Ninth Circuit revives CIPA suit, broadens jurisdiction over out-of-state data collectors
The Ninth Circuit Court of Appeals recently issued a groundbreaking decision in Briskin v. Shopify, a case involving the California Invasion of Privacy Act (CIPA) and the scope of personal jurisdiction over out-of-state companies that collect and use data from California consumers. The en banc court reversed the district court's dismissal of the case for lack of personal jurisdiction, holding that Shopify, a Canadian e-commerce platform that facilitates online sales for merchants, deliberately targeted California resident Brandon Briskin and violated his privacy rights under CIPA. The court also overruled its prior precedent that required plaintiffs to show that defendants had a "forum-specific focus" or "differential targeting" of the forum state to establish personal jurisdiction. The court's ruling has significant implications for businesses that operate on the internet and interact with California consumers, as well as for plaintiffs who seek to enforce their privacy rights under CIPA.
Background:
At the heart of the case is Brandon Briskin, a California resident who purchased athletic wear from a California-based retailer, IABMFG, using his iPhone’s Safari browser. Unbeknownst to Briskin, when he completed his purchase, his personal data—including sensitive payment information—was not just transmitted to the merchant, but also to Shopify, the e-commerce platform facilitating the transaction.
Briskin’s complaint, brought as a putative class action, alleged that Shopify: installed tracking cookies on his device without his knowledge or consent; collected a wide array of personal identifying information, including geolocation data, browser identity, IP address, and payment details; and compiled consumer profiles using this data and sold them to third parties, all without consumer disclosure or consent.
Shopify moved to dismiss the case for lack of personal jurisdiction, arguing that it did not have sufficient contacts with California to justify being sued there. Shopify contended that it did not target California consumers or merchants, but rather operated a global platform that was accessible to anyone with an internet connection. Shopify also argued that Briskin's claims did not arise from or relate to Shopify’s contacts with California, but rather from his own unilateral decision to purchase from a California merchant. The district court agreed with Shopify and dismissed the case, finding that Shopify did not expressly aim its conduct at California or have a forum-specific focus. Briskin appealed to the Ninth Circuit, which initially affirmed the district court's ruling in a three-judge panel decision. However, the Ninth Circuit later granted rehearing en banc and reversed the dismissal in a 9-2 decision.
Key takeaways:
The Ninth Circuit’s en banc panel reversed, holding that the district court has specific personal jurisdiction over Shopify for the following reasons:
1. Purposeful direction and express aiming
The court found that Shopify’s actions were deliberately targeted at California residents because Shopify’s use of geolocation technology allowed it to know when a consumer’s device was located in California at the time it installed tracking cookies and collected data. The court emphasized that Shopify’s business model—extracting, maintaining, and monetizing personal data from California consumers—constituted intentional acts expressly aimed at the forum state.
2. No requirement for “Differential Targeting”
Importantly, the court overruled prior Ninth Circuit precedent that required a defendant’s conduct to show “differential targeting” of a specific forum (i.e., treating California differently from other states) to establish specific personal jurisdiction. The court clarified that it is sufficient if the defendant’s contacts with the forum are not “random, isolated, or fortuitous,” even if the business operates nationwide.
3. Claims arise out of forum-related conduct
Briskin’s claims arose directly from Shopify’s conduct in California—namely, the installation of tracking software and the collection of personal data from a device known to be in California. The court found that these contacts were the type that would tend to cause the privacy injuries alleged.
4. Fair play and substantial justice
The court concluded that exercising jurisdiction over Shopify in California was reasonable, given the state’s strong interest in enforcing its privacy laws and protecting its residents. Shopify did not demonstrate that defending the case in California would be unduly burdensome or unfair.
The bottom line:
This decision broadens the risk of litigation and regulatory scrutiny for companies handling consumer data, making it essential to assess exposure to state privacy regulations and implement best practices for data collection, storage, and sharing. E-commerce platforms and online businesses can be sued in California—and likely other states—for privacy violations if they knowingly collect, use, or sell personal data from residents, even if their operations are nationwide and not specifically focused on California.
Any company using tracking tools, analytics, tags, or third-party plugins that interact with devices in California should carefully review their web technologies, consent flows, and privacy disclosures to ensure compliance.
If you have questions about how this decision impacts your company’s risk profile or concerns about compliance with privacy regulations, vulnerability to attacks or other breaches, or if you want to learn more about proactive cybersecurity defense, contact a member of McDonald Hopkins’ national data privacy and cybersecurity team.