13-73 - Motor Vehicle Consumer Data Protection

General Provisions

13-73-101 - Definitions.

As used in this chapter:

(1) “Authorized integrator” means a third party with whom a franchisee enters into a contract to perform a specific function for a franchisee that allows the third party to access protected dealer data or to write data to a dealer data system, or both, to carry out the specified function.

(2) “Consumer data” means non-public personal information defined in 15 U.S.C. Sec. 6809(4) as it existed on January 1, 2024.

(3) “Cyber ransom” means to encrypt, restrict, or prohibit, or to threaten or attempt to encrypt, restrict, or prohibit a franchisee’s or a franchisee’s authorized integrator’s access to protected dealer data or other dealer data to obtain payment not agreed to by the franchisee or the franchisee’s authorized integrator in a written contract for services or goods.

(4) “Dealer data system” means a software, hardware, or firmware system that is owned, leased, or licensed by a franchisee, that includes a system of web-based applications, computer software, or computer hardware, whether located at the franchisee’s dealership or hosted remotely, and that stores or provides access to protected dealer data. “Dealer data system” means a dealership management system or a consumer relationship management system.

(5) “Dealer data vendor” means a third party dealer management system provider, consumer relationship management system provider, or third party vendor providing similar services that store protected dealer data pursuant to a contract with the franchisee.

(6) “Dealership” means the same as that term is defined in Section 13-14-102.

(7) “Fee” means payment for access to protected dealer data which is in addition to charges written in an executed contract for goods or services.

(8) “Franchisee” means the same as that term is defined in Section 13-14-102.

(9) “Franchisee program” means a bonus, incentive, rebate, or other payment program that a franchisor offers to a franchisee.

(10) “Franchisor” means the same as that term is defined in Section 13-14-102.

(11) “Manufacturer” means a manufacturer of new motor vehicles. “Manufacturer” does not include a manufacturer acting in the capacity of a vendor, service provider, dealer data vendor, or an affiliate or subsidiary of a manufacturer operating as a vendor, service provider, or a dealer data vendor. “Manufacturer” does not include a manufacturer that does not have a franchisee in the state.

(12) “Other generally accepted standards” means security standards that are at least as comprehensive as STAR standards.

(13) “Prior express written consent” means a franchisee’s express written consent to protected dealer data sharing that: is in a document separate from any other: consent; contract; franchise agreement; or writing; identifies all parties with whom the protected dealer data may be shared; and contains: all details that the franchisee requires relating to the scope and nature of the protected dealer data to be shared, including the data fields and the duration for which the sharing is authorized; and all provisions and restrictions that are required under federal law to allow sharing the protected dealer data.

(14) “Protected dealer data” means: consumer data that: a consumer provides to a franchisee; or a franchisee otherwise obtains; and is stored in the franchisee’s dealer data system; other data that relates to a franchisee’s daily business operations and is stored in the franchisee’s dealer data system; and motor vehicle diagnostic data. “Protected dealer data” does not include data that: is otherwise publicly available; or a franchisor or third party obtains through another source.

(15) “Required manufacturer data” means data that: a manufacturer is required to obtain under federal or state law; is required to complete or verify a transaction between the franchisee and the manufacturer; is motor vehicle diagnostic data; or is reasonably necessary for: a safety notice, recall notice, manufacturer field action, or other legal notice obligation relating to the repair, service, and update of a motor vehicle; the sale and delivery of a new motor vehicle or certified used motor vehicle to a consumer, including necessary data for the vehicle manufacturer to activate services purchased by the consumer; the validation and payment of consumer or franchisee incentives; claims for franchisee-supplied services relating to warranty parts or repairs; the evaluation of franchisee performance, including the evaluation of the franchisee’s monthly financial statements and sales or service, consumer satisfaction with the franchisee through direct consumer contact, or consumer surveys; franchisee and market analytics; the identification of the franchisee that sold or leased a specific motor vehicle and the date of the transaction; marketing purposes designed for the benefit of franchisees, or to direct leads to the franchisee providing the dealer protected data to the franchisor; the development, evaluation, or improvement of the manufacturer’s products or services; or the daily operational interactions of the franchisee with the manufacturer or other franchisees through applications hosted on the manufacturer’s dealer electronic communications system. “Required manufacturer data” does not include: consumer data on the consumer’s credit application; or a franchisee’s individualized notes about a consumer that are not related to a transaction.

