Bill Text: AZ HB2418 | 2019 | Fifty-fourth Legislature 1st Regular | Introduced

NOTE: There are more recent revisions of this legislation.
Bill Title: Protected data; motor vehicle dealers

Spectrum: Partisan Bill (Republican 1-0)

Status: (Passed) 2019-04-09 - Chapter 52

REFERENCE TITLE: protected data; motor vehicle dealers

State of Arizona

House of Representatives

Fifty-fourth Legislature

First Regular Session

2019

HB 2418

Introduced by

Representative Campbell

AN ACT

amending title 28, chapter 10, Arizona Revised Statutes, by adding article 10; relating to motor vehicle dealers.

Be it enacted by the Legislature of the State of Arizona:

Section 1.  Title 28, chapter 10, Arizona Revised Statutes, is amended by adding article 10, to read:

ARTICLE 10.  PROTECTED DATA

28-4651.  Definitions

In this article, unless the context otherwise requires:

1.  "Authorized Integrator" means a Third Party with whom a Dealer enters into a contractual relationship to perform a specific function for a Dealer that allows the Third Party to access Protected Dealer Data or to write data to a Dealer Data System, or both, to carry out the specified function.

2.  "Cyber Ransom" means to encrypt, restrict or prohibit or threaten or attempt to encrypt, restrict or prohibit access to Protected Dealer Data for monetary gain or for political or ideological purposes.

3.  "Dealer Data System" means software, hardware or firmware that a Dealer uses in its business operations.

4.  "Dealer Data Vendor" means a dealer management system provider, customer relationship management system provider or other vendor providing similar services that permissibly stores Protected Dealer Data pursuant to a contract with the Dealer.

5.  "Fee" means a charge for allowing access to Protected Dealer Data beyond any direct costs incurred by the Dealer Data Vendor in providing Protected Dealer Data access to an Authorized Integrator or allowing an Authorized Integrator to write data to a Dealer Data System.

6.  "Prior Express Written Consent" means the dealer's express written consent that is contained in a document separate from any other consent, contract, franchise agreement or other writing and that contains:

(a)  The Dealer's consent to the data sharing and identification of all parties with whom the data may be shared.

(b)  All details that the Dealer requires relating to the scope and nature of the data to be shared, including the data fields and the duration for which the sharing is authorized.

(c)  All provisions and restrictions that are required under federal law to allow the sharing. 

7.  "Protected Dealer Data" means any:

(a)  Personal, financial or other data relating to a consumer that a consumer provides to a Dealer or that a Dealer otherwise obtains and that is stored in the Dealer's Dealer Data System.

(b)  Telematics or similar data that are emitted by a motor vehicle or motor vehicle system, that are stored in any motor vehicle or Dealer Data System and that are accessible by a Dealer or that Dealer's Dealer Data System.

(c)  Motor vehicle diagnostic data that are stored in or transmitted by a motor vehicle to a Dealer Data System.

(d)  Other data that relates to a Dealer's business operations in the Dealer's Dealer Data System.

8.  "Required Manufacturer Data" means data that is required to be obtained by the Manufacturer under federal law or to complete or verify a financial transaction between the Dealer and the Manufacturer.

9.  "Third Party":

(a)  Includes a Service provider, vendor, including a Dealer Data Vendor and Authorized Integrator, and any other person other than the Dealer.

(b)  Does not include a governmental entity acting pursuant to federal, state or local law or a third party acting pursuant to a valid court order.

28-4652.  Dealer; data submission to third parties

A Dealer may submit or push data or information to a Third Party through any widely acceptable electronic file format or protocol instead of providing the Third Party with access to the Dealer's Dealer Data System.

28-4653.  Third parties; prohibitions; requirements

A.  A Third Party may not do any of the following:

1.  Access, share, sell, copy, use or transmit Protected Dealer Data without prior express written consent. 

2.  Engage in any act of Cyber Ransom.

3.  Take any action by contract, technical means or otherwise to prohibit or limit a Dealer's ability to protect, store, copy, share or use protected Dealer Data, including all of the following:

(a)  Imposing any Fee or other restriction of any kind on the Dealer or an Authorized Integrator for accessing or sharing Protected Dealer Data or for writing data to a Dealer Data System, including any Fee on a Dealer that chooses to submit or push data or information to the Third Party as prescribed in section 28‑4652.  A third party must disclose a charge to the dealer and justify the charge by documentary evidence of the costs associated with access or the charge will be deemed to be a Fee pursuant to this subdivision.

