§ 20‑305.7.  Protecting dealership data and consent to access dealership information.

(a) Except as expressly authorized in this section, no manufacturer, factory branch, distributor, or distributor branch shall require a new motor vehicle dealer to provide its customer lists, customer information, consumer contact information, transaction data, or service files. Any requirement by a manufacturer, factory branch, distributor, or distributor branch that a new motor vehicle dealer provide its customer lists, customer information, consumer contact information, transaction data, or service files to the manufacturer, factory branch, distributor, or distributor branch, or to any third party as a condition to the dealer's participation in any incentive program or contest, for a customer or dealer to receive any incentive payments otherwise earned under an incentive program or contest, for the dealer to obtain consumer or customer leads, or for the dealer to receive any other benefits, rights, merchandise, or services for which the dealer would otherwise be entitled to obtain under the franchise or any other contract or agreement, or which shall customarily be provided to dealers, shall be voidable at the option of the dealer, and the dealer shall automatically be entitled to all benefits earned under the applicable incentive program or contest or any other contract or agreement, unless all of the following conditions are satisfied: (i) the customer information requested relates solely to the specific program requirements or goals associated with such manufacturer's or distributor's own vehicle makes and does not require that the dealer provide general customer information or other information related to the dealer; (ii) such requirement is lawful and would also not require the dealer to allow any customer the right to opt out under the federal Gramm‑Leach‑Bliley Act, 15 U.S.C., Subchapter I, § 1608, et seq.; and (iii) the dealer is either permitted to restrict the data fields that may be accessed in the dealer's dealer management computer system, or the dealer is permitted to provide the same dealer, consumer, or customer data or information specified by the manufacturer or distributor by timely obtaining and pushing or otherwise furnishing the required data in a widely accepted file format such as comma delimited in accordance with subsection (g1) of this section. Nothing contained in this section shall limit the ability of the manufacturer, factory branch, distributor, or distributor branch to require that the dealer provide, or use in accordance with the law, such customer information related solely to such manufacturer's or distributor's own vehicle makes to the extent necessary to do any of the following:

(1) Satisfy any safety or recall notice obligations.

(2) Complete the sale and delivery of a new motor vehicle to a customer.

(3) Validate and pay customer or dealer incentives.

(4) Submit to the manufacturer, factory branch, distributor, or distributor branch claims for any services supplied by the dealer for any claim for warranty parts or repairs.

At the request of a manufacturer or distributor or of a third party acting on behalf of a manufacturer or distributor, a dealer may only be required to provide customer information related solely to such manufacturer's or distributor's own vehicle makes for reasonable marketing purposes, market research, consumer surveys, market analysis, and dealership performance analysis, but the dealer is only required to provide such customer information to the extent lawfully permissible; to the extent the requested information relates solely to specific program requirements or goals associated with such manufacturer's or distributor's own vehicle makes and does not require the dealer to provide general customer information or other information related to the dealer; and to the extent the requested information can be provided without requiring that the dealer allow any customer the right to opt out under the federal Gramm‑Leach‑Bliley Act, 15 U.S.C., Subchapter I, § 6801, et seq.

No manufacturer, factory branch, distributor, or distributor branch shall access or obtain dealer or customer data from or write dealer or customer data to a dealer management computer system utilized by a motor vehicle dealer located in this State, or require or coerce a motor vehicle dealer located in this State to utilize a particular dealer management computer system, unless the dealer management computer system allows the dealer to reasonably maintain the security, integrity, and confidentiality of the data maintained in the system. No manufacturer, factory branch, distributor, distributor branch, dealer management computer system vendor, or any third party acting on behalf of any manufacturer, factory branch, distributor, distributor branch, or dealer management computer system vendor shall prohibit a dealer from providing a means to regularly and continually monitor the specific data accessed from or written to the dealer's computer system and from complying with applicable State and federal laws and any rules or regulations promulgated thereunder. These provisions shall not be deemed to impose an obligation on a manufacturer, factory branch, distributor, distributor branch, dealer management computer system vendor, or any third party acting on behalf of any manufacturer, factory branch, distributor, distributor branch, or dealer management computer system vendor to provide such capability. Notwithstanding the terms or conditions of any incentive program or contest that is either required or voluntary on the part of the dealer, or the terms or conditions of any other contract or agreement, it shall be unlawful for any manufacturer, factory branch, distributor, or distributor branch to fail or refuse to provide dealer notice, in a standalone written document, at least 30 days prior to making any changes in any of the dealer or customer data the dealer is requested or required to share with a manufacturer, factory branch, distributor, or distributor branch, or any third party. The changes in any of the dealer or customer data the dealer is required or requested to provide shall be void unless the applicable manufacturer, factory branch, distributor, or distributor branch complies with the notice requirements contained in this paragraph.

