Client Alerts  - Data Privacy and Cybersecurity Nov 29, 2022

New York Digital Fair Repair Act Compliance Requirements

On June 3, 2022, New York State passed the Digital Fair Repair Act (DFRA), a law that requires original manufacturers of electronic equipment to make tools, parts and diagnostic and repair information available to owners of digital electronic equipment as well as independent repair providers. This is intended to diversify consumers’ abilities to have their electronic equipment repaired and not be limited to the manufacturer or its authorized repair providers.

Entities Subject to the DFRA

The DFRA requires original equipment manufacturers (OEMs) and their authorized repair providers to provide owners of covered electronic equipment and independent repair providers with certain resources. An OEM is defined as an individual or business that sells the digital electronic equipment it manufactures. An authorized repair provider is an individual or business that has an arrangement with an OEM to offer diagnosis, maintenance and repair services for the digital electronic equipment manufactured by the OEM. An OEM that offers diagnosis, maintenance and repair services for its own digital electronic equipment and who does not have an arrangement with an unaffiliated individual or business for the provision of these services is considered an authorized repair provider with respect to such equipment.

Owners of covered electronic equipment may not need to be physically present in the state to take advantage of the resource sharing contemplated by the DFRA. This is because the DFRA defines an owner as an individual or business that either purchases or uses covered equipment in New York State. The DFRA’s impact extends outside of the state in several ways. For instance, out-of-state purchasers may be incentivized to buy covered equipment in New York State, regardless of where it will be used, and consumers may choose New York State-based repair providers instead of out-of-state providers.

Covered Resources

Without requiring the disclosure of trade secrets, the DFRA obligates OEMs to provide owners of covered electronic equipment and independent repair providers with the documentation, parts and tools needed for diagnosis, maintenance or repair of covered electronic equipment. Notably, OEMs are not required to provide such material for modification (and not repair) of electronic equipment.

Such covered resources must be provided by OEMs directly or through authorized service providers on fair and reasonable terms, which means that any documents and tools must be provided at no charge, except in limited circumstances when reasonable actual costs may be imposed. Further, tools must be provided without requiring authorization or internet access for their use, and without imposing impediments to access or being provided in a manner that impairs the efficient and cost-effective performance of diagnosis, maintenance or repair. The necessary materials to access or reset any lock or security function must also be provided. Meanwhile, parts must be provided at favorable cost, taking into account the terms and incentives under which an OEM offers this material to an authorized repair provider.

Covered Devices

The DFRA encompasses digital electronic equipment, defined as any product with a value over $10, adjusted annually, that depends for its functioning, in whole or in part, on digital electronics embedded in or attached to it.

Although the DFRA covers a wide variety of electronics products, it does not apply to the following:

  • Motor vehicles
  • Home appliances
  • Medical devices
  • Off-road equipment
  • Farm equipment
  • Public safety communications equipment

Limitations on Liability

The law shields OEMs and authorized repair providers from liability arising from any damage or injury caused to any digital electronic equipment by an independent repair provider or the owner, that occurs during repair, diagnosis, maintenance or modification. This includes, but is not limited to, any indirect or consequential damages; any loss of data, privacy or profits; or any reduced functionality or inability to use the digital electronic equipment.

Penalties for Failure to Comply

The New York State Attorney General, who will enforce the law, may seek to enjoin violations and seek restitution of money or property obtained by such violation. Violation of the law could result in a maximum civil penalty of $500 for each violation.

Although the DFRA does not create a private right of action, consumers may seek recourse under consumer protection laws that do permit a private right of action for deceptive and unconscionable trade practices.

Data Privacy and Security Implications

Consumers may face data privacy and cybersecurity risks when they provide a device containing sensitive personal information, such as emails and passwords, pictures or financial records to a repair service provider that is not authorized or vetted by an established OEM, or not licensed by any state or other governing body. Similarly, remote diagnostic tools may provide access to the entire device. This includes software, data and other files, which may enable third parties to identify consumer-specific information such as how often the device is used, when it is used and IP addresses — all of which can be commingled with personally identifiable information.

Repair of equipment also carries the risk that embedded hardware security technology may be compromised, particularly if the repair is performed by those not sufficiently familiar with or trained in the technology or device at issue.

Compliance Guidance

The DFRA expands consumers’ abilities to have electronic equipment repaired, imposes obligations on OEMs, and impacts OEM agreements with exclusive repair service providers. OEMs and authorized repair providers should review the obligations imposed by the DFRA and develop a compliance strategy that may include identifying covered equipment, reviewing or amending contracts, establishing processes on what and how certain information may be disclosed to consumers and/or other repair service providers, and a communication strategy.

Additional Assistance

For further assistance, please contact any of the attorneys on our Data Security & Privacy Law Practice Team or the Phillips Lytle attorney with whom you have a relationship.