(16) “Service provider” means a person that processes protected dealer data on behalf of a franchisee and that receives, from or on behalf of the franchisee, consumer protected dealer data for a business purpose pursuant to a written contract, if the contract prohibits the person from: selling or sharing the protected dealer data; retaining, using, or disclosing the protected dealer data for any purpose other than for the business purposes specified in the contract for the franchisee, including retaining, using, or disclosing the protected dealer data for a commercial purpose other than the business purposes specified in the contract with the franchisee, or as permitted under this title; retaining, using, or disclosing the protected dealer data outside of the direct business relationship between the service provider and the franchisee; or combining the protected dealer data that the service provider receives from, or on behalf of, the franchisee with personal information that the service provider receives from, or on behalf of, another person or persons, or collects from the service provider’s own interaction with the consumer.

(17) “STAR standards” means the current, applicable security standards published by the Standards for Technology in Automotive Retail.

(18) “Third party” means a person other than a franchisee. “Third party” includes: a service provider; a vendor, including a dealer data vendor and authorized integrator; a manufacturer acting in the capacity of a vendor, service provider, or dealer data vendor; or an affiliate of a manufacturer described in Subsection (18)(b)(iii). “Third party” does not include: a governmental entity acting pursuant to federal, state, or local law; a person acting pursuant to a valid court order; a manufacturer, not acting in the capacity of a vendor, service provider, or dealer data vendor; or an affiliate of a manufacturer described in Subsection (18)(c)(iii).

(19) “Vendor” means a person to whom a franchisee makes available protected dealer data for a business purpose, pursuant to a written contract with the franchisee, if the contract: prohibits the vendor from: selling or sharing the protected dealer data; retaining, using, or disclosing the protected dealer data for any purpose other than for the business purposes specified in the contract, including retaining, using, or disclosing the protected dealer data for a commercial purpose other than the business purposes specified in the contract, or as otherwise permitted under this title; retaining, using, or disclosing the protected dealer data outside of the direct business relationship between the vendor and the franchisee; and combining the protected dealer data that the vendor receives pursuant to a written contract with the franchisee with personal information that the vendor receives from or on behalf of another person or persons, or collects from the vendor’s own interaction with the consumer; includes a certification made by the vendor that the vendor understands the restrictions in Subsection (19)(a)(i) and will comply with the restrictions; and permits, subject to agreement with the vendor, the franchisee to monitor the vendor’s compliance with the contract through measures, including ongoing manual reviews, automated scans, regular assessments, audits, or other technical and operational testing at least once every 12 months.

(20) “Unreasonable restriction” means: an unreasonable limitation or condition on the scope or nature of the data that is shared with an authorized integrator; an unreasonable limitation or condition on the ability of an authorized integrator to write data to a dealer data system; an unreasonable limitation or condition on a third party that accesses or shares protected dealer data or that writes data to a dealer data system; requiring unreasonable access to a franchisor’s or a third party’s sensitive, competitive, or other confidential business information as a condition for accessing protected dealer data or sharing protected dealer data with an authorized integrator; prohibiting or limiting a franchisee’s ability to store, copy, securely share, or use protected dealer data outside of the dealer data system in any manner or for any reason; or allowing access to, or accessing protected dealer data without, the franchisee’s prior express written consent.

Enacted by Chapter 212, 2024 General Session

13-73-102 - Applicability.

