Section 13-73-101 - DefinitionsAs used in this chapter:
(1) "Authorized integrator" means a third party with whom a franchisee enters into a contract to perform a specific function for a franchisee that allows the third party to access protected dealer data or to write data to a dealer data system, or both, to carry out the specified function.(2) "Consumer data" means non-public personal information defined in 15 U.S.C. Sec. 6809(4) as it existed on January 1, 2024.(3) "Cyber ransom" means to encrypt, restrict, or prohibit, or to threaten or attempt to encrypt, restrict, or prohibit a franchisee's or a franchisee's authorized integrator's access to protected dealer data or other dealer data to obtain payment not agreed to by the franchisee or the franchisee's authorized integrator in a written contract for services or goods.(4)(a) "Dealer data system" means a software, hardware, or firmware system that is owned, leased, or licensed by a franchisee, that includes a system of web-based applications, computer software, or computer hardware, whether located at the franchisee's dealership or hosted remotely, and that stores or provides access to protected dealer data.(b) "Dealer data system" means a dealership management system or a consumer relationship management system.(5) "Dealer data vendor" means a third party dealer management system provider, consumer relationship management system provider, or third party vendor providing similar services that store protected dealer data pursuant to a contract with the franchisee.(6) "Dealership" means the same as that term is defined in Section 13-14-102.(7) "Fee" means payment for access to protected dealer data which is in addition to charges written in an executed contract for goods or services.(8) "Franchisee" means the same as that term is defined in Section 13-14-102.(9) "Franchisee program" means a bonus, incentive, rebate, or other payment program that a franchisor offers to a franchisee.(10) "Franchisor" means the same as that term is defined in Section 13-14-102.(11)(a) "Manufacturer" means a manufacturer of new motor vehicles.(b) "Manufacturer" does not include a manufacturer acting in the capacity of a vendor, service provider, dealer data vendor, or an affiliate or subsidiary of a manufacturer operating as a vendor, service provider, or a dealer data vendor.(c) "Manufacturer" does not include a manufacturer that does not have a franchisee in the state.(12) "Other generally accepted standards" means security standards that are at least as comprehensive as STAR standards.(13) "Prior express written consent" means a franchisee's express written consent to protected dealer data sharing that:(a) is in a document separate from any other:(iii) franchise agreement; or(b) identifies all parties with whom the protected dealer data may be shared; and(c) contains: (i) all details that the franchisee requires relating to the scope and nature of the protected dealer data to be shared, including the data fields and the duration for which the sharing is authorized; and(ii) all provisions and restrictions that are required under federal law to allow sharing the protected dealer data.(14)(a) "Protected dealer data" means:(i) consumer data that:(A)(I) a consumer provides to a franchisee; or(II) a franchisee otherwise obtains; and(B) is stored in the franchisee's dealer data system;(ii) other data that relates to a franchisee's daily business operations and is stored in the franchisee's dealer data system; and(iii) motor vehicle diagnostic data.(b) "Protected dealer data" does not include data that:(i) is otherwise publicly available; or(ii) a franchisor or third party obtains through another source.(15)(a) "Required manufacturer data" means data that: (i) a manufacturer is required to obtain under federal or state law;(ii) is required to complete or verify a transaction between the franchisee and the manufacturer;(iii) is motor vehicle diagnostic data; or(iv) is reasonably necessary for:(A) a safety notice, recall notice, manufacturer field action, or other legal notice obligation relating to the repair, service, and update of a motor vehicle;(B) the sale and delivery of a new motor vehicle or certified used motor vehicle to a consumer, including necessary data for the vehicle manufacturer to activate services purchased by the consumer;(C) the validation and payment of consumer or franchisee incentives;(D) claims for franchisee-supplied services relating to warranty parts or repairs;(E) the evaluation of franchisee performance, including the evaluation of the franchisee's monthly financial statements and sales or service, consumer satisfaction with the franchisee through direct consumer contact, or consumer surveys;(F) franchisee and market analytics;(G) the identification of the franchisee that sold or leased a specific motor vehicle and the date of the transaction;(H) marketing purposes designed for the benefit of franchisees, or to direct leads to the franchisee providing the dealer protected data to the franchisor;(I) the development, evaluation, or improvement of the manufacturer's products or services; or(J) the daily operational interactions of the franchisee with the manufacturer or other franchisees through applications hosted on the manufacturer's dealer electronic communications system.