Summary
finding no standing reasoning, “Plaintiff further fails to allege that Defendants disclosed any highly sensitive financial information such as credit card or social security data, but rather alleges that Defendants disclosed Plaintiff's Facebook ID and browsing patterns. This alone does not suffice to establish injury or imminent injury stemming from disclosure and differs substantially from injuries such as identity theft or costs to change account information.”
Summary of this case from In re BPS Direct, LLCOpinion
Civil No. 14–3131 (DWF/SER).
06-04-2015
Matthew CARLSEN, individually and on behalf of other similarly situated, Plaintiff, v. GAMESTOP, INC., a Minnesota corporation; and Sunrise Publications, Inc. d/b/a Game Informer, a Minnesota corporation, Defendants.
Alicia E. Hwang, Esq., Ari J. Scharg, Esq., Benjamin S. Thomassen, Esq., and Rafey S. Balabanian, Esq., Edelson PC; and Robert K. Shelquist, Esq., Lockridge Grindal Nauen PLLP, counsel for Plaintiffs. Casie D. Collignon, Esq., Paul G. Karlsgodt, Esq., and Theodore J. Kobus, III, Esq., Baker & Hostetler LLP; Mathew M. Wrenshall, Esq., Reed Smith LLP; and Teresa J. Kimker, Esq., Nilan Johnson Lewis PA, counsel for Defendants.
Alicia E. Hwang, Esq., Ari J. Scharg, Esq., Benjamin S. Thomassen, Esq., and Rafey S. Balabanian, Esq., Edelson PC; and Robert K. Shelquist, Esq., Lockridge Grindal Nauen PLLP, counsel for Plaintiffs.
Casie D. Collignon, Esq., Paul G. Karlsgodt, Esq., and Theodore J. Kobus, III, Esq., Baker & Hostetler LLP; Mathew M. Wrenshall, Esq., Reed Smith LLP; and Teresa J. Kimker, Esq., Nilan Johnson Lewis PA, counsel for Defendants.
MEMORANDUM OPINION AND ORDER
DONOVAN W. FRANK, District Judge.
INTRODUCTION
This matter is before the Court on Defendants GameStop, Inc. (“GameStop”) and Sunrise Publications, Inc. d/b/a Game Informer's (“Game Informer”) (collectively, “Defendants”) motion to dismiss. (Doc. No. 32.) For the reasons set forth below, the Court grants Defendants' motion.
BACKGROUND
Plaintiff Matthew Carlsen (“Carlsen” or “Plaintiff”), individually and on behalf of others similarly situated (collectively, “Plaintiffs”), are users of print and online materials published by Game Informer (“Game Informer Magazine”) and other content. (Doc. No. 31, Am. Compl. ¶¶ 1, 8, 23.) Game Informer Magazine offers news, reviews, and commentary about the video game industry. (Id. ¶ 1.) Registered subscribers can access digital versions of the Game Informer Magazine through the website www.gameinformer.com and they can also manage their subscriptions and access enhanced content and message boards. (Id. ¶¶ 1, 17.) A one-year subscription costs between $14.99 and $19.98. (Id. ¶¶ 15–16, 50.) Plaintiff paid for a one-year digital subscription to receive access to the Game Informer Magazine and other enhanced content; he paid $14.99 in January 2014. (Id. ¶¶ 2, 50.)
The Terms of Service for the online subscription include Game Informer's Privacy Policy (the “Privacy Policy”). (Id. ¶ 3.) The Privacy Policy includes a provision that, with certain exceptions, “Game Informer does not share personal information with anyone.” (Id. ¶¶ 4, 27; Doc. No. 39 (“Privacy Policy”) § 5.)
The court may consider the complaint, matters of public record, materials necessarily embraced by the complaint, and exhibits attached to the complaint. See Porous Media Corp. v. Pall Corp., 186 F.3d 1077, 1079 (8th Cir.1999). Here, the Court considers the Privacy Policy as embraced by the complaint.
