****
68th Legislature 2023 SB 411.1
1 SENATE BILL NO. 411
2 INTRODUCED BY B. USHER
3
4 A BILL FOR AN ACT ENTITLED: “AN ACT GENERALLY REVISING MOTOR VEHICLE LAWS; REVISING
5 DEFINITIONS; REVISING LAWS RELATED TO DEALER DATA; REVISING LAWS RELATED TO
6 PROHIBITED ACTIONS; REVISING LAWS RELATED TO RESPONSIBILITIES AND RESTRICTIONS;
7 REVISING LAWS RELATED TO PROHIBITED ACTS RELATING TO A MOTOR VEHICLE FRANCHISEE;
8 REVISING MOTOR VEHICLE LICENSING REQUIREMENTS; AMENDING SECTIONS 30-11-717, 30-11-718,
9 30-11-719, 61-4-201, 61-4-202, AND 61-4-208, MCA; AND PROVIDING AN IMMEDIATE EFFECTIVE DATE
10 AND AN APPLICABILITY DATE.”
11
12 WHEREAS, the Legislature finds that the distribution and sale of motor vehicles within this state vitally
13 affect the general economy of the state, the public interest, and the public welfare; and
14 WHEREAS, to promote the public interest and the public welfare and in the exercise of the state's
15 police power, it is necessary to regulate motor vehicle manufacturers, distributors, and factory or distributor
16 representatives and to regulate dealers of motor vehicles doing business in this state to prevent frauds,
17 impositions, and other abuses upon its citizens and to protect and preserve the investments and properties of
18 the citizens of this state.
19
20 BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF MONTANA:
21
22 Section 1. Section 30-11-717, MCA, is amended to read:
23 "30-11-717. Definitions. As used in 30-11-718, 30-11-719, [section 4], and this section, the following
24 definitions apply:
25 (1) "Authorized integrator" means any third party with whom a dealer has entered into a
26 contractual relationship to perform a specific function for the dealer that permits the third party to access
27 protected dealer data or to write data to a dealer data system, or both, to carry out the specified function.
28 (2) "Cyber ransom" means to encrypt, restrict, or prohibit or threaten or attempt to encrypt, restrict,
-1- Authorized Print Version – SB 411
****
68th Legislature 2023 SB 411.1
1 or prohibit a dealer's or a dealer's authorized integrator's access to protected dealer data for monetary gain.
2 (2)(3) "Dealer" has the same meaning as "new motor vehicle dealer" provided in 61-4-201 and
3 includes any authorized dealer personnel acting on behalf of the dealer owner-operator.
4 (3)(4) "Dealer data system" means any software, hardware, or firmware owned, leased, rented, or
5 controlled by a dealer and used by the dealer in its business operations or licensed by a dealer that includes a
6 system of web-based applications, computer software, or computer hardware, whether located at the motor
7 vehicle dealership or hosted remotely, and that stores or provides access to protected dealer data and includes
8 dealership management systems and consumer relations management systems.
9 (4)(5) "Dealer data vendor" means any dealer management system provider, or customer consumer
10 relationship management system provider, or other vendor providing similar services, other than a motor
11 vehicle manufacturer or distributor or a subsidiary or affiliate of a manufacturer or distributor, that permissibly
12 stores protected dealer data pursuant to a contract with a dealer.
13 (5)(6) "Fees" means charges for allowing access to protected dealer data in excess of any direct
14 costs incurred by the dealer data vendor in providing protected dealer data access to an authorized integrator
15 or allowing an authorized integrator to write data to a dealer data system. Fees must be disclosed to the dealer
16 prior to entering into a contract with a dealer data vendor and must be specified in the terms of the contract.
17 (7) "Prior express written consent" means the dealer's express written consent that is contained in
18 a document separate from any other consent, contract, franchise agreement, or other writing and that contains:
19 (a) the dealer's consent to the data sharing and identification of all parties with whom the data may
20 be shared;
21 (b) all details that the dealer requires relating to the scope and nature of the data to be shared,
22 including the data fields and the duration for which the sharing is authorized; and
23 (c) provisions and restrictions that are required under federal law to allow the sharing.
24 (6)(8) "Protected dealer data" means any:
25 (a) any nonpublic personal information, including information defined in 15 U.S.C. 6809 pertaining to
26 a consumer, that is provided to a dealer by a consumer or otherwise obtained by a dealer and stored in the
27 dealer's dealer data system; or
28 (a) personal, financial, or other data relating to a consumer that a consumer provides to a dealer or
-2- Authorized Print Version – SB 411
****
68th Legislature 2023 SB 411.1
1 that a dealer otherwise obtains and that is stored in the dealer's data system;
2 (b) any other data regarding a dealer's business operations that is stored in the dealer's dealer
3 data system.; or
4 (c) motor vehicle diagnostic data that is stored in a dealer data system. This subsection (8)(c) does
5 not give a dealer any ownership rights to share or use the motor vehicle diagnostic data beyond what is
6 necessary to fulfill a dealer's obligation to provide warranty, repair, or service work to a consumer.
