In Carlsen v. GameStop Inc., plaintiff – a paid subscriber to defendant’s online gaming magazine – brought a putative class action lawsuit against defendant for alleged breach of its privacy policy by disclosing plaintiff’s Facebook ID and his browsing information for the defendant’s online content to Facebook. Plaintiff asserted claims for breach of contract, unjust enrichment, money had and received, and violation of Minnesota’s Consumer Fraud Act. Defendant moved to dismiss for lack of subject matter jurisdiction under Rule 12(b)(1) and failure to state a claim under Rule 12(6)(6). The Minnesota federal district court granted the motion to dismiss for lack of subject matter jurisdiction, finding that the case was analogous to identity theft and data breach class actions and hence failed for lack of standing. The court reasoned that that plaintiff’s theory of damages – that he would not have paid as much for or would not have bought the subscription had he known defendant would violate its privacy policy – did not show a cognizable injury in fact under Article III of the United States Constitution.

On appeal, the Eighth Circuit panel viewed the district court’s standing analysis as erroneous, stating that it conflated the issue of standing with a decision on the merits. Rather, the appellate court said, the standing inquiry was more limited: because plaintiff alleged he was party to a valid contract (the terms of service and privacy policy) and that defendant breached this contract by sharing his personal information, causing him monetary damages that were traceable to this disclosure and which could be redressed in court, he had Article III standing.

Having cleared this first hurdle, however, plaintiff fell at the second: the court examined his case on the merits and dismissed for failure to state a claim. The court viewed the allegations as facially deficient, stating there was simply no basis for finding that plaintiff’s Facebook ID and browsing information constituted the kind of “personal information” protected under the privacy policy. Rather, that policy stated personal information “may include” information such as name, address, zip code, and credit card information. Though “may include” suggested a non-exclusive list, the court looked elsewhere in the policy and found that “personal information” was only information that defendant “ask[ed] [plaintiff] to submit . . . in connection with” its services. Further, defendant’s policy stated that it did not “extend to Websites maintained by other companies to which we link” and recommended users consult the privacy policies of those other websites. Thus, defendant’s privacy policy did not preclude disclosure of the information at issue. In addition, plaintiff failed to allege that a specific portion of his subscription fee went to privacy and data protection services or to allege that defendant agreed to provide greater privacy protections to paid versus free subscribers.

The two-judge panel opinion thus agreed that the claims were subject to dismissal, albeit for failure to state a claim under rule 12(b)(6). One justice concurred in the result, but dissented with the reasoning; that justice agreed with the district court that dismissal should have been under Rule 12(b)(1) – obviating any need to address the merits of the claims. This case illustrates that even if privacy and data breach class plaintiffs clear the standing hurdle, they may still be vulnerable to 12(b)(6) motions.

Carlson v. GameStop, Inc., No. 15-2453 (8th Cir. Aug. 16, 2016).