Ninth Circuit Takes a Wrecking Ball to Internet Personal Jurisdiction Law–Briskin v. Shopify

Let’s start with a tiny piece of good news. The majority says: “The parties agree among themselves that we need not develop an internet-specific standard for personal jurisdiction. We also agree.” No need for Internet exceptionalist rules. Yay!

With that out of the way, bring on the tissues.

Briskin made a purchase at an online retailer, IABMFG. Shopify processed the order fo0r IABMFG. Along the way, Shopify downloaded javascript to Briskin’s computer to enable the purchase and placed a cookie on Briskin’s computer when Briskin first visited the storefront. Briskin claims that Shopify aggregates Briskin’s data into its consumer database for nefarious purposes.

Briskin sued Shopify for a variety of privacy violations in California. Shopify said California courts lack personal jurisdiction over it. (Shopify is a Canadian company with US headquarters in New York and ties to Delaware). The district court agreed with Shopify, as did a three-judge panel of the Ninth Circuit. On further appeal, the Ninth Circuit reverses en banc, concluding that Briskin established personal jurisdiction over Shopify in California. The en banc court issues a total of four opinions, and collectively they show Shopify was never close. None of the judges would have supported Shopify’s position.

* * *

The Ninth Circuit’s framework for establishing specific personal jurisdiction involves three elements:

• purposeful availment in California;
• the claim arises from those contacts; and
• personal jurisdiction is reasonable.

The first factor is sometimes further subdivided into three subfactors reflecting the Calder v. Jones “Effects Test.” Purposeful availment can occur if a “defendant (1) commit[s] an intentional act, that is (2) expressly aimed at the forum state, and (3) which causes harm that the defendant knows will be suffered in the forum state.” This case focuses on the second subfactor, i.e., did Shopify “expressly aim” an intentional act at California through its interactions with Briskin?

The Majority Opinion

Purposeful Availment

The majority says that Shopify purposely directed itself to California:

Shopify is alleged to target California consumers to extract, collect, maintain, distribute, and exploit for its own profit, not only the California consumers’ payment information that it diverts to its own servers, but also all of the other personal identifying information that it extracts from the software it permanently installs on their devices without their knowledge or consent. Thus, Shopify’s business model is to perform the payment processing services it contracts to provide for its merchants and, in the course of doing so, to obtain valuable personal data about California consumers for its own commercial gain. Accordingly, through those business activities, Shopify allegedly tortiously violated consumers’ privacy through its collection, maintenance, and sale of valuable personal data from California consumers, like Briskin….

it is clear that Shopify expressly aimed its conduct at California through its extraction, maintenance, and commercial distribution of the California consumers’ personal data in violation of California laws

In a footnote, the majority adds: “The SAC alleges that Shopify knew that the consumer is in California before it actually transacts the payment process because its software secures geolocation information when the consumer clicks on an item to simply view it on IABMFG’s website.”

To bolster its purposeful availment point, the majority makes a (painful) analogy to an offline burglary (ugh). This leads to the court’s payoff: “though Shopify’s entry into the state of California is by electronic means, its surreptitious interception of Briskin’s personal identifying information certainly is a relevant contact with the forum state.”

Shopify argued that it operates nationwide, so everything Briskin alleged was not unique to California. In support of this, Shopify cited AMA Multimedia, LLC v. Wanat, which discussed how specific personal jurisdiction required the defendant to have a “forum-specific focus.” The en banc majority rejects this argument and overrules Wanat, Will Co. v. Lee, Doe v. WebGroup Czech Republic, and “and any other cases that require some sort of differential treatment of the forum state for a finding of “express aiming” of the defendant’s allegedly tortious conduct.” The court explains: “requiring differential targeting would have the perverse effect of allowing a corporation to direct its activities toward all 50 states yet to escape specific personal jurisdiction in each of those states for claims arising from or relating to their relevant contacts in the forum state that injure that state’s residents.”

[Note the implicit entitlement allocation in the “escape” verb. And there will always be at least one state that has personal jurisdiction over every defendant, so the court’s 50-state claim is overstated/misleading.]

Despite the abandonment of the “differential treatment” standard, in a footnote, the court says that the Cybersell opinion, which required “something more” than passive publishing, survives this wrecking ball: “The principle of requiring “something more” to demonstrate “express aiming” has been carefully developed by our court over almost three decades, applying it to new and evolving forms of technology, which continue to change.” Yes, 30 years of jurisprudence has rendered the “something more” standard crystal clear. 🙄

The court then states its holding:

an interactive platform “expressly aims” its wrongful conduct toward a forum state when its contacts are its “own choice and not ‘random, isolated, or fortuitous,’” even if that platform cultivates a “nationwide audience[] for commercial gain.

