Utah Code 13-73-202. Service provider contracts — Franchisors and third parties — Prohibitions

(1)

Ask a business law question, get an answer ASAP!
Thousands of highly rated, verified business lawyers.
Click here to chat with a lawyer about your rights.

Terms Used In Utah Code 13-73-202

Authorized integrator: means a third party with whom a franchisee enters into a contract to perform a specific function for a franchisee that allows the third party to access protected dealer data or to write data to a dealer data system, or both, to carry out the specified function. See Utah Code 13-73-101
Contract: A legal written agreement that becomes binding when signed.
Cyber ransom: means to encrypt, restrict, or prohibit, or to threaten or attempt to encrypt, restrict, or prohibit a franchisee's or a franchisee's authorized integrator's access to protected dealer data or other dealer data to obtain payment not agreed to by the franchisee or the franchisee's authorized integrator in a written contract for services or goods. See Utah Code 13-73-101
Damages: Money paid by defendants to successful plaintiffs in civil cases to compensate the plaintiffs for their injuries.
Dealer data system: means a software, hardware, or firmware system that is owned, leased, or licensed by a franchisee, that includes a system of web-based applications, computer software, or computer hardware, whether located at the franchisee's dealership or hosted remotely, and that stores or provides access to protected dealer data. See Utah Code 13-73-101
Fee: means payment for access to protected dealer data which is in addition to charges written in an executed contract for goods or services. See Utah Code 13-73-101
Franchisee: means the same as that term is defined in Section 13-14-102. See Utah Code 13-73-101
Franchisor: means the same as that term is defined in Section 13-14-102. See Utah Code 13-73-101
Indemnification: In general, a collateral contract or assurance under which one person agrees to secure another person against either anticipated financial losses or potential adverse legal consequences. ^{Source: FDIC}
Manufacturer: means a manufacturer of new motor vehicles. See Utah Code 13-73-101
Other generally accepted standards: means security standards that are at least as comprehensive as STAR standards. See Utah Code 13-73-101
Person: means :
     (24)(a) an individual;
     (24)(b) an association;
     (24)(c) an institution;
     (24)(d) a corporation;
     (24)(e) a company;
     (24)(f) a trust;
     (24)(g) a limited liability company;
     (24)(h) a partnership;
     (24)(i) a political subdivision;
     (24)(j) a government office, department, division, bureau, or other body of government; and
     (24)(k) any other organization or entity. See Utah Code 68-3-12.5
Prior express written consent: means a franchisee's express written consent to protected dealer data sharing that:
     (13)(a) is in a document separate from any other:
          (13)(a)(i) consent;
          (13)(a)(ii) contract;
          (13)(a)(iii) franchise agreement; or
          (13)(a)(iv) writing;
     (13)(b) identifies all parties with whom the protected dealer data may be shared; and
     (13)(c) contains:
          (13)(c)(i) all details that the franchisee requires relating to the scope and nature of the protected dealer data to be shared, including the data fields and the duration for which the sharing is authorized; and
          (13)(c)(ii) all provisions and restrictions that are required under federal law to allow sharing the protected dealer data. See Utah Code 13-73-101
Protected dealer data: means :
          (14)(a)(i) consumer data that:
               (14)(a)(i)(A)
                    (14)(a)(i)(A)(I) a consumer provides to a franchisee; or
                    (14)(a)(i)(A)(II) a franchisee otherwise obtains; and
               (14)(a)(i)(B) is stored in the franchisee's dealer data system;
          (14)(a)(ii) other data that relates to a franchisee's daily business operations and is stored in the franchisee's dealer data system; and
          (14)(a)(iii) motor vehicle diagnostic data. See Utah Code 13-73-101
Required manufacturer data: means data that:
          (15)(a)(i) a manufacturer is required to obtain under federal or state law;
          (15)(a)(ii) is required to complete or verify a transaction between the franchisee and the manufacturer;
          (15)(a)(iii) is motor vehicle diagnostic data; or
          (15)(a)(iv) is reasonably necessary for:
               (15)(a)(iv)(A) a safety notice, recall notice, manufacturer field action, or other legal notice obligation relating to the repair, service, and update of a motor vehicle;
               (15)(a)(iv)(B) the sale and delivery of a new motor vehicle or certified used motor vehicle to a consumer, including necessary data for the vehicle manufacturer to activate services purchased by the consumer;
               (15)(a)(iv)(C) the validation and payment of consumer or franchisee incentives;
               (15)(a)(iv)(D) claims for franchisee-supplied services relating to warranty parts or repairs;
               (15)(a)(iv)(E) the evaluation of franchisee performance, including the evaluation of the franchisee's monthly financial statements and sales or service, consumer satisfaction with the franchisee through direct consumer contact, or consumer surveys;
               (15)(a)(iv)(F) franchisee and market analytics;