This chapter does not:

(1) govern, restrict, or apply to data outside of a dealer data system, including data that is generated by a motor vehicle or a device that a consumer connects to a motor vehicle;

(2) authorize a franchisee or third party to use data that the franchisee or third party obtains from a person in a manner that is inconsistent with: an agreement with the person; or the purposes for which the person provides the data to the franchisee or third party; or

(3) except as is necessary to fulfill a franchisee’s obligation to provide warranty, repair, or service to consumers, grant a franchisee: ownership of motor vehicle diagnostic data; or rights to share or use motor vehicle diagnostic data.

Enacted by Chapter 212, 2024 General Session

Data Protection Regulations

13-73-201 - Data submissions to franchisors or third parties.

(1) A franchisor or third party may not require a franchisee to grant to the franchisor, third party, or person acting on behalf of the franchisor or third party, direct or indirect access to the franchisee’s dealer data system.

(2) A franchisee may submit or push data or information to a franchisor or third party through an electronic file format or protocol if the electronic file format or protocol: is widely accepted; and complies with: STAR standards; or other generally accepted standards.

Enacted by Chapter 212, 2024 General Session

13-73-202 - Service provider contracts — Franchisors and third parties — Prohibitions — Requirements.

(1) A service provider contract may permit the franchisee to monitor the service provider’s compliance with the contract through ongoing manual reviews, automated scans, regular assessments, audits, or other technical and operational testing, at least once every 12 months. If a service provider or vendor engages another person to assist the service provider or vendor in processing protected dealer data for a business purpose on behalf of the franchisee, or if another person engaged by the service provider or vendor engages a person to assist in processing protected dealer data for that business purpose, the service provider or vendor shall notify the franchisee of that engagement, and the engagement shall be pursuant to a written contract binding the person to observe all the requirements described in Subsection 13-73-101.

(2) A franchisor or third party may not: access, share, sell, copy, use, or transmit protected dealer data without prior express written consent; engage in any act of cyber ransom; or take action to prohibit or limit a franchisee’s ability to protect, store, copy, share, or use protected dealer data, including: imposing a fee for, or other restriction on, the franchisee or authorized integrator: accessing or sharing protected dealer data; writing data to a dealer data system; or submitting or pushing data or information to the third party under Subsection 13-73-201; unreasonably prohibiting a third party or an authorized integrator that satisfies STAR standards or other generally accepted standards from integrating into the franchisee’s dealer data system; or placing an unreasonable restriction on integration by an authorized integrator or third party.

(3) Notwithstanding Subsection (2)(c)(i)(A), a franchisor or a third party may charge a franchisee the franchisor’s or third party’s actual third party costs, including a reasonable profit margin for providing access to protected dealer data to a franchisee, authorized integrator, or other third party if the franchisor or third party: discloses the charge to the franchisee in writing; and upon written request by the franchisee, provides to the franchisee documentation that the charges were agreed to in writing by the franchisee or provided for in the contract for services or goods. If a third party fails to comply with Subsection (3)(a), a charge described in Subsection (3)(a) is a fee prohibited under Subsection (2)(c)(i).

(4) A franchisee may unilaterally revoke or amend the prior express written consent described in Subsection (2)(a): with 60 days notice without cause; or immediately for cause. Except as provided in Subsection (4)(b)(ii), a franchisor may not seek or require prior express written consent as a condition of or factor for consideration or eligibility for a: franchisor program; standard or policy; or benefit to a franchisee. If a franchisor’s program reasonably requires delivery of information that is protected dealer data to qualify for the program and receive franchisor program benefits, a franchisee shall provide the information to participate in the franchisor program.

(5) This section does not: limit a franchisee’s, franchisor’s, or third party’s obligations: as a service provider; under federal, state, or local law, to protect and secure protected dealer data; or regarding required manufacturer data; and require a franchisor to pay a benefit to a franchisee if the franchisee refuses to provide data reasonably necessary to participate in the franchisor program.

(6) A franchisor or franchisor’s selected third party may not require a franchisee to pay a fee for sharing required manufacturer data if: the franchisor requires a franchisee to provide required manufacturer data through a specific third party that the franchisor selects; the franchisor does not allow the franchisee to submit the required manufacturer data using the franchisee’s choice of a third party vendor; the franchisee’s data is in a format that is compatible with the format required by the franchisor; and the third party vendor satisfies the STAR standards or other generally accepted standards.