7 (9) "Required manufacturer data" means:
8 (a) data required to be obtained by the manufacturer under federal or state law or to complete or
9 verify a transaction between the dealer and the manufacturer; and
10 (b) information that is reasonably necessary for any of the following:
11 (i) a safety, recall, or other legal notice obligation;
12 (ii) the sale and delivery of a new motor vehicle or a certified used motor vehicle to a consumer;
13 (iii) the validation and payment of consumer or dealer incentives;
14 (iv) claims for dealer-supplied services relating to warranty parts or repairs;
15 (v) the evaluation of dealer performance, including but not limited to the evaluation of the dealer's
16 monthly financial statements and sales or service, consumer satisfaction with the dealer through direct
17 consumer contact, or consumer surveys;
18 (vi) dealer and market analytics;
19 (vii) the identification of the dealer that sold or leased a specific motor vehicle and the time of the
20 transaction;
21 (viii) marketing purposes designed for the benefit of or to direct leads to dealers, not including a
22 consumer's financial information on the consumer's credit application or a dealer's individualized notes about a
23 consumer that are not related to a transaction;
24 (ix) motor diagnostic data; or
25 (x) the development, evaluation, or improvement of the manufacturer's products or services.
26 (10) "STAR standards" means the current, applicable security standards published by the standards
27 for technology in automotive retail.
28 (7)(11) (a) "Third party" includes service providers, vendors, dealer data vendors, authorized
-3- Authorized Print Version – SB 411
****
68th Legislature 2023 SB 411.1
1 integrators, and any other individual or entity person other than the dealer.
2 (b) The term does not include any a government entity acting pursuant to federal, state, or local
3 law, any entity a third party acting pursuant to a valid court order, or a manufacturer, a motor vehicle
4 manufacturer or distributor or a subsidiary or affiliate of a motor vehicle manufacturer or distributor, or an entity
5 acting on behalf of and with whom the manufacturer or distributor has an express agreement to preserve the
6 privacy of protected dealer data."
7
8 Section 2. Section 30-11-718, MCA, is amended to read:
9 "30-11-718. Prohibited actions. (1) A third party may not do any of the following:
10 (a) access, share, sell, copy, use, or transmit protected dealer data from a dealer data system
11 without the prior express written consent of the dealer;
12 (b) take any action by contract, by technical means, or by any other means that would otherwise to
13 prohibit or limit a dealer's ability to protect, store, copy, share, or use any protected dealer data. This includes
14 but is not limited to:, including all of the following:
15 (i) imposing any fees fee or other restrictions restriction on the dealer or any an authorized
16 integrator for access to accessing or sharing of protected dealer data or for writing data to a dealer data
17 system, including any fee on a dealer that chooses to submit or push data or information to the third party as
18 prescribed in this section. A third party shall disclose a charge to the dealer and justify the charge by
19 documentary evidence of the costs associated with access or the charge is a fee pursuant to this subsection
20 (1)(b)(i);.
21 (ii) prohibiting any a third party that has satisfied or is compliant with the STAR standards or other
22 generally accepted standards that are at least as comprehensive as the STAR standards and that the dealer
23 has identified as one of its authorized integrators from integrating into that the dealer's dealer data system or
24 placing an unreasonable restrictions restriction on integration by any such an authorized integrator or other third
25 party that the dealer wishes to be an authorized integrator. Examples of restrictions include but are not limited
26 to For the purposes of this subsection (1)(b)(ii), "unreasonable restriction" includes:
27 (A) restrictions an unreasonable limitation or condition on the scope or nature of the data that is
28 shared with an authorized integrator;
-4- Authorized Print Version – SB 411
****
68th Legislature 2023 SB 411.1
1 (B) restrictions an unreasonable limitation on the ability of the authorized integrator to write data to
2 a dealer data system;
3 (C) restrictions an unreasonable limitation or conditions condition on a third party accessing that
4 accesses or sharing shares protected dealer data or writing that writes data to a dealer data system; and
5 (D) requiring unreasonable access to a third party's sensitive, competitive, or other confidential
6 business information of a third party as a condition for access to accessing protected dealer data or sharing
7 protected dealer data with an authorized integrator.
