The US District Court for the District of Minnesota recently dismissed a data breach class action against GameStop, Inc. and Sunrise Publications, Inc. (d/b/a Game Informer) for lack of constitutional standing because the named plaintiff did not allege injury in fact.

Plaintiff Matthew Carlsen purchased a one-year digital subscription to Game Informer Magazine, a video game magazine published and owned by GameStop. The plaintiff alleged that the defendants shared personally identifiable information (his unique Facebook ID and Game Informer browsing history) with Facebook in violation of Game Informer’s privacy policy. That policy states that “Game Informer does not share personal information with anyone.”

To establish standing, the plaintiff argued two theories of injury that had been used with varying degrees of success in other privacy policy cases. First, the plaintiff alleged an “overpayment theory”––that he paid for a service with substantial privacy protections but actually received a less valuable service without such protections. Second, the plaintiff alleged a “would not have shopped” theory – that he would not have purchased the subscription had he known his information would be shared with Facebook. The plaintiff did not allege that he suffered any monetary or out-of-pocket loss arising from the alleged breach of the privacy policy, or that Facebook did anything with the information obtained from the defendants.

The District Court dismissed the claim for lack of standing because neither theory of damages alleged an injury in fact capable of surviving a motion to dismiss. The District Court recognized that an “overpayment” theory is potentially viable in certain limited circumstances. The plaintiff’s claim, however, failed because (1) he did not allege misuse of highly sensitive financial information such as credit card or social security data, and (2) he did not allege that he paid additional compensation for any privacy features (the same privacy policy applied to both paying and non-paying users).

The court rejected the plaintiff’s “would not have shopped” theory of injury because the plaintiff could not plausibly allege that reasonable consumers would expect Game Informer to protect their Facebook ID and Game Informer browsing history while logged into Game Informer’s website and Facebook at the same time.

Carlsen v. GameStop, Civil No. 14-3131 (D. Minn. June 4, 2015).