Michigan 2025-2026 Regular Session

Michigan Senate Bill SB0198 Latest Draft

Bill / Introduced Version Filed 03/20/2025

SENATE BILL NO. 198



A bill to regulate data collection by motor vehicle dealers, manufacturers, and third parties; to prescribe requirements for the collection, sharing, and use of protected dealer data; to regulate dealer data vendors and authorized integrators; and to prescribe civil sanctions.

The People of the State of Michigan enact:

Sec. 1. This act may be cited as the "motor vehicle dealer data collection act".

Sec. 3. As used in this act:

(a) "Authorized integrator" means a third party that a dealer enters into a contractual relationship with to perform a specific function for the dealer that allows the third party to access protected dealer data or to write data to a dealer data system, or both, to carry out the specified function.

(b) "Cyber ransom" means to encrypt, restrict, or prohibit or threaten or attempt to encrypt, restrict, or prohibit a dealer's or an authorized integrator's access to protected dealer data for monetary gain.

(c) "Dealer" means that term as defined in section 11 of the Michigan vehicle code, 1949 PA 300, MCL 257.11.

(d) "Dealer data system" means a software, hardware, or firmware system that is owned, leased, or licensed by a dealer and includes a system of web-based applications, computer software, or computer hardware, located at the motor vehicle dealership or a remote location, that stores or provides access to protected dealer data including, but not limited to, dealership management systems and consumer relations management systems.

(e) "Dealer data vendor" means a dealer management system provider, consumer relationship management system provider, or other vender providing similar services that permissibly stores protected dealer data under a contract with the dealer.

(f) "Fee" means a charge for access to protected dealer data beyond any direct costs incurred by the dealer data vendor in providing protected dealer data access to an authorized integrator or allowing an authorized integrator to write data to a dealer data system.

(g) "Motor vehicle" means that term as defined in section 33 of the Michigan vehicle code, 1949 PA 300, MCL 257.33. Motor vehicle does not include a bus, tractor, or farm equipment.

(h) "Person" means an individual or a partnership, corporation, limited liability company, association, or other legal entity.

(i) "Prior express written consent" means consent from a dealer contained in a document that is separate from any other consent, contract, franchise agreement, or other writing that contains all of the following:

(i) The dealer's express consent to the data sharing and identification of the parties with whom the data may be shared.

(ii) Any details required by the dealer relating to the scope and nature of the data to be shared, including the data fields and the duration for which the sharing is authorized.

(iii) All provisions and restrictions that are required under federal law to allow the sharing of the data.

(j) "Protected dealer data" means any of the following types of data:

(i) Personal, financial, or other data relating to a consumer that a consumer provides to a dealer or that a dealer otherwise obtains and that is stored in the dealer's dealer data system.

(ii) Motor vehicle diagnostic data that is stored in a dealer data system and used to fulfill a dealer's obligation to provide warranty, repair, or service work to consumers.

(iii) Other data regarding a dealer's business operations that is stored in the dealer data system.

(k) "Required manufacturer data" means data that is required to be obtained by the manufacturer under federal or state law or required to complete or verify a transaction between the dealer and the manufacturer. Required manufacturer data does not include consumer data on a consumer credit application or a dealer's notes about a consumer that are not related to a transaction.

(l) "Star standards" means the current applicable security standards published by the Standards for Technology in Automotive Retail.

(m) "Third party" means a service provider, vendor, dealer data vendor, authorized integrator, or any other person other than a dealer, a government entity acting under federal, state, or local law, an entity acting pursuant to a valid court order, or a manufacturer.

Sec. 5. (1) A manufacturer or a third party shall not require a dealer to grant the manufacturer, the third party, or any person acting on behalf of the manufacturer or third party, direct or indirect access to the dealer's dealer data system.

(2) A dealer may submit or push data or information to a manufacturer or third party through a widely acceptable electronic file format or protocol that complies with star standards or other generally accepted cybersecurity standards that are at least as comprehensive as star standards.

Sec. 7. (1) A third party shall not do any of the following:

(a) Access, share, sell, copy, use, or transmit protected dealer data without prior express written consent.

(b) Engage in an act of cyber ransom.

(c) Take an action by contract, technical means, or any other means to prohibit or limit a dealer's ability to protect, store, copy, share, or use protected dealer data, including, but not limited to, any of the following actions:

(i) Imposing a fee or other restriction on a dealer or an authorized integrator for accessing or sharing protected dealer data or for writing data to a dealer data system, including a fee on a dealer that submits or pushes data or information to a third party under section 5. A charge is considered a fee under this subparagraph unless a third party discloses the charge to the dealer and justifies the charge by documentation of the costs associated with access and, on written request by the dealer, provides the dealer with documentation that the charges were agreed to in writing by the dealer or provided for in the contract for service or goods.

(ii) Prohibiting a third party that is compliant with star standards or other generally accepted cybersecurity standards that are at least as comprehensive as star standards and that the dealer has identified as an authorized integrator from integrating into the dealer's dealer data system.

(iii) Placing an unreasonable restriction on integration by an authorized integrator or a third party that the dealer wishes to be an authorized integrator.

(d) Access or permit access to protected dealer data without prior express written consent.

(2) An unreasonable restriction under subsection (1)(c)(iii) includes all of the following:

(a) An unreasonable limitation or condition on the scope or nature of the protected dealer data that is shared with an authorized integrator.

(b) An unreasonable limitation or condition on the ability of the authorized integrator to write data to a dealer data system.

(c) An unreasonable limitation or condition on a third party that accesses or shares protected dealer data or that writes data to a dealer system.

(d) A requirement of unreasonable access to sensitive, competitive, or other confidential business information of a third party as a condition for access to protected dealer data or sharing protected dealer data with an authorized integrator.

