20-305.7. Protecting dealership data and consent to access dealership information.

(a) Except as expressly authorized in this section, no manufacturer, factory branch, distributor, or distributor branch shall require a new motor vehicle dealer to provide its customer lists, customer information, consumer contact information, transaction data, or service files. Any requirement by a manufacturer, factory branch, distributor, or distributor branch that a new motor vehicle dealer provide its customer lists, customer information, consumer contact information, transaction data, or service files as a condition to the dealer's participation in any incentive program or contest for a customer or dealer to receive any incentive payments otherwise earned under an incentive program or contest, for the dealer to obtain consumer or customer leads, or for the dealer to receive any other benefits, rights, merchandise, or services for which the dealer would otherwise be entitled to obtain under the franchise or any other contract or agreement, or which shall customarily be provided to dealers, shall be voidable at the option of the dealer, unless all of the following conditions are satisfied: (i) the customer information requested relates solely to the specific program requirements or goals associated with such manufacturer's or distributor's own vehicle makes and does not require that the dealer provide general customer information or other information related to the dealer; (ii) such requirement is lawful and would also not require the dealer to allow any customer the right to opt out under the federal Gramm-Leach-Bliley Act, 15 U.S.C., Subchapter I, 1608, et seq.; and (iii) the dealer is not required to allow the manufacturer or distributor or any third party to have direct access to the dealer's computer system, but the dealer is instead permitted to provide the same dealer, consumer, or customer data or information specified by the manufacturer or distributor by timely obtaining and pushing or otherwise furnishing the required data in a widely accepted file format such as comma delimited in accordance with subsection (g1) of this section. Nothing contained in this section shall limit the ability of the manufacturer, factory branch, distributor, or distributor branch to require that the dealer provide, or use in accordance with the law, such customer information related solely to such manufacturer's or distributor's own vehicle makes to the extent necessary to do any of the following:

(1) Satisfy any safety or recall notice obligations.

(2) Complete the sale and delivery of a new motor vehicle to a customer.

(3) Validate and pay customer or dealer incentives.

(4) Submit to the manufacturer, factory branch, distributor, or distributor branch claims for any services supplied by the dealer for any claim for warranty parts or repairs.

At the request of a manufacturer or distributor or of a third party acting on behalf of a manufacturer or distributor, a dealer may only be required to provide customer information related solely to such manufacturer's or distributor's own vehicle makes for reasonable marketing purposes, market research, consumer surveys, market analysis, and dealership performance analysis, but the dealer is only required to provide such customer information to the extent lawfully permissible; to the extent the requested information relates solely to specific program requirements or goals associated with such manufacturer's or distributor's own vehicle makes and does not require the dealer to provide general customer information or other information related to the dealer; and to the extent the requested information can be provided without requiring that the dealer allow any customer the right to opt out under the federal Gramm-Leach-Bliley Act, 15 U.S.C., Subchapter I, 6801, et seq.

No manufacturer, factory branch, distributor, or distributor branch shall access or obtain dealer or customer data from or write dealer or customer data to a dealer management computer system utilized by a motor vehicle dealer located in this State, or require or coerce a motor vehicle dealer located in this State to utilize a particular dealer management computer system, unless the dealer management computer system allows the dealer to reasonably maintain the security, integrity, and confidentiality of the data maintained in the system. No manufacturer, factory branch, distributor, distributor branch, dealer management computer system vendor, or any third party acting on behalf of any manufacturer, factory branch, distributor, distributor branch, or dealer management computer system vendor shall prohibit a dealer from providing a means to regularly and continually monitor the specific data accessed from or written to the dealer's computer system and from complying with applicable State and federal laws and any rules or regulations promulgated thereunder. These provisions shall not be deemed to impose an obligation on a manufacturer, factory branch, distributor, distributor branch, dealer management computer system vendor, or any third party acting on behalf of any manufacturer, factory branch, distributor, distributor branch, or dealer management computer system vendor to provide such capability.

