Data Breach Class Action against videogame magazine website that shared information in violation of its own privacy policy dismissed

On June 4, 2015, the Minnesota District Court dismissed a data breach class action for lack of constitutional standing because the plaintiffs did not allege injury in fact. Carlsen v. GameStop.

In this class action, Plaintiffs subscribed to a videogame magazine accessible through the web. The terms of service for the online subscription included a privacy policy provision according to which, subject to certain exceptions, none of the subscribers’ personal information would be shared with anyone. However, according to Plaintiffs’ complaint, Defendants did share personally identifiable information (“PII”) with Facebook, a third party, in violation of its privacy policy. Plaintiffs alleged that Defendants breached a paid-for contract term by disclosing such information and if they had known about the disclosure, they would either have not paid for the subscription or not accessed the online content for which they had paid. Plaintiffs sought damages and injunctive relief.

Defendants challenged the court’s subject matter jurisdiction under Rule 12(b)(1) of Federal Rules of Civil Procedure and sought dismissal on the grounds that Plaintiffs lack Article III standing for failure to allege any economic injury at all.

The Court agreed and dismissed the complaint pursuant to Rule 12(b)(1) of the Federal Rules of Civil Procedure for lack of subject matter jurisdiction holding that Plaintiffs “failed to allege an injury in fact and as a result has not established standing under Article III of the Constitution”.

To reach this conclusion, the Court noticed that courts “have generally found “overpayment” theories insufficient to establish injury, even in situations involving highly sensitive PII”. In this case non-paying and paying users received the same Privacy Policy.

In addition, according to the Court, the disclosure of Facebook ID and browsing patterns is not suffice to establish injury as would the disclosure of any highly sensitive financial information such as credit card or social security data. In any case, the Court noted that Plaintiffs failed to allege that Facebook, or anyone, actually did anything with the information it received.

Finally, the Court held that Plaintiffs failed to allege Article III injury also in light of the fact that they did “not adequately claim an unjust enrichment injury under a “would not have shopped” theory or injury based upon reasonable expectations of privacy”.

Carlsen v. GameStop, Civil No. 14-3131 (D. Minn. June 4, 2015) is available at…                Open Pdf

For more information: Francesca Giannoni-Crystal

Follow us on& Like us on