Enrolled Copy S.B. 215
1 MOTOR VEHICLE CONSUMER DATA PROTECTION
2024 GENERAL SESSION
STATE OF UTAH
Chief Sponsor: Chris H. Wilson House Sponsor: Steve Eliason
2
3 LONG TITLE
4 General Description:
5 This bill enacts provisions related to motor vehicle consumer data protection.
6 Highlighted Provisions:
7 This bill:
8 ▸ defines terms; and
9 ▸ enacts provisions related to storing, sharing, and accessing motor vehicle consumer data.
10 Money Appropriated in this Bill:
11 None
12 Other Special Clauses:
13 None
14 Utah Code Sections Affected:
15 ENACTS:
16 13-70-101, as Utah Code Annotated 1953
17 13-70-102, as Utah Code Annotated 1953
18 13-70-201, as Utah Code Annotated 1953
19 13-70-202, as Utah Code Annotated 1953
20 13-70-203, as Utah Code Annotated 1953
21
22 Be it enacted by the Legislature of the state of Utah:
23 Section 1. Section 13-70-101 is enacted to read:
24 CHAPTER 70. MOTOR VEHICLE CONSUMER DATA PROTECTION
25 Part 1. General Provisions
26 13-70-101. Definitions.
27 As used in this chapter:
28 (1) "Authorized integrator" means a third party with whom a franchisee enters into a
29 contract to perform a specific function for a franchisee that allows the third party to
30 access protected dealer data or to write data to a dealer data system, or both, to carry out
31 the specified function.
32 (2) "Consumer data" means non-public personal information defined in 15 U.S.C. Sec.
33 6809(4) as it existed on January 1, 2024.
34 (3) "Cyber ransom" means to encrypt, restrict, or prohibit, or to threaten or attempt to
35 encrypt, restrict, or prohibit a franchisee's or a franchisee's authorized integrator's access
36 to protected dealer data or other dealer data to obtain payment not agreed to by the
37 franchisee or the franchisee's authorized integrator in a written contract for services or
38 goods.
39 (4) (a) "Dealer data system" means a software, hardware, or firmware system that is
40 owned, leased, or licensed by a franchisee, that includes a system of web-based
41 applications, computer software, or computer hardware, whether located at the
42 franchisee's dealership or hosted remotely, and that stores or provides access to
43 protected dealer data.
44 (b) "Dealer data system" means a dealership management system or a consumer
45 relationship management system.
46 (5) "Dealer data vendor" means a third party dealer management system provider,
47 consumer relationship management system provider, or third party vendor providing
48 similar services that store protected dealer data pursuant to a contract with the franchisee.
49 (6) "Dealership" means the same as that term is defined in Section 13-14-102.
50 (7) "Fee" means payment for access to protected dealer data which is in addition to charges
51 written in an executed contract for goods or services.
52 (8) "Franchisee" means the same as that term is defined in Section 13-14-102.
53 (9) "Franchisee program" means a bonus, incentive, rebate, or other payment program that a
54 franchisor offers to a franchisee.
55 (10) "Franchisor" means the same as that term is defined in Section 13-14-102.
56 (11) (a) "Manufacturer" means a manufacturer of new motor vehicles.
57 (b) "Manufacturer" does not include a manufacturer acting in the capacity of a vendor,
58 service provider, dealer data vendor, or an affiliate or subsidiary of a manufacturer
59 operating as a vendor, service provider, or a dealer data vendor.
60 (c) "Manufacturer" does not include a manufacturer that does not have a franchisee in
61 the state.
62 (12) "Other generally accepted standards" means security standards that are at least as
63 comprehensive as STAR standards.
64 (13) "Prior express written consent" means a franchisee's express written consent to
65 protected dealer data sharing that:
66 (a) is in a document separate from any other:
67 (i) consent;
68 (ii) contract;
69 (iii) franchise agreement; or
70 (iv) writing;
71 (b) identifies all parties with whom the protected dealer data may be shared; and
72 (c) contains:
73 (i) all details that the franchisee requires relating to the scope and nature of the
74 protected dealer data to be shared, including the data fields and the duration for
75 which the sharing is authorized; and
76 (ii) all provisions and restrictions that are required under federal law to allow sharing
77 the protected dealer data.
