BILL NUMBER: AB 2291 CHAPTERED 09/20/06 CHAPTER 353 FILED WITH SECRETARY OF STATE SEPTEMBER 20, 2006 APPROVED BY GOVERNOR SEPTEMBER 20, 2006 PASSED THE ASSEMBLY AUGUST 29, 2006 PASSED THE SENATE AUGUST 24, 2006 AMENDED IN SENATE AUGUST 14, 2006 AMENDED IN SENATE AUGUST 7, 2006 AMENDED IN ASSEMBLY MAY 31, 2006 AMENDED IN ASSEMBLY APRIL 17, 2006 INTRODUCED BY Assembly Member Evans FEBRUARY 22, 2006 An act to amend Section 11713.3 of, and to add Section 11713.25 to, the Vehicle Code, relating to vehicles. LEGISLATIVE COUNSEL'S DIGEST AB 2291, Evans Vehicles: dealer: data security. (1) Existing law prohibits any motor vehicle manufacturer, manufacturer branch, distributor, or distributor branch that is licensed under the Vehicle Code from engaging in certain conduct involving a dealer having a franchise for the sale of new vehicles or vehicle parts including prohibiting those manufacturers, branches, and distributors from competing with a dealer, as specified, or engaging in unfair discrimination in favor of any dealership owned or controlled by those entities. This bill would additionally prohibit a motor vehicle manufacturer, manufacturer branch, distributor, or distributor branch from accessing, modifying, or extracting information from a confidential dealer computer record, as specified, or using electronic, contractual, or using other means to prevent or interfere with the lawful efforts of a dealer to comply with specified data security and privacy laws, to ensure that the accessed data is within the scope of consent, or to monitor data accessed from the dealer's computer system. The bill would provide that these prohibitions do not limit a duty that a dealer may have to safeguard the security and privacy of records maintained by the dealer. Because a violation of these provisions would be a crime, the bill would impose a state-mandated local program. (2) Existing law regulates the handling of customer records and requires that a business take all reasonable steps to destroy a customer's records in its custody or control when they are no longer to be retained. Existing law requires a person or business that owns or licenses computerized data that includes personal information, as defined, to disclose any breach of the security of its system, as specified. This bill would prohibit a computer vendor from accessing, modifying, or extracting information from a confidential dealer computer record, as defined, or personally identifiable consumer data, as defined, from a dealer without 1st obtaining an express written consent from the dealer and without maintaining specified safeguards to protect the information. The bill would prohibit requiring a dealer, as a condition of doing or continuing to do business, to give express consent, except under specified circumstances. Since a violation of the Vehicle Code is a crime, by proscribing certain activities related to a confidential dealer computer record or personally identifiable consumer data, this bill would create a new crime, thereby imposing a state-mandated local program. (3) The California Constitution requires the state to reimburse local agencies and school districts for certain costs mandated by the state. Statutory provisions establish procedures for making that reimbursement. This bill would provide that no reimbursement is required by this act for a specified reason. THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS: SECTION 1. Section 11713.3 of the Vehicle Code is amended to read: 11713.3. It is unlawful and a violation of this code for any manufacturer, manufacturer branch, distributor, or distributor branch licensed under this code to do any of the following: (a) To refuse or fail to deliver in reasonable quantities and within a reasonable time after receipt of an order from a dealer having a franchise for the retail sale of any new vehicle sold or distributed by the manufacturer or distributor, any new vehicle or parts or accessories to new vehicles as are covered by the franchise, if the vehicle, parts, or accessories are publicly advertised as being available for delivery or actually being delivered. This subdivision is not violated, however, if the failure is caused by acts or causes beyond the control of the manufacturer, manufacturer branch, distributor, or distributor branch. (b) To prevent or require, or attempt to prevent or require, by contract or otherwise, any change in the capital structure of a dealership or the means by or through which the dealer finances the operation of the dealership, if the dealer at all times meets any reasonable capital standards agreed to by the dealer and the manufacturer or distributor, and if a change in capital structure does not cause a change in the principal management or have the effect of a sale of the franchise without the consent of the manufacturer or distributor. (c) To prevent or require, or attempt to prevent or require, a dealer to change the executive management of a dealership, other than the principal dealership operator or operators, if the franchise was granted to the dealer in reliance upon the personal qualifications of that person. (d) (1) Except as provided in subdivision (t), to prevent or require, or attempt to prevent or require, by contract or otherwise, any dealer, or any officer, partner, or stockholder of any dealership, the sale or transfer of any part of the interest of any of them to any other person. No dealer, officer, partner, or stockholder shall, however, have the right to sell, transfer, or assign the franchise, or any right thereunder, without the consent of the manufacturer or