(b) No manufacturer, factory branch, distributor, distributor branch, dealer management computer system vendor, or any third party acting on behalf of any manufacturer, factory branch, distributor, distributor branch, or dealer management computer system vendor may access or utilize customer or prospect information maintained in a dealer management computer system utilized by a motor vehicle dealer located in this State for purposes of soliciting any such customer or prospect on behalf of, or directing the customer or prospect to, any other dealer. The limitations in this subsection do not apply to any of the following:

(1) A customer that requests a reference to another dealership.

(2) A customer that moves more than 60 miles away from the dealer whose data was accessed.

(3) Customer or prospect information that was provided to the dealer by the manufacturer, factory branch, distributor, or distributor branch.

(4) Customer or prospect information obtained by the manufacturer, factory branch, distributor, or distributor branch where the dealer agrees to allow the manufacturer, factory branch, distributor, distributor branch, dealer management computer system vendor, or any third party acting on behalf of any manufacturer, factory branch, distributor, distributor branch, or dealer management computer system vendor the right to access and utilize the customer or prospect information maintained in the dealer's dealer management computer system for purposes of soliciting any customer or prospect of the dealer on behalf of, or directing the customer or prospect to, any other dealer in a separate, stand‑alone written instrument dedicated solely to the authorization.

No manufacturer, factory branch, distributor, distributor branch, dealer management computer system vendor, or any third party acting on behalf of any manufacturer, factory branch, distributor, distributor branch, or dealer management computer system vendor may provide access to customer or dealership information maintained in a dealer management computer system utilized by a motor vehicle dealer located in this State, without first obtaining the dealer's prior express written consent, revocable by the dealer upon five business days written notice, to provide the access. Prior to obtaining this consent and prior to entering into an initial contract or renewal of a contract with a dealer located in this State, the manufacturer, factory branch, distributor, distributor branch, dealer management computer system vendor, or any third party acting on behalf of, or through any manufacturer, factory branch, distributor, distributor branch, or dealer management computer system vendor shall provide to the dealer a written list of all specific third parties to whom any data obtained from the dealer has actually been provided within the 12‑month period ending November 1 of the prior year. The list shall further describe the scope and specific fields of the data provided. In addition to the initial list, a dealer management computer system vendor or any third party acting on behalf of or through a dealer management computer system vendor shall provide to the dealer an annual list of each and every third party to whom the data is actually being provided on November 1 of each year and each and every third party to whom the data was actually provided in the preceding 12 months and for each and every third party identified, the scope and specific fields of the data provided to the third party during the 12‑month period. This list shall be provided to the dealer by January 1 of each year. The lists required in this subsection of the third parties to whom any data obtained from the dealer has actually been provided shall be specific to each affected dealer. It is insufficient and unlawful for the provider of this information to furnish any dealer a list of third parties who could or may have received any of the affected dealer's data, as the information required to be provided in this subsection requires the provider of this information to state the identity and other specified information of each and every third party to whom the data was actually provided during the relevant period of time. Any dealer management computer system vendor's contract that directly relates to the transfer or accessing of dealer or dealer customer information must conspicuously state, "NOTICE TO DEALER: THIS AGREEMENT RELATES TO THE TRANSFER AND ACCESSING OF CONFIDENTIAL INFORMATION AND CONSUMER RELATED DATA". This consent does not change any such person's obligations to comply with the terms of this section and any additional State or federal laws (and any rules or regulations adopted under these laws) applicable to the person with respect to the access. In addition, no dealer management computer system vendor shall refuse to provide a dealer management computer system to a motor vehicle dealer located in this State if the dealer refuses to provide any consent under this subsection.