(b) "Required manufacturer data" does not include:(i) consumer data on the consumer's credit application; or(ii) a franchisee's individualized notes about a consumer that are not related to a transaction.(16) "Service provider" means a person that processes protected dealer data on behalf of a franchisee and that receives, from or on behalf of the franchisee, consumer protected dealer data for a business purpose pursuant to a written contract, if the contract prohibits the person from:(a) selling or sharing the protected dealer data;(b) retaining, using, or disclosing the protected dealer data for any purpose other than for the business purposes specified in the contract for the franchisee, including retaining, using, or disclosing the protected dealer data for a commercial purpose other than the business purposes specified in the contract with the franchisee, or as permitted under this title;(c) retaining, using, or disclosing the protected dealer data outside of the direct business relationship between the service provider and the franchisee; or(d) combining the protected dealer data that the service provider receives from, or on behalf of, the franchisee with personal information that the service provider receives from, or on behalf of, another person or persons, or collects from the service provider's own interaction with the consumer.(17) "STAR standards" means the current, applicable security standards published by the Standards for Technology in Automotive Retail.(18)(a) "Third party" means a person other than a franchisee.(b) "Third party" includes:(ii) a vendor, including a dealer data vendor and authorized integrator;(iii) a manufacturer acting in the capacity of a vendor, service provider, or dealer data vendor; or(iv) an affiliate of a manufacturer described in Subsection (18)(b)(iii).(c) "Third party" does not include: (i) a governmental entity acting pursuant to federal, state, or local law;(ii) a person acting pursuant to a valid court order;(iii) a manufacturer, not acting in the capacity of a vendor, service provider, or dealer data vendor; or(iv) an affiliate of a manufacturer described in Subsection (18)(c)(iii).(19) "Vendor" means a person to whom a franchisee makes available protected dealer data for a business purpose, pursuant to a written contract with the franchisee, if the contract: (a) prohibits the vendor from: (i) selling or sharing the protected dealer data;(ii) retaining, using, or disclosing the protected dealer data for any purpose other than for the business purposes specified in the contract, including retaining, using, or disclosing the protected dealer data for a commercial purpose other than the business purposes specified in the contract, or as otherwise permitted under this title;(iii) retaining, using, or disclosing the protected dealer data outside of the direct business relationship between the vendor and the franchisee; and(iv) combining the protected dealer data that the vendor receives pursuant to a written contract with the franchisee with personal information that the vendor receives from or on behalf of another person or persons, or collects from the vendor's own interaction with the consumer;(b) includes a certification made by the vendor that the vendor understands the restrictions in Subsection (19)(a)(i) and will comply with the restrictions; and(c) permits, subject to agreement with the vendor, the franchisee to monitor the vendor's compliance with the contract through measures, including ongoing manual reviews, automated scans, regular assessments, audits, or other technical and operational testing at least once every 12 months.(20) "Unreasonable restriction" means:(a) an unreasonable limitation or condition on the scope or nature of the data that is shared with an authorized integrator;(b) an unreasonable limitation or condition on the ability of an authorized integrator to write data to a dealer data system;(c) an unreasonable limitation or condition on a third party that accesses or shares protected dealer data or that writes data to a dealer data system;(d) requiring unreasonable access to a franchisor's or a third party's sensitive, competitive, or other confidential business information as a condition for accessing protected dealer data or sharing protected dealer data with an authorized integrator;(e) prohibiting or limiting a franchisee's ability to store, copy, securely share, or use protected dealer data outside of the dealer data system in any manner or for any reason; or(f) allowing access to, or accessing protected dealer data without, the franchisee's prior express written consent.Added by Chapter 212, 2024 General Session ,§ 1, eff. 5/1/2024.