Oregon Statutes 650.123 – Use of protected dealer data; prohibitions; liabilities
(1) As used in this section:
Terms Used In Oregon Statutes 650.123
- Contract: A legal written agreement that becomes binding when signed.
- Lease: A contract transferring the use of property or occupancy of land, space, structures, or equipment in consideration of a payment (e.g., rent). Source: OCC
- Obligation: An order placed, contract awarded, service received, or similar transaction during a given period that will require payments during the same or a future period.
- Person: includes individuals, corporations, associations, firms, partnerships, limited liability companies and joint stock companies. See Oregon Statutes 174.100
(a) ‘Access fee’ means a requirement to pay money for access to protected dealer data.
(b)(A) ‘Authorized integrator’ means a person with which a dealer has a contractual relationship or to which the dealer otherwise gives express written authorization to have access to protected dealer data stored on a dealer data system or to write protected dealer data to the dealer data system for the purpose of performing a specific function for the dealer.
(B) ‘Authorized integrator’ does not include:
(i) A manufacturer, distributor or importer or any entity that is a subsidiary or affiliate of, or acts on behalf of, a manufacturer, distributor or importer; or
(ii) A governmental body or other person that is acting in accordance with federal, state or local law or a valid court order.
(c) ‘Dealer data system’ means software, hardware or firmware that a dealer leases or rents from a dealer management system provider for the purpose of storing protected dealer data.
(d) ‘Dealer management system provider’ means a person that for compensation maintains and provides access to a dealer data system in which a dealer stores protected dealer data.
(e) ‘Protected dealer data’ means:
(A) Personal data or financial data about a consumer that a dealer generated or that the consumer provided to the dealer and that is not otherwise publicly available; and
(B) Any other data to which a dealer has rights in connection with the dealer’s daily business operations and stores or maintains in a dealer data system.
(2) A dealer management system provider may:
(a) Condition a dealer’s or authorized integrator’s access to and ability to receive, share, copy, use, write or transmit protected dealer data from or to a dealer data system on the dealer’s or authorized integrator’s compliance with security standards;
(b) Require an authorized integrator to have express written authorization from a dealer before allowing the authorized integrator to gain access to, receive, share, copy, use or transmit protected dealer data; and
(c) Deny access to a dealer data system to a dealer if the dealer fails to pay an amount due to the dealer management system provider under a lease, contract or other agreement concerning the dealer’s access to or use of the dealer data system.
(3) Except as provided in subsection (2) of this section, a dealer management system provider may not take any action that would limit or prohibit a dealer’s or an authorized integrator’s ability to receive, protect, store, copy, share or use protected dealer data using means that include, but are not limited to:
(a) Imposing an access fee on a dealer or authorized integrator.
(b) Restricting a dealer or an authorized integrator from sharing protected dealer data or writing data or having access to a dealer data system. Examples of restrictions this paragraph does not permit include, but are not limited to:
(A) Limits on the scope or nature of protected dealer data to which a dealer or authorized integrator has access or may share or write to a dealer data system; and
(B) A requirement for a dealer or authorized integrator to provide sensitive or confidential business information or information that a dealer or authorized integrator uses for competitive purposes in return for access to protected dealer data or an authorization to share or write protected dealer data to a dealer data system.
(4) Except as otherwise provided in this section, any term or condition of a contract with a dealer management system provider that conflicts with the requirements set forth in subsection (3) of this section is void and unenforceable to the extent of the conflict.
(5)(a) An authorized integrator shall:
(A) Obtain express written authorization from a dealer before gaining access to, receiving, sharing, copying, using, writing or transmitting protected dealer data; and
(B) Comply with security standards in gaining access to, receiving, sharing, copying, using, writing or transmitting protected dealer data.
(b) A dealer may withdraw, revoke or amend any express written authorization the dealer provides under paragraph (a)(A) of this subsection:
(A) At the dealer’s sole discretion, if the dealer gives 30 days’ prior notice to an authorized integrator; or
(B) Immediately, for good cause.
(6)(a) This section does not prevent a dealer, a dealer management system provider or an authorized integrator from discharging the dealer’s, dealer management system provider’s or authorized integrator’s obligations under federal, state or local law to secure and prevent unauthorized access to protected dealer data, or from limiting the scope of the obligations, in accordance with federal, state or local law.
(b) A dealer management system provider is not liable for any action that a dealer takes directly with respect to securing or preventing unauthorized access to protected dealer data, or for actions that an authorized integrator takes in appropriately following the dealer’s written instructions for securing or preventing unauthorized access to protected dealer data, to the extent that the actions prevent the dealer management system provider from meeting a legal obligation to secure or prevent unauthorized access to protected dealer data.
(c) A dealer is not liable for any action that an authorized integrator takes directly with respect to securing or preventing unauthorized access to protected dealer data, or for actions that the authorized integrator takes in appropriately following the dealer’s written instructions for securing or preventing unauthorized access to protected dealer data, to the extent that the actions prevent the dealer from meeting a legal obligation to secure or prevent unauthorized access to protected dealer data.
(d) An authorized integrator is not liable for any action that a dealer takes directly with respect to securing or preventing unauthorized access to protected dealer data, or for actions that the dealer takes in appropriately following the authorized integrator’s written instructions for securing or preventing unauthorized access to protected dealer data, to the extent that the actions prevent the authorized integrator from meeting a legal obligation to secure or prevent unauthorized access to protected dealer data. [2019 c.500 § 2]