(b1) Notwithstanding the terms of any contract or agreement with a dealer management computer system vendor or third party, for purposes of this subsection, the dealer's data contained in or on a dealer management computer system owned, leased, or licensed by a dealer located in this State is the property of the dealer. For purposes of this section, the terms "dealer data" and "dealer's data" shall be defined as any information or other data that has been entered, by direct entry or otherwise, or stored on the dealer's dealer management computer system by an officer or employee of the dealer or third party contracted by the dealer, whether stored or hosted on‑site at a dealer location or on the cloud or at any other remote location, that contains data or other information about any of the following: (i) the dealer's sales, service, or parts customers or the dealer's customer transactions, (ii) customer leads generated by or provided to the dealer, (iii) the tracking, history, or performance of the dealer's internal processing of customer orders and work, (iv) customer deal files, (v) customer recommendations or complaints communicated by any means to the dealer, (vi) the tracking of dealer or customer incentive payments sought or received from any manufacturer or distributor, (vii) business plans, goals, objectives, or strategies created by any officer, employer, or contractee of the dealer; (viii) the dealer's internal bank, financial, or business records, (ix) email, voice, and other communications between or among the dealer's officers or employees, (x) email, voice, and other communications between the dealer's officers or employees and third parties, (xi) contracts and agreements with third parties and all records related to the performance of such contracts and agreements, (xii) employee performance, (xiii) dealer personnel records, and (xiv) dealer inventory data. The terms "dealer data" and "dealer's data" specifically exclude the proprietary software, intellectual property, data, or information of a dealer management computer system vendor, manufacturer, factory branch, distributor, or distributor branch, data specifically licensed from a third party by a dealer management computer system vendor, manufacturer, factory branch, distributor, or distributor branch, and data provided to a dealer by a manufacturer, factory branch, distributor, distributor branch, subsidiary, or affiliate.

Notwithstanding the terms of any contract or agreement, it shall be unlawful for any dealer management computer system vendor, or any third party having access to any dealer management computer system, to:

(1) Unreasonably interfere with a dealer's ability to protect, store, copy, share, or use any dealer data downloaded from a dealer management computer system utilized by a new motor vehicle dealer located in this State. Unlawful conduct prohibited by this section includes, but is not limited to:

a. Imposing any unreasonable fees or other restrictions on the dealer or any third party for access to or sharing of dealer data. For purposes of this section, the term "unreasonable fees" means charges for access to customer or dealer data beyond any direct costs incurred by any dealer management computer system vendor in providing access to the dealer's customer or dealer data to a third party that the dealer has authorized to access its dealer management computer system or allowing any third party that the dealer has authorized to access its dealer management computer system to write data to its dealer management computer system. Nothing contained in this subdivision shall be deemed to prohibit the charging of a fee, which includes the ability of the service provider to recoup development costs incurred to provide the services involved and to make a reasonable profit on the services provided. Any charges must be both (i) reasonable in amount and (ii) disclosed to the dealer in reasonably sufficient detail prior to the fees being charged to the dealer, or they will be deemed prohibited, unreasonable fees.

b. Imposing unreasonable restrictions on secure integration by any third party that the dealer has explicitly authorized to access its dealer management computer system for the purpose of accessing dealer data. Examples of unreasonable restrictions include, but are not limited to, any of the following:

1. Unreasonable restrictions on the scope or nature of the dealer's data shared with a third party authorized by the dealer to access the dealer's dealer management computer system.

2. Unreasonable restrictions on the ability of a third party authorized by the dealer to securely access the dealer's dealer management computer system to share dealer data or securely write dealer data to a dealer management computer system.

3. Requiring unreasonable access to sensitive, competitive, or other confidential business information of a third party as a condition for access dealer data.

4. It shall not be an unreasonable restriction to condition a third party's access to the dealer management computer system on that third party's compliance with reasonable security standards or operational protocols that the dealer management computer system vendor specifies.

c. Sharing dealer data with any third party, if sharing the data is not authorized by the dealer.

d. Prohibiting or unreasonably limiting a dealer's ability to store, copy, securely share, or use dealer data outside the dealer's dealer management computer system in any manner and for any reason once it has been downloaded from the dealer management computer system.

e. Permitting access to or accessing dealer data without first obtaining the dealer's express written consent in a standalone document or contractual provision that is conspicuous in appearance, contained in a separate page or screen from any other written material, and requires an independent mark or affirmation from a dealer principal, general manager, or other management level employee of the dealership expressly authorized in writing by the dealer principal or general manager.

f. Upon receipt of a written request from a dealer, failing or refusing to block specific data fields containing dealer data from being shared with one or more third parties. Where blocking hinders, blocks, diminishes, or otherwise interferes with the functionality of a third party's service or product or the dealer's ability to participate in an incentive or other program of a manufacturer, factory branch, distributor, or distributor branch, or other third party authorized by the dealer, the dealer management computer system vendor shall be held harmless from the dealer's decision to block specified data fields, so long as the dealer management computer system vendor was acting at the direction of the dealer.