(b)  Prohibiting a Third Party that the Dealer has identified as one of its Authorized Integrators from integrating into the Dealer's Dealer Data System or placing an unreasonable restriction on integration by an Authorized Integrator or other Third Party that the Dealer wishes to be an Authorized Integrator.  For the purposes of this subdivision, "unreasonable restriction" includes:

(i)  An unreasonable restriction on the scope or nature of the data that is shared with an Authorized Integrator.

(ii)  An unreasonable restriction on the ability of the Authorized Integrator to write data to a Dealer Data System.

(iii)  An unreasonable restriction or condition on a Third Party that accesses or shares Protected Dealer Data or that writes data to a Dealer Data System.

(iv)  Requiring unreasonable access to a third party's sensitive, competitive or other confidential business information as a condition for accessing Protected Dealer Data or sharing Protected Dealer Data with an Authorized Integrator.

(v)  Prohibiting or limiting a Dealer's ability to store, copy, securely share or use Protected Dealer Data outside of the Dealer Data System in any manner and for any reason.

(vi)  Allowing access to or accessing Protected Dealer Data without prior express written consent.

B.  Prior express written consent may:

1.  Be unilaterally revoked or amended by the Dealer with thirty days' notice without cause and immediately for cause.

2.  Not be sought or required as a condition of or factor for consideration or eligibility for any Manufacturer program, standard or policy, including those that offer or relate to a bonus, incentive, rebate or other payment or benefit to a Dealer.

C.  This Section does not prevent a Dealer or Third Party from discharging its obligations as a service provider or otherwise under federal, state or local law to protect and secure Protected Dealer Data or to otherwise limit those responsibilities.

D.  A Dealer Data Vendor or Authorized Integrator is not responsible for any action taken directly by the Dealer or for any action the dealer data vendor or authorized integrator takes when appropriately following the written instructions of the Dealer, if the action prevents the dealer data vendor or authorized integrator from meeting any legal obligation relating to the protection of Protected Dealer Data or results in any liability as a consequence of the dealer's actions.

E.  A Dealer is not responsible for any action taken directly by its Dealer Data Vendors or Authorized Integrators or for any action the dealer takes when appropriately following the written instructions of the dealer's Dealer Data Vendors or Authorized Integrators, if the action prevents the dealer from meeting any legal obligation relating to the protection of Protected Dealer Data or results in any liability as a consequence of the Dealer Data Vendor's or Authorized Integrator's actions.

F.  A Manufacturer may not require a Dealer to share or provide access to Protected Dealer Data beyond the Required Manufacturer Data and may use the Required Manufacturer Data only for the fulfillment of the manufacturer's legal requirements or in connection with the transaction between the Dealer and the Manufacturer.

28-4654.  Dealer data vendors; authorized integrators; requirements

A.  A Dealer Data Vendor shall:

1.  Adopt and make available a standardized framework for the exchange, integration and sharing of data from Dealer Data Systems with Authorized Integrators and the retrieval of data by Authorized Integrators using the standards for technology in automotive retail or a standard that is compatible with the Standards for technology in automotive retail.

2.  Provide access to open application programming interfaces to Authorized Integrators.  If the application programming interfaces are not the reasonable commercial or technical standard for secure data integration, the dealer data vendor may provide a similar open access integration method if that method provides the same or better access to Authorized Integrators as an application programming interface and uses the required standardized framework.

B.  A Dealer Data Vendor and Authorized Integrator:

1.  May access, use, store or share Protected Dealer Data or any other data from a Dealer Data System only to the extent allowed in the written agreement with the Dealer.

2.  Must make any agreement relating to access to, sharing or selling of, copying, using or transmitting Protected Dealer Data terminable on ninety days' notice from the Dealer.

3.  On notice of the Dealer's intent to terminate the agreement, in order to prevent any risk of consumer harm or inconvenience, must work to ensure a secure transition of all Protected Dealer Data to a successor Dealer Data Vendor or Authorized Integrator, including:

(a)  Providing unrestricted access to all Protected Dealer Data and all other data stored in the Dealer Data System in a commercially reasonable time and format that a successor Dealer Data Vendor or Authorized Integrator can access and use.

(b)  Deleting or returning to the Dealer all Protected Dealer Data before the contract terminates pursuant to the dealer's written directions.

4.  On a dealer's request, must provide the Dealer with a listing of all entities with whom it is sharing Protected Dealer Data or with whom it has allowed access to Protected Dealer Data.

5.  Must allow a Dealer to audit the Dealer Data Vendor or Authorized Integrator's access to and use of any Protected Dealer Data.
