Automotive data and software company CDK Global LLC (CDK),  filed suit in 2019 against the Arizona Attorney General in the U.S. District Court for the District of Arizona seeking an injunction against a new law from taking effect.

The new law increased privacy protections for consumers whose data are collected by car dealers and prevents database providers (such as CDK) from limiting access to dealer data by dealer-authorized third parties. The law also requires providers to create a standardized framework to facilitate such access. This law is similar to the Massachusetts “right to repair” law that we wrote about last year.

The U.S. District Court denied CDK’s request for injunctive relief and this week the Ninth Circuit Court of Appeals affirmed that decision.

In its appeal, CDK argued that Arizona’s law was preempted by the Copyright Act, claiming that the law allows dealers the right to access CDK’s systems and create unlicensed copies of its dealer management system, application programming interfaces, and data compilations. However, the Ninth Circuit disagreed and said that it would be possible for CDK to comply with this law without having to create a new copy of its software for these third-party requests. The Court further reflected that, even if CDK had to create new copies, it had not established that such copies would infringe on its reproduction right.

CDK also argued that the law violates the U.S. Constitution’s contracts clause. However, again, the Ninth Circuit disagreed, holding that CDK did not show that the statute impairs its ability to perform its contracts. The Ninth Circuit also agreed with the district court’s finding that CDK could fulfill its data security obligations while still complying with the statute’s mandate. The Court held that there is “no basis to question the judgment of the Arizona Legislature that the statute promotes the common good through the advancement of consumer privacy and competition.”

Photo of Kathryn Rattigan Kathryn Rattigan

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy and Security Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and…

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy and Security Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security compliance. Kathryn helps clients review, revise and implement necessary policies and procedures under the Health Insurance Portability and Accountability Act (HIPAA). She also provides clients with the information needed to effectively and efficiently handle potential and confirmed data breaches while providing insight into federal regulations and requirements for notification and an assessment under state breach notification laws. Prior to joining the firm, Kathryn was an associate at Nixon Peabody. She earned her J.D., cum laude, from Roger Williams University School of Law and her B.A., magna cum laude, from Stonehill College. She is admitted to practice law in Massachusetts and Rhode Island. Read her full rc.com bio here.