distributor except that the consent shall not be unreasonably withheld. (2) (A) For the transferring franchisee to fail, prior to the sale, transfer, or assignment of a franchisee or the sale, assignment, or transfer of all, or substantially all, of the assets of the franchised business or a controlling interest in the franchised business to another person, to notify the manufacturer or distributor of the franchisee's decision to sell, transfer, or assign the franchise. The notice shall be in writing and shall include all of the following: (i) The proposed transferee's name and address. (ii) A copy of all of the agreements relating to the sale, assignment, or transfer of the franchised business or its assets. (iii) The proposed transferee's application for approval to become the successor franchisee. The application shall include forms and related information generally utilized by the manufacturer or distributor in reviewing prospective franchisees, if those forms are readily made available to existing franchisees. As soon as practicable after receipt of the proposed transferee's application, the manufacturer or distributor shall notify the franchisee and the proposed transferee of any information needed to make the application complete. (B) For the manufacturer or distributor, to fail, on or before 60 days after the receipt of all of the information required pursuant to subparagraph (A), or as extended by a written agreement between the manufacturer or distributor and the franchisee, to notify the franchisee of the approval or the disapproval of the sale, transfer, or assignment of the franchise. The notice shall be in writing and shall be personally served or sent by certified mail, return receipt requested, or by guaranteed overnight delivery service that provides verification of delivery and shall be directed to the franchisee. Any proposed sale, assignment, or transfer shall be deemed approved, unless disapproved by the franchisor in the manner provided by this subdivision. If the proposed sale, assignment, or transfer is disapproved, the franchisor shall include in the notice of disapproval a statement setting forth the reasons for the disapproval. (3) In any action in which the manufacturer's or distributor's withholding of consent under this subdivision or subdivision (e) is an issue, whether the withholding of consent was unreasonable is a question of fact requiring consideration of all the existing circumstances. (e) To prevent, or attempt to prevent, a dealer from receiving fair and reasonable compensation for the value of the franchised business. There shall be no transfer or assignment of the dealer's franchise without the consent of the manufacturer or distributor, which consent shall not be unreasonably withheld or conditioned upon the release, assignment, novation, waiver, estoppel, or modification of any claim or defense by the dealer. (f) To obtain money, goods, services, or any other benefit from any other person with whom the dealer does business, on account of, or in relation to, the transaction between the dealer and that other person, other than for compensation for services rendered, unless the benefit is promptly accounted for, and transmitted to, the dealer. (g) To require a dealer to prospectively assent to a release, assignment, novation, waiver, or estoppel that would relieve any person from liability to be imposed by this article or to require any controversy between a dealer and a manufacturer, distributor, or representative, to be referred to any person other than the board, if the referral would be binding on the dealer. This subdivision does not, however, prohibit arbitration before an independent arbitrator. (h) To increase prices of motor vehicles that the dealer had ordered for private retail consumers prior to the dealer's receipt of the written official price increase notification. A sales contract signed by a private retail consumer is evidence of each such order. In the event of manufacturer price reductions, the amount of the reduction received by a dealer shall be passed on to the private retail consumer by the dealer if the retail price was negotiated on the basis of the previous higher price to the dealer. Price reductions apply to all vehicles in the dealer's inventory that were subject to the price reduction. Price differences applicable to new model or series motor vehicles at the time of the introduction of new models or series shall not be considered a price increase or price decrease. This subdivision does not apply to price changes caused by either of the following: (1) The addition to a motor vehicle of required or optional equipment pursuant to state or federal law. (2) Revaluation of the United States dollar in the case of a foreign-make vehicle. (i) To fail to pay to a dealer, within a reasonable time following receipt of a valid claim by a dealer thereof, any payment agreed to be made by the manufacturer or distributor to the dealer by reason of the fact that a new vehicle of a prior year model is in the dealer's inventory at the time of introduction of new model vehicles. (j) To deny the widow or heirs designated by a deceased owner of a dealership, the opportunity to participate in the ownership of the dealership or successor dealership under a valid franchise for a reasonable time after the death of the owner. (k) To offer any refunds or other types of inducements to any person for the purchase of new motor vehicles of a certain line-make to be sold to the state or any political subdivision thereof without making the same offer to all other dealers in the same line-make within