Ninth Circuit expands specific jurisdiction for e-commerce platforms

In Briskin v. Shopify, Inc., the Ninth Circuit Court of Appeals, sitting en banc, reversed a district court’s dismissal of a proposed data privacy class action for lack of personal jurisdiction. In applying traditional specific personal jurisdiction precedent to e-commerce, the appellate court concluded that jurisdiction was proper because defendants’ allegedly tortious actions had deliberately targeted the plaintiff in California.

Key takeaway:

Nationwide e-commerce companies that engage in data mining, even without differentiating among the physical location of its consumer targets, may nonetheless still be subject to personal jurisdiction in forums in which they do not physically operate or to which their conduct is not overtly aimed. Thus, this decision could result in more plaintiffs being able to successfully plead claims against non-resident e-commerce defendants with internet-based platforms where it can be demonstrated that the conduct at issue was expressly aimed at consumers in the forum state.

Summary of case and holding:

Plaintiff Brandon Briskin, a resident of the state of California, asserted privacy-related torts arising from Shopify’s activity in connection with his online purchase in California of athletic wear from a retailer in California. Briskin alleged that in the process of facilitating his credit card transaction for the merchant, Shopify took the opportunity to install “cookies” on the device he used to buy the athletic wear, and that Shopify did so without his knowledge or consent. According to the complaint, while knowing that the device Briskin was using to shop was located in California, Shopify surreptitiously implanted cookies that permanently remained on Briskin’s device, tracked its physical location, and collected data regarding Briskin’s online shopping activity. Briskin alleged that Shopify used the resulting data to compile a consumer profile that Shopify marketed widely, including to many California merchants.

A three-judge appellate panel of the Ninth Circuit had initially affirmed the district court’s ruling that it lacked specific personal jurisdiction over Shopify. However, the en banc court reversed, and applying the traditional personal jurisdiction precedent to the context of e-commerce, it concluded that jurisdiction was proper because Shopify’s allegedly tortious actions deliberately targeted Briskin in California. The key facts for the court were (1) Shopify’s concession that its geolocation technology allowed it to know that Briskin’s device was located in California when it installed cookies on Briskin’s device; and (2) the complaint alleged that Shopify used the data gathered by its cookies to compile consumer profiles and then sold them without the consumer’s knowledge or consent.

Rationale for decision

In its holding, the en banc Briskin court overruled applicable precedent that required a showing that defendants’ conduct evinced “differential targeting” of a specific forum to establish specific personal jurisdiction in that forum. The court concluded that Briskin had made a prima facie showing of jurisdictional facts sufficient to establish that Shopify had purposely directed its conduct toward California. As a part of its regular course of business, Shopify allegedly targeted California consumers to extract, collect, maintain, distribute, and exploit for its own profit, not only the California consumers’ payment information that it diverted to its own servers, but also all of the other personal identifying information that it extracted from the software it permanently installed on their devices without their knowledge or consent. Thus, Shopify’s business model was to perform the payment processing services it contracted to provide for its merchants and, in the course of doing so, to also obtain valuable personal data about California consumers for its own commercial gain. Accordingly, through those business activities, Shopify allegedly violated consumers’ privacy through its collection, maintenance, and sale of valuable personal data from California consumers, like Briskin.

Shopify had contended that the relevant jurisdictional contacts must be “the defendant’s contacts with the forum State itself, not its contacts with persons who reside there,” and cited the Supreme Court case of Walden v. Fiore in support. However, the panel found this to be an overly strict reading, if not a misreading of Walden, and the Supreme Court’s view that “although physical presence in the forum is not a prerequisite to jurisdiction, physical entry into the State— either by the defendant in person or through an agent, goods, mail, or some other means—is certainly a relevant contact.” Here, though Shopify’s entry into the state of California was by electronic means, its surreptitious interception of Briskin’s personal identifying information certainly was a relevant contact with the forum state.

Moreover, the en banc court concluded, Walden expressly did not address the situation presented here, “where intentional torts are committed via the Internet or other electronic means (e.g., fraudulent access of financial accounts or ‘phishing’ schemes.)” Rather, the Walden Court emphasized that “this case does not present the very different questions whether and how a defendant’s virtual ‘presence’ and conduct translate into ‘contacts’ with a particular State. . . . We leave questions about virtual contacts for another day.”

The crux of the parties’ dispute here was whether Shopify’s conduct was expressly aimed at California or its residents or, as Shopify contends, the effect of the conduct was mere happenstance arising from the California consumers’ choice to do business with a merchant that had contracted with Shopify. This “effects test” is drawn from the Supreme Court’s decision in Calder v. Jones, with the key prong of that test being the determination of when internet contacts between a defendant and a given forum state are sufficient to show express aiming at that forum state.

Shopify had argued that it did not expressly aim its conduct at California because it operates nationwide and thus was ‘agnostic’ as to the location in which it data mines the consumers’ personal identifying information. However, the Briskin court concluded that express aiming does not require differential targeting, and noted that the Supreme Court has considered and rejected the argument that because a nationwide company is everywhere, it is jurisdictionally nowhere except in its principal place of business and state of incorporation.

Thus, the Briskin court held, Shopify had deliberately reached out beyond its home state by knowingly installing tracking software onto unsuspecting Californians’ phones so that it could later sell the data it obtained, in a manner that was neither “random, isolated, [n]or fortuitous.” The court concluded that Shopify expressly aimed its conduct at California through its extraction, maintenance, and commercial distribution of the California consumers’ personal data, allegedly in violation of California laws. The court was not persuaded by the argument that the effect on Briskin was mere “happenstance” because Shopify allegedly knew the location of consumers like Briskin either prior to or shortly after installing its initial tracking software onto their devices. Shopify’s intentional activities constituted express aiming toward California and its consumers in order to obtain and use their personal data for its own commercial gain.

Thus, under this decision, an interactive platform “expressly aims” its wrongful conduct toward a forum state when its contacts are its “own choice and not ‘random, isolated, or fortuitous,’” even if that platform cultivates a “nationwide audience[] for commercial gain.”

The lone dissenting Judge in the Briskin case would have held that Supreme Court precedent precluded the majority’s expansive view of specific personal jurisdiction in this case and that Shopify’s allegedly tortious conduct was in fact not expressly aimed at California.

The dissent reasoned that “a company knowing where we happen to be when using its service, and then attaching a cookie to our device, has nothing to do with the State we’re in. That interaction forms a relationship between the company and the individual that is not “tethered” to the State [citing Walden]. By holding that California courts can exert specific jurisdiction over Shopify because Briskin used his iPhone while “located in California,” the majority opinion departs from the longstanding principle that jurisdiction turns on “the defendant’s contacts with the forum State itself, not the defendant’s contacts with persons who reside there” [citing Walden.]

This publication is intended for general informational purposes only and does not constitute legal advice or a solicitation to provide legal services. The information in this publication is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this information without seeking professional legal counsel. The views and opinions expressed herein represent those of the individual author only and are not necessarily the views of Clark Hill PLC. Although we attempt to ensure that postings on our website are complete, accurate, and up to date, we assume no responsibility for their completeness, accuracy, or timeliness.