GameStop’s Privacy Policy Beats Class Action Lawsuit

Get Legal Help Today

 Secured with SHA-256 Encryption

Jeffrey Johnson is a legal writer with a focus on personal injury. He has worked on personal injury and sovereign immunity litigation in addition to experience in family, estate, and criminal law. He earned a J.D. from the University of Baltimore and has worked in legal offices and non-profits in Maryland, Texas, and North Carolina. He has also earned an MFA in screenwriting from Chapman Univer...

Full Bio →

Written by

UPDATED: Jul 16, 2021

Advertiser Disclosure

It’s all about you. We want to help you make the right legal decisions.

We strive to help you make confident insurance and legal decisions. Finding trusted and reliable insurance quotes and legal advice should be easy. This doesn’t influence our content. Our opinions are our own.

Editorial Guidelines: We are a free online resource for anyone interested in learning more about legal topics and insurance. Our goal is to be an objective, third-party resource for everything legal and insurance related. We update our site regularly, and all content is reviewed by experts.

GameStopNearly every business with a website has a privacy policy, and the average consumer has theoretically “agreed to” the terms of hundreds of them — just by visiting by visiting the websites.

But what exactly IS a privacy policy and why do websites have them?

According to our good friends at Wikipedia,

A privacy policy is a statement or a legal document (in privacy law) that discloses some or all of the ways a party gathers, uses, discloses, and manages a customer or client’s data. It fulfills a legal requirement to protect a customer or client’s privacy.

There’s no general federal law that requires websites to have privacy policies, but some federal laws deal with specific narrow privacy issues. For example,

States have their own laws for dealing with privacy. California is considered the most influential state when it comes to privacy, and under the California Online Privacy Protection Act of 2003

any commercial web sites or online services that collect personal information on California residents through a web site to conspicuously post a privacy policy on the site.

Terms of Use

A privacy policy is just a statement of how a website owner handles privacy issues. But a privacy policy can become part of a contract when it’s incorporated into a website’s terms of use.

Most website terms of use (also called “terms of service”) are what’s called “browsewrap” — a visitor to the site is “bound” to the terms just by visiting the site, whether or not they’ve actually read or even noticed the terms.

(Learn more about browsewrap in this recent blog post.)

The whole point of terms of use and privacy policies, from the point of view of the website owners, is to avoid getting sued — or to avoid or limit liability if they do get sued.

A recent case from the Eight Circuit shows how that works.


Matthew Carlsen was a subscriber to both the print and online versions of GameStop’s Game Informer Magazine. The terms of service for the online version included a statement that “Game Informer does not share personal information with anyone.”

Carlsen claimed that GameStop had shared his information with Facebook. Specifically,

He alleged that GameStop shared this information through the Game Informer website, which includes features that allow Game Informer users to log in to the website using their Facebook accounts and to use Facebook’s “Like,” “Share,” and “Comment” functions through the Game Informer site.

He also claimed that GameStop had breached its privacy policy by disclosing his Facebook ID and browsing information.

Class Action

Carlsen’s lawsuit sought damages for breach of contract, among other causes of action, and he sought class action certification so that he could proceed on behalf of other consumers in the same position.

The district court granted GameStop’s motion to dismiss, and Carlsen appealed.

The Eight Circuit affirmed the dismissal, saying that Facebook IDs and browsing history were not “personal information” — in part because they weren’t listed in the privacy policy itself as personal information.

The privacy policy only said that the personal information that it collected (and wouldn’t disclose) included:

your name, home address and zip code, telephone number, e-mail address and (for those purchasing products online) credit card or checking account information including billing and shipping addresses and zip codes.


If your business has a website with a privacy policy, make sure you’re actually protecting what you say you’re protecting. By drafting a definition of “personal information” narrowly rather than broadly, you may be protecting yourself from claims such as the one brought in the GameStop case.

Photo Credit: Mike Mozart, GameStop, CC By 2.0)

Get Legal Help Today

Find the right lawyer for your legal issue.

 Secured with SHA-256 Encryption