(2) Access, use, store, or share any dealer data from a dealer management computer system in any manner other than as expressly permitted in its written agreement with the dealer.

(3) Fail to provide the dealer with the option and ability to securely obtain and push or otherwise distribute specified dealer data within the dealer's dealer management computer system to any third party instead of the third party receiving the dealer data directly from the dealer's dealer management computer system vendor or providing the third party direct access to the dealer's dealer management computer system. A dealer management computer system vendor shall be held harmless for any errors, breach, misuse, or any harms directly or indirectly caused by a dealer sharing data with any third party beyond the control of the dealer management computer system vendor. In the event a dealer sharing data with a third party outside of the control of the dealer computer management system vendor causes damage to the dealer management computer system or any third party, the party or parties that caused the damage shall be liable for the damage.

(4) Fail to provide the dealer, within seven days of receiving a dealer's written request, access to any SOC 2 audit conducted on behalf of the dealer management computer system vendor and related to the services licensed by the dealer.

(5) Fail to promptly provide a dealer, upon the dealer's written request, a written listing of all entities with whom it is currently sharing any data from the dealer's dealer management computer system and with whom it has, within the immediately 12 preceding months, shared any data from the dealer's dealer management computer system, the specific data fields shared with each entity identified, and the dates any data was shared, to the extent that information can reasonably be stored by the dealership management computer system vendor.

(6) Upon receipt of a dealer's written request to terminate any contract or agreement for the provision of hardware or software related to the dealer's dealer management computer system, to fail to promptly provide a copy of the dealer's data maintained on its dealership management computer system to the dealer in a secure, usable format.

Nothing in this section prevents the charging of a fee, which includes the ability of the dealer management computer system vendor to recoup costs incurred to provide the services involved and to make a reasonable profit on the services provided. Charges must be disclosed to and approved by the dealer prior to the time the dealer incurs the charges.

Nothing in this section prevents any dealer or third party from discharging its obligations as a service provider under federal, State, or local law to protect and secure protected dealer data.

Nothing in this section shall be deemed to prohibit a dealer management computer system vendor from conditioning a party's access to, or integration with, a dealer's dealer management computer system on that party's compliance with reasonable security standards or other operational protocols that the dealer's computer management system vendor specifies.

For purposes of this subsection, the term "third party" shall not be applicable to any manufacturer, factory branch, distributor, distributor branch, or subsidiary or affiliate thereof.

(b2) The rights conferred on dealers in this section are not waivable and may not be reduced or otherwise modified by any contract or agreement.

(c) No dealer management computer system vendor, or third party acting on behalf of or through any dealer management computer system vendor, may access or obtain data from or write data to a dealer management computer system utilized by a motor vehicle dealer located in this State, unless the dealer management computer system allows the dealer to reasonably maintain the security, integrity, and confidentiality of the customer and dealership information maintained in the system. No dealer management computer system vendor, or third party acting on behalf of or through any dealer management computer system vendor, shall prohibit a dealer from providing a means to regularly and continually monitor the specific data accessed from or written to the dealer's computer system and from complying with applicable State and federal laws and any rules or regulations adopted under these laws. This section does not impose an obligation on a manufacturer, factory branch, distributor, distributor branch, dealer management computer system vendor, or any third party acting on behalf of any manufacturer, factory branch, distributor, distributor branch, or dealer management computer system vendor to provide this capability.

(d) Any manufacturer, factory branch, distributor, distributor branch, dealer management computer system vendor, or any third party acting on behalf of or through any dealer management computer system vendor, having electronic access to customer or motor vehicle dealership data in a dealership management computer system utilized by a motor vehicle dealer located in this State shall provide notice to the dealer of any security breach of dealership or customer data obtained through the access, which at the time of the breach was in the possession or custody of the manufacturer, factory branch, distributor, distributor branch, dealer management computer system vendor, or third party. The disclosure notification shall be made without unreasonable delay by the manufacturer, factory branch, distributor, distributor branch, dealer management computer system vendor, or third party following discovery by the person, or notification to the person, of the breach. The disclosure notification shall describe measures reasonably necessary to determine the scope of the breach and corrective actions that may be taken in an effort to restore the integrity, security, and confidentiality of the data. These measures and corrective actions shall be implemented as soon as practicable by all persons responsible for the breach.

