Simple common sense tells us that a corporation’s decision to operate in every state shouldn’t mean it can’t be sued in most of them. Sadly, U.S. law doesn’t always follow common sense. That’s why we were so pleased with a recent holding from the Ninth Circuit Court of Appeals. Setting a crucial precedent, the court held that consumers can sue national or multinational companies in the consumers’ home courts if those companies violate state data privacy laws.

The case, Briskin v. Shopify, stems from a California resident’s allegations that Shopify, a company that offers back-end support to e-commerce companies around the U.S. and the globe, installed tracking software on his devices without his knowledge or consent, and used it to secretly collect data about him. Shopify also allegedly tracked users’ browsing activities across multiple sites and compiled that information into comprehensive user profiles, complete with financial “risk scores” that companies could use to block users’ future purchases. The Ninth Circuit initially dismissed the lawsuit for lack of personal jurisdiction, ruling that Shopify did not have a close enough connection to California to be fairly sued there. Collecting data on Californians along with millions of other users was not enough; to be sued in California, Shopify had to do something to target Californians in particular.  

Represented by nonprofit Public Citizen, Briskin asked the court to rehear the case en banc (meaning, review by the full court rather than just a three-judge panel). The court agreed and invited further briefing. After that review, the court vacated the earlier holding, agreeing with the plaintiff (and EFF’s argument in a supporting amicus brief) that Shopify’s extensive collection of information from users in other states should not prevent California plaintiffs from having their day in court in their home state.   

The key issue was whether Shopify’s actions were “expressly aimed” at California. Shopify argued that it was “mere happenstance” that its conduct affected a consumer in California, arising from the consumer’s own choices. The Ninth Circuit rejected that theory, noting:

Pre-internet, there would be no doubt that the California courts would have specific personal jurisdiction over a third party who physically entered a Californian’s home by deceptive means to take personal information from the Californian’s files for its own commercial gain. Here, though Shopify’s entry into the state of California is by electronic means, its surreptitious interception of Briskin’s personal identifying information certainly is a relevant contact with the forum state.

The court further noted that the harm in California was not “mere happenstance” because, among other things, Shopify allegedly knew plaintiff's location either prior to or shortly after installing its initial tracking software on his device as well as those of other Californians.

Importantly, the court overruled earlier cases that had suggested that “express aiming” required the plaintiff to show that a company “targeted” California in particular. As the court recognized, such a requirement would have the

perverse effect of allowing a corporation to direct its activities toward all 50 states yet to escape specific personal jurisdiction in each of those states for claims arising from or relating to the relevant contacts in the forum state that injure that state’s residents.

Instead, the question is whether Shopify’s own conduct connected it to California in a meaningful way. The answer was a resounding yes, for multiple reasons:

Shopify knows about its California consumer base, conducts its regular business in California, contacts California residents, interacts with them as an intermediary for its merchants, installs its software onto their devices in California, and continues to track their activities.

In other words, a company can’t deliberately collect a bunch of information about a person in a given state, including where they are located, use that information for its own commercial purposes, and then claim it has little or no relationship with that state.

As states around the country seek to fill the gaps left by Congress’ failure to pass comprehensive data privacy legislation, this ruling helps ensure that those state laws will have real teeth. In an era of ever-increasing corporate surveillance, that’s a crucial win.