The majority distinguishes the Supreme Court’s Walden precedent because of Shopify’s interactions with California:

Shopify knows about its California consumer base, conducts its regular business in California, contacts California residents, interacts with them as an intermediary for its merchants, installs its software onto their devices in California, and continues to track their activities…

Shopify deliberately reached out beyond its home state by knowingly installing tracking software onto unsuspecting Californians’ phones so that it could later sell the data it obtained, in a manner that was neither “random, isolated, [n]or fortuitous.”

Claims Arise from California Contacts

Having established purposeful availmement of California, the court turns to the other two elements of specific jurisdiction:

Briskin’s claims “arise out of” Shopify’s contact with Briskin’s device, which Shopify allegedly knew was in California. Briskin’s claims also “relate to” Shopify’s California contacts because Briskin alleges the kind of injury that would “tend to be caused” by Shopify’s contacts with California merchants and consumers. In particular, Shopify’s installation of software onto unsuspecting Californians’ devices and extracting personal data from them is the kind of contact that would tend to cause privacy injuries.

Reasonableness

Having established the first two elements, the court shifts the burden to Shopify to disprove the reasonableness of exercising jurisdiction.

Shopify also argues that it is unfair to assert jurisdiction because that “could lead to specific jurisdiction in all 50 states.” That may be true, but not unfair, if the contacts Shopify makes in all 50 states are like its California contacts. But it may not be true, depending on whether all 50 states have laws, like California, protecting their citizens from what Shopify allegedly does in its regular course of business, laws which Briskin claims Shopify violated here.

Collins’ Concurrence

Judge Collins says “this is not a particularly difficult case”:

there is no serious dispute, on the current record, that the alleged conduct that assertedly violated California law occurred, in substantial part, in California. Several of the alleged violations of California law occurred when Defendants’ software connected with Briskin’s cellphone in California, intercepted data that he was led to believe he was transmitting from his cellphone in California to a California retailer, and implanted a tracking cookie onto his cellphone in California…

When a State specifically regulates the conduct of electronic systems with respect to transactions within its borders, the as-intended operation of those systems within that State is the relevant tortious conduct for minimum-contacts purposes, and that conduct is attributable to those persons who deliberately intended that such systems reach into that State and operate in that manner when they do so…

Defendants knew and fully intended that their software would be used in conducting transactions in every State of the country, including California. The occurrence of the foregoing conduct in California was thus in no sense “random, fortuitous, or attenuated.”

Judge Collins would go further and overturn the “something more” language in Cybersell: “I am at a loss to understand why there should be any such safe harbor. If a company develops a web-based business for the purpose of conducting online transactions in all 50 States, it should not be surprised that it may be sued in any State for unlawful transactions that may occur within that State.” As a result, he would permit a defamation claim in any state where the content is published, even if the publication occurred passively. Chilling.

Judge Butamay’s Concurrence

Judge Butamay, a TAFS judge, does TAFS judge things and concludes that “our en banc court was right to jettison our differential-targeting rule for personal jurisdiction.” This opinion contained 7 references to Pennoyer v. Neff (1878).

Judge Callahan’s Dissent

The majority’s rule means that “when a company attaches cookies to a person’s electronic device, jurisdiction attaches wherever that person happens to be, and indeed, wherever that person happens to travel thereafter.” This seemed like a debater’s point at best. If Briskin is a California resident, and personal jurisdiction attaches in California, I’m not sure how much the traveling point really matters. This certainly didn’t strike me as the strongest reason to dissent from the majority’s view.

The dissent does note the essentially opt-out nature of the majority’s personal jurisdiction standard, i.e., “Companies can “expressly avoid” a forum by “geoblocking,” which restricts access to Internet content based on a user’s geographic location…Requiring companies operating to “expressly avoid” forums may have a chilling effect on Internet activity and interstate commerce.”

To be clear, the dissent is not trying to help defendants. In a footnote, she intimates that Shopify should have been subject to GENERAL jurisdiction because of its “virtual presence” in California. No. Just no.

Implications

I imagine Shopify will appeal this ruling to the US Supreme Court. If it were my call, I absolutely would appeal this ruling. It’s hard to imagine how the Supreme Court could issue a worse opinion for Shopify.

What’s the Holding?

The majority clearly stated its legal rule:

an interactive platform “expressly aims” its wrongful conduct toward a forum state when its contacts are its “own choice and not ‘random, isolated, or fortuitous,’” even if that platform cultivates a “nationwide audience[] for commercial gain.

The majority then added that “something more” than passive publishing is required to establish jurisdiction in a remote state, but “differential treatment” of that remote state isn’t a prerequisite to specific jurisdiction.

While it’s easy enough to cut-and-paste the majority’s legal rule, what exactly does this legal rule mean? Applying it to the Shopify facts raises more questions than answers.

The narrowest possible interpretation of this ruling is that California jurisdiction applied to Shopify because it had geolocated Briskin in California, giving it the requesite geographic scienter, and processed Briskin’s e-commerce transaction knowing that he was in California. This basically would establish a categorical rule that e-commerce retailers can be sued in every jurisdiction they transact in (so long as the claims relate to the sale).

