Categories: Class Actions, Practice of Law
,

California courts are increasingly handling class action lawsuits alleging that cookies and other web technologies violate privacy laws by collecting personal data without consent.

A key issue in these cases is whether California courts can exercise personal jurisdiction over out-of-state companies operating location-neutral websites.

A recent ruling from the Ninth Circuit Court of Appeals is raising the stakes for any business that operates a website collecting user data. In Briskin v. Shopify, decided in April 2025, the court held that California courts can exercise personal jurisdiction over an out-of-state company—Shopify—for allegedly collecting personal data from a California resident without proper disclosure or consent. This decision signals a significant shift in how courts view digital jurisdiction in the age of online commerce and widespread data collection.

The case centered on Shopify’s role in providing backend e-commerce services. A California consumer claimed that Shopify secretly collected and stored his payment and personal information while he was transacting with a third-party merchant, creating a marketing profile without his knowledge. Despite Shopify’s lack of physical presence in California, the court ruled that its intentional collection of data from California users was enough to justify specific personal jurisdiction. Crucially, the court rejected previous legal precedent requiring a website to have a “forum-specific focus” in order to be subject to a state’s jurisdiction. Normally, California courts require that plaintiffs suing an out-of-state defendant establish “certain minimum contacts” with the state. The defendant must be subject to either general jurisdiction based on citizenship or continuous contacts within the state, or specific jurisdiction based on a connection with the forum. It is now sufficient that a company collects data from users it knows are located in the state—even if the website is available to users everywhere.

The district court initially dismissed the case due to lack of jurisdiction, but the Ninth Circuit reversed using a three-part test for analyzing specific jurisdiction:

  1. Purposeful direction: Shopify targeted California consumers by knowingly collecting their personal data for profit. This analysis pulled from the Calder v. Jones case, which required intentional conduct by the defendant that is expressly aimed at the forum state. The Ninth Circuit concluded that Shopify’s actions were expressly aimed at collecting data from California users for its own commercial gain. Under this prong, the Court also overruled Ninth Circuit precedent that required a showing of forum-specific focus, even with websites that operate globally. The Court noted that this requirement essentially allowed a loophole argument, where companies could avoid specific personal jurisdiction from state to state, all the while focusing on the collection of data from all 50 states. 
  2. Claims related to forum activities: The plaintiff’s claims arose from Shopify’s conduct directed at California merchants and consumers. The Court characterized these forum activities in two ways, noting that plaintiff’s claims “arise out of” Shopify’s direct contact with plaintiff’s phone, which the Company allegedly knew was operating within California, and that plaintiff’s claims “relate to” Shopify’s California contacts because the injuries alleged “would tend to be caused” by Shopify’s contacts with California merchants and consumers. The Court specifically noted that the Company’s installation of software on the devices of Californians and extraction of personal data is the kind of direct contact that satisfies this prong.
  3. Reasonableness: It was fair to subject Shopify to California jurisdiction, even if it operates nationally because, under the Court’s seven-factor balancing test to determine the reasonableness of asserting personal jurisdiction, the mere fact that there are alternative forums does not outweigh the other factors that demonstrate reasonableness.

 This ruling has major implications for businesses operating online. Companies can no longer rely on the assumption that a location-neutral website will shield them from being sued in a specific state, or at least in California. If your business collects data from California residents, you may now be exposed to lawsuits in that state—even if you’ve never conducted targeted marketing there or established a physical presence. The decision also underscores the importance of transparency and consent in data collection. A lack of clear disclosures and compliant cookie practices was central to the plaintiff’s allegations.

 “Brick and Mortar” laws continue to lose their power in an ever-changing tech world, especially as companies continue to globalize, and automated transactions continue to rely on applications and websites that can be used virtually anywhere. As courts continue to modernize the rules around digital conduct and jurisdiction, legal exposure is increasingly tied to where your users are—not where your company is.

Still, due to this case’s fact-specific nature, its broader applicability remains uncertain and more decisions in this area will likely continue to shape the law for e-commerce.  

Companies are advised to ensure compliance with privacy laws through transparent privacy policies and properly implemented cookie consent banners.


América Garza, a Law Clerk – Admission Pending (not admitted to the practice of law) in the firm’s New York office, contributed to the preparation of this post.



* * * *

More from Epstein Becker Green

Questions or Ideas for Our Podcast?

Please take our two-question survey to help guide our Speaking of Litigation video podcast!

If you could ask a litigator one question on behalf of your organization, what would it be? Click for our quick survey!

Tags: California, class action, class action lawsuits, Ninth Circuit Court of Appeals
Back to Commercial Litigation Update Blog

Search This Blog

Blog Editors

Authors

Related Services

Topics

Archives

Jump to Page

Subscribe

Sign up to receive an email notification when new Commercial Litigation Update posts are published:

Privacy Preference Center

When you visit any website, it may store or retrieve information on your browser, mostly in the form of cookies. This information might be about you, your preferences or your device and is mostly used to make the site work as you expect it to. The information does not usually directly identify you, but it can give you a more personalized web experience. Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to find out more and change our default settings. However, blocking some types of cookies may impact your experience of the site and the services we are able to offer.

Strictly Necessary Cookies

These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.

Performance Cookies

These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance.