Ninth Circuit Affirms Denial Of Preliminary Injunction Against Arizona “Dealer Data Security Law”
11/03/2021

On October 25, 2021, a unanimous panel of the United States Court of Appeals for the Ninth Circuit affirmed a district court order denying database vendors’ (“Plaintiff-Appellants”) motion for a preliminary injunction against enforcement of Arizona’s 2019 “Dealer Data Security Law.” CDK Global LLC v. Brnovich, No. 20-16469 (9th Cir. 2021). The Arizona law restricts car dealership database vendors from engaging in certain practices believed to be anticompetitive and provides consumers with certain additional privacy rights over the information that is collected for such databases. The database vendors argued that the law was preempted by the federal Copyright Act and violated their federal constitutional rights.
Plaintiff-Appellants are licensors of popular dealer management systems (“DMS”), databases used by car dealerships to manage customer and company data. Historically, Plaintiff-Appellants permitted third-party software systems to pull data directly from the DMS databases for the dealership’s use. Plaintiff-Appellants, however, developed their own proprietary data integration system and prohibited third-party vendors from accessing DMS data through any means other than the integrated systems they offered. The Arizona legislature adopted the Dealer Data Security Law in response to the development of these proprietary systems, and it requires database vendors to permit third-party data integration using an “application programming interface” (“API”) or a similar industry standard system for intersystem communication.
Plaintiff-Appellants sued the Arizona Attorney General for a preliminary injunction against the enforcement of the Dealer Data Security Law and sought a declaration that it was preempted by the Copyright Act and violated the United States Constitution. The Arizona Automobile Dealers Association intervened in defense of the Dealer Data Security Law. The district court denied the motion for a preliminary injunction and dismissed certain claims.
On appeal, a Ninth Circuit panel sustained the district court’s denial of the preliminary injunction in full. It first considered Plaintiff-Appellants’ arguments that the Dealer Data Security Law was inconsistent with the Copyright Act. Plaintiff-Appellants had argued that creating an API would effectively require them to create a copy of their software on their network each time that third-party access was required. However, the panel noted that these copies never left the Plaintiff-Appellants’ servers, and so were never “alienated,” and may be too transient to receive any copyright protection at all. Further, the panel found that compliance with the Dealer Data Security Law did not necessarily require the creation of such software copies, meaning they could not serve as the basis for the Plaintiff-Appellants’ challenge to the law.
Plaintiff-Appellants also argued that the Dealer Data Security Law required them to develop an API and then permit third-party integrators to access and use it, which they claimed would alienate their property interest in the proprietary database software. The panel disagreed, however, reasoning that the law permitted the use of non-proprietary alternatives to APIs and questioning whether mere use of an API would be barred by the Copyright Act, citing recent precedent. Similarly, the panel rejected Plaintiff-Appellants’ argument that they were being deprived of a protected property interest in the compilation of customer data stored in the DMS. The panel reasoned that an “arrangement of facts” can enjoy some limited copyright protection, but only if that arrangement reflects a certain degree of creativity in its compilation. Because third parties generally only access DMS databases to pull a subset of stored customer data, the panel concluded that the customer data stored in the DMS databases were not organized in a sufficiently creative fashion to warrant copyright protection.
Finally, the panel rejected Plaintiff-Appellants’ constitutional claims. It found no breach of Plaintiff-Appellants’ rights under the Contracts Clause because the Dealer Data Security Law did not impose a sufficiently heavy burden on their contractual obligations and the state was reasonably pursuing its regulatory interest. Contrary to Plaintiff-Appellants’ argument, the panel found that the Takings Clause was not implicated, for two reasons: first, because the law only required the provision of data and not physical access; and second, because no regulatory taking occurred, as the economic cost was minimal and there was no interference with Plaintiff-Appellants’ investment-backed expectations.
The CDK Global decision is significant, as the compilation and protection of customer data become ever more valuable to businesses and important to the economy, in turn attracting more attention from competition regulators. In this instance, the Ninth Circuit found that neither the Copyright Act nor the federal Constitution barred state legislation aimed at promoting free access to data.