Plaintiff alleges that Defendants shared personally identifiable information (“PII”) with Facebook, a third party, in violation of the Privacy Policy. (Am. Compl. ¶¶ 29, 43.) Plaintiff alleges that Defendants did so through Game Informer's website, which includes features that allow users to log in to Game Informer's website using their Facebook accounts or use Facebook's “Like,” “Share,” or “Comment” functions through the site. (Id. ¶ 32.) In order to provide these features, Game Informer adds a Facebook Software Development Kit (“SKD”) to the source code on their website. (Id. ¶ 34.) Plaintiff alleges that the programming of this SKD on Game Informer's website results in the transmission of a user's unique Facebook ID to Facebook, along with information about Game Informer content viewed by the user. (Id. ¶¶ 39–43.) The information is only transmitted if the user has previously opted to remain “logged in” to Facebook, which places a “cookie” on the user's computer. (Id. ¶¶ 37–38.)
Game Informer website's “Privacy Policy applies to all Website(s) and Mobile Application(s) operated by Game Informer (collectively, with Game Informer Online, referred to as the ‘Site’).” (Privacy Policy § 1.1.) The Privacy Policy states:
[The] Privacy Policy applies only to information submitted and collected online through the Site.... In addition, [the] Privacy Policy does not extend to Websites that may be maintained by our international affiliates or other companies or organizations to which we link, or to websites that contain links to the Site and/or the Service.
(Id. § 1.2.) The Privacy Policy further states:
The Site provides video game related content for all visitors as well as enhanced content and message boards, among other items, for registered users (such enhanced content and message boards, among other items, are referred to as the “Service”). All visitors and registered users are referred to in this Policy as “Users.” This Policy (i) covers Game Informer's treatment of personally identifiable information collected when you are on the Site and when you use the Service, and (ii) discloses Game Informer's information gathering and dissemination practices for the Site and Service.
(Id. § 1.4.) Under the Privacy Policy, users of Game Informer's website agree to the Privacy Policy's terms when they use the site. (Id. § 1.3 (“Please note that by using the Site, you signify your assent to this Privacy Policy. If you do not agree to this Privacy Policy, please do not use the Site.”).) Game Informer also incorporates this Privacy Policy into its subscription Terms of Service. (Id. ¶ 3.) Plaintiff alleges that the purchase of a Game Informer subscription requires registration through Game Informer's website and agreement to the Terms of Service to gain access to its subscription-only online content. (Am. Compl. ¶¶ 17, 26, 53, 54, 68, 70.)
According to Plaintiffs, the Privacy Policy also describes the types of information collected about its users and how and with whom this information gets shared. (See generally Privacy Policy.) Game Informer collects both so-called “personal” and “aggregate information” through voluntary submission, as well as use of the website. (Id.) The Privacy Policy states: “Except as stated above or disclosed in this Policy, or otherwise as may be authorized or permitted by a User, Game Informer does not share personal information with anyone.” (Id. § 5.) “[P]ersonal information may include: your name, home address and zip code, telephone number, email address and (for those purchasing products online) credit card or checking account information including billing and shipping addresses and zip codes.” (Id. § 2.1.) The Privacy Policy excludes operational uses, promotions sponsored by third parties, government requirements, and use of “cookies” and “Web beacons” by third-party advertisers that may collect “non-personally identifiable information.” (Id. §§ 2.4, 3.2, 3.3, 4.5, 8.)
Plaintiff alleges Defendants breached a paid-for contract term by disclosing Plaintiff's Facebook ID and information about content Plaintiff accessed on Game Informer's website. (Am. Compl. ¶¶ 76, 79.) Plaintiff also alleges this disclosure constitutes a material misrepresentation regarding Game Informer subscriptions. (Id. ¶ 104.) Plaintiff alleges that he believed his PII would not be disclosed and that this belief was “confirmed” by the Privacy Policy. (Id. ¶ 56.) Plaintiff alleges “a portion of the money [members] pay for their membership goes toward the protection of their sensitive information.” (Id. ¶ 20.) Plaintiff further alleges that, had he known about the disclosures in question, he would either have not paid for the subscription or not accessed the online content for which he had paid. (Id. ¶ 58.)
Plaintiff seeks damages and injunctive relief for the alleged violation of the Privacy Policy by the disclosure of users' content access of the Game Informer website, along with their Facebook IDs, to Facebook. (Id. ¶¶ 81, 87, 93, 107.) In his Amended Complaint, Plaintiff seeks class certification and asserts the following claims: (1) breach of contract; (2) unjust enrichment; (3) money had and received; and (4) violation of Minnesota's Prevention of Consumer Fraud Act, Minn.Stat. §§ 325F.68 et seq. (Id. ¶¶ 67–107.) Defendant now moves to dismiss Plaintiff's claims in their entirety. (Doc. No. 32.)
