May 1 is a busy privacy day in Utah, with not only updates to the breach notification and social media platforms and minors laws going into effect, but also a new AI law, and one in the vehicle space. This last, the Utah Motor Vehicle Data Protection Act, has a narrow scope. It impacts “dealer data systems,” i.e., systems used by car dealerships to house consumer information.

Under the law, franchisors (car brands) can’t force franchisees (car dealers) into giving the brand access to the dealer’s data system. Further, brands can access the franchisee’s data system only with the franchisee’s prior express written consent. The law also includes provisions for contracts between the car dealer and service providers who process dealer data. It also imposes obligations on entities that provide dealer data systems. These include technical measures for transferring information and data protection obligations.

The law expressly states that it does not apply to “data outside of a dealer data system.” This would include information generated by the car itself, or devices people connect to their cars. It also does not give car dealerships the right to use consumer information in a way that is different either from agreements with the individual, or the reasons why the person gave the dealership the information. Finally, the drafters of the law specifically call out that the franchisee does not, through this law, get ownership of either diagnostic data or the right to share such data.

Putting it into Practice: Other states have dealer data systems laws, so regulating this space is not new to Utah. While the scope of the law is narrow, applying only to dealer data systems, it is part of a clear privacy trend in the Beehive State.