Hospitality & Retail -


Are mandatory arbitration provisions recognized in your state? If so, are there any limitations to its enforcement?

In Florida, mandatory arbitration provisions are recognized.  Such provisions, however, are not automatically valid and enforceable. Although parties may agree to arbitrate statutory claims, even ones involving important social policies, arbitration must provide the prospective litigant with an effective way to vindicate his or her statutory cause of action in the arbitral forum.[i]  Accordingly, Florida courts, when reviewing motions to compel arbitration, determine: “‘(1) whether a valid written agreement to arbitrate exists; (2) whether an arbitrable issue exists; and (3) whether the right to arbitration was waived.’”[ii]

What is your state’s law, if any, regarding gift cards, subscription services and loyalty programs?

Fla. Stat. s. 501.95(1)(a) and (b) defines a “credit memo” and “gift certificate.”[iii]

Then, subsection (2)(a) provides that: “A gift certificate or credit memo issued in this state may not have an expiration date, expiration period, or any type of post-sale charge or fee imposed on the gift certificate or credit memo, including, but not limited to, services charges, dormancy fees, account maintenance fees, or cash-out fees.  However, a gift certificate may have an expiration date of not less than 3 years if it is provided as a charitable contribution, or not less than 1 year if it is provided as a benefit pursuant to an employee-incentive program, and the expiration date is prominently disclosed in writing to the consumer at the time it is provided.  In addition, a gift certificate may have an expiration date if it is provided to the recipient, or to a purchaser for transfer to the recipient, as pay of a loyalty or promotional program when the recipient does not pay a separate identifiable charge for the certificate, or if it provided in conjunction with a convention, conference, vacation, or sporting or fine arts event having a limited duration so long as the majority of the value paid by the recipient is attributable to the convention, vacation, or event.”[iv]

Notably, subsection (2)(b) states that “Paragraph (a) does not apply to a gift certificate or credit memo sold or issued by a financial institution, as defined in s. 655.005, or by a money services business, as defined in s. 560.103, if the gift certificate or credit memo is redeemable by multiple unaffiliated merchants.”[v]

And finally, subsection (2)(c) states that “Enforcement of this section shall be as provided in s. 501.142(3), (4), and (5) for violations of this section.”[vi]

What is your state’s law, if any, regarding safeguarding consumer credit card or other private data (i.e., cyber security)?

Florida Statute § 501.171 et sec. a/k/a The Florida Information Protection Act of 2014 (“FIPA”) requires certain data protection measures to be performed by entities that acquire, use, store or maintain the personal information of Florida residents.  The law also mandates that Covered Entities take certain steps in the event of a data breach involving personally identifying information (“PII”).  The statute defines PII as the combination of the following:  first initial or first name, last name and any of the following:  an ID number present on a government document which can be used to verify the identity of an individual; social security number; financial account number in combination with the password, access code, or security code; medical diagnosis; medical history; health insurance policy or subscriber ID numbers; other identification numbers that can be used by health insurers to identify an individual; email addresses or usernames in combination with passwords.

Covered Entities are defined as all associations, cooperatives, estates, trusts, corporations, sole proprietorships, NGO’s commercial entities and governmental organizations (whether or not they have a physical footprint in Florida) that acquire, use, store, or maintain the PII of individuals in the state.

The statute requires each Covered Entity or third party agent to take “reasonable measures” to protect and secure data in electronic form containing PII.  Once there has been a breach an organization must report that breach to the Department of Legal Affairs no later than 30 days after the determination of the breach.  An additional 15 days can be obtained to provide notice if good cause for the delay is provided in writing within the original 30 day time period.

Such notice must include the following:

  • The number of individuals in Florida who were or potentially have been affected;
  • Any services being offered or scheduled to be offered without charge by the Covered Entity to the affected individuals along with instructions regarding  how to use the services.
  • The name, address, telephone number and email address of the employee or agent of the Covered Entity from whom additional information may be obtained about the breach.
  • For breaches affecting 500 persons or more, the statue mandates organizations to provide notice of particular facts.  For breaches affecting 1,000 or more individuals, Covered Entities should also send notices to nationwide consumer credit reporting agencies.

