(a) A computer vendor shall not do any of the following:
(1) Access, modify, or extract information from a confidential dealer computer record or personally identifiable consumer data from a dealer without first obtaining express written consent from the dealer and without maintaining administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of the information.
(2) (A) Except as provided in subparagraph (B), require a dealer as a condition of doing or continuing to do business, to give express consent to perform the activities specified in paragraph (1).
(B) Express consent may be required as a condition of doing or continuing to do business if the consent is limited to permitting access to personally identifiable consumer data to the extent necessary to do any of the following:
(i) To protect against, or prevent actual or potential fraud, unauthorized transactions, claims, or other liability, or to protect against breaches of confidentiality or security of consumer records.
(ii) To comply with institutional risk control or to resolve consumer disputes or inquiries.
(iii) To comply with federal, state, or local laws, rules, and other applicable legal requirements, including lawful requirements of a law enforcement or governmental agency.
(iv) To comply with lawful requirements of a self-regulatory organization or as necessary to perform an investigation on a matter related to public safety.
(v) To comply with a properly authorized civil, criminal, or regulatory investigation, or subpoena or summons by federal, state, or local authorities.
(vi) To make other use of personally identifiable consumer data with the express written consent of the consumer that has not been revoked by the consumer.
(3) Use electronic, contractual, or other means to prevent or interfere with the lawful efforts of a dealer to comply with federal and state data security and privacy laws and to maintain the security, integrity, and confidentiality of confidential dealer computer records, including, but not limited to, the ability of a dealer to monitor specific data accessed from or written to the dealer computer system. Waiver of this subdivision or purported consents authorizing the activities proscribed by the subdivision is void.
(b) A dealer shall have the right to prospectively revoke an express consent by providing a 10-day written notice to the computer vendor to whom the consent was provided or on any shorter period of notice agreed to by the computer vendor and the dealer. An agreement that requires a dealer to waive its right to prospectively revoke an express consent is void.
(c) For the purposes of this section, the following terms mean as follows:
(1) “Confidential dealer computer record” means a computer record residing on the dealer’s computer system that contains, in whole or in part, any personally identifiable consumer data, or the dealer’s financial or other proprietary data.
(2) “Computer vendor” means a person, other than a manufacturer, manufacturer branch, distributor, or distributor branch, who in the ordinary course of that person’s business configured, sold, leased, licensed, maintained, or otherwise made available to a dealer, a dealer computer system.
(3) “Dealer computer system” means a computer system or computerized application primarily designed for use by and sold to a motor vehicle dealer that, by ownership, lease, license, or otherwise, is used by and in the ordinary course of business of a dealer.
(4) “Express consent” means the unrevoked written consent signed by a dealer that specifically describes the data that may be accessed, the means by which it may be accessed, the purpose for which it may be used, and the person or class of persons to whom it may be disclosed.
(5) “Personally identifiable consumer data” means information that is any of the following:
(A) Information of the type specified in subparagraph (A) of paragraph (6) of subdivision (e) of Section 1798.83 of the Civil Code.
(B) Information that is nonpublic personal information as defined in Section 313.3(n)(1) of Title 16 of the Code of Federal Regulations.
(C) Information that is nonpublic personal information as defined in subdivision (a) of Section 4052 of the Financial Code.
(d) This section does not limit a duty that a dealer may have to safeguard the security and privacy of records maintained by the dealer.
(Added by Stats. 2006, Ch. 353, Sec. 2. Effective January 1, 2007.)
Last modified: October 25, 2018