Liability Beyond Borders: Court expands scope of California privacy litigation
By and on Posted in California, Cybersecurity, Data Privacy

The U.S. Court of Appeals for the Ninth Circuit has issued a pivotal ruling that is likely to reshape privacy litigation for e-commerce platforms.

In Briskin v. Shopify, Inc., the Court held that Shopify, despite being headquartered in Canada, could be sued in California because it allegedly engaged in tortious actions that deliberately targeted the plaintiff, a California resident. The decision could mean a significant expansion of the scope of personal jurisdiction over e-commerce platforms that operate in multiple jurisdictions.   

Background

California resident, Brandon Briskin, purchased athletic wear from a California clothing brand whose website was hosted and operated by Shopify, Inc. To complete the credit card transaction, Mr. Briskin was required to submit personal information, including his name, delivery and billing addresses, phone number, and credit card information. In his lawsuit, Mr. Briskin alleged that Shopify surreptitiously installed tracking cookies on his iPhone, permitting Shopify to track his geolocation, browser type, IP address, payment information, and the location of his completed online transaction. Believing his privacy rights were violated, Briskin initiated class action proceedings against the Canadian corporation in federal court in California. He asserted claims for invasion of privacy under the California Invasion of Privacy Act and other California privacy statutes. 

Shopify got the lawsuit dismissed on the grounds that the California court lacked personal jurisdiction over Shopify. Mr. Briskin appealed, and a three-judge panel of the Ninth Circuit agreed that dismissal was proper. However, Mr. Briskin petitioned to have his appeal heard by all of the judges on the Ninth Circuit, and his petition was granted. After the full court heard the appeal, it reversed, concluding that the court did have jurisdiction over Shopify.

The reversal

In analyzing the issue of personal jurisdiction, the Ninth Circuit applied the “Calder effects” test, derived from the decision of the U.S. Supreme Court in Calder v. Jones. Applying that decision, the full Ninth Circuit found that the lawsuit alleged that Shopify engaged in intentional conduct that it knew would harm California customers. Specifically, according to the allegations in the lawsuit, Shopify engaged in activities that were aimed at targeting California customers in an effort to obtain and use their personal data for commercial gain. However, the court clarified that there could be jurisdiction even if the company did not specifically target California residents. Instead, for jurisdictional purposes, it was enough for the lawsuit to allege that Shopify knowingly collected data from California users and that the alleged harms occurred in California. 

Implications

The Briskin decision could have significant legal implications for e-commerce companies. Plaintiffs are now in a stronger position to assert CIPA claims even if the companies they are suing are not based in California. Companies are now subject to the jurisdiction of California courts if they collect the data of California residents.

Conclusion

The Briskin decision illustrates how the law is adapting to the realities of evolving technology, specifically in the context of online platforms and their data collection practices. Digital platforms should take heed of the Briskin decision and evaluate their practices to ensure compliance with all applicable federal and state privacy laws.

The Constangy Cybersecurity & Data Privacy Team regularly defends businesses of all sizes and industries in against privacy lawsuits. With experience in jurisdictions across the nation, we are happy to help defend your organization. If you’d like to learn more please contact us at cyber@constangy.com.

TAGS: California, California Invasion of Privacy Act, Cyber Team, CyberMonday, Cybersecurity, Data Privacy, Data Security, Privacy
Facebook Twitter/X Linkedin Email
  • Chasity Henry
    Chasity Henry
    Associate Attorney

    She has experience representing clients in matters involving complex litigation, including data privacy. As a member of our cyber litigation team, Chasity assists clients throughout the litigation the process, from preparation ...

    More from Chasity: Full Bio | Contact Author | LinkedIn | Blog Posts
  • Jennifer Lee, Cyber partner headshot, wears a light pink blazer over a white blouse, smiling against a light blue and white geometric background.
    Jennifer Lee
    Partner
    949.743.3924 |

    As a former privacy counsel and member of a data security response team, Jennifer brings unique insights to our cyber litigation team. She has extensive experience managing responses to data security incidents and representing ...

    More from Jennifer: Full Bio | Contact Author | LinkedIn | Blog Posts

The Constangy Cyber Advisor posts regular updates on legislative developments, data privacy, and information security trends. Our blog posts are informed through the Constangy Cyber Team's experience managing thousands of data breaches, providing robust compliance advisory services, and consultation on complex data privacy and security litigation. 

Search

Get Updates By Email

Subscribe

Archives

Jump to Page

Constangy, Brooks, Smith & Prophete, LLP Cookie Preference Center

Your Privacy

When using this website, Constangy and certain third parties may collect and use cookies or similar technologies to enhance your experience. These technologies may collect information about your device, activity on our website, and preferences. Some cookies are essential to site functionality, while others help us analyze performance and usage trends to improve our content and features.

Please note that if you return to this website from a different browser or device, you may need to reselect your cookie preferences.

For more information about our privacy practices, including your rights and choices, please see our Privacy Policy. 

Strictly Necessary Cookies

Always Active

Strictly Necessary Cookies are essential for the website to function, and cannot be turned off. We use this type of cookie for purposes such as security, network management, and accessibility. You can set your browser to block or alert you about these cookies, but if you do so, some parts of the site will not work. 

Functionality Cookies

Always Active

Functionality Cookies are used to enhance the functionality and personalization of this website. These cookies support features like embedded content (such as video or audio), keyword search highlighting, and remembering your preferences across pages—for example, your cookie choices or form inputs during submission.

Some of these cookies are managed by third-party service providers whose features are embedded on our site. These cookies do not store personal information and are necessary for certain site features to work properly.

Performance Cookies

Performance cookies help us improve our website by collecting and reporting information on its usage. We access and process information from these cookies at an aggregate level.

Powered by Firmseek