78 (14) (a) "Protected dealer data" means:
79 (i) consumer data that:
80 (A) (I) a consumer provides to a franchisee; or
81 (II) a franchisee otherwise obtains; and
82 (B) is stored in the franchisee's dealer data system;
83 (ii) other data that relates to a franchisee's daily business operations and is stored in
84 the franchisee's dealer data system; and
85 (iii) motor vehicle diagnostic data.
86 (b) "Protected dealer data" does not include data that:
87 (i) is otherwise publicly available; or
88 (ii) a franchisor or third party obtains through another source.
89 (15) (a) "Required manufacturer data" means data that:
90 (i) a manufacturer is required to obtain under federal or state law;
91 (ii) is required to complete or verify a transaction between the franchisee and the
92 manufacturer;
93 (iii) is motor vehicle diagnostic data; or
94 (iv) is reasonably necessary for:
95 (A) a safety notice, recall notice, manufacturer field action, or other legal notice
96 obligation relating to the repair, service, and update of a motor vehicle;
97 (B) the sale and delivery of a new motor vehicle or certified used motor vehicle to
98 a consumer, including necessary data for the vehicle manufacturer to activate
99 services purchased by the consumer;
100 (C) the validation and payment of consumer or franchisee incentives;
101 (D) claims for franchisee-supplied services relating to warranty parts or repairs;
102 (E) the evaluation of franchisee performance, including the evaluation of the
103 franchisee's monthly financial statements and sales or service, consumer
104 satisfaction with the franchisee through direct consumer contact, or consumer
105 surveys;
106 (F) franchisee and market analytics;
107 (G) the identification of the franchisee that sold or leased a specific motor vehicle
108 and the date of the transaction;
109 (H) marketing purposes designed for the benefit of franchisees, or to direct leads
110 to the franchisee providing the dealer protected data to the franchisor;
111 (I) the development, evaluation, or improvement of the manufacturer's products or
112 services; or
113 (J) the daily operational interactions of the franchisee with the manufacturer or
114 other franchisees through applications hosted on the manufacturer's dealer
115 electronic communications system.
116 (b) "Required manufacturer data" does not include:
117 (i) consumer data on the consumer's credit application; or
118 (ii) a franchisee's individualized notes about a consumer that are not related to a
119 transaction.
120 (16) "Service provider" means a person that processes protected dealer data on behalf of a
121 franchisee and that receives, from or on behalf of the franchisee, consumer protected
122 dealer data for a business purpose pursuant to a written contract, if the contract prohibits
123 the person from:
124 (a) selling or sharing the protected dealer data;
125 (b) retaining, using, or disclosing the protected dealer data for any purpose other than for
126 the business purposes specified in the contract for the franchisee, including retaining,
127 using, or disclosing the protected dealer data for a commercial purpose other than the
128 business purposes specified in the contract with the franchisee, or as permitted under
129 this title;
130 (c) retaining, using, or disclosing the protected dealer data outside of the direct business
131 relationship between the service provider and the franchisee; or
132 (d) combining the protected dealer data that the service provider receives from, or on
133 behalf of, the franchisee with personal information that the service provider receives
134 from, or on behalf of, another person or persons, or collects from the service
135 provider's own interaction with the consumer.
136 (17) "STAR standards" means the current, applicable security standards published by the
137 Standards for Technology in Automotive Retail.
138 (18) (a) "Third party" means a person other than a franchisee.
139 (b) "Third party" includes:
140 (i) a service provider;
141 (ii) a vendor, including a dealer data vendor and authorized integrator;
142 (iii) a manufacturer acting in the capacity of a vendor, service provider, or dealer data
143 vendor; or
144 (iv) an affiliate of a manufacturer described in Subsection (18)(b)(iii).
145 (c) "Third party" does not include:
146 (i) a governmental entity acting pursuant to federal, state, or local law;
147 (ii) a person acting pursuant to a valid court order;
148 (iii) a manufacturer, not acting in the capacity of a vendor, service provider, or dealer
149 data vendor; or
150 (iv) an affiliate of a manufacturer described in Subsection (18)(c)(iii).
