In Briskin v. Shopify, Inc., the Court held that Shopify, despite being headquartered in Canada, could be sued in California because it allegedly engaged in tortious actions that deliberately targeted the plaintiff, a California resident. The decision could mean a significant expansion of the scope of personal jurisdiction over e-commerce platforms that operate in multiple jurisdictions.   

Background

California resident, Brandon Briskin, purchased athletic wear from a California clothing brand whose website was hosted and operated by Shopify, Inc. To complete the credit card transaction, Mr. Briskin was required to submit personal information, including his name, delivery and billing addresses, phone number, and credit card information. In his lawsuit, Mr. Briskin alleged that Shopify surreptitiously installed tracking cookies on his iPhone, permitting Shopify to track his geolocation, browser type, IP address, payment information, and the location of his completed online transaction. Believing his privacy rights were violated, Briskin initiated class action proceedings against the Canadian corporation in federal court in California. He asserted claims for invasion of privacy under the California Invasion of Privacy Act and other California privacy statutes. 

Shopify got the lawsuit dismissed on the grounds that the California court lacked personal jurisdiction over Shopify. Mr. Briskin appealed, and a three-judge panel of the Ninth Circuit agreed that dismissal was proper. However, Mr. Briskin petitioned to have his appeal heard by all of the judges on the Ninth Circuit, and his petition was granted. After the full court heard the appeal, it reversed, concluding that the court did have jurisdiction over Shopify.

The reversal

In analyzing the issue of personal jurisdiction, the Ninth Circuit applied the “Calder effects” test, derived from the decision of the U.S. Supreme Court in Calder v. Jones. Applying that decision, the full Ninth Circuit found that the lawsuit alleged that Shopify engaged in intentional conduct that it knew would harm California customers. Specifically, according to the allegations in the lawsuit, Shopify engaged in activities that were aimed at targeting California customers in an effort to obtain and use their personal data for commercial gain. However, the court clarified that there could be jurisdiction even if the company did not specifically target California residents. Instead, for jurisdictional purposes, it was enough for the lawsuit to allege that Shopify knowingly collected data from California users and that the alleged harms occurred in California. 

Implications

The Briskin decision could have significant legal implications for e-commerce companies. Plaintiffs are now in a stronger position to assert CIPA claims even if the companies they are suing are not based in California. Companies are now subject to the jurisdiction of California courts if they collect the data of California residents.

Conclusion

The Briskin decision illustrates how the law is adapting to the realities of evolving technology, specifically in the context of online platforms and their data collection practices. Digital platforms should take heed of the Briskin decision and evaluate their practices to ensure compliance with all applicable federal and state privacy laws.

The Constangy Cybersecurity & Data Privacy Team regularly defends businesses of all sizes and industries in against privacy lawsuits. With experience in jurisdictions across the nation, we are happy to help defend your organization. If you’d like to learn more please contact us at cyber@constangy.com.