the relevant market area. (l) To modify, replace, enter into, relocate, terminate or refuse to renew a franchise in violation of Article 4 (commencing with Section 3060) of Chapter 6 of Division 2. (m) To employ a person as a representative who has not been licensed pursuant to Article 3 (commencing with Section 11900) of Chapter 4 of Division 5. (n) To deny any dealer the right of free association with any other dealer for any lawful purpose. (o) (1) To compete with a dealer in the same line-make operating under an agreement or franchise from a manufacturer or distributor in the relevant market area. (2) A manufacturer, branch, or distributor or any entity that controls or is controlled by, a manufacturer, branch, or distributor, shall not, however, be deemed to be competing in the following limited circumstances: (A) Owning or operating a dealership for a temporary period, not to exceed one year. However, after a showing of good cause by a manufacturer, branch, or distributor that it needs additional time to operate a dealership in preparation for sale to a successor independent franchisee, the board may extend the time period. The board shall extend the time period until December 31, 2002, for any manufacturer that meets all of the following requirements: (i) The manufacturer has no more than 25 franchisees in the state and those franchisees collectively operate dealership facilities in at least 15 counties of the state. (ii) All of the dealership facilities operated by the manufacturer' s franchisees in the state trade exclusively in the manufacturer's line-make. (iii) No fewer than one-half of the manufacturer's franchisees in the state own and operate two or more dealership facilities in their assigned areas of responsibility. (iv) The manufacturer holds a temporary ownership interest in no more than two dealerships in the state that are located in the relevant market area of any other franchisee of the same line-make not owned, in whole or part, by the manufacturer. (B) Owning an interest in a dealer as part of a bona fide dealer development program that satisfies all of the following requirements: (i) The sole purpose of the program is to make franchises available to persons lacking capital, training, business experience, or other qualities ordinarily required of prospective franchisees and the dealer development candidate is an individual who is unable to acquire the franchise without assistance of the program. (ii) The dealer development candidate has made a significant investment subject to loss in the franchised business of the dealer. (iii) The program requires the dealer development candidate to manage the day-to-day operations and business affairs of the dealer and to acquire, within a reasonable time and on reasonable terms and conditions, beneficial ownership and control of a majority interest in the dealer and disassociation of any direct or indirect ownership or control by the manufacturer, branch, or distributor. (C) Owning a wholly owned subsidiary corporation of a distributor that sells motor vehicles at retail, if, for at least three years prior to January 1, 1973, the subsidiary corporation has been a wholly owned subsidiary of the distributor and engaged in the sale of vehicles at retail. (3) (A) Every manufacturer, branch, and distributor that owns or operates a dealership in the manner described in subparagraph (A) of paragraph (2) shall give written notice to the board, within 10 days, each time it commences or terminates operation of a dealership and each time it acquires or divests itself of an ownership interest. (B) Every manufacturer, branch, and distributor that owns an interest in a dealer in the manner described in subparagraph (B) of paragraph (2) shall give written notice to the board, annually, of the name and location of each dealer in which it has an ownership interest. (p) To unfairly discriminate among its franchisees with respect to warranty reimbursement or authority granted to its franchisees to make warranty adjustments with retail customers. (q) To sell vehicles to persons not licensed under this chapter for resale. (r) To fail to affix an identification number to any park trailer, as described in Section 18009.3 of the Health and Safety Code, that is manufactured on or after January 1, 1987, and that does not clearly identify the unit as a park trailer to the department. The configuration of the identification number shall be approved by the department. (s) To dishonor a warranty, rebate, or other incentive offered to the public or a dealer in connection with the retail sale of a new motor vehicle, based solely upon the fact that an autobroker arranged or negotiated the sale. This subdivision shall not prohibit the disallowance of that rebate or incentive if the purchaser or dealer is ineligible to receive the rebate or incentive pursuant to any other term or condition of a rebate or incentive program. (t) To exercise a right of first refusal or any other right requiring a franchisee or any owner thereof to sell, transfer, or assign to the franchisor, or to any nominee of the franchisor, all or any material part of the franchised business or of the assets thereof unless all of the following requirements are met: (1) The franchise authorizes the franchisor to exercise a right of first refusal to acquire the franchised business or assets thereof in the event of a proposed sale, transfer, or assignment. (2) The franchisor gives written notice of its exercise of the right of first refusal no later than 45 days after the franchisor receives all of the information required pursuant to