Req. No. 776 Page 1 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
STATE OF OKLAHOMA
1st Session of the 60th Legislature (2025)
SENATE BILL 604 By: Gollihare
AS INTRODUCED
An Act relating to motor vehicle dealers; amending
Section 1, Chapter 29, O.S.L. 2023 (47 O.S. Supp.
2024, Section 564.3), which relat es to dealer
management system providers; clarifying parameters of
certain data security standards ; and providing an
effective date.
BE IT ENACTED BY THE PEOPLE OF THE STATE OF OKLAHOMA:
SECTION 1. AMENDATORY Section 1 , Chapter 29, O.S.L. 2023
(47 O.S. Supp. 2024, Section 564.3), is amended to r ead as follows:
Section 564.3. A. As used in this section:
1. “Access fee” means a requirement to pay money for access to
protected dealer data;
2. “Authorized integrator ” means a person who a dealer has a
contractual relationship with or the dealer otherwise gives express
written authorization to have access to protected dealer data stored
on a dealer data system or to write protected dealer data to the
dealer data system for the purpose of performing a specific function
for the dealer;
Req. No. 776 Page 2 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
3. “Dealer data system” means software, hardware, or firmware
that a dealer leases or rents from a dealer management system
provider for the purpose of storing protected dealer data;
4. “Dealer management system provider ” means a person who, for
compensation, maintains and provides access to a dealer data system
in which a dealer stores protected dealer data;
5. “Protected dealer data ” means:
a. consumer data that a dealer generated or that t he
consumer provided to the dealer that is not otherwise
publicly available an d the consumer has not otherwise
provided consent or acknowledgment to share the
information, and
b. any other dealer data in connection with the dealer ’s
daily business operatio ns in which a dealer has rights
in a dealer data system; and
6. Authorized integrator and dealer management system provider
do not include:
a. a manufacturer, distributor, importer, or any entity
that is a subsidiary or affiliate of, or acts on
behalf of, a manufacturer, distributor, or importer,
or
b. a governmental body or other person that is acting in
accordance with federal, state, or local law, or a
valid court order.
Req. No. 776 Page 3 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
B. A dealer management system provider may:
1. Condition access and ability of a dealer or authorized
integrator to receive, share, copy, use, write, or transmit
protected dealer data from or to a dealer data system on the
dealer’s or authorized integrator ’s compliance with commercially
reasonable data security standards;
2. Require an authorized integrator to have express written
authorization from a dealer be fore allowing the authorized
integrator to gain access to, receive, share, copy, use, or transmit
protected dealer data; and
3. Deny access to a dealer data system to a dealer i f the
dealer fails to pay an amount due to the dealer management system
provider under a lease, contract, or other agreement concerning the
dealer’s access to or use of the dealer data system.
C. Except as provided in subsection B of this section, a deale r
management system provider shall not take any action that would
limit or prohibit the ability of a dealer or an authorized
integrator to receive, protect, store, copy, share, or use protected
dealer data using means that include, but are not limited to:
1. Imposing an access fee on a dealer or authorized integrator;
and
2. Restricting a dealer or an authorized integrator from
sharing protected dealer data or writing data or having access to a
Req. No. 776 Page 4 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
dealer data system. Prohibited restrictions pursuant to this
paragraph include, but are not limited to:
a. limits on the scope or nature o f protected dealer data
to which a dealer or authorized integrator has access
or may share or write to a dealer data system, and
b. a requirement for a dealer or authorized integ rator to
provide sensitive or confidential business information
or information that a dealer or authorized integrator
uses for competitive purposes in return for access to
protected dealer data or an authorization to share or
write protected dealer data to a dealer data system.
D. Except as otherwise provided in this section, any t erm or
condition of a contract with a dealer management system provider
that conflicts with the requirements set forth in subsection C of
this section is void and unenforceable t o the extent of the
conflict.
E. An authorized integrator shall:
1. Obtain express written authorization from a dealer before
gaining access to, receiving, sharing, copying, using, writing, or
transmitting protected dealer data;
2. Comply with security standards in gaining access to,
receiving, sharing, copying, using, writing, o r transmitting
protected dealer data; and
Req. No. 776 Page 5 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
3. Allow a dealer to withdraw, revoke, or amend any express
written authorization the dealer provides under paragraph 1 of this
subsection:
a. at the sole discretion of the dealer, if the dealer
gives a thirty-day prior notice to an authorized
integrator, or
b. immediately, for good cause.
F. 1. This section does not prevent a dealer, a dealer
management system provider, or an authorize d integrator from
discharging the obligations of a dealer, dealer management s ystem
provider, or of an authorized integrator under federal, state, or
local law to secure and prevent unauthorized access to protected
dealer data, or from limiting the scope o f the obligations, in
accordance with federal, state, or local law.
2. A dealer management system provider is not liable for any
action that a dealer takes directly with respect to securing or
preventing unauthorized access to protected dealer data, or fo r
actions that an authorized integrator takes in appropriately
following the written instructions of the dealer for securing or
preventing unauthorized access to protected dealer data, to the
extent that the actions prevent the dealer management system
provider from meeting a legal obligation to secure or prevent
unauthorized access to protected dealer data.
Req. No. 776 Page 6 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
3. A dealer is not liable for any action that an authorized
integrator takes directly with respect to securing or preventing
unauthorized access to pr otected dealer data, or for actions that
the authorized integrator takes in ap propriately following the
written instructions of the dealer for securing or preventing
unauthorized access to protected dealer data, to the extent that the
actions prevent the d ealer from meeting a legal obligation to secure
or prevent unauthorized access to protected dealer data.
4. An authorized integrator is not liable for any action that a
dealer takes directly with respect to securing or preventing
unauthorized access to pr otected dealer data, or for actions that
the dealer takes in appropriately fol lowing the written instructions
of the authorized integrator for securing or preventing unauthorized
access to protected dealer data, to the extent that the actions
prevent the authorized integrator from meeting a legal obligation to
secure or prevent unauthorized access to protected dealer data.
5. A manufacturer, distributor, importer, or any entity that is
a subsidiary or affiliate of, or acts on behalf of, a manufacturer,
distributor, or importer is not liable for any action that a dealer,
dealer management system provider, authorized integrator, or other
third party, except for a third party who the manufacturer has
provided the data to as provided for in paragraph 7 of this
subsection, takes directly with respect to securing or preventing
unauthorized access to protected dealer data or for actions that an
Req. No. 776 Page 7 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
authorized integrator, dealer management system provider, or other
third party takes in appropriately following the writte n
instructions of the dealer for securing or preventing unauthorized
access to protected dealer data.
6. Notwithstanding any other agreement, an authorized
integrator shall indemnify and hold the new motor vehicle dealer
harmless from any third -party claims asserted against or damages
incurred by the new motor vehicle dealer to the extent caused by
access to, use of, or disclosure of consumer data in violation of
this section.
7. Notwithstanding any other agreement, a manufacturer,
distributor, importer, or any entity that is a subsidiary or
affiliate of, or acts on behalf of, a ma nufacturer, distributor, or
importer shall indemnify the dealer for any third -party claims
asserted against or damages incurred by the dealer to the extent the
claims or damages are caused by the access to and unlawful
disclosure of protected dealer data resulting from a breach caused
by the manufacturer or distributor or a third party to which the
manufacturer or distributor has provided the protected dealer data
in violation of this section, the written consent granted by the
dealer, or other applicable s tate or federal law.
SECTION 2. This act shall become effective November 1, 2025.
60-1-776 CAD 1/14/2025 10:46:21 AM