Hospitality & Retail -

Georgia

Are mandatory arbitration provisions recognized in your state? If so, are there any limitations to its enforcement?

Arbitration provisions in Georgia are governed by the Georgia Arbitration Code. Arbitration clauses for the foregoing are not subject to the Georgia Arbitration Code and therefore, unenforceable:

  • Agreements coming within the purview of Article 2 of this chapter, relating to arbitration of medical malpractice claims;
  • Any collective bargaining agreements between employers and labor unions representing employees of such employers;
  • Any contract of insurance, as defined in Code Section 33-1-2; provided, however, that nothing in this paragraph shall impair or prohibit the enforcement of or in any way invalidate an arbitration clause or provision in a contract between insurance companies;
  • Any other subject matters currently covered by an arbitration statute;
  • Any loan agreement or consumer financing agreement in which the amount of indebtedness is $25,000.00 or less at the time of execution;
  • Any contract for the purchase of consumer goods, as defined in Title 11, the “Uniform Commercial Code,” under subsection (1) of Code Section 11-2-105 and subsection (a) of Code Section 11-9-102;
  • Any contract involving consumer acts or practices or involving consumer transactions as such terms are defined in subsection (a) of Code Section 10-1-392, relating to definitions in the “Fair Business Practices Act of 1975”;
  • Any sales agreement or loan agreement for the purchase or financing of residential real estate unless the clause agreeing to arbitrate is initialed by all signatories at the time of the execution of the agreement. This exception shall not restrict agreements between or among real estate brokers or agents;
  • Any contract relating to terms and conditions of employment unless the clause agreeing to arbitrate is initialed by all signatories at the time of the execution of the agreement; or
  • Any agreement to arbitrate future claims arising out of personal bodily injury or wrongful death based on tort.[i]

What is your state’s law, if any, regarding gift cards, subscription services and loyalty programs?

Gift Cards:

The Georgia legislature enacted the Gift Card Integrity Act of 2005. The Act requires the purveyors of all such gift cards or certificates sold in Georgia on or after the effective date to:

  • Include the terms of the card in the accompanying packaging, make these available upon request, and honor the card in exchange for merchandise or services in accordance with those terms;
  • Conspicuously print the expiration date, if any, on the card; and
  • Conspicuously print the amount of any dormancy or nonuse fees on the card or a sticker affixed to it.[ii]
Subscription Services:

Georgia has passed legislation aimed at regulating the use of automatic renewal provisions in service contracts. The Law expressly provides that:

  • Any seller that sells, leases, or offers to sell or lease any service to a consumer pursuant to a service contract that has an automatic renewal provision shall disclose the automatic renewal provision clearly and conspicuously in the contract or contract offer.[iii]
  • Any seller that sells, leases, or offers to sell or lease any service to a consumer pursuant to a service contract for a specified period of 12 months or more and that automatically renews for a specified period of more than one month, unless the consumer cancels the contract, shall provide the consumer with written or electronic notification of the automatic renewal provision. Notification shall be provided to the consumer no less than 30 days or no more than 60 days before the cancellation deadline pursuant to the automatic renewal provision. Such notification shall disclose clearly and conspicuously:
    • That unless the consumer cancels the contract, the contract will automatically renew; and
    • The methods by which the consumer may obtain details of the automatic renewal provision and cancellation procedure, including contacting the seller at a specified telephone number or address, referring to the contract, or any other method.
  • For any contract for service to a consumer that automatically renews for a specified period of more than 24 months, the seller shall, in addition to providing the notification required under subsection (a) of this Code section, obtain the following for the automatic renewal provision of such contract to be enforceable:
    • Written or electronic acknowledgment from the consumer of receipt of the notification required under subsection (a) of this Code section; and
    • An affirmative written or electronic response that the consumer does not intend to terminate the service contract.[iv]
Loyalty Programs:

Georgia does not have a law regarding loyalty programs.

What is your state’s law, if any, regarding safeguarding consumer credit card or other private data (i.e., cyber security)?

