A. As used in this section:1. "Access fee" means a requirement to pay money for access to protected dealer data;2. "Authorized integrator" means a person who a dealer has a contractual relationship with or the dealer otherwise gives express written authorization to have access to protected dealer data stored on a dealer data system or to write protected dealer data to the dealer data system for the purpose of performing a specific function for the dealer;3. "Dealer data system" means software, hardware, or firmware that a dealer leases or rents from a dealer management system provider for the purpose of storing protected dealer data;4. "Dealer management system provider" means a person who, for compensation, maintains and provides access to a dealer data system in which a dealer stores protected dealer data;5. "Protected dealer data" means:a. consumer data that a dealer generated or that the consumer provided to the dealer that is not otherwise publicly available and the consumer has not otherwise provided consent or acknowledgment to share the information, andb. any other dealer data in connection with the dealer's daily business operations in which a dealer has rights in a dealer data system; and 6.Authorized integrator and dealer management system provider do not include: a. a manufacturer, distributor, importer, or any entity that is a subsidiary or affiliate of, or acts on behalf of, a manufacturer, distributor, or importer, orb. a governmental body or other person that is acting in accordance with federal, state, or local law, or a valid court order.B. A dealer management system provider may: 1. Condition access and ability of a dealer or authorized integrator to receive, share, copy, use, write, or transmit protected dealer data from or to a dealer data system on the dealer's or authorized integrator's compliance with security standards;2. Require an authorized integrator to have express written authorization from a dealer before allowing the authorized integrator to gain access to, receive, share, copy, use, or transmit protected dealer data; and3. Deny access to a dealer data system to a dealer if the dealer fails to pay an amount due to the dealer management system provider under a lease, contract, or other agreement concerning the dealer's access to or use of the dealer data system.C. Except as provided in subsection B of this section, a dealer management system provider shall not take any action that would limit or prohibit the ability of a dealer or an authorized integrator to receive, protect, store, copy, share, or use protected dealer data using means that include, but are not limited to: 1. Imposing an access fee on a dealer or authorized integrator; and 2. Restricting a dealer or an authorized integrator from sharing protected dealer data or writing data or having access to a dealer data system. Prohibited restrictions pursuant to this paragraph include, but are not limited to: a. limits on the scope or nature of protected dealer data to which a dealer or authorized integrator has access or may share or write to a dealer data system, andb. a requirement for a dealer or authorized integrator to provide sensitive or confidential business information or information that a dealer or authorized integrator uses for competitive purposes in return for access to protected dealer data or an authorization to share or write protected dealer data to a dealer data system.D. Except as otherwise provided in this section, any term or condition of a contract with a dealer management system provider that conflicts with the requirements set forth in subsection C of this section is void and unenforceable to the extent of the conflict.E. An authorized integrator shall:1. Obtain express written authorization from a dealer before gaining access to, receiving, sharing, copying, using, writing, or transmitting protected dealer data;2. Comply with security standards in gaining access to, receiving, sharing, copying, using, writing, or transmitting protected dealer data; and3. Allow a dealer to withdraw, revoke, or amend any express written authorization the dealer provides under paragraph 1 of this subsection: a. at the sole discretion of the dealer, if the dealer gives a thirty-day prior notice to an authorized integrator, orb. immediately, for good cause.F.1. This section does not prevent a dealer, a dealer management system provider, or an authorized integrator from discharging the obligations of a dealer, dealer management system provider, or of an authorized integrator under federal, state, or local law to secure and prevent unauthorized access to protected dealer data, or from limiting the scope of the obligations, in accordance with federal, state, or local law.2. A dealer management system provider is not liable for any action that a dealer takes directly with respect to securing or preventing unauthorized access to protected dealer data, or for actions that an authorized integrator takes in appropriately following the written instructions of the dealer for securing or preventing unauthorized access to protected dealer data, to the extent that the actions prevent the dealer management system provider from meeting a legal obligation to secure or prevent unauthorized access to protected dealer data.3. A dealer is not liable for any action that an authorized integrator takes directly with respect to securing or preventing unauthorized access to protected dealer data, or for actions that the authorized integrator takes in appropriately following the written instructions of the dealer for securing or preventing unauthorized access to protected dealer data, to the extent that the actions prevent the dealer from meeting a legal obligation to secure or prevent unauthorized access to protected dealer data.4. An authorized integrator is not liable for any action that a dealer takes directly with respect to securing or preventing unauthorized access to protected dealer data, or for actions that the dealer takes in appropriately following the written instructions of the authorized integrator for securing or preventing unauthorized access to protected dealer data, to the extent that the actions prevent the authorized integrator from meeting a legal obligation to secure or prevent unauthorized access to protected dealer data.5. A manufacturer, distributor, importer, or any entity that is a subsidiary or affiliate of, or acts on behalf of, a manufacturer, distributor, or importer is not liable for any action that a dealer, dealer management system provider, authorized integrator, or other third party, except for a third party who the manufacturer has provided the data to as provided for in paragraph 7 of this subsection, takes directly with respect to securing or preventing unauthorized access to protected dealer data or for actions that an authorized integrator, dealer management system provider, or other third party takes in appropriately following the written instructions of the dealer for securing or preventing unauthorized access to protected dealer data.6. Notwithstanding any other agreement, an authorized integrator shall indemnify and hold the new motor vehicle dealer harmless from any third-party claims asserted against or damages incurred by the new motor vehicle dealer to the extent caused by access to, use of, or disclosure of consumer data in violation of this section.7. Notwithstanding any other agreement, a manufacturer, distributor, importer, or any entity that is a subsidiary or affiliate of, or acts on behalf of, a manufacturer, distributor, or importer shall indemnify the dealer for any third-party claims asserted against or damages incurred by the dealer to the extent the claims or damages are caused by the access to and unlawful disclosure of protected dealer data resulting from a breach caused by the manufacturer or distributor or a third party to which the manufacturer or distributor has provided the protected dealer data in violation of this section, the written consent granted by the dealer, or other applicable state or federal law.Okla. Stat. tit. 47, § 564.3
Added by Laws 2023 , c. 29, s. 1, eff. 11/1/2023.