Utah Code 13-73-203. Dealer data vendors — Authorized integrators — Requirements
Current as of: 2024 | Check for updates
|
Other versions
(1)
Terms Used In Utah Code 13-73-203
- Authorized integrator: means a third party with whom a franchisee enters into a contract to perform a specific function for a franchisee that allows the third party to access protected dealer data or to write data to a dealer data system, or both, to carry out the specified function. See Utah Code 13-73-101
- Dealer data system: means a software, hardware, or firmware system that is owned, leased, or licensed by a franchisee, that includes a system of web-based applications, computer software, or computer hardware, whether located at the franchisee's dealership or hosted remotely, and that stores or provides access to protected dealer data. See Utah Code 13-73-101
- Dealer data vendor: means a third party dealer management system provider, consumer relationship management system provider, or third party vendor providing similar services that store protected dealer data pursuant to a contract with the franchisee. See Utah Code 13-73-101
- Franchisee: means the same as that term is defined in Section
13-14-102 . See Utah Code 13-73-101 - Other generally accepted standards: means security standards that are at least as comprehensive as STAR standards. See Utah Code 13-73-101
- Protected dealer data: means :(14)(a)(i) consumer data that:(14)(a)(i)(A)(14)(a)(i)(A)(I) a consumer provides to a franchisee; or(14)(a)(i)(A)(II) a franchisee otherwise obtains; and(14)(a)(i)(B) is stored in the franchisee's dealer data system;(14)(a)(ii) other data that relates to a franchisee's daily business operations and is stored in the franchisee's dealer data system; and(14)(a)(iii) motor vehicle diagnostic data. See Utah Code 13-73-101
- STAR standards: means the current, applicable security standards published by the Standards for Technology in Automotive Retail. See Utah Code 13-73-101
- Vendor: means a person to whom a franchisee makes available protected dealer data for a business purpose, pursuant to a written contract with the franchisee, if the contract:
(19)(a) prohibits the vendor from:(19)(a)(i) selling or sharing the protected dealer data;(19)(a)(ii) retaining, using, or disclosing the protected dealer data for any purpose other than for the business purposes specified in the contract, including retaining, using, or disclosing the protected dealer data for a commercial purpose other than the business purposes specified in the contract, or as otherwise permitted under this title;(19)(a)(iii) retaining, using, or disclosing the protected dealer data outside of the direct business relationship between the vendor and the franchisee; and(19)(a)(iv) combining the protected dealer data that the vendor receives pursuant to a written contract with the franchisee with personal information that the vendor receives from or on behalf of another person or persons, or collects from the vendor's own interaction with the consumer;(19)(b) includes a certification made by the vendor that the vendor understands the restrictions in Subsection (19)(a)(i) and will comply with the restrictions; and(19)(c) permits, subject to agreement with the vendor, the franchisee to monitor the vendor's compliance with the contract through measures, including ongoing manual reviews, automated scans, regular assessments, audits, or other technical and operational testing at least once every 12 months. See Utah Code 13-73-101(1)(a) A dealer data vendor shall adopt and make available to a franchisee and authorized integrator in a standardized framework:(1)(a)(i) the exchange, integration, and sharing of data between a dealer data system and an authorized integrator; and(1)(a)(ii) the retrieval of data by an authorized integrator.(1)(b) The standardized framework described in Subsection (1)(a) shall comply with STAR standards or other generally accepted standards.(2)(2)(a) Except as provided in Subsection (2)(b), a dealer data vendor shall provide to an authorized integrator access to open application programming interfaces for the standardized framework described in Subsection (1) that meet the reasonable commercial or technical standard for secure data integration.(2)(b) If the open application interfaces described in Subsection (2)(a) do not meet the reasonable commercial or technical standard for secure data integration, a dealer data vendor may provide to an authorized integrator a similar open access integration method that:(2)(b)(i) provides the same or better access to an authorized integrator as an application programming interface; and(2)(b)(ii) uses the standardized framework described in Subsection (1).(3) A dealer data vendor and an authorized integrator:(3)(a) may access, use, store, or share protected dealer data or any other data from a dealer data system only to the extent allowed in the written agreement with the franchisee;(3)(b) shall, upon a franchisee’s request, provide the franchisee with a list of all persons:(3)(b)(i) with whom the dealer data vendor or authorized integrator is sharing, or has shared, protected dealer data; or(3)(b)(ii) to whom the dealer data vendor or authorized integrator has allowed or is allowing access to protected dealer data; and(3)(c) shall allow a franchisee to audit the dealer data vendor’s or authorized integrator’s access to and use of protected dealer data.(4) A franchisee may terminate an agreement between a dealer data vendor or authorized integrator and the franchisee relating to access to, sharing of, selling of, copying, using, or transmitting protected dealer data upon 90 days’ notice.(5)(5)(a) If a dealer data vendor or authorized integrator receives a franchisee’s notice described in Subsection (4), the dealer data vendor or authorized integrator shall ensure a secure transition of all protected dealer data to a successor dealer data vendor or successor authorized integrator.(5)(b) In fulfilling the dealer data vendor’s or authorized integrator’s duties under Subsection (5)(a), a dealer data vendor or authorized integrator shall:(5)(b)(i) provide access to or an electronic copy of all protected dealer data and all other data stored in the dealer data system in:(5)(b)(i)(A) a commercially reasonable time; and(5)(b)(i)(B) a format that the successor dealer data vendor or successor authorized integrator can access and use; and(5)(b)(ii) before the agreement terminates, delete or return to the franchisee all protected dealer data pursuant to the franchisee’s written directions.