or conduct an audit of, the specific data accessed from or written to the dealer’s data systems and from complying with applicable state and federal laws and any rules or regulations promulgated thereunder. These provisions do not impose an obligation on a manufacturer, factory branch, distributor, distributor branch, dealer, vendor, or any third party acting on behalf of any manufacturer, factory branch, distributor, distributor branch, dealer, or data systems vendor to provide that capability.

(c) A manufacturer, factory branch, distributor, distributor branch, dealer, data systems vendor, or any third party acting on behalf of any manufacturer, factory branch, distributor, distributor branch or dealer, or data systems vendor, may not provide access to customer or dealership information maintained in a dealer data systems used by a motor vehicle dealer located in this state, other than a subsidiary or affiliate of the manufacturer factory branch, distributor or distributor branch without first obtaining the dealer’s prior express written consent and agreement, revocable by the dealer upon 10 business days written notice, to provide the access.

(d) Upon a written request from a motor vehicle dealer, the manufacturer, factory branch, distributor, distributor branch, dealer, or data systems vendor, or any third party acting on behalf of or through any manufacturer, factory branch, distributor, distributor branch or dealer data systems vendor shall provide to the dealer a written list of all specific third parties other than a subsidiary or affiliate of the manufacturer, factory branch, distributor or distributor branch to whom any data obtained from the dealer has actually been provided within the 12 month period prior to date of dealer’s written request. If requested by the dealer, the list shall further describe the scope and specific fields of the data provided. The consent does not change the person’s obligations to comply with the terms of this section and any additional state or federal laws, and any rules or regulations promulgated thereunder, applicable to them with respect to the access.

(e) A manufacturer, factory branch, distributor, distributor branch, dealer, data systems vendor, or any third party acting on behalf of or through any dealer, or data systems vendor, having electronic access to customer or motor vehicle dealer data in a dealership data system used by a motor vehicle dealer located in this state shall provide notice in a reasonable timely manner to the dealer of any security breach of dealership or customer data obtained through the access.

(f) A manufacturer or distributor or a third party acting on behalf of a manufacturer or distributor may not require a dealer to provide any customer information: Any individual who is not a customer of such manufacturer’s or distributor’s own vehicle makes; for any purpose other than for reasonable marketing purposes on behalf of that dealer, market research, consumer surveys, market analysis, or dealership performance analysis; if sharing that information would not be permissible under local, state, or federal law; except to the extent the requested information relates solely to specific program requirements or goals associated with such manufacturer’s or distributor’s own vehicle makes; that is general customer information or other information related to the dealer, unless the requested information can be provided in a manner consistent with dealer’s current privacy policies and Gramm-Leach-Bliley Act privacy notice, a dealer may not be required to amend that notice to accommodate data sharing with the manufacturer or distributor.

(g) As used in this section:

(1) “Authorized Integrator” means any third party with whom a dealer has entered into a written contract to perform a specific function for a dealer that permits the third party to access protected dealer data and/or to write data to a dealer data system to carry out the specified function (the “authorized integrator contract”).

(2) “Dealer” means a new motor vehicle dealer as defined by §17A-6A-3(11) of this code and any authorized dealer personnel.

(3) “Dealer data system” means any software, hardware, or firmware used by a dealer in its business operations to store, process, or maintain protected dealer data.

(4) “Dealer data systems vendor” means any dealer management system provider, customer relationship management system provider, or other vendor that permissibly stores protected dealer data pursuant to a written contract with the dealer (“dealer data systems vendor contract”).

(5) “Data access overcharge” means any charge to a dealer or authorized integrator for integration beyond reimbursement for any direct costs incurred by the dealer data systems vendor for such Integration. If a dealer data systems vendor chooses to seek reimbursement from any dealer or authorized integrator for such direct costs, the direct costs must be disclosed to the dealer, and justified by documentary evidence of the costs associated with such Integration or it will be considered a data access overcharge.

