Eighth Circuit rules that GameStop did not violate its privacy policy by sharing information

The United States Court of Appeals for the Eighth Circuit has upheld a judgment in favor of GameStop, Inc. and Sunrise Publications, Inc. (collectively “GameStop”), finding that a district court properly dismissed a putative class action filed by a consumer alleging that GameStop wrongly disclosed personal information to a third party. The district court dismissed the case on the ground that the named consumer plaintiff lacked legal standing to sue, particularly finding the consumer’s theories of damages to be dubious. On appeal, a majority of the three-justice panel upheld the dismissal on other grounds; namely, the plaintiff’s failure to state a plausible privacy policy violation upon which relief could be granted. Matthew Carlsen, individually and on behalf of others similarly situated v. GameStop, Inc., et al., No. 15-2453 (8th Cir. 8/16/16).

In the complaint, the plaintiff alleged that GameStop shared his personally identifiable information (“PII”) with Facebook in violation of GameStop’s privacy policy. Plaintiff alleged that GameStop shared this information through a website that allows users to log in through their Facebook accounts and to use Facebook’s “Like,” “Share” and “Comment” functions. Plaintiff contended that this practice resulted in the sharing of a user’s unique Facebook ID and GameStop browsing history to Facebook in contravention of GameStop’s privacy policy representation that it “does not share personal information with anyone.”

Rejecting the lower court’s dismissal on standing grounds, the Eighth Circuit’s majority found that the plaintiff had alleged sufficient facts of a binding contract—the privacy policy—and sufficient damage theories associated with the alleged breach (e.g., a subscription payment that was devalued by an alleged compromised privacy protection). Nonetheless, the majority was not persuaded that the claims stated any plausible theory to support an alleged privacy policy violation.

The majority’s analysis focused on the unambiguous wording of protected PII under the privacy policy, noting that PII “may include name, home address and zip code, telephone number and (for those purchasing products online) credit card or checking account information including billing and shipping address and zip codes.” While the phrase “may include” could suggest a non-exhaustive list, the definition is placed within a policy section entitled, “What Information does Game Informer Collect.” The provision makes clear that, in order to constitute PII, the information must have been specifically solicited by GameStop and voluntarily provided by the user. The majority ruled that PII as set forth in GameStop’s privacy policy does not encompass a user’s Facebook ID and browsing history for two reasons: (1) neither appear on the list of what PII might include and (2) those data are neither specifically solicited by GameStop nor voluntarily submitted in response to such solicitation. The policy further urged users to read the respective privacy policies of other websites that linked to GameStop’s sites.

The Eighth Circuit concluded “the protection that Carlsen argues GameStop failed to provide was not among the protections for which he bargained by agreeing to the terms of service, and GameStop thus could not have breached its contract with Carlsen.” The dissenting opinion, while agreeing with the dismissal of the claims, believed that the case failed due to a lack of standing because the alleged damages were too speculative or imprecise.

This case demonstrates the importance of precise and carefully worded privacy policies, including the specific delineation of what information will be collected and how it may be used.