Online payment processor Shopify can be sued for allegedly violating a California privacy law by allegedly installing tracking cookies on customers' devices, after a split federal appeals court reversed their judicial colleagues.
In November 2023, three U.S. Ninth Circuit Court of Appeals judges — Daniel Bress, Consuelo Callahan and Bridget Bade — upheld a dismissal of the class action from U.S. District Judge Phyllis Hamilton, explaining an online shopper in California cannot file lawsuits in state court against every company involved in obtaining personal information in connection with an online transaction.
The lawsuit originated with named plaintiff Brandon Briskin, who accused Ontario, Canada-based Shopify of intentionally concealing its role in certain transactions in violation of state privacy and unfair competition laws.
Briskin alleged he used his phone in June 2019 to buy fitness apparel from IABMFG, a California-based retailer that used Shopify technology to process orders and payments. Briskin said Shopify installed cookies on his phone, connected his Safari browser to its network, stored his credit card information and sent it to Stripe, also a payment processor, then used his transaction to create a consumer profile it shared with business partners.
Although Briskin offered several examples of Shopify conducting business in California, the three-judge panel said, he failed to connect the specific nature of his allegations to his state of residence as distinct from other shoppers who use Shopify platforms.
A majority of Ninth Circuit active judges agreed that a larger panel of judges should review the case en banc.
Judge McLane Wardlaw wrote the new majority opinion, filed April 21; Judges Mary Murguia, Johnnie Rawlinson, Morgan Christen, Michelle Friedland, Mark Bennett and Roopali Desie concurred. Judges Daniel Collins and Patrick Bumatay wrote concurring opinions. Judge Callahan wrote a dissent.
According to Wardlaw, the majority applied “traditional personal jurisdiction precedent to the ever-evolving world of e-commerce” to reverse the dismissal, notably finding Shopify knew Briskin was in California when it installed the cookies and that Briskin alleged collection and sale of personal data without consent.
Briskin wasn’t attempting to show Shopify could be sued in California for its nationwide business practices, Wardlaw said, but his complaint adequately alleged specific personal jurisdiction in part owing to geolocation technology that identified Briskin as a state resident and shopper and more broadly the notion that alleged corporate knowledge of a customer base exploited for commercial gain is sufficient to survive a motion to dismiss.
“Each of Shopify’s actions in its regular course of business is an intentional act, which Shopify knows will cause harm to California consumers by violating the very laws that the California legislature has enacted to protect California consumers’ rights to data privacy and security, and from unfair business practices,” Wardlaw wrote. “It is clear that Shopify expressly aimed its conduct at California through its extraction, maintenance and commercial distribution of the California consumers’ personal data in violation of California laws.”
Shopify argued it shouldn’t be subject to specific jurisdiction lawsuits in all 50 states, but the majority said not all states necessarily have the same privacy laws.
In his concurrence, Judge Collins noted “there is no serious dispute, on the current record, that the alleged conduct that assertedly violated California law occurred, in substantial part, in California,” and a state has interests in enforcing laws enacted to protect its residents. Although Shopify insisted its conduct was automated, Collins said it is important that California specifically regulated e-commerce systems operating within its border.
“If a company develops a web-based business for the purpose of conducting online transactions in all 50 States, it should not be surprised that it may be sued in any state for unlawful transactions that may occur within that state,” Collins wrote.
Judge Bumatay’s concurrence examined the question of 14th Amendment due process protections and said “determining personal jurisdiction over out-of-state corporate defendants” in a modern commercial climate focuses on analogies to the physical presence of a store and not whether a company targets one state more than another.
In her dissent, Judge Callahan said the majority took an “expansive view of specific personal jurisdiction,” adding that “a company knowing where we happen to be when using its service, and then attaching a cookie to our device, has nothing to do with the state we’re in. That interaction forms a relationship between the company and the individual that is not ‘tethered’ to the state.”
Callahan said the majority effectively created a “traveling cookie” rule such that “when a company attaches cookies to a person’s electronic device, jurisdiction attaches wherever that person happens to be, and indeed, wherever that person happens to travel thereafter.” She suggested a California resident could sue under Nevada laws if making a purchase through a retailer using Shopify while driving through Nevada or similarly in Oregon.
The problem, Callahan continued, is such a policy clashes with her reading of U.S. Supreme Court precedent that jurisdictional questions orbit around a defendant’s contacts within the state, not the location of plaintiffs at the point of their commercial transactions.
“I share the majority’s concern that plaintiffs like Brandon Briskin have a convenient forum to vindicate their claims against large multinational corporations like Shopify,” Callahan wrote. “However, I fundamentally disagree with the majority’s approach, which subjects Shopify to specific jurisdiction in California simply because Shopify placed a cookie on Briskin’s device while he was ‘located in California.’ ”
However, Callahan said, Briskin possibly could have advanced a general jurisdiction argument because of “Shopify’s contractual agreements with California merchants, its fulfillment center and physical store” pointing to a physical presence in the state. As such, she suggested the majority perhaps didn’t go far enough because a focus on one customer’s smartphone “dodges the more pressing question” of all-purpose jurisdiction.
“In other words, today’s opinion tries to place a square cookie into a round hole,” Callahan wrote. “The majority’s traveling cookie rule sweeps together all companies with websites accessible ‘in California.’ Not once has the Supreme Court endorsed such an expansive view of jurisdiction.”
Representing Briskin were attorneys from Public Citizen Litigation Group, of Washington, D.C., and Gutride Safier, of San Francisco.
Shopify’s representatives included attorneys from the Hueston Hennigan firm's offices in Los Angeles, Newport Beach and New York.