11713.25. (a) A computer vendor shall not do any of the following:
(1) Access, modify, or extract information from a confidential
dealer computer record or personally identifiable consumer data from
a dealer without first obtaining express written consent from the
dealer and without maintaining administrative, technical, and
physical safeguards to protect the security, confidentiality, and
integrity of the information.
(2) (A) Except as provided in subparagraph (B), require a dealer
as a condition of doing or continuing to do business, to give express
consent to perform the activities specified in paragraph (1).
(B) Express consent may be required as a condition of doing or
continuing to do business if the consent is limited to permitting
access to personally identifiable consumer data to the extent
necessary to do any of the following:
(i) To protect against, or prevent actual or potential fraud,
unauthorized transactions, claims, or other liability, or to protect
against breaches of confidentiality or security of consumer records.
(ii) To comply with institutional risk control or to resolve
consumer disputes or inquiries.
(iii) To comply with federal, state, or local laws, rules, and
other applicable legal requirements, including lawful requirements of
a law enforcement or governmental agency.
(iv) To comply with lawful requirements of a self-regulatory
organization or as necessary to perform an investigation on a matter
related to public safety.
(v) To comply with a properly authorized civil, criminal, or
regulatory investigation, or subpoena or summons by federal, state,
or local authorities.
(vi) To make other use of personally identifiable consumer data
with the express written consent of the consumer that has not been
revoked by the consumer.
(3) Use electronic, contractual, or other means to prevent or
interfere with the lawful efforts of a dealer to comply with federal
and state data security and privacy laws and to maintain the
security, integrity, and confidentiality of confidential dealer
computer records, including, but not limited to, the ability of a
dealer to monitor specific data accessed from or written to the
dealer computer system. Waiver of this subdivision or purported
consents authorizing the activities proscribed by the subdivision is
void.
(b) A dealer shall have the right to prospectively revoke an
express consent by providing a 10-day written notice to the computer
vendor to whom the consent was provided or on any shorter period of
notice agreed to by the computer vendor and the dealer. An agreement
that requires a dealer to waive its right to prospectively revoke an
express consent is void.
(c) For the purposes of this section, the following terms mean as
follows:
(1) "Confidential dealer computer record" means a computer record
residing on the dealer's computer system that contains, in whole or
in part, any personally identifiable consumer data, or the dealer's
financial or other proprietary data.
(2) "Computer vendor" means a person, other than a manufacturer,
manufacturer branch, distributor, or distributor branch, who in the
ordinary course of that person's business configured, sold, leased,
licensed, maintained, or otherwise made available to a dealer, a
dealer computer system.
(3) "Dealer computer system" means a computer system or
computerized application primarily designed for use by and sold to a
motor vehicle dealer that, by ownership, lease, license, or
otherwise, is used by and in the ordinary course of business of a
dealer.
(4) "Express consent" means the unrevoked written consent signed
by a dealer that specifically describes the data that may be
accessed, the means by which it may be accessed, the purpose for
which it may be used, and the person or class of persons to whom it
may be disclosed.
(5) "Personally identifiable consumer data" means information that
is any of the following:
(A) Information of the type specified in subparagraph (A) of
paragraph (6) of subdivision (e) of Section 1798.83 of the Civil
Code.
(B) Information that is nonpublic personal information as defined
in Section 313.3(n)(1) of Title 16 of the Code of Federal
Regulations.
(C) Information that is nonpublic personal information as defined
in subdivision (a) of Section 4052 of the Financial Code.
(d) This section does not limit a duty that a dealer may have to
safeguard the security and privacy of records maintained by the
dealer.