2009 North Carolina Code
Chapter 20 - Motor Vehicles.
§ 20-305.7. Protecting dealership data and consent to access dealership information.

(a)        No manufacturer, factory branch, distributor, or distributor branch shall access or obtain dealer or customer data from or write dealer or customer data to a dealer management computer system utilized by a motor vehicle dealer located in this State, or require or coerce a motor vehicle dealer located in this State to utilize a particular dealer management computer system, unless the dealer management computer system allows the dealer to reasonably maintain the security, integrity, and confidentiality of the data maintained in the system. No manufacturer, factory branch, distributor, distributor branch, dealer management computer system vendor, or any third party acting on behalf of any manufacturer, factory branch, distributor, distributor branch, or dealer management computer system vendor shall prohibit a dealer from providing a means to regularly and continually monitor the specific data accessed from or written to the dealer's computer system and from complying with applicable State and federal laws and any rules or regulations promulgated thereunder. These provisions shall not be deemed to impose an obligation on a manufacturer, factory branch, distributor, distributor branch, dealer management computer system vendor, or any third party acting on behalf of any manufacturer, factory branch, distributor, distributor branch, or dealer management computer system vendor to provide such capability.

(b)        No manufacturer, factory branch, distributor, distributor branch, dealer management computer system vendor, or any third party acting on behalf of any manufacturer, factory branch, distributor, distributor branch, or dealer management computer system vendor may access or utilize customer or prospect information maintained in a dealer management computer system utilized by a motor vehicle dealer located in this State for purposes of soliciting any such customer or prospect on behalf of, or directing such customer or prospect to, any other dealer. The limitations in this subsection do not apply to:

(1)        A customer that requests a reference to another dealership;

(2)        A customer that moves more than 60 miles away from the dealer whose data was accessed;

(3)        Customer or prospect information that was provided to the dealer by the manufacturer, factory branch, distributor, or distributor branch; or

(4)        Customer or prospect information obtained by the manufacturer, factory branch, distributor, or distributor branch where the dealer agrees to allow the manufacturer, factory branch, distributor, distributor branch, dealer management computer system vendor, or any third party acting on behalf of any manufacturer, factory branch, distributor, distributor branch, or dealer management computer system vendor the right to access and utilize the customer or prospect information maintained in the dealer's dealer management computer system for purposes of soliciting any customer or prospect of the dealer on behalf of, or directing such customer or prospect to, any other dealer in a separate, stand‑alone written instrument dedicated solely to such authorization.

No manufacturer, factory branch, distributor, distributor branch, dealer management computer system vendor, or any third party acting on behalf of any manufacturer, factory branch, distributor, distributor branch, or dealer management computer system vendor, may provide access to customer or dealership information maintained in a dealer management computer system utilized by a motor vehicle dealer located in this State, without first obtaining the dealer's prior express written consent, revocable by the dealer upon five business days written notice, to provide such access. Prior to obtaining said consent and prior to entering into an initial contract or renewal of a contract with a dealer located in this State, the manufacturer, factory branch, distributor, distributor branch, dealer management computer system vendor, or any third party acting on behalf of, or through any manufacturer, factory branch, distributor, distributor branch, or dealer management computer system vendor shall provide to the dealer a written list of all third parties to whom any North Carolina dealer management computer system data has been provided within the 12‑month period ending November 1 of the prior year. The list shall further describe the scope of the data provided. In addition to the initial list, a dealer management computer system vendor or any third party acting on behalf of, or through a dealer management computer system vendor shall provide to the dealer an annual list of third parties to whom said data is being provided on November 1 of each year and to whom said data has been provided in the preceding 12 months and describe the scope of the data provided. Such list shall be provided to the dealer by January 1 of each year. 
Any dealer management computer system vendor's contract that directly relates to the transfer or accessing of dealer or dealer customer information must conspicuously state, "NOTICE TO DEALER: THIS AGREEMENT RELATES TO THE TRANSFER AND ACCESSING OF CONFIDENTIAL INFORMATION AND CONSUMER RELATED DATA". Such consent does not change any such person's obligations to comply with the terms of this section and any additional State or federal laws (and any rules or regulations promulgated thereunder) applicable to them with respect to such access. In addition, no dealer management computer system vendor may refuse to provide a dealer management computer system to a motor vehicle dealer located in this State if the dealer refuses to provide any consent under this subsection, except to the extent that consent is deemed by the parties to be reasonably necessary in order for the vendor to provide the system to the dealer.

