After succumbing to the skilled art of a car salesman, car buyers face the less exciting aspect of purchasing a new vehicle: paperwork. Dealerships collect all sorts of information about their customers, including social-security numbers, credit applications, and credit history. This highly-sensitive information is stored on a dealer management system (“DMS”) and is used in the day-to-day operations of a car dealership. Dealers often use separate software applications for other tasks and rely on those third-party applications being able to access the data stored in the dealer's DMS.

To strengthen privacy protections for collected consumer data, the Arizona legislature enacted the “Dealer Law,” which prohibits DMS providers from “‘tak[ing] any action by contract, technical means or otherwise to prohibit or limit a dealer's ability to protect, store, copy, share or use' data the dealer has stored in its DMS.” Essentially, DMS providers may not prohibit or restrict a dealer-authorized third-party from integrating into the dealer's data system if it complies with industry security standards. Additionally, the Dealer Law requires DMS providers to “[a]dopt and make available a standardized framework for the exchange, integration and sharing of data” with dealer-authorized integrators. This is most often done using an open application programming interface (“API”), which provides for standardized communications between computer systems.

Two DMS providers subject to the statute, CDK Global LLC and Reynolds and Reynolds Co. (“CDK”), sued the Attorney General of Arizona and sought a preliminary injunction against the Dealer Law's enforcement on the grounds that it is preempted by the Copyright Act and Computer Fraud and Abuse Act (“CFAA”), violates the Contracts Clause and Takings Clause, and is unconstitutionally vague. The district court concluded that CDK was unlikely to succeed on the merits of its claims, dismissed the CFAA and vagueness claims, and denied a preliminary injunction. CDK appealed to the Court of Appeals for the Ninth Circuit.

First, CDK sought review of the dismissed claims. The court recognized that after the district court dismissed the CFAA and vagueness claims, CDK filed an amended complaint omitting them. As the amended complaint was the “operative pleading” when the district court ruled on the preliminary injunction motion, the court found it would be inappropriate to assess them in reviewing the denial of the injunction.

The court then turned to its review of the district court's preliminary injunction denial for abuse of discretion and de novo review of the underlying legal conclusions.

The court first addressed CDK's claim that the Dealer Law conflicts with the Copyright Act because it “grants dealers and their authorized integrators the right to access [CDK's] systems and create unlicensed copies of (1) its DMS, (2) its APIs, and (3) its data compilations” thereby violating CDK's exclusive reproduction rights. The court noted that because CDK brought a facial challenge to the statute, it must show that there are no applications or circumstances under which the statute would be valid.

With respect to CDK's DMSs, the court explained that the reproduction right extends only to copies, or material objects in which a work is fixed in a tangible medium of expression. A work is “fixed” when its embodiment is sufficiently permanent to permit it to be reproduced or communicated for a period of more than transitory duration. The court determined that while “loading software into a computer's memory satisfies the embodiment requirement” and can result in copying that program, it does not always result in copying. Unable to present any evidence that the Dealer Law requires the embodiments of CDK's DMSs to persist for a period of more than transitory duration, CDK failed to carry the high burden necessary for the facial challenge.

CDK then argued that the Dealer Law requires it to create APIs whose specified command names will be copied by authorized integrators to communicate with the DMS. The court based its analysis on the Supreme Court's decision in Google LLC v. Oracle Am., Inc. Analogizing an authorized integrator's API request to Oracle's Java SE “method calls” code­—which simply tells the computer which task it should perform and does not result in verbatim copying of API source code—the court determined that CDK would not be able to show the use of its API by authorized integrators would necessarily infringe any copyright.

Finally, CDK argued the Dealer Law permits dealers and authorized integrators to copy and distribute its copyrighted data compilations. Recognizing that copyright protects expression, not facts, the court explained that the limited protection requires “unauthorized use of substantially the entire item” to find infringement. The court concluded that authorized integrators would not infringe any copyright by making copies of the raw data or even subsets of the data arranged by the provider in particular ways. Unable to establish that every possible application of the statute would conflict with the Copyright Act, CDK's preemption claim failed.

Next, the court addressed CDK's constitutional claims that the Dealer Law violates the Contracts Clause and Takings Clause.

A state law violates the Contract Clause if it “(1) ‘operate[s] as a substantial impairment of a contractual relationship,' and (2) is not ‘drawn in an appropriate and reasonable way to advance a significant and legitimate public purpose.'” The court found that the Dealer Law did not impair CDK's ability to perform contracts simply because it imposes access limitations and restricts access to third parties who comply with industry standards. Additionally, as CDK's own witnesses explained, DMSs store highly sensitive consumer information. Unsurprisingly, the court noted that the Arizona legislature has a legitimate interest in safeguarding the privacy of its citizens. Further, it achieves this objective by eliminating incentives for dealers to engage in unsecured data transfers and requiring DMS providers to give access only to those authorized integrators that comply with industry security standards.

Finally, CDK argued the Dealer Law violates the Takings Clause because the law “requires DMS providers to allow authorized integrators ‘to enter, use, and occupy their DMSs.'” The district court found that there was no physical invasion of DMS providers' systems and that CDK, in fact, voluntarily licenses its DMS to dealers. Finding the lack of physical invasion dispositive and that CDK “‘cannot assert a per se right to compensation based on [its] inability to exclude particular individuals'”, the court turned to assess CDK's argument that the statute constitutes a regulatory taking.

The district court found 1) the economic impact of the Dealer Law is minimal, 2) the Dealer Law does not impermissibly interfere with distinct investment-backed expectations, and 3) the character of the Dealer Law is “more akin to an ‘interference aris[ing] from some public program adjusting the benefits and burdens of economic life to promote the common good' than ‘a physical invasion by government.'” The court agreed with the district court and affirmed the ruling, leaving CDK's claims no better than roadkill.

The case is CDK Global LLC v. Brnovich, No. 20-16469 (9th Cir. Oct. 25, 2021).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.