DISCUSSION
I. Legal Standard—Rule 12(b)(1)
A motion to dismiss under Federal Rule of Civil Procedure 12(b)(1) challenges the Court's subject matter jurisdiction. To survive a motion to dismiss for lack of subject matter jurisdiction, the party asserting jurisdiction has the burden of proving jurisdiction. VS Ltd. P'ship v. Dep't of Hous. & Urban Dev., 235 F.3d 1109, 1112 (8th Cir.2000) (citation omitted). “Subject matter jurisdiction is a threshold requirement which must be assured in every federal case.” Kronholm v. Fed. Deposit Ins. Corp., 915 F.2d 1171, 1174 (8th Cir.1990).
A motion to dismiss for lack of subject matter jurisdiction may challenge a plaintiff's complaint either on its face or on factual truthfulness of its averments. Osborn v. United States, 918 F.2d 724, 729 n. 6 (8th Cir.1990) (citations omitted). When a defendant brings a facial challenge—a challenge that, even if truthful, the facts alleged in a claim are insufficient to establish jurisdiction—a court reviews the pleadings alone, and the non-moving party receives the same protections as it would defending against a motion brought pursuant to Rule 12(b)(6). Id. (citation omitted). In a factual challenge to jurisdiction, the court may consider matters outside the pleadings, and the non-moving party does not benefit from the safeguards of Rule 12(b)(6). Id. at 728–30 n. 4 (citations omitted) (holding that on a Rule 12(b)(1) motion challenging subject-matter jurisdiction, the court “has authority to consider matters outside the pleadings”).
II. Article III Standing
Defendants seek dismissal of Plaintiff's claims, pursuant to Rule 12(b)(1), on the grounds that Plaintiffs lack Article III standing for failure to allege an injury in fact.
To establish standing under Article III of the Constitution, a plaintiff must have a “justiciable case or controversy,” which requires: (1) injury in fact; (2) a causal connection between the injury and the conduct at issue; and (3) likelihood that the remedy the plaintiff seeks will redress the alleged injury. Steel Co. v. Citizens for a Better Env't, 523 U.S. 83, 118 S.Ct. 1003, 140 L.Ed.2d 210 (1998) (quotations and citation omitted); Iowa League of Cities v. E.P.A., 711 F.3d 844, 869 (8th Cir.2013); see also Clapper v. Amnesty Int'l, USA, ––– U.S. ––––, 133 S.Ct. 1138, 1147, 185 L.Ed.2d 264 (2013).
To establish an injury in fact, the plaintiff must allege “an invasion of a legally protected interest which is (a) concrete and particularized and (b) ‘actual or imminent, not conjectural or hypothetical.’ ” Lujan v. Defenders of Wildlife, 504 U.S. 555, 560, 112 S.Ct. 2130, 119 L.Ed.2d 351 (1992) (quotations and citations omitted). The party invoking federal jurisdiction bears the burden of proof for each element of standing. Id. at 561, 112 S.Ct. 2130. The burden corresponds with the degree of evidence required at the relevant stage of litigation. Id. “At the pleading stage ... general factual allegations of injury ... may suffice.” Id.; Iowa League of Cities, 711 F.3d at 869.
Defendants argue that Plaintiff has failed to satisfy the first prong of the standing test—that there is an injury in fact. Defendants assert that Plaintiff has failed to allege any economic injury at all. Specifically, Defendants argue that: the disclosure of personal information alone does not constitute a cognizable injury; Plaintiff's subscription payment, as an “overpayment,” does not constitute injury; and there is no “impending” injury.
Plaintiff, however, contends that he has sufficiently alleged injury in the form of monetary damages based on a theory of “overpayment.” Plaintiff further appears to assert that he has adequately alleged injury under a “would not have shopped” theory.
