A recent decision by the Ninth Circuit Court of Appeals in Briskin v. Shopify, Inc., No. 22-15815, could impact the scope of personal jurisdiction over e-commerce and other entities that utilize cookies to collect personal information from visitors to the entities’ websites, particularly in California. Although the impact of the case remains to be seen, the decision is one to watch.
In Briskin, the Ninth Circuit, sitting en banc, reversed the district court’s dismissal for lack of personal jurisdiction, holding that Shopify’s e-commerce conduct specifically targeted Briskin in California such that personal jurisdiction over Shopify in California is proper.
Plaintiff Brandon Briskin, a resident of California, asserted privacy-related tort claims against Defendant Shopify, Inc., a Canadian corporation with headquarters in Ottawa, and two of its wholly-owned United States subsidiaries, Shopify (USA), Inc., a Delaware corporation with its principal place of business in New York, and Shopify Payments (USA), Inc., a Delaware corporation with its principal place of business in Delaware. Briskin alleged that when he used his iPhone’s Safari browser to make a purchase from a third-party website, his personal information was submitted to Shopify, which installed tracking cookies onto his mobile device allowing Shopify to track his behavior across its merchant network, including his geolocation, IP address, and payment information. Briskin further alleged that Shopify stored that personal data, created user profiles, and marketed and sold those profiles to its customers. Briskin brought a putative class action in the Northern District of California, which dismissed the action for lack of personal jurisdiction. The Ninth Circuit originally affirmed the district court’s ruling, but the court voted to rehear the appeal en banc.
In the Complaint, Briskin alleged that Shopify specifically targeted California consumers by collecting payment information and other personal identifying information, extracted from cookies installed on consumers’ devices without their knowledge or consent, for Shopify’s own profit. Shopify argued that the court lacked personal jurisdiction because its conduct was not expressly aimed at California residents but rather was “mere happenstance” resulting from California consumers’ decision to engage with merchants that contract with Shopify.
Shopify relied on AMA Multimedia, LLC v. Wanat, 970 F.3d 1201 (9th Cir. 2020), asserting that personal jurisdiction was lacking in California courts because it operates nationwide rather than focusing on a specific forum and its business is “agnostic as to the location in which it data-mines” any particular customer’s personal identifying information. In AMA, the Ninth Circuit required the plaintiff to establish that the defendant’s website had a “forum-specific focus” or “differential targeting” of a particular forum in order to establish specific personal jurisdiction. In Briskin, the en banc court expressly overruled AMA’s requirement of “differential treatment of the forum state,” finding it inconsistent with Supreme Court precedent. The court determined that this requirement of differential treatment would have the unintended effect of allowing corporations to direct business activities nationwide while escaping specific personal jurisdiction in any particular state.
The Ninth Circuit instead held that “an interactive platform ‘expressly aims’ its wrongful conduct toward a forum state when its contacts are its ‘own choice’ and not ‘random, isolated, or fortuitous,’ . . . even if that platform cultivates a ‘nationwide audience[] for commercial gain.’” The court found that by extracting, maintaining, and distributing California consumers’ personal data, Shopify expressly aimed its conduct at California in violation of the state’s privacy laws. The Ninth Circuit rejected Shopify’s argument that its conduct was “mere happenstance,” finding that Briskin sufficiently alleged that Shopify knew the location of consumers prior to or shortly after Shopify’s tracking software was installed on those consumers’ devices. Because Shopify “deliberately reached out beyond its home state by knowingly installing tracking software onto unsuspecting Californians’ phones so that it could later sell the data it obtained,” its conduct was neither “random, isolated, or fortuitous.”
Judge Callahan was the lone dissenter, asserting that the majority’s holding is contrary to Supreme Court precedent. Judge Callahan explained: “[u]nder our circuit’s newly divined rule, when a company attaches cookies to a person’s electronic device, jurisdiction attaches wherever that person happens to be, and indeed, wherever that person happens to travel thereafter.”