(b) No manufacturer, factory branch, distributor, distributor branch, dealer management computer system vendor, or any third party acting on behalf of any manufacturer, factory branch, distributor, distributor branch, or dealer management computer system vendor may access or utilize customer or prospect information maintained in a dealer management computer system utilized by a motor vehicle dealer located in this State for purposes of soliciting any such customer or prospect on behalf of, or directing such customer or prospect to, any other dealer. The limitations in this subsection do not apply to:

(1) A customer that requests a reference to another dealership;

(2) A customer that moves more than 60 miles away from the dealer whose data was accessed;

(3) Customer or prospect information that was provided to the dealer by the manufacturer, factory branch, distributor, or distributor branch; or

(4) Customer or prospect information obtained by the manufacturer, factory branch, distributor, or distributor branch where the dealer agrees to allow the manufacturer, factory branch, distributor, distributor branch, dealer management computer system vendor, or any third party acting on behalf of any manufacturer, factory branch, distributor, distributor branch, or dealer management computer system vendor the right to access and utilize the customer or prospect information maintained in the dealer's dealer management computer system for purposes of soliciting any customer or prospect of the dealer on behalf of, or directing such customer or prospect to, any other dealer in a separate, stand-alone written instrument dedicated solely to such authorization.

No manufacturer, factory branch, distributor, distributor branch, dealer management computer system vendor, or any third party acting on behalf of any manufacturer, factory branch, distributor, distributor branch, or dealer management computer system vendor, may provide access to customer or dealership information maintained in a dealer management computer system utilized by a motor vehicle dealer located in this State, without first obtaining the dealer's prior express written consent, revocable by the dealer upon five business days written notice, to provide such access. Prior to obtaining said consent and prior to entering into an initial contract or renewal of a contract with a dealer located in this State, the manufacturer, factory branch, distributor, distributor branch, dealer management computer system vendor, or any third party acting on behalf of, or through any manufacturer, factory branch, distributor, distributor branch, or dealer management computer system vendor shall provide to the dealer a written list of all specific third parties to whom any data obtained from the dealer has actually been provided within the 12-month period ending November 1 of the prior year. The list shall further describe the scope and specific fields of the data provided. In addition to the initial list, a dealer management computer system vendor or any third party acting on behalf of, or through a dealer management computer system vendor shall provide to the dealer an annual list of third parties to whom said data is actually being provided on November 1 of each year and to whom said data has actually been provided in the preceding 12 months and describe the scope and specific fields of the data provided. Such list shall be provided to the dealer by January 1 of each year. Any dealer management computer system vendor's contract that directly relates to the transfer or accessing of dealer or dealer customer information must conspicuously state, "NOTICE TO DEALER: THIS AGREEMENT RELATES TO THE TRANSFER AND ACCESSING OF CONFIDENTIAL INFORMATION AND CONSUMER RELATED DATA". Such consent does not change any such person's obligations to comply with the terms of this section and any additional State or federal laws (and any rules or regulations promulgated thereunder) applicable to them with respect to such access. In addition, no dealer management computer system vendor may refuse to provide a dealer management computer system to a motor vehicle dealer located in this State if the dealer refuses to provide any consent under this subsection.

(c) No dealer management computer system vendor, or third party acting on behalf of or through any dealer management computer system vendor, may access or obtain data from or write data to a dealer management computer system utilized by a motor vehicle dealer located in this State, unless the dealer management computer system allows the dealer to reasonably maintain the security, integrity, and confidentiality of the customer and dealership information maintained in the system. No dealer management computer system vendor, or third party acting on behalf of or through any dealer management computer system vendor, shall prohibit a dealer from providing a means to regularly and continually monitor the specific data accessed from or written to the dealer's computer system and from complying with applicable State and federal laws and any rules or regulations promulgated thereunder. These provisions shall not be deemed to impose an obligation on a manufacturer, factory branch, distributor, distributor branch, dealer management computer system vendor, or any third party acting on behalf of any manufacturer, factory branch, distributor, distributor branch, or dealer management computer system vendor to provide such capability.

(d) Any manufacturer, factory branch, distributor, distributor branch, dealer management computer system vendor, or any third party acting on behalf of or through any dealer management computer system vendor, having electronic access to customer or motor vehicle dealership data in a dealership management computer system utilized by a motor vehicle dealer located in this State shall provide notice to the dealer of any security breach of dealership or customer data obtained through such access, which at the time of the breach was in the possession or custody of the manufacturer, factory branch, distributor, distributor branch, dealer management computer system vendor, or third party. The disclosure notification shall be made without unreasonable delay by the manufacturer, factory branch, distributor, distributor branch, dealer management computer system vendor, or third party following discovery by the person, or notification to the person, of the breach. The disclosure notification shall describe measures reasonably necessary to determine the scope of the breach and corrective actions which may be taken in an effort to restore the integrity, security, and confidentiality of such data. Such measures and corrective actions shall be implemented as soon as practicable by all persons responsible for the breach.