(e) Nothing in this section precludes, prohibits, or denies the right of the manufacturer, factory branch, distributor, or distributor branch to receive customer or dealership information from a motor vehicle dealer located in this State for the purposes of complying with federal or State safety requirements or implementing steps related to manufacturer recalls at such times as necessary in order to comply with federal and State requirements or manufacturer recalls so long as receiving this information from the dealer does not impair, alter, or reduce the security, integrity, and confidentiality of the customer and dealership information collected or generated by the dealer.

(f) The following definitions apply to this section:

(1) Dealer management computer system. – A computer hardware and software system that is owned or leased by the dealer, including a dealer's use of Web applications, software, or hardware, whether located at the dealership or provided at a remote location and that provides access to customer records and transactions by a motor vehicle dealer located in this State and that allows the motor vehicle dealer timely information in order to sell vehicles, parts, or services through the motor vehicle dealership.

(2) Dealer management computer system vendor. – A seller or reseller of dealer management computer systems, a person that sells computer software for use on dealer management computer systems, or a person that services or maintains dealer management computer systems, but only to the extent that each of the sellers, resellers, or other persons listed in this subdivision are engaged in these activities.

(3) Security breach. – An incident of unauthorized access to and acquisition of records or data containing dealership or dealership customer information where unauthorized use of the dealership or dealership customer information has occurred or is reasonably likely to occur or that creates a material risk of harm to a dealership or a dealership's customer. Any incident of unauthorized access to and acquisition of records or data containing dealership or dealership customer information or any incident of disclosure of dealership customer information to one or more third parties that has not been specifically authorized by the dealer or customer constitutes a security breach.

(g) G.S. 20‑308.1(d) does not apply to an action brought under this section against a dealer management computer system vendor.

(g1) Notwithstanding any of the terms or provisions contained in this section or in any consent, authorization, release, novation, franchise, or other contract or agreement, whenever any manufacturer, factory branch, distributor, distributor branch, dealer management computer system vendor, or any third party acting on behalf of or through, or approved, referred, endorsed, authorized, certified, granted preferred status, or recommended by, any manufacturer, factory branch, distributor, distributor branch, or dealer management computer system vendor requires that a new motor vehicle dealer provide any dealer, consumer, or customer data or information through direct access to a dealer's computer system, the dealer is not required to provide, and shall not be required to consent to provide in any written agreement, such direct access to its computer system. The dealer may instead provide the same dealer, consumer, or customer data or information specified by the requesting party by timely obtaining and pushing or otherwise furnishing the requested data to the requesting party in a widely accepted file format such as comma delimited. When a dealer would otherwise be required to provide direct access to its computer system under the terms of a consent, authorization, release, novation, franchise, or other contract or agreement, a dealer that elects to provide data or information through other means may be charged a reasonable initial set‑up fee and a reasonable processing fee based on the actual incremental costs incurred by the party requesting the data for establishing and implementing the process for the dealer. Any term or provision contained in any consent, authorization, release, novation, franchise, or other contract or agreement that is inconsistent with any term or provision contained in this subsection is voidable at the option of the dealer.

(g2) Notwithstanding the terms or conditions of any consent, authorization, release, novation, franchise, or other contract or agreement, every manufacturer, factory branch, distributor, distributor branch, dealer management computer system vendor, or any third party acting on behalf of or through any manufacturer, factory branch, distributor, distributor branch, or dealer management computer system vendor, having electronic access to consumer or customer data or other information in a computer system utilized by a new motor vehicle dealer, or who has otherwise been provided consumer or customer data or information by the dealer, shall fully indemnify and hold harmless any dealer from whom it has acquired the consumer or customer data or other information from all damages, costs, and expenses incurred by the dealer. This indemnification by the manufacturer, factory branch, distributor, distributor branch, dealer management computer system vendor, or third party acting on behalf of these entities includes, but is not limited to, judgments, settlements, fines, penalties, litigation costs, defense costs, court costs, costs related to the disclosure of security breaches, and attorneys' fees arising out of complaints, claims, civil or administrative actions, and, to the fullest extent allowable under the law, governmental investigations and prosecutions to the extent caused by a security breach; the access, storage, maintenance, use, sharing, disclosure, or retention of the dealer's consumer or customer data or other information; or maintenance or services provided to any computer system utilized by a new motor vehicle dealer.

(h) This section applies to contracts entered into on or after November 1, 2005.  (2005‑409, s. 4; 2007‑513, s. 10; 2011‑290, s. 11; 2013‑302, s. 9; 2018‑27, s. 3; 2019‑125, s. 7; 2019‑177, s. 4.2; 2020‑51, s. 2.)