The Georgia legislature has not acted to establish a standard of conduct to protect the security or collection of personal information, unlike other jurisdictions with data protection and data breach laws. Consequently, Georgia does not have a unified statutory approach to the collection and safeguarding consumer credit card or other private data (i.e., cyber security).

The Georgia Personal Identity Protection Act (GPIPA), O.C.G.A. § 10-1-910 et seq., applies to cybersecurity breaches involving data collectors and information brokers, but is more limited than the Fair Credit Reporting Act (FCRA) , 15 U.S.C. § 1681 et seq., which governs access to consumer credit report records and promotes accuracy, fairness, and the privacy of personal information assembled by Credit Reporting Agencies (CRAs). Unlike the FCRA, GPIPA does not provide for monetary damages or any other relief. It simply requires notice of a breach in limited circumstances. Further, the GPIPA did not impose any standard of conduct in implementing and maintaining data security practices; thus, it could not serve as the source of a statutory duty to safeguard personal information. McConnell v. Department of Labor, 337 Ga. App. 457, 787 S.E.2d 794 (2016), vacated, 302 Ga. 18, 805 S.E.2d 79 (2017). Since it cannot serve as the source of a statutory duty regarding the collection and safeguarding of  personal information, it cannot serve as a basis for a claim for negligence per se under Georgia law.

The Georgia Fair Business Practices Act (GFBPA), O.C.G.A. §§ 10-1-390 et seq., may also be used to address the safeguarding consumer credit card or other private data (i.e., cyber security). The GFBPA allows private parties who have been injured by violations of the law to sue offending businesses. However, these lawsuits may only be filed individually and not in a representative capacity. Thus, GFBPA does not permit class actions lawsuits. Violations of the GFBPA include “engaging in unfair and deceptive acts and practices in the credit and debit card processing services,” by “misrepresenting” that its services had sponsorship, approval, or certification with Payment Card Industry Security Standards Council (PCI DSS), and by “misrepresenting” that its services complied with those PCI DSS standards. GFBPA incorporates Section 5 of the Federal Trade Commission Act (FTCA), 15 U.S.C. § 41 et seq. To establish liability under Section 5 of the FTCA, 15 U.S.C. § 45, the FTC “must establish that (1) there was a representation; (2) the representation was likely to mislead customers acting reasonably under the circumstances; and (3) the representation was material.” Fed. Trade Comm’n v. USA Fin., LLC, 415 F. App’x 970, 973 (11th Cir.2011) (quoting Fed. Trade Comm’n v. Tashman, 318 F.3d 1273, 1277 (11th Cir. 2003)). Section 5 can provide a standard of conduct, upon which a claim for safeguarding consumer credit card or other private data can be premised.

In addition to Section 5 of the FTCA, the Safeguards Rule, 16 C.F.R. § 314, that implements the Gramm-Leach-Bliley Act (GLBA), 15 U.S.C. § 6801(a), by setting forth “standards for developing, implementing, and maintaining reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information,.” 16 C.F.R. § 314.1(a), can also provide a standard of conduct that supports a claim for negligence per se under Georgia law.

Under Georgia law, a statute can serve as the basis of a negligence per se claim even if it does itself provide a private right of action. These statutes merely provide the source of duty that is owed, but do not govern the right of action available or the course of the proceedings. To state a cause of action for negligence in Georgia, a plaintiff must allege (1) a legal duty to conform to a standard of conduct recognized by the law for the protection of others against unreasonable risks of harm; (2) a breach of this standard; (3) a legally attributable causal connection between the conduct and the resulting injury; and (4) some loss or damage flowing to the plaintiff’s legally protected interest as a result of the alleged breach of the legal duty. See, e.g., City of Douglasville v. Queen, 270 Ga. 770, 514 S.E.2d 195, 197 (1999). The duty can arise either by statute or be imposed by a common law principle recognized by case law. Rasnick v. Krishna Hospital, Inc., 289 Ga. 565, 713 S.E.2d 835, 837 (2011).

