The Ninth Circuit Court of Appeals recently expanded the limits of personal jurisdiction by holding that e-commerce companies can be sued in any state where their platforms interact with users.
The Court’s en banc ruling in Briskin v. Shopify, Inc. holds that federal courts in California have specific personal jurisdiction over the Canadian e-commerce platform based on its alleged data tracking and targeting practices of a California consumer, even though Shopify had no physical presence in the state and was not the merchant in the transaction. The ruling seems to significantly expand claims that may support jurisdiction under a “purposeful direction” theory, especially those employing cookies, geolocation tools, and embedded code to gather user data for monetization.
Background
Briskin, who was a California resident, used his iPhone's Safari browser to purchase clothing from the brand IABMFG at https://www.iambecoming.com. When he hit the "Pay now" button, he had no indication that by doing so, he submitted his personal data to Shopify, an e-commerce platform that facilitates online sales for merchants with whom it contracts rather than IABMFG. The Plaintiff filed a putative class action alleging privacy-related torts in the Northern District of California against the Canadian company Shopify and two of its wholly-owned U.S. subsidiaries, Shopify (USA), Inc., and Shopify Payments (USA), Inc., Delaware corporations.
Shopify is an e-commerce platform that facilitates online sales for merchants with whom it contracts. These merchants pay to access Shopify's software and infrastructure, which they use to design, set up, and manage their own online stores. The merchants use Shopify's website to provide Shopify with their product offerings, prices, shipping options, and other business preferences. Some merchants opt to embed Shopify assets, such as payment forms, into their own websites, while Shopify—which creates all the code necessary to implement the product catalogue and accept payment—hosts others. In either case, Shopify collects and validates the consumer's payment. And together with Stripe, a third-party payment processer, Shopify processes the payment, indefinitely storing the sensitive personal information it collects through the payment form. Shopify also ships products to consumers for the merchants through its fulfillment centers and logistics partners, and advertises its product offerings to merchants through its physical stores.
Shopify sends executable JavaScript code to consumers' computers or mobile devices, which then load and execute the code to display the payment form. However, the merchant whose product or service the consumer is purchasing appears to generate the payment form itself on the consumer's computer screen, and the screen doesn’t identify Shopify's role in the transaction. Here, neither the IABMFG checkout nor payment form mentions Shopify. As such, only an individual with technical knowledge and specialized software tools could discover that Shopify generated the forms (which here involved downloading eight separate files onto Briskin's cell phone to generate the form, which he didn’t know about). And when Briskin clicked the "Pay now" button, the newly installed Shopify software code sent his name and payment details to Shopify's servers. Shopify then sent a purchase confirmation email to Briskin, which again didn’t mention Shopify.
Moreover, when Briskin first viewed one of the items he later purchased, Shopify installed tracking cookies onto his device, enabling it to track his behavior across Shopify's vast merchant network, including geolocation data, the identity of his browser, the IP address, along with the payment information, and where the transaction was completed. And Briskin alleged that after collecting all of his personal identifying information, Shopify or Stripe, stores the data. Shopify also assesses the financial risks associated with individual consumers and their transactions and creates user profiles using the collected data for the benefit of its merchants. Likewise, Stripe uses the shared collected data to create user risk profiles, which it then markets to its own customers. Briskin claimed that Shopify shared his personal information with other third parties who also store, analyze, and market that information to their customers.
The Decision of the Ninth Circuit
The Court found that Shopify purposefully directed its tortious conduct toward California by knowingly installing tracking software on California users’ devices to collect and sell their personal data for commercial gain, in violation of California laws. The Court held that an interactive platform "expressly aims" its wrongful conduct toward a forum state when its contacts are its "own choice and not 'random, isolated, or fortuitous,'" quoting an earlier decision—"even if that platform cultivates a ‘nationwide audience for commercial gain.’”
Because none of the Shopify entities reside in the State of California, and Briskin didn’t attempt to make a showing that Shopify's contacts with California are so substantial, continuous, and systematic that it would be consistent with "traditional notions of fair play and substantial justice" to hale Shopify into California courts for any of its activities across the nation, the Court turned to longstanding principles governing the exercise of specific personal jurisdiction.
The U.S. Supreme Court has long interpreted this question of whether a forum state may assert specific jurisdiction over a nonresident defendant to require that courts focus on the relationship among the defendant, the forum, and the litigation. Circuit Judge Kim McLane Wardlaw, in her opinion for the Court, said that the analysis of specific personal jurisdiction involves a three-part test:
- The non-resident defendant must purposefully direct his activities or consummate some transaction with the forum or resident thereof; or perform some act by which he purposefully avails himself of the privilege of conducting activities in the forum, thereby invoking the benefits and protections of its laws;
- the claim must be one which arises out of or relates to the defendant's forum-related activities; and
- the exercise of jurisdiction must comport with fair play and substantial justice, i.e., it must be reasonable.
The plaintiff has the burden of satisfying the first two prongs of the test. If he fails to meet this burden, California courts lack specific personal jurisdiction; however, if he succeeds, the burden shifts to the defendant to present a compelling case that the presence of some other considerations would render jurisdiction unreasonable.
An important part of the decision was the Ninth Circuit panel’s rejection of the need for “differential targeting,” which refers to the idea that a defendant’s actions within a forum state create specific personal jurisdiction only if the defendant acted with “some prioritization of the forum state,” instead of a general, nationwide focus. The Court’s ruling suggests that a business model like Shopify’s, which operates nationwide and utilizes consumer data, can be subject to jurisdiction in any state where it (i) collects information from a resident of that state; and (ii) the business has some idea of the resident’s physical location when interacting with the business.
Takeaway
This decision is a significant change to personal jurisdiction of businesses involved in e-commerce. It serves as a caution to e-commerce businesses to examine their customer interactions in various states because their business activities may subject them to those jurisdictions’ courts.
Make sure your business complies with California privacy laws if it collects California consumer data. You should include California-centric privacy terms and disclosures on your website and prepare for CIPA or CCPA claims targeting jurisdiction.
Reach out to us to if you have questions about CIPA compliance or are facing a claim or lawsuit.