Sec. 9. (1) Prior express written consent may be unilaterally revoked or amended by a dealer without cause with a 60-day notice or immediately for cause.

(2) Subject to this subsection, prior express written consent must not be a condition of or factor for consideration or eligibility for any manufacturer program, standard, or policy, including one that offers a bonus, incentive, rebate, or other payment or benefit to a dealer. If the bonus, incentive, rebate, or other payment program requires the delivery of information that is considered protected dealer data to qualify for the program and receive the program benefits, a dealer shall supply the information to participate in the program.

Sec. 11. (1) A manufacturer shall not access, share, sell, copy, use, transmit, or require a dealer to share or provide access to protected dealer data beyond the required manufacturer data without prior express written consent.

(2) A manufacturer may use required manufacturer data obtained from a dealer data system, as reasonably necessary, for any of the following purposes:

(a) To satisfy a safety, recall, or other legal notice obligation.

(b) To process and complete the sale and delivery of a new motor vehicle or a certified used motor vehicle to a consumer.

(c) To validate and pay consumer or dealer incentives.

(d) A claim for dealer supplied services relating to warranty parts or repairs.

(e) To evaluate a dealer's performance, including, but not limited to, a dealer's monthly financial statements, sales, service, or consumer satisfaction with the dealer through direct consumer contact or consumer surveys.

(f) Dealer and market analytics.

(g) To identify the dealer that sold or leased a specific motor vehicle and the date of the transaction.

(h) Marketing purposes designed for the benefit of or to direct leads to dealers.

(i) Motor vehicle diagnostic data.

(j) To develop, evaluate, or improve the manufacturer's products or services.

(3) A manufacturer shall not engage in an act of cyber ransom or take an action by contract, technical means, or any other means to prohibit or limit a dealer's ability to protect, store, copy, share, or use protected dealer data, including by an action described in section 7(1)(c)(ii).

(4) A manufacturer or a manufacturer's selected third party shall not require a dealer to pay a fee for sharing required manufacturer data if all of the following apply:

(a) The manufacturer requires the dealer to provide the required manufacturer data through a specific third party that the manufacturer selects.

(b) The required manufacturer data is in a format that is compatible with the file format required by the manufacturer.

(c) The third-party vendor satisfies or is in compliance with the star standards or other generally accepted cybersecurity standards that are at least as comprehensive as the star standards.

(5) Unless otherwise provided in this section or section 21, this act does not restrict or limit a manufacturer's right to obtain required manufacturer data, use required manufacturer data for the purposes under subsection (2), or use or control data that is proprietary to the manufacturer, created by the manufacturer, obtained from a source other than the dealer, or that is public information.

Sec. 13. A manufacturer shall indemnify a dealer for a third-party claim asserted against or damages incurred by the dealer to the extent caused by access to, use of, or disclosure of protected dealer data in violation of this act by the manufacturer or a third party acting on behalf of a manufacturer to whom the manufacturer has provided the protected dealer data.

Sec. 15. (1) A dealer data vendor shall adopt and make available a standardized framework for both of the following:

(a) The exchange, integration, and sharing of protected dealer data from a dealer data system with an authorized integrator.

(b) The retrieval of protected dealer data by an authorized integrator using star standards or a standard that is compatible with star standards.

(2) A dealer data vendor shall provide access to open application programming interfaces to an authorized integrator.

(3) If the application program interfaces under subsection (2) are not the reasonable commercial or technical standard for secure data integration, the dealer data vendor may provide a similar open access integration method if that method provides the same or better access as an application programming interface and that method uses the required standardized framework.

Sec. 17. (1) A dealer data vendor or an authorized integrator may access, use, store, or share protected dealer data or any other data from a dealer data system only to the extent allowed in a written agreement between the dealer data vendor or authorized integrator and the dealer.

(2) An agreement regarding access to, sharing or selling of, copying, using, or transmitting protected dealer data must be terminable not more than 90 days after a dealer data vendor or authorized integrator receives notice from the dealer.

(3) On notice of the dealer's intent to terminate the agreement under subsection (2), a dealer data vendor or an authorized integrator shall ensure a secure transition of all protected dealer data to a successor dealer data vendor or authorized integrator by doing both of the following:

(a) Providing access to, or an electronic copy of, all protected dealer data and all other data stored in the dealer data system in a commercially reasonable time and format that a successor dealer data vendor or authorized integrator can access and use.

(b) Deleting or returning all protected dealer data to the dealer before the termination of the agreement in accordance with any written directions of the dealer.

(4) On request by a dealer, a dealer data vendor or an authorized integrator must provide the dealer with a list of any entity the dealer data vendor or authorized integrator is sharing protected dealer data with or any entity to whom the dealer data vendor or authorized integrator has allowed access to protected dealer data.

(5) A dealer data vendor or an authorized integrator shall allow a dealer to audit the dealer data vendor's or authorized integrator's access to and use of any protected dealer data.

Sec. 19. A person that violates this act is subject to a civil fine of not more than $5,000.00 for each violation.

Sec. 21. This act does not do any of the following:

(a) Govern, restrict, or apply to data that exists outside of a dealer data system, including data that is generated by a motor vehicle or by a device that a consumer connects to a motor vehicle.

(b) Authorize a dealer or a third party to use data that is obtained from a person in a manner inconsistent with an agreement with that person or with the purposes for which that person provided the data to the dealer or third party.

(c) Prevent a dealer, manufacturer, or third party from discharging the obligations of the dealer, manufacturer, or third party as a service provider under federal or state law to protect and secure protected dealer data or to otherwise limit those responsibilities.