In a game-changing decision, the US Court of Appeals for the Ninth Circuit broadened the scope of specific personal jurisdiction as applied to e-commerce and other online platforms.

An en banc panel last month delivered a 10–1 decision holding that Shopify can be sued in California due to its use of web tracking technology to collect a California consumer’s location, device, and shopping history data.

This stark departure from prior rulings means that e-commerce platforms may be subject to personal jurisdiction (and lawsuits) in states in the Ninth Circuit simply by making their online services available to consumers located in those jurisdictions.

In Briskin v. Shopify, Inc., California resident Brandon Briskin alleged Shopify violated his privacy rights by installing web tracking technologies on his iPhone without his knowledge or consent.

Briskin filed a putative class action in 2021 in California federal court against Shopify Inc., a Canadian corporation headquartered in Canada, and two of its US subsidiaries. That court dismissed the case.

On appeal, a three-judge panel of the Ninth Circuit affirmed the district court’s ruling that it lacked specific personal jurisdiction. The Ninth Circuit subsequently voted to rehear the personal jurisdiction determination en banc.

The Ninth Circuit analyzed whether the district court had specific personal jurisdiction using a three-part test:

As to each of these questions, the en banc Ninth Circuit responded with a very clear “yes.”

First, the court found that Shopify intentionally directed its wrongful conduct toward California “through its extraction, maintenance, and commercial distribution” of personal data. Importantly, the court found that the requirement of “express aiming” of conduct doesn’t require a finding of “differential targeting” (conduct focusing on the forum state).

This holding dramatically expands specific personal jurisdictional in the Ninth Circuit by overruling prior case law that required some sort of differential treatment of the forum state for a finding of “express aiming” of the defendant’s allegedly tortious conduct. It also creates a jurisdictional split as many other federal circuits require a defendant’s conduct to be expressly aimed at the forum state for specific personal jurisdiction.

Instead, “an interactive platform expressly aims its wrongful conduct toward a forum state when its contacts are its own choice and not random, isolated, or fortuitous.” The court held that Shopify expressly aimed at California because it “allegedly knew the location of consumers like Briskin either prior to or shortly after installing its initial tracking software onto their devices” and “deliberately reached out beyond its home state by knowingly installing tracking software onto unsuspecting Californians’ phones so that it could later sell the data it obtained.”

Second, the court held that Briskin’s claims arose from “Shopify’s contact with Briskin’s device, which Shopify allegedly knew was in California” and related to Shopify’s conduct in California because its “installation of software onto unsuspecting Californians’ devices and extracting personal data from them is the kind of contact that would tend to cause privacy injuries.”

Third, the court found that its exercise of jurisdiction was reasonable because Shopify had purposefully directed its business activities toward California and hadn’t raised any grounds demonstrating exercising personal jurisdiction would be unreasonable. In so doing, the court rejected Shopify’s arguments that the exercise of jurisdiction was unfair “because that could lead to specific jurisdiction in all 50 states” and other forums had general jurisdiction over the claims—namely, Delaware, New York, and Canada.

E-commerce platforms and other online businesses should be mindful of this decision and consider the risks associated with their current business operations given that operating a nationwide or globally accessible platform, or collecting consumer data from websites, may now suffice to establish jurisdiction. Companies should take several steps.

Data governance is particularly important for companies whose practices involve collecting information of consumers in the US.

Companies can’t understand their risk levels, or the jurisdictions that they may be subject to regulatory scrutiny or litigation in, without clear insight into their collection and use of data and supporting technology. To optimize business decision-making, companies must understand and must have documented their assets, the data they consume, the software they use, and the products and services they support.

Companies should review and categorize the web tracking technologies they are using to understand their purpose and evaluate whether the benefits outweigh the risks for use cases that may subject the company to unfavorable forums for litigation.

The Ninth Circuit’s analysis focused on Shopify’s collection of location data. Refraining from collecting this data would support an argument that the company isn’t expressly aiming at a state because it isn’t aware of consumers’ locations.

More lawsuits regarding the type of data collection seen in Briskin will likely be filed in states with robust, consumer-friendly data privacy laws, such as California. Companies that interact with consumers in the Ninth Circuit should be prepared to defend their compliance with various privacy laws and regulations that are frequently relied upon by plaintiffs in courts in those states.

By holding that e-commerce companies can be sued in any state where their platforms interact with users, even without differential targeting and without an in-state physical presence, the Ninth Circuit has greatly expanded the reach of personal jurisdiction for e-commerce and other online platforms. This holding lowers the bar for establishing personal jurisdiction at the pleadings stage, which will likely embolden plaintiffs to file privacy and other consumer protection class actions in California and other states that are viewed as plaintiff-friendly.

This article does not necessarily reflect the opinion of Bloomberg Industry Group, Inc., the publisher of Bloomberg Law and Bloomberg Tax, or its owners.

Wynter Deagle is a partner and co-leader of Sheppard Mullin’s intellectual property practice, and a member of the firm’s privacy and cybersecurity team.

Anne-Marie Dao and Samuel Hyams-Millard are associates in the firm’s intellectual property practice and members of the privacy and cybersecurity team.