Generally, there is no duty to prevent the unforeseeable “intervening criminal act of a third person.” Bradley Ctr., Inc. v. Wessner, 250 Ga. 199, 296 S.E.2d 693, 695 (1982). But a person may still have a duty to protect against a criminal act of a third person if it is alleged that he had “reason to anticipate” the criminal act. Id.; see also Wade v. Findlay Mgmt., Inc., 253 Ga. App. 688, 560 S.E.2d 283, 285 (2002) (“Simply put, without foreseeability that a criminal act will occur, no duty on the part of the proprietor to exercise ordinary care to prevent that act arises.”). Thus, the concept of “foreseeability” in Georgia plays a role in defining the existence of a legal duty:

Negligence consists of exposing someone to whom a duty of care is owed to a foreseeable, unreasonable probability of harm. Foresight requires the ability to anticipate a risk of harm from the conduct in some form. Negligence is predicated on what should be anticipated…

Amos v. City of Butler, 242 Ga. App. 505, 529 S.E.2d 420, 422 (2000). “The legal duty to exercise ordinary care arises from the foreseeable, unreasonable risk of harm from [negligent] conduct.” Amos, 529 S.E.2d at 422. In the absence of a foreseeable risk, no general duty to safeguard personal information exists under Georgia common law, the GPIPA, or the GFBPA.

In addition to claims based on negligence, plaintiffs have also used common-law causes of action based on negligent misrepresentation, implied-in-fact contracts, and unjust enrichment to seek redress for failing to safeguard consumer credit card or other private data.

The essential elements of a negligent misrepresentation claim under Georgia law are “(1) the defendant’s negligent supply of false information to foreseeable persons, known or unknown; (2) such persons’ reasonable reliance upon that false information; and (3) economic injury proximately resulting from such reliance.” Hardaway Co. v. Parsons, Brinckerhoff, Quade & Douglas, Inc., 267 Ga. 424, 426, 479 S.E.2d 727 (1997).

Where no express written contract exists, Georgia recognizes the theory of a contract implied in fact. Dawes Min. Co. v. Callahan, 154 Ga. App. 229, 267 S.E.2d 830, 832 (1980), aff’d sub nom. 246 Ga. 531, 272 S.E.2d 267 (1980). The common law claim of implied-in-fact contract is based on O.C.G.A. § 9-2-7, which provides that “when one renders service or transfers property which is valuable to another, which the latter accepts, a promise is implied to pay the reasonable value thereof.” See John K. Larkins, Jr., Ga. Contracts: Law and Litigation, § 5:8, p. 137 (2nd ed., 2011 and Supp. 2016-17). “Contracts implied-in-fact are inferred from the facts and circumstances of the case and are not formally or explicitly stated in words.” Dawes Min. Co., 267 S.E.2d at 832.

Under Georgia law, “[t]he theory of unjust enrichment applies when there is no legal contract and when there has been a benefit conferred which would result in an unjust enrichment unless compensated.” Clark v. Aaron’s, Inc., 914 F. Supp. 2d 1301, 1309 (N.D. Ga. 2012). A party can only recover for a claim of unjust enrichment if there is not an express contract that governs the dispute. See Fed. Ins. Co. v. Westside Supply Co., 264 Ga. App. 240, 590 S.E.2d 224, 232 (2003) (“Recovery under [the theory of unjust enrichment] presupposes the absence of a contractual agreement.”). “While a party, indeed, cannot recover under both a breach of contract and unjust enrichment theory, a plaintiff may plead these claims in the alternative.” Clark, 914 F. Supp. 2d at 1309.

Under Georgia law, common-law causes of action based on negligent misrepresentation, implied-in-fact contracts, and unjust enrichment to seek redress for failing to safeguard consumer credit card or other private data are not well suited to redress consumer losses, but they are possible vehicles for doing so.

What is your state’s law, if any, regarding the collection and handling of financial information?

Georgia does not have a unified statutory approach to collection and handling of financial information. See Number 3 above for more information relating to this topic.

[i] O.C.G.A. § 9-9-2(c)

[ii] O.C.G.A. § 10-1-393(33)(A)

[iii] O.C.G.A. § 13-12-2

[iv] O.C.G.A. § 13-12-3