A. Overpayment
First, Plaintiff alleges monetary injury based on a theory of “overpayment.” Plaintiff alleges that he would not have paid as much for the Game Informer subscription if he had known how his PII would be handled and that the Privacy Policy was being violated. (Doc. No. 38 at 13–16.) Specifically, Plaintiff alleges that “because Defendants failed to disclose their actual practice, they delivered to Plaintiff and the Class a fundamentally less useful and less valuable service than the one they paid for,” and it is this difference in value that constitutes Plaintiff's damages. (Am. Compl. ¶¶ 6, 77.)
Courts have generally found “overpayment” theories insufficient to establish injury, even in situations involving highly sensitive PII. See, e.g., In re Target Corp. Customer Data Sec. Breach Litig., 66 F.Supp.3d 1154, 1177–78 (D.Minn.2014) (holding that where the plaintiffs alleged that they were overcharged for the goods they purchased, which they alleged included a premium for adequate data security, “Plaintiffs' ‘overcharge’ theory ha[d] no merit,” and “the fact that all customers regardless of payment method pay the same price renders Plaintiffs' overcharge theory implausible”); see also, e.g., In re Barnes & Noble Pin Pad Litig., Civ. No. 12–8617, 2013 WL 4759588, at *5 (N.D.Ill. Sept. 3, 2013) (finding no merit to the plaintiffs' “overpayment” theory in which plaintiffs alleged that there was a diminished value to the products and services purchased at the retailer because the security measures were inadequate, “particularly as Plaintiffs have not pled that [the retailer] charged a higher price for goods whether a customer pays with credit, and therefore, that additional value is expected in the use of a credit card”). Further, as the court explained in In re Science Applications Int'l Corp. (SAIC) Backup Tape Data Theft Litig.:
To the extent that Plaintiffs claim that some indeterminate part of their premiums went toward paying for security measures, such a claim is too flimsy to support standing. They do not maintain, moreover, that the money they paid could have or would have bought a better policy with a more bullet-proof information-security regime. Put another way, Plaintiffs have not alleged facts that show that the market value of their insurance coverage (plus security services) was somehow less than what they paid. Nothing in the Complaint makes a plausible case that Plaintiffs were cheated out of their premiums. As a result, no injury lies.
45 F.Supp.3d 14, 30 (D.D.C.2014) (emphasis added).
Moreover, courts have held that to establish standing, a claim must include allegations relating to monetary losses or “any other injuries such as identity theft, identity fraud, medical fraud, or phishing.” See, e.g., In re Horizon Healthcare Servs. Inc. Data Breach Litig., Civ. No. 13–7418, 2015 WL 1472483, at *4–5 (D.N.J. Mar. 31, 2015) (emphasis added) (citing Resnick v. AvMed, Inc., 693 F.3d 1317 (11th Cir.2012)) (holding that the plaintiffs had failed to sufficiently allege an “economic injury” sufficient to establish standing because they did not allege any monetary loss or other injuries); cf., e.g., In re Target, 66 F.Supp.3d at 1159 (finding injury adequately alleged for standing to the extent plaintiffs' allegations included injuries for “unlawful charges, restricted or blocked access to bank accounts, inability to pay other bills, and late payment charges or new card fees”). Likewise, to the extent plaintiffs allege future harm, that harm must be imminent and not speculative. See, e.g., In re Adobe Sys., Inc. Privacy Litig., 66 F.Supp.3d 1197, 1206–08, 1214–15 (N.D.Cal.2014) (finding injury was sufficiently alleged where hackers deliberately accessed customer PII that included names, login IDs, passwords, credit and debit card numbers, expiration dates, and mailing and e-mail addresses because the risk that the “personal data will be misused by the hackers who breached Adobe's network is immediate and very real”); see also Doe 1 v. AOL, LLC, 719 F.Supp.2d 1102, 1113 (N.D.Cal.2010) (finding injury where AOL disclosed “highly sensitive personal information ... include[ing] members' names, addresses, telephone numbers, credit card numbers, social security numbers, financial account numbers, user names and passwords ... [and] information regarding members' personal issues, including sexuality, mental illness, alcoholism, incest, rape, adultery and domestic violence”).