subparagraph (A) of paragraph (2) of subdivision (d). (3) The sale, transfer, or assignment being proposed relates to not less than all or substantially all of the assets of the franchised business or to a controlling interest in the franchised business. (4) The proposed transferee is neither a family member of an owner of the franchised business, nor a managerial employee of the franchisee owning 15 percent or more of the franchised business, nor a corporation, partnership, or other legal entity owned by the existing owners of the franchised business. For purposes of this paragraph, a "family member" means the spouse of an owner of the franchised business, the child, grandchild, brother, sister, or parent of an owner, or a spouse of one of those family members. Nothing contained in this paragraph limits the rights of the franchisor to disapprove a proposed transferee as provided in subdivision (d). (5) Upon the franchisor's exercise of the right of first refusal, the consideration paid by the franchisor to the franchisee and owners of the franchised business shall equal or exceed all consideration that each of them were to have received under the terms of, or in connection with, the proposed sale, assignment, or transfer, and the franchisor shall comply with all the terms and conditions of the agreement or agreements to sell, transfer, or assign the franchised business. (6) The franchisor shall reimburse the proposed transferee for any expenses paid or incurred by the proposed transferee in evaluating, investigating, and negotiating the proposed transfer to the extent those expenses do not exceed the usual, customary, and reasonable fees charged for similar work done in the area in which the franchised business is located. These expenses include, but are not limited to, legal and accounting expenses, and expenses incurred for title reports and environmental or other investigations of any real property on which the franchisee's operations are conducted. The proposed transferee shall provide the franchisor a written itemization of those expenses, and a copy of all nonprivileged reports and studies for which expenses were incurred, if any, within 30 days of the proposed transferee's receipt of a written request from the franchisor for that accounting. The franchisor shall make payment within 30 days of exercising the right of first refusal. (u) (1) To unfairly discriminate in favor of any dealership owned or controlled, in whole or part, by a manufacturer or distributor or an entity that controls or is controlled by the manufacturer or distributor. Unfair discrimination includes, but is not limited to, the following: (A) The furnishing to any franchisee or dealer that is owned or controlled, in whole or part, by a manufacturer, branch, or distributor of any of the following: (i) Any vehicle that is not made available to each franchisee pursuant to a reasonable allocation formula that is applied uniformly, and any part or accessory that is not made available to all franchisees on an equal basis when there is no reasonable allocation formula that is applied uniformly. (ii) Any vehicle, part, or accessory that is not made available to each franchisee on comparable delivery terms, including the time of delivery after the placement of an order. Differences in delivery terms due to geographic distances or other factors beyond the control of the manufacturer, branch, or distributor shall not constitute unfair competition. (iii) Any information obtained from a franchisee by the manufacturer, branch, or distributor concerning the business affairs or operations of any franchisee in which the manufacturer, branch, or distributor does not have an ownership interest. The information includes, but is not limited to, information contained in financial statements and operating reports, the name, address, or other personal information or buying, leasing, or service behavior of any dealer customer, and any other information which, if provided to a franchisee or dealer owned or controlled by a manufacturer or distributor, would give that franchisee or dealer a competitive advantage. This clause does not apply if the information is provided pursuant to a subpoena or court order, or to aggregated information made available to all franchisees. (B) Referring a prospective purchaser or lessee to a dealer in which a manufacturer, branch, or distributor has an ownership interest, unless the prospective purchaser or lessee resides in the area of responsibility assigned to that dealer or the prospective purchaser or lessee requests to be referred to that dealer. (2) Nothing in this subdivision shall be interpreted to prohibit a franchisor from granting a franchise to prospective franchisees or assisting those franchisees during the course of the franchise relationship as part of a program or programs to make franchises available to persons lacking capital, training, business experience, or other qualifications ordinarily required of prospective franchisees. (v) (1) To access, modify, or extract information from a confidential dealer computer record, as defined in Section 11713.25, without obtaining the prior written consent of the dealer and without maintaining administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of the information. (2) Paragraph (1) does not limit a duty that a dealer may have to safeguard the security and privacy of records maintained by the dealer. (w) (1) To use electronic, contractual, or other means to prevent or interfere with any of the following: (A) The lawful efforts of a dealer to comply with federal and state data security and