(1) As used in this section, the term:
(a) “Consumer data” means “nonpublic personal information” as such term is defined in 15 U.S.C. s. 6809(4) collected by a motor vehicle dealer and which is provided by the motor vehicle dealer directly to a licensee or third party acting on behalf of a licensee. Consumer data does not include the same or similar data which is obtained by a licensee from any other source.
(b) “Data management system” means a computer hardware or software system that is owned, leased, or licensed by a motor vehicle dealer, including a system of web-based applications, computer software, or computer hardware, whether located at the motor vehicle dealership or hosted remotely, and that stores and provides access to consumer data collected or stored by a motor vehicle dealer. The term includes, but is not limited to, dealership management systems and customer relations management systems.
(2) Notwithstanding the provisions of any franchise agreement, with respect to consumer data a licensee or a third party acting on behalf of a licensee:
(a) Shall comply with all, and not knowingly cause a motor vehicle dealer to violate any, applicable restrictions on reuse or disclosure of the consumer data established by federal or state law and must provide a written statement to the motor vehicle dealer upon request describing the established procedures adopted by the licensee or third party acting on behalf of the licensee which meet or exceed any federal or state requirements to safeguard the consumer data, including, but not limited to, those established in the Gramm-Leach-Bliley Act, 15 U.S.C. ss. 6801 et seq.
(b) Shall, upon the written request of the motor vehicle dealer, provide a written list of the consumer data obtained from the motor vehicle dealer and all persons to whom any consumer data has been provided by the licensee or a third party acting on behalf of a licensee during the preceding 6 months. The dealer may make such a request no more than once every 6 months. The list must indicate the specific fields of consumer data which were provided to each person. Notwithstanding the foregoing, such a list need not include:
1. A person to whom consumer data was provided, or the specific consumer data provided to such person, if the person was, at the time the consumer data was provided, one of the licensee’s service providers, subcontractors or consultants acting in the course of such person’s performance of services on behalf of or for the benefit of the licensee or motor vehicle dealer, provided that the licensee has entered into an agreement with such person requiring that the person comply with the safeguard requirements of applicable state and federal law, including, but not limited to, those established in the Gramm-Leach-Bliley Act, 15 U.S.C. ss. 6801 et seq.; or
2. A person to whom consumer data was provided, or the specific consumer data provided to such person, if the motor vehicle dealer has previously consented in writing to such person receiving the consumer data provided and the motor vehicle dealer has not withdrawn such consent in writing.
(c) May not require that a motor vehicle dealer grant the licensee or a third party direct or indirect access to the dealer’s data management system to obtain consumer data. A licensee must permit a motor vehicle dealer to furnish consumer data in a widely accepted file format, such as comma delimited, and through a third-party vendor selected by the motor vehicle dealer. However, a licensee may access or obtain consumer data directly from a motor vehicle dealer’s data management system with the express consent of the dealer. The consent must be in the form of a written document that is separate from the parties’ franchise agreement, is executed by the motor vehicle dealer, and may be withdrawn by the dealer upon 30 days’ written notice to the licensee.
(d) Must indemnify the motor vehicle dealer for any third-party claims asserted against or damages incurred by the motor vehicle dealer to the extent caused by access to, use of, or disclosure of consumer data in violation of this section by the licensee, a third party acting on behalf of the licensee, or a third party to whom the licensee has provided consumer data.
(3) In any cause of action against a licensee pursuant to s. 320.697 for a violation of paragraph (2)(a), paragraph (2)(b), or paragraph (2)(c), the person bringing the action has the burden of proving that the violation was willful or with sufficient frequency to establish a pattern of wrongdoing with respect to such person’s consumer data.
History.—s. 2, ch. 2016-77; s. 3, ch. 2017-187.