Hospitality & Retail -


Are mandatory arbitration provisions recognized in your state? If so, are there any limitations to its enforcement?

Yes, with certain exceptions. The general rule is that an arbitration agreement is binding on parties to the agreement.[i]   Generally, nonsignatory parties are not bound, unless dictated by the ordinary principles of contract and agency.[ii] For example, a third party which received benefits under the contract containing an arbitration agreement may be estopped from contesting arbitration.[iii]

Exceptions to the general rule exist, for example, where “a ground exists at law or in equity for the revocation of a contract.” Legal or equitable grounds for revoking any contract include allegations that the contract is void for lack of mutual consent, consideration or capacity, or voidable for fraud, duress, lack of capacity, mistake or violation of a public purpose.[iv] A matter in dispute may also avoid arbitration on a determination that the matter in dispute was outside the scope of the contract.

What is your state’s law, if any, regarding gift cards, subscription services and loyalty programs?

Gift Cards:

Arizona’s only law concerning gift cards, A.R.S. § 44-7402, prescribes:

(1) that a gift card may not be subject to a fee over and above the amount of the gift purchased, and

(2) that there can be no expiration date on the redemption of the gift. A gift card or a code or device associated with a gift card may contain an expiration date with respect to the gift card or the code or device, but not with respect to the underlying monies, if the gift card contains a clear and conspicuous disclosure that the underlying monies do not expire and that the consumer may contact the issuer for a replacement gift card or a replacement code or device associated with the gift card. If the gift card is an electronic gift card, the disclosure shall be in the message to the consumer that contains the card number or code.[v]

However, the statute does not apply to:

  • A gift card that is distributed to a consumer pursuant to a rewards, loyalty or promotional program when no money or other property with value has been given by the consumer in exchange for the gift card.
  • A gift card that is sold below face value to a nonprofit or charitable organization or that is donated to a nonprofit or charitable organization for fund raising purposes.
  • A card for prepaid telecommunication services, an electronic funds transfer card, or a bank-issued debit or general purpose reloadable prepaid card not marketed or labeled as a gift card or gift certificate.
Subscription Services:

The only law in Arizona relative to the sale of subscription services, A.R.S. § 13-3710, relates to penalties for unlawful misappropriation of subscription television services. Civil remedies may be pursued in the form of injunctive relief and/or damages, and attorney’s fees are recoverable.[vi]

Loyalty Pr3ograms:

Arizona has no dedicated law as to loyalty programs.

What is your state’s law, if any, regarding safeguarding consumer credit card or other private data (i.e., cyber security)?

Arizona does not require a business to implement security or privacy policies to safeguard consumer data. However, Arizona’s Data-Breach Notification Law imposes requirements on any “person” who conducts business in Arizona and owns, maintains, or licenses unencrypted and unredacted computerized personal information to act if and when a “security incident” has already occurred. A “Person” is defined to include any natural person, corporation, business trust, estate, trust, partnership, association, joint venture, government or governmental subdivision or agency, or any other legal or commercial entity. But the term does not include the department of public safety, a county sheriff’s department, a municipal police department, a prosecution agency or a court. In addition, entities covered by the federal Health Insurance Portability and Accountability Act (“HIPAA”) or Gramm-Leach-Bliley Act are exempt.[i]

If a covered person discovers a “security incident”—an event that creates reasonable suspicion that a person’s information systems or computerized data may have been compromised or that measures put in place to protect the person’s information systems or computerized data may have failed—the person is required to investigate to determine if a “breach” has occurred.[ii] If a breach has occurred, the owner or licensee of the breached personal information is required to notify affected individuals, unless the person, a law-enforcement agency, or an independent forensic auditor determines that the breach has not resulted in or is not reasonably likely to result in substantial economic loss to affected individuals.[iii] Generally, the notification must be provided within 45 days and must be made using one of the following methods:

  • Written notice;
  • An e-mail notice if the person has e-mail addresses for the individuals who are subject to the notice; or
  • Telephonic notice, if telephonic contact is made directly with the affected individuals and is not through a prerecorded message.

For breaches involving more than 1,000 Arizona residents, notification must also be provided to the three largest nationwide consumer reporting agencies and to the Arizona Attorney General’s Office.[iv]

A knowing and willful violation of the law constitutes a violation of the Arizona Consumer Fraud Act, A.R.S. § 44-1521 et seq.  Only the Attorney General may enforce such a violation.  In doing so, the Attorney General may seek up to $500,000 in civil penalties, in addition to any restitution that may be owed to the affected individuals.

What is your state’s law, if any, regarding the collection and handling of financial information?

Under the Arizona Financial Information Privacy Act, a financial institution shall not sell, share, transfer or otherwise disclose personal financial information to or with any nonaffiliated party without the explicit prior consent of the customer to whom the nonpublic personal information relates. This may be called “opt in” consent.[v] Any person that receives personal financial information from a financial institution shall not disclose this information to any other person, unless the disclosure would be lawful if made directly to the other person by the financial institution.[vi]

A person that discloses or shares personal financial shall be liable, irrespective of the amount of damages suffered by the customer as a result of that violation, for a civil penalty of not more than $2,500 per violation.  However, if the negligent disclosure or sharing results in the release of personal financial information of more than one individual, the total civil penalty awarded pursuant to this subsection shall not exceed $500,000.[vii]

If disclosure of personal financial information results in the taking the identify of another person or entity or the aggravated taking the identity of another person or entity, the civil penalties will be doubled.[viii]

[i] A.R.S. §§  18-551-552

[ii] Id.

[iii] See, A.R.S. § 18-552

[iv] Id.

[v] A.R.S. § 6-1602(A)

[vi] A.R.S. § 6-1602(B)

[vii] A.R.S. § 6-1604

[viii] Id.

[i] See, A.R.S. § 12–3006(A)

[ii] See, Austin v. Austin, 348 P.3d 897, 237 Ariz. 201, (Ct. App. Div. 2, 2015)

[iii] See, Schoneberger v. Oelze, 96 P.3d 1078, 208 Ariz. 591 (Ct. App. Div. 1, 2004) (Superseded on other grounds)

[iv] See, A.R.S. § 12–3006(A)

[v] See, A.R.S. § 44-7402

[vi] See, A.R.S. § 13-3710