(6) “Integration” means access to protected dealer data in a dealer’s dealer data system by an authorized integrator, or an authorized integrator writing data to a dealer’s dealer data system. Integration does not require access to any copyrighted material but must allow for access to all protected dealer data. Integration may be accomplished by any commercially reasonable means that do not violate this section, but all dealer data vendors must include an option to integrate via a secure open application programming interface (API), which must be made available to dealers and authorized integrators. In the event that APIs are no longer the reasonable commercial or technical standard for secure data integration, a similar open access integration method may be provided, to the extent it provides the same or better secure access to dealers and authorized Integrators as an API.

(7) “Prior express written consent” means written consent provided by the dealer that is contained in a document separate from any other consent, contract, franchise agreement, or other writing that specifically outlines the dealer’s consent for the authorized Integrator to obtain the dealer data, as well as the scope and duration of that consent. This consent may be unilaterally revoked by the dealer: (A) without cause, upon 30 days’ notice, and (B) immediately for cause.

(8) “Protected dealer data” means any of the following data that is stored in a dealer data system:

(A) Personal, financial, or other data pertaining to a consumer, or a consumer’s vehicle that is provided to a dealer by a consumer or otherwise obtained by a dealer: Provided, That this subdivision does not give a new motor vehicle dealer any ownership or rights to share or use the motor vehicle diagnostic data beyond what is necessary to fulfill a dealer’s obligation to provide warranty, repair, or service work to its customers; or

(B) Any other data regarding a dealer’s business operations in that dealer’s dealer data system:

(9) “Secure open API” means an application programming interface that allows authorized integrators to integrate with dealer data systems remotely and securely. The APIs must be “open” in that all required information to Integrate via the API (software development toolkit and any other necessary technical or other information) must be made available by a dealer data systems vendor to any authorized integrator upon request by a dealer. The secure open API must include all relevant endpoints to allow for access to all protected dealer data, or as are needed to integrate with protected dealer data, and must provide granularity and control necessary for dealers and authorized integrators to Integrate the data necessary under the authorized integrator contract. “Open” does not mean that the API must be available publicly or at no cost to an authorized integrator, however no data access overcharge may be assessed in connection with a secure open API.

(10) “Third party” includes service providers, vendors, including dealer data systems vendors and authorized integrators, and any other individual or entity other than the dealer. Third party does not include any manufacturer, factory branch, distributor, distributor branch or governmental entity acting pursuant to federal, state, or local law, or any third party acting pursuant to a valid court order.

(h) Prohibited Action

 1. A third party may not:

(A) Access, share, sell, copy, use, or transmit protected dealer data from a dealer data system without the express written consent of a dealer;

(B) Take any action, by contract, by technical means, or otherwise, that would prohibit or limit a dealer’s ability to protect, store, copy, share, or use any protected dealer data. This includes, but is not limited to:

(i) Imposing any data access overcharges or other restrictions of any kind on the dealer or any authorized integrator for integration;

(ii) Prohibiting any third party that the dealer has identified as one of its authorized integrators from integrating with that dealer’s dealer data system;

(iii) Place unreasonable restrictions on integration by any authorized integrator or other third party that the dealer wishes to be an authorized integrator. Examples of unreasonable restrictions include, but are not limited to:

(I) Unreasonable restrictions on the scope or nature of the data shared with an authorized integrator;

(II) Unreasonable restrictions on the ability of the authorized integrator to write data to a dealer data system;

(III) Unreasonable restrictions or conditions on a third party accessing or sharing protected dealer data, or writing data to a dealer data system; and

(IV) Requiring unreasonable access to sensitive, competitive, or other confidential business information of a third party as a condition for access to protected dealer data or sharing protected dealer data with an authorized integrator;

(iv) Prohibiting or limiting a dealer’s ability to store, copy, securely share or use protected dealer data outside the dealer data system in any manner and for any reason; or

(v) Permitting access to or accessing protected dealer data without express written consent by the dealer.

(i) Nothing in this section shall be interpreted to prevent any dealer or third party from discharging its obligations as a service provider under an agreement or otherwise under federal, state, or local law to protect and secure protected dealer data, or to otherwise limit those responsibilities.