(c)        No dealer management computer system vendor, or third party acting on behalf of or through any dealer management computer system vendor, may access or obtain data from or write data to a dealer management computer system utilized by a motor vehicle dealer located in this State, unless the dealer management computer system allows the dealer to reasonably maintain the security, integrity, and confidentiality of the customer and dealership information maintained in the system. No dealer management computer system vendor, or third party acting on behalf of or through any dealer management computer system vendor, shall prohibit a dealer from providing a means to regularly and continually monitor the specific data accessed from or written to the dealer's computer system and from complying with applicable State and federal laws and any rules or regulations promulgated thereunder. These provisions shall not be deemed to impose an obligation on a manufacturer, factory branch, distributor, distributor branch, dealer management computer system vendor, or any third party acting on behalf of any manufacturer, factory branch, distributor, distributor branch, or dealer management computer system vendor to provide such capability.

(d)        Any manufacturer, factory branch, distributor, distributor branch, dealer management computer system vendor, or any third party acting on behalf of or through any dealer management computer system vendor, having electronic access to customer or motor vehicle dealership data in a dealership management computer system utilized by a motor vehicle dealer located in this State shall provide notice to the dealer of any security breach of dealership or customer data obtained through such access, which at the time of the breach was in the possession or custody of the manufacturer, factory branch, distributor, distributor branch, dealer management computer system vendor, or third party. The disclosure notification shall be made without unreasonable delay by the manufacturer, factory branch, distributor, distributor branch, dealer management computer system vendor, or third party following discovery by the person, or notification to the person, of the breach. The disclosure notification shall describe measures reasonably necessary to determine the scope of the breach and corrective actions which may be taken in an effort to restore the integrity, security, and confidentiality of such data. Such measures and corrective actions shall be implemented as soon as practicable by all persons responsible for the breach.

(e)        Nothing in this section shall preclude, prohibit, or deny the right of the manufacturer, factory branch, distributor, or distributor branch to receive customer or dealership information from a motor vehicle dealer located in this State for the purposes of complying with federal or State safety requirements or implementing steps related to manufacturer recalls at such times as necessary in order to comply with federal and State requirements or manufacturer recalls provided that receiving this information from the dealer does not impair, alter, or reduce the security, integrity, and confidentiality of the customer and dealership information collected or generated by the dealer.

(f)         The following definitions apply to this section:

(1)        "Dealer management computer system" – A computer hardware and software system having dealer business process management modules that provide real time access to customer records and transactions by a motor vehicle dealer located in this State and that allow such motor vehicle dealer timely information in order to sell vehicles, parts or services through such motor vehicle dealership.

(2)        "Dealer management computer system vendor" – A seller or reseller of dealer management computer systems (but only to the extent that such person is engaged in such activities).

(3)        "Security breach" – An incident of unauthorized access to and acquisition of records or data containing dealership or dealership customer information where unauthorized use of the dealership or dealership customer information has occurred or is reasonably likely to occur or that creates a material risk of harm to a dealership or a dealership's customer. Any incident of unauthorized access to and acquisition of records or data containing dealership or dealership customer information shall constitute a security breach.

(g)        The provisions of G.S. 20‑308.1(d) shall not apply to an action brought under this section against a dealer management computer system vendor.

(h)        This section shall apply to contracts entered into on or after November 1, 2005. (2005‑409, s. 4; 2007‑513, s. 10.)