Here, Plaintiff only alleges a general theory of overpayment. Plaintiff does not allege that he paid anything specific for the Privacy Policy. As in Horizon and SAIC, Plaintiff merely alleges an indeterminate “portion of the money [members] pay for their membership goes toward the protection of their sensitive information.” (Am. Compl. ¶ 20.) Plaintiff also does not allege any specific monetary losses or “other injuries such as identity theft, identity fraud, [etc.].” In re Horizon Healthcare, 2015 WL 1472483, at *4–5. For example, Plaintiff does not include facts that show the market value of the subscription was less than the amount paid, which could perhaps show economic injury. See, e.g., SAIC, 45 F.Supp.3d at 30. Instead, Plaintiff solely asserts the general allegation that “Defendants' services were fundamentally less useful and valuable” than what he paid for. (Am. Compl. ¶ 77.) Plaintiff further fails to allege that Defendants disclosed any highly sensitive financial information such as credit card or social security data, but rather alleges that Defendants disclosed Plaintiff's Facebook ID and browsing patterns. This alone does not suffice to establish injury or imminent injury stemming from disclosure and differs substantially from injuries such as identity theft or costs to change account information. See, e.g., Target, 66 F.Supp.3d at 1158–59. Further, because non-paying and paying users received the same Privacy Policy in this case, Plaintiff cannot establish that the Privacy Policy has intrinsic monetary value attributed to it that was paid for and not received. See, e.g., Remijas v. Neiman Marcus Grp., LLC, Civ. No. 14–1735, 2014 WL 4627893 (N.D.Ill. Sept. 16, 2014) (reasoning that the “overpayment” theory was not applicable to a case involving the disclosure of PII due to insufficient data security because security was not “intrinsic” to the products purchased by the customers). Importantly, Plaintiff also fails to allege that Facebook, or anyone for that matter, actually did anything with the information it received.
Similarly, Plaintiff also cannot establish that the lack of data privacy/security constituted injury because Plaintiff did not bargain for data privacy/security. In In re LinkedIn User Privacy Litig., the court held that “[t]he [complaint] does not sufficiently demonstrate that included in Plaintiffs' bargain for premium membership was the promise of a particular (or greater) level of security that was not part of the free membership.” 932 F.Supp.2d 1089, 1092–95 (N.D.Cal.2013). The same is true here—there is no dispute that the same Game Informer Privacy Policy applies to “all [non-paying] visitors as well as enhanced content, [etc.] for [paying] registered users.” (Privacy Policy § 1.4.) Put another way, Plaintiff's consideration was for enhanced content and he received the benefit of that bargain—the enhanced content. Therefore, security failures or misrepresentations relating to data security, even if true as alleged, cannot be a breach and thus cannot result in a breach-of-contract injury. Plaintiff could not have “overpaid” for the service he purchased because he received what he paid for.
To the extent Plaintiff argues that, “where a plaintiff alleges that he paid for a good or service and did not receive the full benefit of the bargain, the plaintiff alleges economic injury in the form of overpayment” (Doc. No. 38 at 10), Plaintiff correctly states that the “benefit of the bargain” method for measuring damages is standard in contract cases. (See id. (citing Coghlan v. Wellcraft Marine Corp., 240 F.3d 449, 452 (5th Cir.2001) and Gen. Mills. Ops., LLC v. Five Star Custom Foods, Ltd., 789 F.Supp.2d 1148, 1156 (D.Minn.2011) aff'd, 703 F.3d 1104 (8th Cir.2013)).) However, this theory still fails to suffice to establish injury in this case. Even using the “benefit of the bargain” theory, Plaintiff needs to allege some form of damage because breach of contract claims require allegations of damages. See, e.g., Parkhill v. Minn. Mut. Life Ins. Co., 174 F.Supp.2d 951, 961 (D.Minn.2000) (citations omitted) (stating elements of a breach of contract claim which includes damages). In fact, in each of the cases cited by Plaintiff in support of this argument, the courts examined whether plaintiff had to show that a defect existed in a bargained-for product, but whether there was economic damage was not specifically in question because some injury was clearly stated. See, e.g., Gen. Mills, 789 F.Supp.2d at 1156.
