This Tuesday, the Eight Circuit Court of Appeals affirmed a Minnesota federal district court’s dismissal of a website user’s lawsuit and prospective class action involving the privacy policy and information sharing practices of video game retailer and magazine publisher GameStop, Inc. d/b/a Game Informer (“GameStop”).

How important are website privacy policies?

Game Informer Privacy Policy and Facebook SDK

Plaintiff Matthew Carlsen subscribed to print and online versions of GameStop’s Game Informer Magazine. The terms of service for Carlsen’s online subscription included Game Informer’s privacy policy, which provided that “Game Informer does not share personal information with anyone.”

Notwithstanding the foregoing, Carlsen alleged that GameStop shared his personal information with Facebook, Inc. (“Facebook”) by adding a Facebook Software Development Kit (“SDK”) to the source code on the Game Informer website. According to Carlsen, the Facebook SDK:

  • allowed users to log into the Game Informer website using their Facebook accounts and use Facebook’s “Like,” “Share” and “Comment” functions; and
  • subsequently transmitted each such user’s unique Facebook ID and Game Informer browsing history to Facebook.

Privacy Policy Lawsuit

In August 2014, Carlsen sued GameStop in the U.S. District Court for the District of Minnesota (Case No. 0:14-cv-03131-DWF-SER), alleging that GameStop breached the Game Informer privacy policy and violated Minnesota’s consumer fraud statute by sharing Carlsen’s Facebook ID and browsing history with Facebook. Plaintiff’s counsel also sought class certification on behalf of all paid Game Informer subscribers who had created an account and had their information disclosed to Facebook while visiting Game Informer’s website.

Last June, the district court granted GameStop’s motion to dismiss Carlsen’s claims for lack of subject-matter jurisdiction, finding that Carlsen lacked standing for failing to allege an injury-in-fact because the Game Informer privacy policy applied equally to both paid and non-paid Game Informer subscriptions.

On August 16, 2016, the Eight Circuit affirmed the district court’s dismissal (Case No. No. 15-2453), albeit for failure to state a claim rather than on standing grounds. The Court held that Game Informer users’ Facebook IDs and browsing history did not constitute “personal information” because they:

  • did not appear in the privacy policy’s list of what personal information might include; and
  • were not specifically solicited by Game Informer or voluntarily submitted in response to such solicitation, as specified in the privacy policy.

Privacy Policies: A Penny of Prevention Is Worth a Pound of Cure

As the above-referenced case demonstrates, it makes good business and legal sense to craft a privacy policy that is well-suited to the needs of your business and provides your users with all of the necessary information to make an informed decision regarding the disclosure of their personal information. Further, once a privacy policy is put in place, it is imperative that you strictly adhere to the applicable terms and obtain appropriate user consent to any material changes. Failure to adhere to privacy policy terms could expose your business to significant liability, including regulatory action and private litigation.