Senate Engrossed House Bill
State of Arizona
House of Representatives
First Regular Session
HOUSE BILL 2418
amending title 28, chapter 10, Arizona Revised Statutes, by adding article 10; relating to motor vehicle dealers.
(TEXT OF BILL BEGINS ON NEXT PAGE)
Be it enacted by the Legislature of the State of Arizona:
Section 1. Title 28, chapter 10, Arizona Revised Statutes, is amended by adding article 10, to read:
ARTICLE 10. PROTECTED DATA
In this article, unless the context otherwise requires:
1. "Authorized Integrator” means a Third Party with whom a Dealer enters into a contractual relationship to perform a specific function for a Dealer that allows the Third Party to access Protected Dealer Data or to write data to a Dealer Data System, or both, to carry out the specified function.
2. "Cyber ransom" means to encrypt, restrict or prohibit or threaten or attempt to encrypt, restrict or prohibit a dealer's or a dealer's authorized integrator's access to protected Dealer Data for monetary gain.
3. "Dealer Data System":
(a) means a software, hardware or firmware system that is owned, leased or licensed by a dealer, that includes a system of web‑based applications, computer software or computer hardware, whether located at the motor vehicle dealership or hosted remotely, and that stores or provides access to protected dealer data.
(b) Includes dealership management systems and consumer relations management systems.
4. "Dealer data vendor" means a dealer management system provider, consumer relationship management system provider or other vendor providing similar services that permissibly stores protected dealer data pursuant to a contract with the dealer.
5. "Fee" means a charge for allowing access to Protected Dealer Data beyond any direct costs incurred by the Dealer Data Vendor in providing Protected Dealer Data access to an Authorized Integrator or allowing an Authorized Integrator to write data to a Dealer Data System.
6. "Prior Express Written Consent" means the dealer's express written consent that is contained in a document separate from any other consent, contract, franchise agreement or other writing and that contains:
(a) the Dealer's consent to the data sharing and identification of all parties with whom the data may be shared.
(b) all details that the Dealer requires relating to the scope and nature of the data to be shared, including the data fields and the duration for which the sharing is authorized.
(c) All provisions and restrictions that are required under federal law to allow the sharing.
7. "Protected Dealer Data" means any:
(a) Personal, financial or other data relating to a consumer that a consumer provides to a Dealer or that a Dealer otherwise obtains and that is stored in the Dealer's Dealer Data System.
(b) motor vehicle diagnostic data that is stored in a Dealer Data System. This subdivision does not give a dealer any ownership or rights to share or use the motor vehicle diagnostic data beyond what is necessary to fulfill a dealer's obligation to provide warranty, repair or service work to its consumers.
(c) Other data that relates to a Dealer's business operations in the Dealer's Dealer Data System.
8. "Required Manufacturer Data":
(a) Means data that is required to be obtained by the Manufacturer under federal or state law or to complete or verify a transaction between the Dealer and the Manufacturer.
(b) Includes information that is reasonably necessary for any of the following:
(i) A safety, recall or other legal notice obligation.
(ii) The sale and delivery of a new motor vehicle or a certified used motor vehicle to a consumer.
(iii) The validation and payment of consumer or dealer incentives.
(iv) Claims for dealer supplied services relating to warranty parts or repairs.
(v) The evaluation of dealer performance, including without limitation the evaluation of the dealer's monthly financial statements and sales or service, consumer satisfaction with the dealer through direct consumer contact or consumer surveys.
(vi) Dealer and market analytics.
(vii) The identification of the dealer that sold or leased a specific motor vehicle and the date of the transaction.
(viii) Marketing purposes designed for the benefit of or to direct leads to dealers but does not include a consumer's financial information on the consumer's credit application or a dealer's individualized notes about a consumer which are not related to a transaction.
(ix) Motor vehicle diagnostic data.
(x) The development, evaluation or improvement of the manufacturer's products or services.
9. "Star standards" means the current, applicable security standards published by the standards for technology in automotive retail.
10. "Third Party":
(a) Includes a Service provider, vendor, including a Dealer Data Vendor and Authorized Integrator, and any other person other than the Dealer.
(b) Does not include a governmental entity acting pursuant to federal, state or local law, a third party acting pursuant to a valid court order or a manufacturer.
28-4652. Dealer; data submission to manufacturers or third parties
A manufacturer or a third party may not require a dealer to grant the manufacturer, the third party or any person acting on behalf of the manufacturer or third party direct or indirect access to the dealer's dealer data system. Instead of providing a manufacturer or third party with access to the dealer's data system, a Dealer may submit or push data or information to a manufacturer or Third Party through any widely acceptable electronic file format or protocol that complies with the star standards or other generally accepted standards that are at least as comprehensive as the star standards.
28-4653. Manufacturers and third parties; prohibitions; requirements
A. A Third Party may not do any of the following:
1. Access, share, sell, copy, use or transmit Protected Dealer Data without prior express written consent.
2. Engage in any act of Cyber Ransom.
3. Take any action by contract, technical means or otherwise to prohibit or limit a Dealer's ability to protect, store, copy, share or use protected Dealer Data, including all of the following:
(a) Imposing any Fee or other restriction on the Dealer or an Authorized Integrator for accessing or sharing Protected Dealer Data or for writing data to a Dealer Data System, including any Fee on a Dealer that chooses to submit or push data or information to the Third Party as prescribed in section 28‑4652. A third party must disclose a charge to the dealer and justify the charge by documentary evidence of the costs associated with access or the charge will be deemed to be a Fee pursuant to this subdivision.