8 (c) prohibit or limit a dealer's ability to store, copy, or securely share, or use protected dealer data
9 outside of the dealer data system in any manner or and for any reason; or
10 (d) permit allow access to or access protected dealer data without the prior express written
11 consent of the dealer; or
12 (e) engage in any act of cyber ransom.
13 (2) Prior express written consent may:
14 (a) be unilaterally revoked or amended by the dealer with 30 days' notice without cause and
15 immediately for cause;
16 (b) not be sought or required as a condition of or factor for consideration or eligibility for any
17 manufacturer program, standard, or policy, including those that offer or relate to a bonus, incentive, rebate, or
18 other payment or benefit to a dealer, except that if the bonus, incentive, rebate, or other payment program
19 requires the delivery of the information that is protected dealer data to qualify for the program and receive the
20 program benefits, a dealer shall supply the information to participate in the program.
21 (2)(3) Nothing in this section prevents any dealer This section does not prevent a dealer,
22 manufacturer, or third party from discharging its obligations as a service provider or otherwise under federal,
23 state, or local law to protect and secure protected dealer data or to otherwise limit those responsibilities.
24 (3)(4) A dealer data vendor or an authorized integrator is not responsible for any action taken directly
25 by the dealer, or for any action the dealer data vendor or authorized integrator takes in appropriately following
26 the written instructions of the dealer, to the extent that the action prevents it from meeting any legal obligation
27 regarding the protection of protected dealer data or results in any liability as a consequence of such actions by
28 the dealer.
-5- Authorized Print Version – SB 411
****
68th Legislature 2023 SB 411.1
1 (4)(5) A dealer is not responsible for any action taken directly by any of its dealer data vendors or
2 authorized integrators, or for any action the dealer takes directly in appropriately following the written
3 instructions of any of its dealer data vendors or authorized integrators, to the extent that the action prevents it
4 from meeting any legal obligation regarding the protection of protected dealer data or results in any liability as a
5 consequence of such actions by the dealer data vendor or authorized integrator."
6
7 Section 3. Section 30-11-719, MCA, is amended to read:
8 "30-11-719. Other responsibilities and restrictions. (1) All dealer data vendors and authorized
9 integrators:
10 (1)(a) may access, use, store, or share protected dealer data only to the extent permitted in the
11 contract with the dealer;
12 (2)(b) shall make any agreement regarding access to, sharing or selling of, copying, using, or
13 transmitting protected dealer data terminable upon no more than 90 days' notice from the dealer;
14 (3)(c) must, on notice of the dealer's intent to terminate its contract and in order to prevent any risk of
15 consumer harm or inconvenience, work to ensure a secure transition of all protected dealer data to a successor
16 dealer data vendor or authorized integrator, including but not limited to:
17 (a)(i) providing unrestricted access to, or an electronic copy of, all protected dealer data and all other
18 data stored in the dealer data system in a format that a successor dealer data vendor or authorized integrator
19 can access and use; and
20 (b)(ii) deleting or returning to the dealer all protected dealer data prior to termination of the contract
21 pursuant to any written directions of the dealer;
22 (4)(d) shall provide a dealer, on request, with a listing of all entities with whom it is sharing dealer
23 data or with whom it has allowed access to protected dealer data; and
24 (5)(e) shall allow a dealer to audit the dealer data vendor's or authorized integrator's access to and
25 use of any protected dealer data.
26 (2) Unless a dealer gives prior express written consent, a manufacturer may not access, share,
27 sell, copy, use, or transmit or require a dealer to share or provide access to protected dealer data beyond the
28 required manufacturer data and may use any required manufacturer data obtained from a dealer data system
-6- Authorized Print Version – SB 411
****
68th Legislature 2023 SB 411.1
1 for the purposes described in subsection (5).
2 (3) A manufacturer may not engage in an act of cyber ransom or take an action by contract,
3 technical means, or otherwise to prohibit or limit a dealer's ability to protect, store, copy, share, or use protected
4 dealer data, including actions described in subsection (3)(b)(ii). A manufacturer or a manufacturer's selected
5 third party may not require a dealer to pay a fee for the sharing of required manufacturer data if the
6 manufacturer both:
7 (a) requires a dealer to provide required manufacturer data through a specific third party that the
8 manufacturer selects; and
9 (b) does not allow the dealer to submit the data using the dealer's choice of a third-party vendor
10 and both of the following apply:
11 (i) the data is in a format that is compatible with the file format required by the manufacturer; and
12 (ii) the third-party vendor satisfies or is in compliance with the STAR standards or other generally
13 accepted standards that are at least as comprehensive as the STAR standards.
14 (4) A manufacturer shall indemnify a dealer for any third-party claims asserted against or damages
15 incurred by the dealer to the extent caused by access to, use of, or disclosure of protected dealer data in
16 viol