(j) A dealer data systems vendor or authorized integrator is not responsible for any action taken directly by the dealer, or for any action it takes in appropriately following the written instructions of the dealer, to the extent that such action prevents it from meeting any legal obligation regarding the protection of protected dealer data or results in any liability as a consequence of such actions by the dealer.

(k) A dealer is not responsible for any action taken directly by any of its dealer data systems vendors or authorized integrators, or for any action it takes in appropriately following the written instructions of any of its dealer data systems vendors or authorized integrators, to the extent that such action prevents it from meeting any legal obligation regarding the protection of protected dealer data or results in any liability as a consequence of such actions by the dealer data systems vendor or authorized integrator.

(l) Additional responsibilities and restrictions

(1) All dealer data systems vendors must adopt and make available a standardized Integration framework (use of the STAR Standards or a standard compatible with the STAR standards shall be deemed to be in compliance with this requirement) and allow for integration via secure open APIs to authorized integrators. In the event that APIs are no longer the reasonable commercial or technical standard for secure data integration, a similar open access integration method may be provided, to the extent it provides the same or better secure Integration to dealers and authorized integrators as a secure open API.

(2) All dealer data systems vendors and authorized integrators:

(A) May Integrate, or otherwise access, use, store, or share protected dealer data, only as outlined in, and to the extent permitted by their dealer data systems vendor contract or authorized integrator contract;

(B) Must make any dealer data systems vendor contract or authorized integrator contract terminable upon no more than 90 days notice from the dealer;

(C) Must, upon notice of the dealer’s intent to terminate its dealer data systems vendor contract or authorized integrator contract, in order to prevent any risk of consumer harm or inconvenience, work to ensure a secure transition of all protected dealer data to a successor dealer data systems vendor or authorized integrator. This includes, but is not limited to:

(i) Providing unrestricted access to all protected dealer data and all other data stored in the dealer data system in a commercially reasonable time and format that a successor dealer data systems vendor or authorized integrator can access and use; and

(ii) Deleting or returning to the dealer all protected dealer data prior to termination of the contract pursuant to any written directions of the dealer;

(iii) Providing a dealer, upon request, with a listing of all entities with whom it is sharing or has shared protected dealer data, or with whom it has allowed access to protected dealer data; and

(iv) Allowing a dealer to audit the dealer data systems vendor or authorized integrator’s access to and use of any protected dealer data.

(m) Notwithstanding the terms or conditions of any consent, authorization, release, novation, franchise, or other contract or agreement, every manufacturer, factory branch, distributor, distributor branch, dealer, data systems vendor, or any third party acting on behalf of or through a manufacturer, factory branch, distributor, distributor branch or dealer, data systems vendor shall fully indemnify, defend, and hold harmless any dealer or manufacturer, factory branch, distributor or distributor branch from all damages, attorney fees, and costs, other costs and expenses incurred by the dealer from complaints, claims, or actions arising out of manufacturer’s, factory’s branch, distributor’s, distributor’s branch, dealer data systems vendors, or any third party for its willful, negligent, or impermissible use or disclosure of dealer data or customer data or other sensitive information in the dealer’s data system. The indemnification includes, but is not limited to, judgments, settlements, fines, penalties, litigation costs, defense costs, court costs, costs related to the disclosure of security breaches, and attorneys’ fees arising out of complaints, claims, civil, or administrative actions.

(n) The rights conferred on motor vehicle dealers in this section are not waivable and may not be reduced or otherwise modified by any contract or agreement.

(o) This section applies to contracts entered into after the effective date of this section.

(p) If any provision of this section or its application to any person or circumstance is held invalid, the invalidity does not affect other provisions or applications of this section which can be given effect without the invalid provision or application, and to this end the provisions of this section are severable.

(q) A manufacturer, factory branch, distributor, distributor branch, dealer, data management computer systems vendor, or any third party acting on behalf of itself, or through a manufacturer, factory branch, distributor, distributor branch, or dealer data management computer system vendor shall not take an act prejudicial against a new motor vehicle dealer because of a new motor vehicle dealer exercising its rights under this section.