Plaintiff's attempt to distinguish this case from LinkedIn by arguing that he never “upgraded” his account from an unpaid account in which he had previously agreed to the terms and conditions, but instead was solely presented with the terms “during his one and only online registration process” (Doc. No. 38 at 16), also fails. Here, the Privacy Policy unambiguously applies to all users and all content and, as a result, Plaintiff was explicitly informed that the conditions applying to his use did not differ from those of non-paying, unregistered users. Additionally, because the Privacy Policy plainly states that all users agree to the same Privacy Policy by function of using the site, all users are informed that they have all agreed to the same Privacy Policy. Thus, while the Privacy Policy may be required for purchase, no purchase—or even registration—is required for the Privacy Policy, thus, making this case just like LinkedIn. See LinkedIn, 932 F.Supp.2d at 1093 (holding that “[a]ny alleged promise LinkedIn made to paying premium account holders regarding security protocols was also made to non-paying members,” and therefore, “when a member purchases a premium account upgrade, the bargain is not for a particular level of security, but actually for the advanced networking tools and capabilities to facilitate enhanced usage of LinkedIn's services,” and cannot constitute injury). Accordingly, Plaintiff's allegations make clear that, when purchasing a subscription, the only benefit received is enhanced content, and, again, none of the payment value can plausibly be attributed to the Privacy Policy to support monetary damages.
Overall, Plaintiff merely alleges that there is some difference between what he paid and what he received—essentially, a subscription that lets browsing information transfer to Facebook and one that does not. This is not enough. In each of the cases cited by Plaintiff in support of this theory, the value that plaintiffs did not receive is clearly alleged. For example, in Coghlan, the plaintiff alleges a clear difference in value between an all-fiberglass boat and a wood-fiberglass hybrid boat, which he purchased thinking it was all-fiberglass. Coghlan, 240 F.3d at 454; see also Gen. Mills, 789 F.Supp.2d at 1153, 1155–56 (plaintiffs alleged that they lost more than one million dollars as a result of a recall associated with potentially infected meat products that did not meet agreed upon terms); Aqua Dots Prods. Liab. Litig., 654 F.3d 748 (7th Cir.2011) (finding injury associated with the purchase of toys that were defective and for which plaintiffs sought refunds and which could make children seriously ill). Moreover, in Coghlan, injury was sufficiently pled in part because the purchase at issue largely involved reliance on marketing and product quality. Coghlan, 240 F.3d at 454 (noting that the defendants had emphasized the advantages of all-fiberglass construction and it was well-understood that fiberglass boats hold their value better); see also AOL, 719 F.Supp.2d at 1111 (finding injury sufficiently pled in part because “AOL held itself out to the market as being a leader in internet security and privacy and [AOL] represented that it assured members that its service was ‘safe, secure and private’ ”). The same cannot be said here. There was no identified or identifiable injury like lost dollars due to a recalled product or an identifiably less valuable product like a hybrid product. There is no discernable difference in value in this case. Further, Plaintiff does not adequately allege that the Privacy Policy was central to his subscription purchase like in AOL. In sum, Plaintiff fails to show any injury in the form of an overpayment or otherwise.
Thus, even accepting as true all of Plaintiff's allegations and construing all reasonable inferences in Plaintiff's favor, Plaintiff has failed to adequately plead facts relating to overpayment for Game Informer products or services or for any other injury that could establish Article III standing.
Because Plaintiff asserts the same “overpayment” theory of injury for all of Plaintiff's claims, the Court considers them together.
B. “Would Not Have Shopped” and Reasonable Belief
Plaintiff also appears to allege injury-in-fact based on a “would not have shopped” theory, in which he asserts that he would not have purchased the Gamer Informer subscription if he had known his data would be shared. Plaintiff further appears to contend that this theory supports a claim for unjust enrichment. For unjust enrichment, a plaintiff must show that the defendant “knowingly received or obtained something of value for which the defendant ‘in equity and good conscience’ should pay.” ServiceMaster of St. Cloud v. Sentry Ins., 544 N.W.2d 302, 306 (Minn.1996).
Plaintiff points to the Target case, in which the plaintiffs argued that they “would not have shopped at Target had they known about the [credit card] breach.” Target, 66 F.Supp.3d at 1177–79. In Target, a court in this District held that:
Plaintiffs' “would not have shopped” theory ... is plausible and supports their claim for unjust enrichment. If Plaintiffs can establish that they shopped at Target after Target knew or should have known of the breach, and that Plaintiffs would not have shopped at Target had they known about the breach, a reasonable jury could conclude that the money Plaintiffs spent at Target is money to which Target “in equity and good conscience” should not have received.