(e) Nothing in this section shall preclude, prohibit, or deny the right of the manufacturer, factory branch, distributor, or distributor branch to receive customer or dealership information from a motor vehicle dealer located in this State for the purposes of complying with federal or State safety requirements or implementing steps related to manufacturer recalls at such times as necessary in order to comply with federal and State requirements or manufacturer recalls provided that receiving this information from the dealer does not impair, alter, or reduce the security, integrity, and confidentiality of the customer and dealership information collected or generated by the dealer.

(f) The following definitions apply to this section:

(1) "Dealer management computer system" - A computer hardware and software system that is owned or leased by the dealer, including a dealer's use of Web applications, software, or hardware, whether located at the dealership or provided at a remote location and that provides access to customer records and transactions by a motor vehicle dealer located in this State and that allows such motor vehicle dealer timely information in order to sell vehicles, parts or services through such motor vehicle dealership.

(2) "Dealer management computer system vendor" - A seller or reseller of dealer management computer systems, a person that sells computer software for use on dealer management computer systems, or a person who services or maintains dealer management computer systems, but only to the extent that each of the sellers, resellers, or other persons listed in this subdivision are engaged in such activities.

(3) "Security breach" - An incident of unauthorized access to and acquisition of records or data containing dealership or dealership customer information where unauthorized use of the dealership or dealership customer information has occurred or is reasonably likely to occur or that creates a material risk of harm to a dealership or a dealership's customer. Any incident of unauthorized access to and acquisition of records or data containing dealership or dealership customer information, or any incident of disclosure of dealership customer information to one or more third parties which shall not have been specifically authorized by the dealer or customer, shall constitute a security breach.

(g) The provisions of G.S. 20-308.1(d) shall not apply to an action brought under this section against a dealer management computer system vendor.

(g1) Notwithstanding any of the terms or provisions contained in this section or in any consent, authorization, release, novation, franchise, or other contract or agreement, whenever any manufacturer, factory branch, distributor, distributor branch, dealer management computer system vendor, or any third party acting on behalf of or through, or approved, referred, endorsed, authorized, certified, granted preferred status, or recommended by, any manufacturer, factory branch, distributor, distributor branch, or dealer management computer system vendor requires that a new motor vehicle dealer provide any dealer, consumer, or customer data or information through direct access to a dealer's computer system, the dealer is not required to provide, and may not be required to consent to provide in any written agreement, such direct access to its computer system. The dealer may instead provide the same dealer, consumer, or customer data or information specified by the requesting party by timely obtaining and pushing or otherwise furnishing the requested data to the requesting party in a widely accepted file format such as comma delimited; provided that, when a dealer would otherwise be required to provide direct access to its computer system under the terms of a consent, authorization, release, novation, franchise, or other contract or agreement, a dealer that elects to provide data or information through other means may be charged a reasonable initial set-up fee and a reasonable processing fee based on the actual incremental costs incurred by the party requesting the data for establishing and implementing the process for the dealer. Any term or provision contained in any consent, authorization, release, novation, franchise, or other contract or agreement which is inconsistent with any term or provision contained in this subsection shall be voidable at the option of the dealer.

(g2) Notwithstanding the terms or conditions of any consent, authorization, release, novation, franchise, or other contract or agreement, every manufacturer, factory branch, distributor, distributor branch, dealer management computer system vendor, or any third party acting on behalf of or through any manufacturer, factory branch, distributor, distributor branch, or dealer management computer system vendor, having electronic access to consumer or customer data or other information in a computer system utilized by a new motor vehicle dealer, or who has otherwise been provided consumer or customer data or information by the dealer, shall fully indemnify and hold harmless any dealer from whom it has acquired such consumer or customer data or other information from all damages, costs, and expenses incurred by such dealer. Such indemnification by the manufacturer, factory branch, distributor, distributor branch, dealer management computer system vendor, or third party acting on behalf of these entities includes, but is not limited to, judgments, settlements, fines, penalties, litigation costs, defense costs, court costs, costs related to the disclosure of security breaches, and attorneys' fees arising out of complaints, claims, civil or administrative actions, and, to the fullest extent allowable under the law, governmental investigations and prosecutions to the extent caused by a security breach or the access, storage, maintenance, use, sharing, disclosure, or retention of such dealer's consumer or customer data or other information, or maintenance or services provided to any computer system utilized by a new motor vehicle dealer.

(h) This section shall apply to contracts entered into on or after November 1, 2005. (2005-409, s. 4; 2007-513, s. 10; 2011-290, s. 11; 2013-302, s. 9.)