30-11-718. Prohibited actions. (1) A third party may not:
(a) access, share, sell, copy, use, or transmit protected dealer data from a dealer data system without the express written consent of the dealer;
(b) take any action by contract, by technical means, or by any other means that would prohibit or limit a dealer's ability to protect, store, copy, share, or use any protected dealer data. This includes but is not limited to:
(i) imposing any fees or other restrictions on the dealer or any authorized integrator for access to or sharing of protected dealer data or for writing data to a dealer data system;
(ii) prohibiting any third party that the dealer has identified as one of its authorized integrators from integrating into that dealer's dealer data system or placing unreasonable restrictions on integration by any such authorized integrator or other third party that the dealer wishes to be an authorized integrator. Examples of restrictions include but are not limited to:
(A) restrictions on the scope or nature of the data shared with an authorized integrator;
(B) restrictions on the ability of the authorized integrator to write data to a dealer data system;
(C) restrictions or conditions on a third party accessing or sharing protected dealer data or writing data to a dealer data system; and
(D) requiring access to sensitive, competitive, or other confidential business information of a third party as a condition for access to protected dealer data or sharing protected dealer data with an authorized integrator.
(c) prohibit or limit a dealer's ability to store, copy, securely share, or use protected dealer data outside the dealer data system in any manner or for any reason; or
(d) permit access to or access protected dealer data without the express written consent of the dealer.
(2) Nothing in this section prevents any dealer or third party from discharging its obligations as a service provider under federal, state, or local law to protect and secure protected dealer data or to otherwise limit those responsibilities.
(3) A dealer data vendor or an authorized integrator is not responsible for any action taken directly by the dealer, or for any action the dealer data vendor or authorized integrator takes in appropriately following the written instructions of the dealer, to the extent that the action prevents it from meeting any legal obligation regarding the protection of protected dealer data or results in any liability as a consequence of such actions by the dealer.
(4) A dealer is not responsible for any action taken directly by any of its dealer data vendors or authorized integrators, or for any action the dealer takes directly in appropriately following the written instructions of any of its dealer data vendors or authorized integrators, to the extent that the action prevents it from meeting any legal obligation regarding the protection of protected dealer data or results in any liability as a consequence of such actions by the dealer data vendor or authorized integrator.
History: En. Sec. 2, Ch. 283, L. 2019.