While that sounds like a broad legal standard, it has been the de facto rule in many jurisdictions for a quarter-century, ever since Zippo articulated its stupid interactivity scale. For example, I used to teach the 7th Circuit’s Hemi case, which basically held that if an e-commerce site had a pulldown menu for the buyer’s state, every state listed in the pulldown menu was appropriate for specific jurisdiction.

However, I don’t think this narrow interpretation is supportable. In particular, the majority repeatedly mentioned that Shopify allegedly permanently installed “software” on Briskin’s computer. I wasn’t sure if this “software” was Shopify’s cookies; javascripts normally should delete from RAM when the user leaves the website. If the harm is the “interception” of private data, then the opinion reaches far beyond e-commerce retailing.

The broadest possible interpretation of this ruling is that any website that downloads any digital asset–cookies, javascript, heck maybe even HTML–onto a California resident’s computer can be sued in California, even if the website doesn’t know where the users are. If this is correct, the majority effectively would be saying: if you place a cookie on a reader’s device, you’ve done something more than passive publishing (i.e., you can passively publish without the cookie) and must accept the jurisdictional consequences. After all, the court says there’s purposeful availment when the defendants’ “contacts are its own choice,” and delivering a digital asset to a reader is a choice to make contact. In other words, if a website chooses to get onto the Information Superhighway, jurisdiction goes wherever wherever the road takes it.

It is a defect of the court’s drafting that I’m not sure exactly what interpetation applies. Surely somewhere in between the two extremes I explored. Nevertheless, regardless of the details, I can say with confidence that lower courts will get the takeaway message that specific jurisdiction applies broadly online. Thus, I expect courts to interpret this ruling to find jurisdiction in most Internet cases.

What Could Shopify Have Done Differently?

Another way of testing the scope of this ruling is by asking: what Shopify could have done differently if it wanted to avoid jurisdiction in California? All of my answers seem to involve a major restructuring of Shopify’s business.

Shopify is a backend service provider to its storefront-retailers. The retailers will be less interested in working with a backend vendor who imposes geographic restrictions on its offerings. For example, I doubt many retailers would be interested in working with Shopify if Shopify said it can service the US market excluding California.

For this reason, I don’t think Shopify can geoblock any jurisdiction without changing its business model. Also, do we want to encourage more splinternets anyway? That is a logical conclusion of the court’s ruling, but it’s not good for the Internet.

In theory, Shopify could turn off its geolocation efforts, so that it doesn’t know customers like Briskin are in California. I’m not sure what problem that solves. First, it’s unclear if the court would have denied jurisdiction with this fact change. Second, Shopify will surely learn the customer’s location by the time of checkout, so this change wouldn’t eliminate the jurisdiction problem.

The majority might have two further answers to my question. First, the majority might say that Shopify should not engage in privacy-invasive activities. I didn’t invest the energy to figure out the irreducible privacy elements of the plaintiffs’ claims, but if using cookies to track users is an essential part of the claim, then more privacy-protective option are not feasibly available to Shopify.

Second, the majority might say that Shopify must do a comprehensive legal audit before launching its privacy-invasive offerings and either opt-out of any jurisdictions where it’s violating the law, fix the offering so that it complies with the lowest-common-denominator law, or accept any jurisdictional risk. But note the impracticality of this. Shopify only needs to worry about laws that apply to jurisdictions it can be dragged into. Because the jurisdictional analysis is linked to the substantive claim elements, Shopify has to research every jurisdiction’s laws to figure out if it could be subject to jurisdiction sufficient to determine if it needs to research the laws. 🤔 The lawyers might cheer this built-in demand for their services, but it ensures businesses overspend on compliance issues.

Another option: Shopify could require its storefront-retailers to impose TOSes on their customers that choose a Shopify-friendly venue. Putting aside the anarchy that has overtaken TOS formation law (I have a blog post on another tough 9th Circuit ruling coming shortly), this seems impractical: (1) It requires its retailers to impose TOSes correctly, no small feat, or Shopify to interpose itself in its retailers’ checkout process, which its retailers do not want. (2) It doesn’t cure the jurisdictional risks associated with browsing shopper who never transact. (3) Shopify can’t get the shoppers to bind themselves to a TOS without screwing up their customers’ businesses.

The bottom line is that I can’t currently think of a way for Shopify to avoid this ruling. That’s why I think Shopify has to appeal this to SCOTUS.

As for businesses other than Shopify who want to avoid specific jurisdiction in the Ninth Circuit, I have no good news for you. Hope the lower courts start finding some safe harbors other than categorical geoblocking….?

Case Citation: Briskin v. Shopify Inc., No. 22-15815 (9th Cir. April 21, 2025)