In a 10-1 decision last Monday, the 9th US Circuit Court of Appeals in San Francisco ruled that Shopify can be sued in California for collecting personal identifying data from people who make purchases on websites of retailers in the state.
Quick Backstory: In August 2021, Brandon Briskin alleged that Shopify unlawfully collected and retained customer information when they made purchases through third-party websites powered by its platform. The lawsuit claimed that Shopify failed to adequately disclose to consumers that it was gathering and storing their personal data including names, addresses, order histories, and payment information, and that consumers thought they were only dealing with the individual merchant.
Shopify said it should not be sued in California because it operates nationwide and did not aim its conduct toward that state, and that Briskin could only sue in Delaware, New York or Canada. A lower court judge initially agreed that the case should be dismissed, but the full appeals court later determined that Shopify did in fact “expressly aim” its conduct toward California.
Matt McCrary, a lawyer for Briskin, rejected the argument that “a company is jurisdictionally ‘nowhere' because it does business ‘everywhere'” and was able to convince the court to do the same.
Circuit Judge Kim McLane Wardlaw wrote:
“Shopify deliberately reached out … by knowingly installing tracking software onto unsuspecting Californians' phones so that it could later sell the data it obtained, in a manner that was neither random, isolated, or fortuitous. We conclude that Shopify is subject to specific personal jurisdiction in California.”
A Shopify spokesperson said the decision leaves online retailers exposed to lawsuits in any jurisdiction and “undermines the fundamentals of how the Internet operates.”
The ruling revives Briskins's class-action lawsuit and marks a significant precedent for holding Internet companies accountable in states where their users reside.