privacy laws. (B) The ability of a dealer to do either of the following: (i) Ensure that specific data accessed from the dealer's computer system is within the scope of consent specified in subdivision (v). (ii) Monitor specific data accessed from or written to the dealer' s computer system. (2) Paragraph (1) does not limit a duty that a dealer may have to safeguard the security and privacy of records maintained by the dealer. (x) As used in this section, "area of responsibility" is a geographic area specified in a franchise that is used by the franchisor for the purpose of evaluating the franchisee's performance of its sales and service obligations. SEC. 2. Section 11713.25 is added to the Vehicle Code, to read: 11713.25. (a) A computer vendor shall not do any of the following: (1) Access, modify, or extract information from a confidential dealer computer record or personally identifiable consumer data from a dealer without first obtaining express written consent from the dealer and without maintaining administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of the information. (2) (A) Except as provided in subparagraph (B), require a dealer as a condition of doing or continuing to do business, to give express consent to perform the activities specified in paragraph (1). (B) Express consent may be required as a condition of doing or continuing to do business if the consent is limited to permitting access to personally identifiable consumer data to the extent necessary to do any of the following: (i) To protect against, or prevent actual or potential fraud, unauthorized transactions, claims, or other liability, or to protect against breaches of confidentiality or security of consumer records. (ii) To comply with institutional risk control or to resolve consumer disputes or inquiries. (iii) To comply with federal, state, or local laws, rules, and other applicable legal requirements, including lawful requirements of a law enforcement or governmental agency. (iv) To comply with lawful requirements of a self-regulatory organization or as necessary to perform an investigation on a matter related to public safety. (v) To comply with a properly authorized civil, criminal, or regulatory investigation, or subpoena or summons by federal, state, or local authorities. (vi) To make other use of personally identifiable consumer data with the express written consent of the consumer that has not been revoked by the consumer. (3) Use electronic, contractual, or other means to prevent or interfere with the lawful efforts of a dealer to comply with federal and state data security and privacy laws and to maintain the security, integrity, and confidentiality of confidential dealer computer records, including, but not limited to, the ability of a dealer to monitor specific data accessed from or written to the dealer computer system. Waiver of this subdivision or purported consents authorizing the activities proscribed by the subdivision is void. (b) A dealer shall have the right to prospectively revoke an express consent by providing a 10-day written notice to the computer vendor to whom the consent was provided or on any shorter period of notice agreed to by the computer vendor and the dealer. An agreement that requires a dealer to waive its right to prospectively revoke an express consent is void. (c) For the purposes of this section, the following terms mean as follows: (1) "Confidential dealer computer record" means a computer record residing on the dealer's computer system that contains, in whole or in part, any personally identifiable consumer data, or the dealer's financial or other proprietary data. (2) "Computer vendor" means a person, other than a manufacturer, manufacturer branch, distributor, or distributor branch, who in the ordinary course of that person's business configured, sold, leased, licensed, maintained, or otherwise made available to a dealer, a dealer computer system. (3) "Dealer computer system" means a computer system or computerized application primarily designed for use by and sold to a motor vehicle dealer that, by ownership, lease, license, or otherwise, is used by and in the ordinary course of business of a dealer. (4) "Express consent" means the unrevoked written consent signed by a dealer that specifically describes the data that may be accessed, the means by which it may be accessed, the purpose for which it may be used, and the person or class of persons to whom it may be disclosed. (5) "Personally identifiable consumer data" means information that is any of the following: (A) Information of the type specified in subparagraph (A) of paragraph (6) of subdivision (e) of Section 1798.83 of the Civil Code. (B) Information that is nonpublic personal information as defined in Section 313.3(n)(1) of Title 16 of the Code of Federal Regulations. (C) Information that is nonpublic personal information as defined in subdivision (a) of Section 4052 of the Financial Code. (d) This section does not limit a duty that a dealer may have to safeguard the security and privacy of records maintained by the dealer. SEC. 3. No reimbursement is required by this act pursuant to Section 6 of Article XIII B of the California Constitution because the only costs that may be incurred by a local agency or school district will be incurred because this act creates a new crime or infraction, eliminates a crime or infraction, or changes the penalty for a crime or infraction, within the meaning of Section 17556 of the Government Code, or changes the definition of a crime within the meaning of Section 6 of Article XIII B of the California Constitution.