A Covered Entity is also required to give notice to each individual in the state whose PII was, or is reasonably believed to have been accessed as a result of the breach.  Such notice must be made as expeditiously as practicable and without unreasonable delay.  Such notice to the affected individuals is not required if the Covered Entity reasonably determines, after appropriate investigation and consultation with relevant federal, state, or local law enforcement agencies that the breach has not and will not likely result in identity theft or other financial harm to the individuals whose PII was accessed.

While there is no private right of action by an individual against a Covered Entity, the statue authorizes Florida’s Legal Affairs Department to bring enforcement actions against organizations which commit statutory violations.  Failure to provide the required notices is a violation of Florida’s Deceptive and Unfair Trade Practices Act and subject the organization to civil penalties of $1,000 a day for the first 30 days, $50,000 subsequently for any 30 day period up to 180 days, and $550,000 as the maximum penalty for violations exceeding 180 days.

What is your state’s law, if any, regarding the collection and handling of financial information?

There are no specific laws in Florida addressing the legal basis for processing personal or financial data.  However, in addition to FIPA discussed above, there are various regulations relating to privacy notices and policies, data security and risk management, data retention/record keeping, banking secrecy and confidentiality and certain limits on data protection in relation to payment services.

Regulations under the Florida Department of Financial Services, specifically Chapter 690-128 of the Florida Administrative Code, require customers and consumers to be provided with a clear, conspicuous, and accurate privacy notice at the initial collection of personal information.  Such notice must be sent annually during the continuation of the customer relationship.

Florida Statutes § 655.91 sets out specific retention and destruction requirements for records of financial institutions.  “Records” include all books of account and other books of every kind, journals, ledgers, statements, instruments, documents, files messages, writings of every kind and other internal data and other information of every description, made or received by an institution in the regular course of its business or otherwise, regardless of the mode in which it is recorded. Financial institutions are not required to preserve or retain any of their records or copies thereof for longer than is expressly required by an applicable statute, rule or regulation.  If there is no such statute, rule or regulation records should be retained for five years.

Florida Statutes § 662.146 requires the books and records pertaining to customers, members and stockholders of a family trust company or licensed family trust company be kept confidential.  The family trust company must not release the books and records of customers, members and stockholders except upon the express authorization from the individual.  However, information may be released, without prior authorization, in a manner prescribed by the board of directors, or managers if a limited liability company, in order to verify or corroborate the existence or amount of a customer’s account if that information is reasonably provided to meet the needs of commerce and to ensure accurate credit information.

There are no specific laws in Florida linked to data protection in relation to payment services.  However, Florida law does impose certain limitations of the use of payment device numbers.  For example, Florida’s Consumer Protection Act, Florida Statutes § 501.0118 limits the printing of a payment card number on receipts that are electronically printed in connection with a purchase of consumer goods or services.  A merchant who accepts a payment card for the transaction of business may not print more than the last five digits of the payment card’s account number or print the payment card’s expiration date on a receipt provided to the cardholder.

Under FIPA (discussed above), third party agents that have been contracted to maintain, store or process personal information on behalf of a Covered Entity or government entity have flow-down obligations to take reasonable measures to protect and secure personal information in electronic form.  FIPA does not specifically define what constitutes “reasonable measures”; however, in practice, a written information security policy is recommended.

[i] See, Romano ex rel. Romano v. Manor Care, Inc., 861 So. 2d 59 (Fla. 4th DCA 2003)

[ii] Id., citing Seifert v. U.S. Home Corp., 750 So. 2d 633 (Fla. 1999).

[iii] Fla. Stat. s. 501.95(1)

[iv] Fla. Stat. s. 501.95(2)(a)

[v] Fla. Stat. s. 501.95(2)(b)

[vi] Fla. Stat. s. 501.95(2)(c)