Arizona Dealer Data Security Act Survives Initial Challenge From DMS Providers

Does your business own its data? Could you move it if you had to?

That’s the intent behind a new law in Arizona, which seeks to provide auto dealerships with guaranteed controls over the data they enter into DMS (dealer management system) software throughout the course of their work. Enacted in March 2019, the Dealer Data Security Act (DDSA) went into effect over the summer, but not before the largest DMS providers sought to block the statute in federal court.

From Automotive News:

The Arizona law, signed by Republican Gov. Doug Ducey on April 9, essentially allows dealers to share data with any third party they identify as an authorized integrator and prohibits fees for such access. It is part of a broader fight by dealers in several states over control of the data in dealer management systems.

Currently, the DMS landscape is dominated by two leading providers, CDK Global and Reynolds & Reynolds, which together hold over two-thirds of the US market share in the category. When Earlybird has gone to integrate with these systems on behalf of our clients, we’ve seen first-hand how these providers can charge tens of thousands of dollars for dealership clients to easily access their own data, through a PostgreSQL database or other web endpoint.

To us, it’s disappointing to see providers in any industry restrict their customers in this way. Small businesses like Earlybird aren’t looking to supplant them; we provide niche services outside the scope of their offerings, and could even make their market positions “stickier” long-term. We wish they would recognize how making secure data access easier for their users and the other vendors they trust can be done profitably, and to the benefit of the companies they serve.

CDK and Reynolds argued in court that complying with the Dealer Data Security Act would expose their protected intellectual property, and make their platforms less secure. But, rightly, the court rejected those arguments. As Brandon Bigelow and Katherine Moskop at Seyfarth Shaw LLP explained back in August, the court found the law could be interpreted so as not to interfere with providers’ rights under the Copyright Act. The July decision also found that providers “failed to show a substantial impairment to their contract rights” under the Constitution’s Contracts Clause, because the Dealer Data Security Act doesn’t require that companies like Earlybird have direct access to DMS platforms, only to the data contained within them, by way of a “standardized framework,” like an application programming interface (API).

The DDSA is a state statute, applying only to Arizona, and Earlybird uses secure and legal ways to integrate with these systems, even outside of the new protections it provides. But whether you're a dealer group or another type of organization, it’s time to start thinking about how portable and transferable your company’s valuable internal data is. As some SaaS providers age and fall behind or capture markets, there are incentives for them to restrict and begin charging for data access that many users may presently take for granted.