(7) A franchisor may not access, sell, copy, use, transmit, or require a franchisee to share or provide access to protected dealer data, unless: the protected dealer data is required manufacturer data; or the franchisee provides prior express written consent.

(8) A franchisor may only use required manufacturer data that the franchisor obtains from a dealer data system for the purposes described in Subsection 13-73-101.

(9) A franchisor, authorized integrator, or other third party shall indemnify a franchisee for any claims or damages if: the claims or damages directly result from a violation of this section by the party from whom the franchisee is seeking indemnification; the claims or damages directly result from a violation of this section by: a vendor or contractor as an agent acting on behalf of the party from whom the franchisee is seeking indemnification; or a vendor or other service provider who the party from whom the franchisee is seeking indemnification required the franchisee to use; and the claims or damages result from a violation of this section for: accessing or providing access to protected dealer data; using protected dealer data; or disclosing protected dealer data. A franchisee bringing a cause of action against a franchisor, authorized integrator, or other third party for a violation of this section has the burden of proof.

(10) Notwithstanding Subsection (6), this chapter does not restrict or limit a franchisor’s right to: access or obtain required manufacturer data; use, share, copy, or transmit required manufacturer data for the purposes described in Subsection 13-73-101; or use or control data that is: proprietary to the franchisor; created by the franchisor; obtained from a source other than the franchisee; or public information.

Enacted by Chapter 212, 2024 General Session

13-73-203 - Dealer data vendors — Authorized integrators — Requirements.

(1) A dealer data vendor shall adopt and make available to a franchisee and authorized integrator in a standardized framework: the exchange, integration, and sharing of data between a dealer data system and an authorized integrator; and the retrieval of data by an authorized integrator. The standardized framework described in Subsection (1)(a) shall comply with STAR standards or other generally accepted standards.

(2) Except as provided in Subsection (2)(b), a dealer data vendor shall provide to an authorized integrator access to open application programming interfaces for the standardized framework described in Subsection (1) that meet the reasonable commercial or technical standard for secure data integration. If the open application interfaces described in Subsection (2)(a) do not meet the reasonable commercial or technical standard for secure data integration, a dealer data vendor may provide to an authorized integrator a similar open access integration method that: provides the same or better access to an authorized integrator as an application programming interface; and uses the standardized framework described in Subsection (1).

(3) A dealer data vendor and an authorized integrator: may access, use, store, or share protected dealer data or any other data from a dealer data system only to the extent allowed in the written agreement with the franchisee; shall, upon a franchisee’s request, provide the franchisee with a list of all persons: with whom the dealer data vendor or authorized integrator is sharing, or has shared, protected dealer data; or to whom the dealer data vendor or authorized integrator has allowed or is allowing access to protected dealer data; and shall allow a franchisee to audit the dealer data vendor’s or authorized integrator’s access to and use of protected dealer data.

(4) A franchisee may terminate an agreement between a dealer data vendor or authorized integrator and the franchisee relating to access to, sharing of, selling of, copying, using, or transmitting protected dealer data upon 90 days’ notice.

(5) If a dealer data vendor or authorized integrator receives a franchisee’s notice described in Subsection (4), the dealer data vendor or authorized integrator shall ensure a secure transition of all protected dealer data to a successor dealer data vendor or successor authorized integrator. In fulfilling the dealer data vendor’s or authorized integrator’s duties under Subsection (5)(a), a dealer data vendor or authorized integrator shall: provide access to or an electronic copy of all protected dealer data and all other data stored in the dealer data system in: a commercially reasonable time; and a format that the successor dealer data vendor or successor authorized integrator can access and use; and before the agreement terminates, delete or return to the franchisee all protected dealer data pursuant to the franchisee’s written directions.

Enacted by Chapter 212, 2024 General Session