California courts continue to wrestle with scores of putative class actions filed by individuals alleging cookies and other web-based technologies violated privacy laws by harvesting their personal information without consent. Many such cases have been brought against nonresident companies, raising difficult personal jurisdiction questions.
To satisfy constitutional due process requirements, a California plaintiff suing an out-of-state defendant in a California court must establish the defendant had “certain minimum contacts” with the state, i.e., that the defendant is subject to either (1) general jurisdiction based on California citizenship or systematic and continuous contacts with California, or (2) specific jurisdiction based on the relationship between the defendant, the forum, and the litigation.
But in the context of a publicly available website that operates in a location-agnostic manner—and that users can access from virtually anywhere—what forms of conduct are sufficient for specific personal jurisdiction purposes? Is accessing the site from a device in California enough?
On April 21, 2025, in Briskin v. Shopify, an en banc Ninth Circuit panel addressed these and other questions in a long-awaited opinion. Shopify is an e-commerce platform that provides software and infrastructure to merchants for payment processing. The plaintiff, a California resident, used his iPhone while in California to purchase apparel on the website of a merchant that had contracted with Shopify to facilitate purchase transactions on the merchant’s website. The plaintiff alleged that he thought personal information he submitted to complete his purchase—including his name, address, and credit card information—went to the merchant but instead was collected and stored by Shopify, which failed to disclose its role in the process. The plaintiff further asserted that Shopify secretly installed tracking cookies on his device, allowing Shopify to follow him across its merchant network. Further, Shopify purportedly created a risk profile on the plaintiff for marketing purposes and shared his information with third parties, who also marketed his information.
The plaintiff filed suit in the Northern District of California against three Shopify entities based in Canada, Delaware and New York, alleging violations of California data privacy and access laws, including the California Invasion of Privacy Act, as well as unfair and deceptive practices. The district court granted the Shopify defendants’ motions to dismiss, finding, inter alia, that it lacked personal jurisdiction over them. A three-judge panel affirmed the dismissal, and the Ninth Circuit reheard the appeal en banc.
“Applying [its] traditional personal jurisdiction precedent to the ever-evolving world of e-commerce,” the court reversed 10 to 1, concluding that specific personal jurisdiction over Shopify was proper. The court analyzed specific jurisdiction under a longstanding three-part test: (1) the nonresident defendant must purposefully direct its activities toward the forum or purposefully avail itself of the privilege of conducting activities in the forum; (2) the claim must arise out of or relate to the defendant's forum activities; and (3) the exercise of jurisdiction must comport with fair play and substantial justice, i.e., it must be reasonable. For the first prong, the court applied the U.S. Supreme Court's purposeful direction analysis from Calder v. Jones because the privacy claims sounded in tort. Calder requires intentional conduct by the defendant that is expressly aimed at the forum state and which causes harm the defendant knows will be suffered in that state.
Here, the parties' dispute focused on the express aiming requirement, prompting the court to review nearly three decades of Ninth Circuit precedent applying personal jurisdiction tests in e-commerce settings to determine when internet contacts are sufficient to show express aiming. The court noted that while electronic contacts may be enough to establish jurisdiction, the plaintiff must show “something more” than mere passive nationwide accessibility to satisfy due process. Ultimately, the court concluded that Shopify had expressly aimed its conduct toward California because its payment processing business model involved intentionally obtaining “valuable personal data about California consumers,” including payment information and other personal identifying information, “for its own commercial gain.”
The court rejected Shopify’s contention that its connection to California was “mere happenstance” arising from the user’s decision to do business with a Shopify-contracted merchant, finding that, through use of geolocation technology, Shopify “allegedly knew the location of consumers like Briskin either prior to or shortly after installing its initial tracking software onto their devices.” The court also dispatched Shopify’s argument that it did not aim its conduct toward California because its nationwide operations were location-agnostic. Indeed, the court went on to overrule Ninth Circuit precedents requiring plaintiffs to show that globally accessible websites have a “forum-specific focus” or engage in “differential targeting,” holding that this standard “would have the perverse effect of allowing a corporation to direct its activities toward all 50 states yet to escape specific personal jurisdiction in each of those states . . . ” The court likewise rejected arguments that a finding of jurisdiction would improperly focus on the plaintiff’s contacts with the forum and not Shopify's, reasoning that Shopify’s knowledge of and actions toward “its California consumer base” meaningfully connected Shopify to California for jurisdictional purposes such that its contacts were not “random, isolated or fortuitous.”
Regarding the second factor, the court held the plaintiff’s claims “[arose] out of” Shopify’s forum contacts because it contacted the plaintiff’s device, which it allegedly knew was in California. And the claims “relate[d] to” Shopify’s California contacts because the plaintiff alleged privacy injuries of the type that would “tend to be caused” by Shopify’s software installation and data extraction activities.
On the third prong, the court rejected Shopify’s arguments that personal jurisdiction was improper given the limited extent of its business activities in California and the possibility of jurisdiction in all 50 states. On the first point, the court cited its purposeful direction analysis. As to the second point, the court reasoned that whether Shopify was subject to national jurisdiction was uncertain and would turn on the privacy laws of each state. And in any event, nationwide jurisdiction would not be unfair, said the court, if Shopify’s national contacts resembled its California contacts.
Notably, one judge dissented from the opinion, referencing the transient nature of people and devices and arguing that the majority’s analysis was administratively infeasible because it improperly focused on the connection between the defendant and the plaintiff, who could hop from state to state (the “traveling cookie rule”), as opposed to Shopify’s purposeful direction of conduct toward the forum state. Two concurring opinions, on the other hand, focused on purposeful availment and analogs to physical presence, as opposed to purposeful direction.
As reflected by Briskin, courts continue to struggle to apply “brick and mortar” legal principles to evolving technologies and platforms. Despite the opinion's length, significant uncertainty remains regarding its import and future application. Some plaintiff lawyers will cite Briskin and its elimination of the “differential targeting” standard to support the extension of specific personal jurisdiction beyond vendors to website owners/operators who utilize more common cookie technologies, and to itinerant web surfers or “tester plaintiffs” whose site interactions and disclosures are more limited. To be sure, strong counterarguments exist for limiting Briskin's express aiming analysis to its specific facts, which include a vendor's allegedly surreptitious role in consumer purchases, its marketing of consumer information, and its use of geolocation technology. However, the best risk-mitigation strategy for website operators and vendors in this fluid legal environment remains compliance, including (depending on the circumstances) functional cookie banners and transparent disclosures of privacy policies and terms of use.