               (15)(a)(iv)(G) the identification of the franchisee that sold or leased a specific motor vehicle and the date of the transaction;
               (15)(a)(iv)(H) marketing purposes designed for the benefit of franchisees, or to direct leads to the franchisee providing the dealer protected data to the franchisor;
               (15)(a)(iv)(I) the development, evaluation, or improvement of the manufacturer's products or services; or
               (15)(a)(iv)(J) the daily operational interactions of the franchisee with the manufacturer or other franchisees through applications hosted on the manufacturer's dealer electronic communications system. See Utah Code 13-73-101
Service provider: means a person that processes protected dealer data on behalf of a franchisee and that receives, from or on behalf of the franchisee, consumer protected dealer data for a business purpose pursuant to a written contract, if the contract prohibits the person from:
     (16)(a) selling or sharing the protected dealer data;
     (16)(b) retaining, using, or disclosing the protected dealer data for any purpose other than for the business purposes specified in the contract for the franchisee, including retaining, using, or disclosing the protected dealer data for a commercial purpose other than the business purposes specified in the contract with the franchisee, or as permitted under this title;
     (16)(c) retaining, using, or disclosing the protected dealer data outside of the direct business relationship between the service provider and the franchisee; or
     (16)(d) combining the protected dealer data that the service provider receives from, or on behalf of, the franchisee with personal information that the service provider receives from, or on behalf of, another person or persons, or collects from the service provider's own interaction with the consumer. See Utah Code 13-73-101
STAR standards: means the current, applicable security standards published by the Standards for Technology in Automotive Retail. See Utah Code 13-73-101
State: when applied to the different parts of the United States, includes a state, district, or territory of the United States. See Utah Code 68-3-12.5
Third party: includes :
          (18)(b)(i) a service provider;
          (18)(b)(ii) a vendor, including a dealer data vendor and authorized integrator;
          (18)(b)(iii) a manufacturer acting in the capacity of a vendor, service provider, or dealer data vendor; or
          (18)(b)(iv) an affiliate of a manufacturer described in Subsection (18)(b)(iii). See Utah Code 13-73-101
Unreasonable restriction: means :
     (20)(a) an unreasonable limitation or condition on the scope or nature of the data that is shared with an authorized integrator;
     (20)(b) an unreasonable limitation or condition on the ability of an authorized integrator to write data to a dealer data system;
     (20)(c) an unreasonable limitation or condition on a third party that accesses or shares protected dealer data or that writes data to a dealer data system;
     (20)(d) requiring unreasonable access to a franchisor's or a third party's sensitive, competitive, or other confidential business information as a condition for accessing protected dealer data or sharing protected dealer data with an authorized integrator;
     (20)(e) prohibiting or limiting a franchisee's ability to store, copy, securely share, or use protected dealer data outside of the dealer data system in any manner or for any reason; or
     (20)(f) allowing access to, or accessing protected dealer data without, the franchisee's prior express written consent. See Utah Code 13-73-101
Vendor: means a person to whom a franchisee makes available protected dealer data for a business purpose, pursuant to a written contract with the franchisee, if the contract:
     (19)(a) prohibits the vendor from:
          (19)(a)(i) selling or sharing the protected dealer data;
          (19)(a)(ii) retaining, using, or disclosing the protected dealer data for any purpose other than for the business purposes specified in the contract, including retaining, using, or disclosing the protected dealer data for a commercial purpose other than the business purposes specified in the contract, or as otherwise permitted under this title;
          (19)(a)(iii) retaining, using, or disclosing the protected dealer data outside of the direct business relationship between the vendor and the franchisee; and
          (19)(a)(iv) combining the protected dealer data that the vendor receives pursuant to a written contract with the franchisee with personal information that the vendor receives from or on behalf of another person or persons, or collects from the vendor's own interaction with the consumer;
     (19)(b) includes a certification made by the vendor that the vendor understands the restrictions in Subsection (19)(a)(i) and will comply with the restrictions; and
     (19)(c) permits, subject to agreement with the vendor, the franchisee to monitor the vendor's compliance with the contract through measures, including ongoing manual reviews, automated scans, regular assessments, audits, or other technical and operational testing at least once every 12 months. See Utah Code 13-73-101
Writing: includes :
     (48)(a) printing;
     (48)(b) handwriting; and
     (48)(c) information stored in an electronic or other medium if the information is retrievable in a perceivable format. See Utah Code 68-3-12.5

