28-4653 - Manufacturers and third parties; prohibitions; requirements

28-4653. Manufacturers and third parties; prohibitions; requirements

A. A third party may not do any of the following:

1. Access, share, sell, copy, use or transmit protected dealer data without prior express written consent.

2. Engage in any act of cyber ransom.

3. Take any action by contract, technical means or otherwise to prohibit or limit a dealer's ability to protect, store, copy, share or use protected dealer data, including all of the following:

(a) Imposing any fee or other restriction on the dealer or an authorized integrator for accessing or sharing protected dealer data or for writing data to a dealer data system, including any fee on a dealer that chooses to submit or push data or information to the third party as prescribed in section 28-4652. A third party must disclose a charge to the dealer and justify the charge by documentary evidence of the costs associated with access or the charge will be deemed to be a fee pursuant to this subdivision.

(b) Prohibiting a third party that has satisfied or is compliant with the star standards or other generally accepted standards that are at least as comprehensive as the star standards and that the dealer has identified as one of its authorized integrators from integrating into the dealer's dealer data system or placing an unreasonable restriction on integration by an authorized integrator or other third party that the dealer wishes to be an authorized integrator. For the purposes of this subdivision, "unreasonable restriction" includes:

(i) An unreasonable limitation or condition on the scope or nature of the data that is shared with an authorized integrator.

(ii) An unreasonable limitation or condition on the ability of the authorized integrator to write data to a dealer data system.

(iii) An unreasonable limitation or condition on a third party that accesses or shares protected dealer data or that writes data to a dealer data system.

(iv) Requiring unreasonable access to a third party's sensitive, competitive or other confidential business information as a condition for accessing protected dealer data or sharing protected dealer data with an authorized integrator.

(v) Prohibiting or limiting a dealer's ability to store, copy, securely share or use protected dealer data outside of the dealer data system in any manner and for any reason.

(vi) Allowing access to or accessing protected dealer data without prior express written consent.

B. Prior express written consent may:

1. Be unilaterally revoked or amended by the dealer with thirty days' notice without cause and immediately for cause.

2. Not be sought or required as a condition of or factor for consideration or eligibility for any manufacturer program, standard or policy, including those that offer or relate to a bonus, incentive, rebate or other payment or benefit to a dealer, except that if the bonus, incentive, rebate or other payment program requires the delivery of the information that is protected dealer data to qualify for the program and receive the program benefits, a dealer must supply the information to participate in the program.

C. This section does not prevent a dealer, manufacturer or third party from discharging its obligations as a service provider or otherwise under federal, state or local law to protect and secure protected dealer data or to otherwise limit those responsibilities.

D. Unless a dealer gives prior written consent, a manufacturer may not access, share, sell, copy, use or transmit or require a dealer to share or provide access to protected dealer data beyond the required manufacturer data and may use any required manufacturer data obtained from a dealer data system for the purposes listed in section 28-4651, paragraph 8.

E. A manufacturer may not engage in an act of cyber ransom or take an action by contract, technical means or otherwise to prohibit or limit a dealer's ability to protect, store, copy, share or use protected dealer data, including actions described in subsection A, paragraph 3, subdivision (b) of this section. A manufacturer or a manufacturer's selected third party may not require a dealer to pay a fee for the sharing of required manufacturer data if the manufacturer both:

1. Requires a dealer to provide required manufacturer data through a specific third party that the manufacturer selects.

2. Does not allow the dealer to submit the data using the dealer's choice of a third-party vendor and both of the following apply:

(a) The data is in a format that is compatible with the file format required by the manufacturer.

(b) The third-party vendor satisfies or is in compliance with the star standards or other generally accepted standards that are at least as comprehensive as the star standards.

F. A manufacturer shall indemnify a dealer for any third-party claims asserted against or damages incurred by the dealer to the extent caused by access to, use of or disclosure of protected dealer data in violation of this section by the manufacturer or a third party acting on behalf of a manufacturer to whom the manufacturer has provided the protected dealer data. A dealer bringing a cause of action against a manufacturer for a violation of this section has the burden of proof.

G. Notwithstanding subsection D of this section and except as provided in section 28-4655, this article does not restrict or limit a manufacturer's right to obtain required manufacturer data, use required manufacturer data for the purposes prescribed by subsection D of this section or use or control data that is proprietary to the manufacturer, created by the manufacturer, obtained from a source other than the dealer or that is public information.