On August 16, 2016, the US Court of Appeals for the Eighth Circuit issued an opinion in Carlsen v. GameStop, Inc., affirming the US District Court for the District of Minnesota's dismissal of Carlsen's claims that GameStop, Inc. breached its own privacy policy by sharing Carlsen's personal information with Facebook through a Facebook Software Development Kit (SDK) ( (8th Cir. Aug 16, 2016)).

On behalf of himself and other similarly situated people, Matthew Carlsen filed suit against GameStop for breach of contract and other causes of action, based on GameStop's alleged disclosure of their personal information to a third party in violation of GameStop's stated privacy policy terms. In particular, Carlsen alleged the following facts:

The district court granted GameStop's motion to dismiss for lack of subject matter jurisdiction, finding that Carlsen lacked standing and did not adequately allege an injury-in-fact.

On appeal, the Eighth Circuit considered the subject matter jurisdiction issue de novo. While it disagreed with the district court's standing decision, it ultimately upheld the dismissal on the grounds that Carlsen's pled facts failed to properly state a claim.

The court reasoned that while GameStop's privacy policy promised not to disclose personal information, the policy's definition of that term did not include a user's Facebook ID and browser history. Those items did not appear in the policy's non-exclusive list of details considered personal information, such as name, address, or credit card information, and were not similar to those listed items. The personal information definition also limited it to items that were both:

The court further noted that the policy:

The court found that, as a third-party service, GameStop's privacy notice excluded Facebook's social media plug-in from the policy's protection against personal information sharing. Accordingly, the court declined to find that GameStop breached any privacy protections promised by its privacy policy.

Circuit Judge Beam concurred in the court's holding, but disagreed on the reasoning. His dissent argued that the district court correctly found that Carlsen lacked standing and should be affirmed on that ground, without considering whether Carlsen properly stated a claim.

The Eight Circuit's decision reminds businesses that clearly drafted privacy policy scopes and definitions, particularly around any website plug-ins or features operated by third-parties, remain important tools for managing and mitigating privacy-related business risks. Businesses should routinely review their website privacy notices and ensure the disclosures and caveats reflect the website's current features.