(1)(a) A service provider contract may permit the franchisee to monitor the service provider’s compliance with the contract through ongoing manual reviews, automated scans, regular assessments, audits, or other technical and operational testing, at least once every 12 months.

(1)(b) If a service provider or vendor engages another person to assist the service provider or vendor in processing protected dealer data for a business purpose on behalf of the franchisee, or if another person engaged by the service provider or vendor engages a person to assist in processing protected dealer data for that business purpose, the service provider or vendor shall notify the franchisee of that engagement, and the engagement shall be pursuant to a written contract binding the person to observe all the requirements described in Subsection 13-74-101(16).

(2) A franchisor or third party may not:

(2)(a) access, share, sell, copy, use, or transmit protected dealer data without prior express written consent;

(2)(b) engage in any act of cyber ransom; or

(2)(c) take action to prohibit or limit a franchisee’s ability to protect, store, copy, share, or use protected dealer data, including:

(2)(c)(i) imposing a fee for, or other restriction on, the franchisee or authorized integrator:

(2)(c)(i)(A) accessing or sharing protected dealer data;

(2)(c)(i)(B) writing data to a dealer data system; or

(2)(c)(i)(C) submitting or pushing data or information to the third party under Subsection 13-74-201(2);

(2)(c)(ii) unreasonably prohibiting a third party or an authorized integrator that satisfies STAR standards or other generally accepted standards from integrating into the franchisee’s dealer data system; or

(2)(c)(iii) placing an unreasonable restriction on integration by an authorized integrator or third party.

(3)

(3)(a) Notwithstanding Subsection (2)(c)(i)(A), a franchisor or a third party may charge a franchisee the franchisor’s or third party’s actual third party costs, including a reasonable profit margin for providing access to protected dealer data to a franchisee, authorized integrator, or other third party if the franchisor or third party:

(3)(a)(i) discloses the charge to the franchisee in writing; and

(3)(a)(ii) upon written request by the franchisee, provides to the franchisee documentation that the charges were agreed to in writing by the franchisee or provided for in the contract for services or goods.

(3)(b) If a third party fails to comply with Subsection (3)(a), a charge described in Subsection (3)(a) is a fee prohibited under Subsection (2)(c)(i).

(4)

(4)(a) A franchisee may unilaterally revoke or amend the prior express written consent described in Subsection (2)(a):

(4)(a)(i) with 60 days notice without cause; or

(4)(a)(ii) immediately for cause.

(4)(b)

(4)(b)(i) Except as provided in Subsection (4)(b)(ii), a franchisor may not seek or require prior express written consent as a condition of or factor for consideration or eligibility for a:

(4)(b)(i)(A) franchisor program;

(4)(b)(i)(B) standard or policy; or

(4)(b)(i)(C) benefit to a franchisee.

(4)(b)(ii) If a franchisor’s program reasonably requires delivery of information that is protected dealer data to qualify for the program and receive franchisor program benefits, a franchisee shall provide the information to participate in the franchisor program.

(5) This section does not:

(5)(a) limit a franchisee’s, franchisor’s, or third party’s obligations:

(5)(a)(i) as a service provider;

(5)(a)(ii) under federal, state, or local law, to protect and secure protected dealer data; or

(5)(a)(iii) regarding required manufacturer data; and

(5)(b) require a franchisor to pay a benefit to a franchisee if the franchisee refuses to provide data reasonably necessary to participate in the franchisor program.

(6) A franchisor or franchisor’s selected third party may not require a franchisee to pay a fee for sharing required manufacturer data if:

(6)(a) the franchisor requires a franchisee to provide required manufacturer data through a specific third party that the franchisor selects;

(6)(b) the franchisor does not allow the franchisee to submit the required manufacturer data using the franchisee’s choice of a third party vendor;

(6)(c) the franchisee’s data is in a format that is compatible with the format required by the franchisor; and

(6)(d) the third party vendor satisfies the STAR standards or other generally accepted standards.

(7) A franchisor may not access, sell, copy, use, transmit, or require a franchisee to share or provide access to protected dealer data, unless:

(7)(a) the protected dealer data is required manufacturer data; or

(7)(b) the franchisee provides prior express written consent.

(8) A franchisor may only use required manufacturer data that the franchisor obtains from a dealer data system for the purposes described in Subsection 13-74-101(14).

(9)

(9)(a) A franchisor, authorized integrator, or other third party shall indemnify a franchisee for any claims or damages if:

(9)(a)(i) the claims or damages directly result from a violation of this section by the party from whom the franchisee is seeking indemnification;

(9)(a)(ii) the claims or damages directly result from a violation of this section by:

(9)(a)(ii)(A) a vendor or contractor as an agent acting on behalf of the party from whom the franchisee is seeking indemnification; or

(9)(a)(ii)(B) a vendor or other service provider who the party from whom the franchisee is seeking indemnification required the franchisee to use; and

(9)(a)(iii) the claims or damages result from a violation of this section for:

(9)(a)(iii)(A) accessing or providing access to protected dealer data;

(9)(a)(iii)(B) using protected dealer data; or

(9)(a)(iii)(C) disclosing protected dealer data.

(9)(b) A franchisee bringing a cause of action against a franchisor, authorized integrator, or other third party for a violation of this section has the burden of proof.

(10) Notwithstanding Subsection (6), this chapter does not restrict or limit a franchisor’s right to:

(10)(a) access or obtain required manufacturer data;

(10)(b) use, share, copy, or transmit required manufacturer data for the purposes described in Subsection 13-74-101(15); or

(10)(c) use or control data that is:

(10)(c)(i) proprietary to the franchisor;

(10)(c)(ii) created by the franchisor;

(10)(c)(iii) obtained from a source other than the franchisee; or

(10)(c)(iv) public information.

Previous section

Next section

Part 2 Contents

LawServer

Utah Code 13-73-202. Service provider contracts — Franchisors and third parties — Prohibitions — Requirements

Terms Used In Utah Code 13-73-202