151 (19) "Vendor" means a person to whom a franchisee makes available protected dealer data
152 for a business purpose, pursuant to a written contract with the franchisee, if the contract:
153 (a) prohibits the vendor from:
154 (i) selling or sharing the protected dealer data;
155 (ii) retaining, using, or disclosing the protected dealer data for any purpose other than
156 for the business purposes specified in the contract, including retaining, using, or
157 disclosing the protected dealer data for a commercial purpose other than the
158 business purposes specified in the contract, or as otherwise permitted under this
159 title;
160 (iii) retaining, using, or disclosing the protected dealer data outside of the direct
161 business relationship between the vendor and the franchisee; and
162 (iv) combining the protected dealer data that the vendor receives pursuant to a written
163 contract with the franchisee with personal information that the vendor receives
164 from or on behalf of another person or persons, or collects from the vendor's own
165 interaction with the consumer;
166 (b) includes a certification made by the vendor that the vendor understands the
167 restrictions in Subsection (19)(a)(i) and will comply with the restrictions; and
168 (c) permits, subject to agreement with the vendor, the franchisee to monitor the vendor's
169 compliance with the contract through measures, including ongoing manual reviews,
170 automated scans, regular assessments, audits, or other technical and operational
171 testing at least once every 12 months.
172 (20) "Unreasonable restriction" means:
173 (a) an unreasonable limitation or condition on the scope or nature of the data that is
174 shared with an authorized integrator;
175 (b) an unreasonable limitation or condition on the ability of an authorized integrator to
176 write data to a dealer data system;
177 (c) an unreasonable limitation or condition on a third party that accesses or shares
178 protected dealer data or that writes data to a dealer data system;
179 (d) requiring unreasonable access to a franchisor's or a third party's sensitive,
180 competitive, or other confidential business information as a condition for accessing
181 protected dealer data or sharing protected dealer data with an authorized integrator;
182 (e) prohibiting or limiting a franchisee's ability to store, copy, securely share, or use
183 protected dealer data outside of the dealer data system in any manner or for any
184 reason; or
185 (f) allowing access to, or accessing protected dealer data without, the franchisee's prior
186 express written consent.
187 Section 2. Section 13-70-102 is enacted to read:
188 13-70-102. Applicability.
189 This chapter does not:
190 (1) govern, restrict, or apply to data outside of a dealer data system, including data that is
191 generated by a motor vehicle or a device that a consumer connects to a motor vehicle;
192 (2) authorize a franchisee or third party to use data that the franchisee or third party obtains
193 from a person in a manner that is inconsistent with:
194 (a) an agreement with the person; or
195 (b) the purposes for which the person provides the data to the franchisee or third party; or
196 (3) except as is necessary to fulfill a franchisee's obligation to provide warranty, repair, or
197 service to consumers, grant a franchisee:
198 (a) ownership of motor vehicle diagnostic data; or
199 (b) rights to share or use motor vehicle diagnostic data.
200 Section 3. Section 13-70-201 is enacted to read:
201 Part 2. Data Protection Regulations
202 13-70-201. Data submissions to franchisors or third parties.
203 (1) A franchisor or third party may not require a franchisee to grant to the franchisor, third
204 party, or person acting on behalf of the franchisor or third party, direct or indirect access
205 to the franchisee's dealer data system.
206 (2) A franchisee may submit or push data or information to a franchisor or third party
207 through an electronic file format or protocol if the electronic file format or protocol:
208 (a) is widely accepted; and
209 (b) complies with:
210 (i) STAR standards; or
211 (ii) other generally accepted standards.
212 Section 4. Section 13-70-202 is enacted to read:
213 13-70-202. Service provider contracts -- Franchisors and third parties --
214 Prohibitions -- Requirements.
215 (1) (a) A service provider contract may permit the franchisee to monitor the service
216 provider's compliance with the contract through ongoing manual reviews, automated
217 scans, regular assessments, audits, or other technical and operational testing, at least
218 once every 12 months.
219 (b) If a service provider or vendor engages another person to assist the service provider
220 or vendor in processing protected dealer data for a business purpose on behalf of the
221 franchisee, or if another person engaged by the service provider or vendor engages a
222 person to assist in processing protected dealer data for that business purpose, the
223 service provider or vendor shall notify the franchisee of that engagement, and the
224 engagement shall be pursuant to a written contract binding the person to observe all
225 the requirements described in Subsection 13-70-101(16).
226 (2) A franchisor or third party may not:
227 (a) access, share, sell, copy, use, or transmit protected dealer data without prior express
228 written consent;
229 (b) engage in any act of cyber ransom; or
230 (c) take action to prohibit or limit a franchisee's ability to protect, store, copy, share, or
231 use protected dealer data, including:
232 (i) imposing a fee for, or other restriction on, the franchisee or authorized integrator:
233 (A)