(b) Prohibiting a Third Party that has satisfied or is compliant with the star standards or other generally accepted standards that are at least as comprehensive as the star standards and that the Dealer has identified as one of its Authorized Integrators from integrating into the Dealer's Dealer Data System or placing an unreasonable restriction on integration by an Authorized Integrator or other Third Party that the Dealer wishes to be an Authorized Integrator. For the purposes of this SUBDIVISION, "Unreasonable restriction" includes:
(i) An unreasonable limitation or condition on the scope or nature of the data that is shared with an Authorized Integrator.
(ii) An unreasonable limitation or condition on the ability of the Authorized Integrator to write data to a Dealer Data System.
(iii) An unreasonable limitation or condition on a Third Party that accesses or shares Protected Dealer Data or that writes data to a Dealer Data System.
(iv) Requiring unreasonable access to a third party's sensitive, competitive or other confidential business information as a condition for accessing Protected Dealer Data or sharing Protected Dealer Data with an Authorized Integrator.
(v) Prohibiting or limiting a Dealer's ability to store, copy, securely share or use Protected Dealer Data outside of the Dealer Data System in any manner and for any reason.
(vi) Allowing access to or accessing Protected Dealer Data without prior express written consent.
B. Prior express written consent may:
1. Be unilaterally revoked or amended by the Dealer with thirty days' notice without cause and immediately for cause.
2. Not be sought or required as a condition of or factor for consideration or eligibility for any Manufacturer program, standard or policy, including those that offer or relate to a bonus, incentive, rebate or other payment or benefit to a Dealer, except that if the bonus, incentive, rebate or other payment program requires the delivery of the information that is protected dealer data to qualify for the program and receive the program benefits, a dealer must supply the information to participate in the program.
C. This Section does not prevent a Dealer, manufacturer or Third Party from discharging its obligations as a service provider or otherwise under federal, state or local law to protect and secure Protected Dealer Data or to otherwise limit those responsibilities.
D. Unless a dealer gives prior written consent, a manufacturer may not access, share, sell, copy, use or transmit or require a dealer to share or provide access to protected dealer data beyond the required manufacturer data and may use any required manufacturer data obtained from a dealer data system for the purposes listed in section 28‑4651, paragraph 8.
E. A manufacturer may not engage in an act of cyber ransom or take an action by contract, technical means or otherwise to prohibit or limit a dealer's ability to protect, store, copy, share or use protected dealer data, including actions described in subsection A, paragraph 3, subdivision (b) of this section. A manufacturer or a manufacturer's selected third party may not require a dealer to pay a fee FOR the sharing of required manufacturer data If the manufacturer both:
1. Requires a dealer to provide required manufacturer data through a specific third party that the manufacturer selects.
2. Does not allow the dealer to submit the data using the dealer's choice of a third-party vendor and both of the following apply:
(a) The data is in a format that is compatible with the file format required by the manufacturer.
(b) The third-party vendor SATISFIES or is in compliance with the star standards or other generally accepted standards that are at least as comprehensive as the star standards.
F. A manufacturer shall indemnify a dealer for any third‑party claims asserted against or damages incurred by the dealer to the extent caused by access to, use of or disclosure of protected dealer data in violation of this section by the manufacturer or a third party acting on behalf of a manufacturer to whom the manufacturer has provided the protected dealer data. A dealer bringing a cause of action against a manufacturer for a violation of this section has the burden of proof.
G. Notwithstanding subsection D of this section and except as provided in section 28‑4655, this article does not restrict or limit a manufacturer's right to obtain required manufacturer data, use required manufacturer data for the purposes prescribed by subsection D of this section or use or control data that is proprietary to the manufacturer, created by the manufacturer, obtained from a source other than the DEALER or that is public INFORMATION.
28-4654. Dealer data vendors; authorized integrators; requirements
A. A Dealer Data Vendor shall:
1. Adopt and make available a standardized framework for the exchange, integration and sharing of data from Dealer Data Systems with Authorized Integrators and the retrieval of data by Authorized Integrators using the star standards or a standard that is compatible with the star Standards.
2. Provide access to open application programming interfaces to Authorized Integrators. If the application programming interfaces are not the reasonable commercial or technical standard for secure data integration, the dealer data vendor may provide a similar open access integration method if that method provides the same or better access to Authorized Integrators as an Application programming interface and uses the required standardized framework.
B. A Dealer Data Vendor and Authorized Integrator:
1. May access, use, store or share Protected Dealer Data or any other data from a Dealer Data System only to the extent allowed in the written agreement with the Dealer.
2. Must make any agreement relating to access to, sharing or selling of, copying, using or transmitting Protected Dealer Data terminable on ninety days' notice from the Dealer.
3. On notice of the Dealer's intent to terminate the agreement, in order to prevent any risk of consumer harm or inconvenience, Must work to ensure a secure transition of all Protected Dealer Data to a successor Dealer Data Vendor or Authorized Integrator, including:
(a) Providing access to or an ELECTRONIC copy of all Protected Dealer Data and all other data stored in the Dealer Data System in a commercially reasonable time and format that a successor Dealer Data Vendor or Authorized Integrator can access and use.
(b) Deleting or returning to the Dealer all Protected Dealer Data before the contract terminates pursuant to the dealer's written directions.
4. On a dealer's request, Must provide the Dealer with a listing of all entities with whom it is sharing Protected Dealer Data or with whom it has allowed access to Protected Dealer Data.
5. Must allow a Dealer to audit the Dealer Data Vendor or Authorized Integrator's access to and use of any Protected Dealer Data.
This article does not:
1. Govern, restrict or apply to data that exists outside of a dealer data system, including data that is generated by a motor vehicle or devices that a consumer connects to a motor vehicle.
2. Authorize a dealer or third party to use data that is obtained from a person in a manner that is inconsistent with either:
(a) An agreement with the person.
(b) The purposes for which the person provided the data to the dealer or third party.