GameStop's Privacy Policy Beats Class Action Lawsuit

GameStopNearly every business with a website has a privacy policy, and the average consumer has theoretically "agreed to" the terms of hundreds of them — just by visiting by visiting the websites.

But what exactly IS a privacy policy and why do websites have them?

According to our good friends at Wikipedia,

A privacy policy is a statement or a legal document (in privacy law) that discloses some or all of the ways a party gathers, uses, discloses, and manages a customer or client's data. It fulfills a legal requirement to protect a customer or client's privacy.

There's no general federal law that requires websites to have privacy policies, but some federal laws deal with specific narrow privacy issues. For example,

States have their own laws for dealing with privacy. California is considered the most influential state when it comes to privacy, and under the California Online Privacy Protection Act of 2003

any commercial web sites or online services that collect personal information on California residents through a web site to conspicuously post a privacy policy on the site.

Terms of Use

A privacy policy is just a statement of how a website owner handles privacy issues. But a privacy policy can become part of a contract when it's incorporated into a website's terms of use.

Most website terms of use (also called "terms of service") are what's called "browsewrap" — a visitor to the site is "bound" to the terms just by visiting the site, whether or not they've actually read or even noticed the terms.

(Learn more about browsewrap in this recent blog post.)

The whole point of terms of use and privacy policies, from the point of view of the website owners, is to avoid getting sued — or to avoid or limit liability if they do get sued.

A recent case from the Eight Circuit shows how that works.


Matthew Carlsen was a subscriber to both the print and online versions of GameStop’s Game Informer Magazine. The terms of service for the online version included a statement that “Game Informer does not share personal information with anyone.”

Carlsen claimed that GameStop had shared his information with Facebook. Specifically,

He alleged that GameStop shared this information through the Game Informer website, which includes features that allow Game Informer users to log in to the website using their Facebook accounts and to use Facebook’s “Like,” “Share,” and “Comment” functions through the Game Informer site.

He also claimed that GameStop had breached its privacy policy by disclosing his Facebook ID and browsing information.

Class Action

Carlsen's lawsuit sought damages for breach of contract, among other causes of action, and he sought class action certification so that he could proceed on behalf of other consumers in the same position.

The district court granted GameStop's motion to dismiss, and Carlsen appealed.

The Eight Circuit affirmed the dismissal, saying that Facebook IDs and browsing history were not "personal information" — in part because they weren't listed in the privacy policy itself as personal information.

The privacy policy only said that the personal information that it collected (and wouldn't disclose) included:

your name, home address and zip code, telephone number, e-mail address and (for those purchasing products online) credit card or checking account information including billing and shipping addresses and zip codes.


If your business has a website with a privacy policy, make sure you're actually protecting what you say you're protecting. By drafting a definition of "personal information" narrowly rather than broadly, you may be protecting yourself from claims such as the one brought in the GameStop case.

Photo Credit: Mike Mozart, GameStop, CC By 2.0)

comments powered by Disqus

Find the Right Lawyer for Your Legal Issue!

Fast, Free, and Confidential

Call us today for a free consultation (855) 466-5776