Id. Plaintiff further asserts that his belief that Defendant would protect his PII was reasonable and that the reasonableness of that belief supports his claims.
Defendants counter that Plaintiff failed to allege “he relied on, or even read, Defendants' Privacy Policy,” and that,
Plaintiff has also not alleged that he has stopped using the online portion of his Game Informer subscription or that he quit staying logged in to Facebook while browsing the Game Informer website after he allegedly found out about Defendants' alleged practices in his investigation of this lawsuit.
(Doc. No. 44 at 12–13.) Defendants therefore assert that Plaintiff cannot establish injury through his “would not have shopped” theory.
The Court agrees. The “would not have shopped” theory fails to establish injury for purposes of standing. Here, the Court concludes that this case is distinguishable from Target because Plaintiff suffered no actual damages and did receive the full value of his purchase, as explained above. Plaintiff has not adequately identified money which Game Informer “in equity and good conscience” should not have received. Target, 66 F.Supp.3d at 1178. And, while not dispositive of this issue, as Defendants state, Plaintiff could have simply stopped being logged in to Facebook while using the Game Informer website, whereas plaintiffs in Target had no similar options within their control. Additionally, no purchase was necessary for a PII disclosure as alleged by Plaintiff. Without any change in disclosure of PII resulting from the purchase, Plaintiff's allegation that awareness of the disclosure would have been determinative in his purchase decision is speculative and cannot establish injury for purposes of standing. This case also differs from most data breach cases, where, due to the inherent risks to both consumer and retailer, an expectation for protection of certain PII such as credit card information is reasonable. See generally Target, 66 F.Supp.3d 1154; see also generally AOL, 719 F.Supp.2d 1102. In contrast, Plaintiff's complaint alleges his Facebook ID and Game Informer browsing information was disclosed by Defendants. Plaintiff does not plausibly allege the reasonableness of a consumer's belief that the PII at issue would not be disclosed if they were on Facebook while using Game Informer or that the PII is not normally disclosed on other sites using a Facebook SDK. Because Plaintiff does not allege disclosure of this type of PII is not standard practice for sites using a Facebook SDK, the complaint does not allege the reasonableness of any expectation that this type of PII would not be disclosed with a Game Informer subscription that could support injury.
Plaintiff essentially claims that he “believed that Defendants would not disclose his PII,” and that “Defendants confirmed that belief based upon [the Privacy Policy].” (Am. Compl. ¶ 56 (emphasis added).) However, without any claim that Plaintiff actually read and relied on the Privacy Policy, Plaintiff cannot allege that the Privacy Policy terms were determinative of his purchase. Plaintiff, therefore, fails to adequately plead causation and injury with regard to any alleged misrepresentations within that policy.
Therefore, Plaintiff does not adequately claim an unjust enrichment injury under a “would not have shopped” theory or injury based upon reasonable expectations of privacy in this case. Accordingly, Plaintiff fails to allege Article III injury on these grounds as well.
The Court acknowledges that the parties have also addressed whether the claims should be dismissed pursuant to Rule 12(b)(6) for failure to state claims for relief. In light of the Court's analysis regarding Article III standing, the Court does not examine this issue. The Court also notes that Plaintiff's arguments that Defendants waived their 12(b)(6) arguments would not succeed.
Similarly, the Court notes that because Plaintiff has failed to establish injury in a way that satisfies Article III standing requirements, the Court does not examine whether the terms of the Privacy Policy itself promised the security that Plaintiff asserts it does. Whether it does or does not, does not affect this Court's standing analysis. amend would be futile in this case, and, as a result, the Court dismisses the claims with prejudice.
CONCLUSION
Plaintiff has failed to allege an injury in fact and as a result has not established standing under Article III of the Constitution. Plaintiff's complaint is therefore dismissed pursuant to Rule 12(b)(1) of the Federal Rules of Civil Procedure for lack of subject matter jurisdiction. Further, on the record before Court, the Court concludes that leave to amend would be futile in this case, and, as a result, the Court dismisses the claims with prejudice.
ORDER
Based on the foregoing, and all the files, records, and proceedings herein, IT IS HEREBY ORDERED that:
1. Defendant's Motion to Dismiss the First Amended Complaint (Doc. No. 31 ) is
GRANTED.
2. The claims in this matter are