A panel of the Ninth Circuit Court of Appeals recently affirmed a district court's dismissal due to lack of specific personal jurisdiction in a putative class action that claimed Shopify violated California privacy and unfair competition laws because it deliberately concealed its involvement in certain consumer transactions.
Background
Shopify offers a web-based payment processing platform to merchants around the country. When processing payments, they obtain personal information of merchants' customers.
Here, the plaintiff is a California resident, who, while in California, used his iPhone's Safari browser to access the website of California-based retailer IABMFG to buy fitness apparel. Although he claimed he didn’t know it at the time, the retailer’s website used software and code from Shopify to process its orders and payments.
Shopify is a Canadian corporation with its headquarters in Ottawa, Canada. It provides participating merchants with a sales platform that enables the processing of online purchases. As part of its business, the company collects, processes, stores, analyzes, and shares the information of consumers who complete transactions on its merchant-customers' websites. Although the plaintiff thought he was dealing only with IABMFG, it was actually Shopify's e-commerce platform that was operating behind the scenes to facilitate his purchase.
When completing his order, the plaintiff input his personal information (name, address, etc.) and credit card number into IABMFG's website. Shopify collected this information and installed cookies onto his phone. Shopify also connected his browser to its network, generated payment forms requiring him to enter private identifying information, and stored his personal and credit card info for later use and analysis. Shopify also transmitted his payment information to a second payment processor (Stripe) for additional storage, analysis, and processing. Shopify used the customer information it received to create consumer profiles, which it shared with its merchants and business partners.
In August 2021, the plaintiff filed this class action in the U.S. District Court for the Northern District of California, alleging that Shopify violated certain California privacy and unfair competition laws because it deliberately concealed its involvement in the consumer transactions. The plaintiff provided additional allegations about Shopify's contacts with California. Although the parties disputed the jurisdictional relevance of these contacts, the plaintiff alleged that Shopify not only reaches into California to extract consumers' personal data, but also directly contracts with California merchants, including IABMFG. According to the complaint, some of the largest merchants on Shopify's platform are California-based companies. Also, Shopify opened a physical location in Los Angeles in 2018 to expand its access to the California market and enhance relationships with its more than 80,000 merchant-customers in the state. The plaintiff further alleged that Shopify has at least one fulfillment center in California that stores goods from merchants and ships them to consumers, including those located in California.
Shopify moved to dismiss the complaint for lack of personal jurisdiction. The district court agreed, and the plaintiff subsequently appealed.
What are General and Specific Jurisdiction?
Judge Daniel A. Bress first explained that personal jurisdiction comes in two varieties: general and specific. General jurisdiction extends to any and all claims brought against a defendant but is appropriate only "when a defendant is essentially at home in the State. A corporate defendant is considered at home in its state of incorporation and the state where it maintains its principal place of business. The plaintiff didn’t argue that Shopify is subject to general jurisdiction in California. However, for specific jurisdiction to exist over a non-resident defendant, three conditions must be met:
- The defendant must either purposefully direct its activities toward the forum or purposefully avail itself of the privileges of conducting activities in the forum;
- The claim must be one that arises out of or relates to the defendant's forum-related activities; and
- The exercise of jurisdiction must comport with fair play and substantial justice (It must be reasonable.)
The plaintiff bears the burden on the first two prongs. If they’re met, the defendant must present a compelling case that the exercise of jurisdiction wouldn’t be reasonable.
Judge Bress explained that the Court evaluates the first prong (purposeful direction) under the Calder effects test, which focuses on whether the effects of the defendant's actions were felt in the forum state. Under this test, a defendant allegedly must have committed the following:
- An intentional act;
- Expressly aimed at the forum state;
- Causing harm the defendant knows is likely to be suffered in the forum state.
The judge found that Shopify's conduct satisfied the first Calder element and said that the Court construes intent in the context of the intentional act test as referring to an intent to perform an actual, physical act in the real world. To that end, the judge said that acts undertaken using technology can qualify as intentional acts. By generating payment forms, executing code on consumers' devices, creating consumer profiles, processing consumer information, installing cookies, and sharing payment information, Shopify has committed intentional acts. Also, the Court concluded that the plaintiff fairly alleged the third Calder element as well, namely, that Shopify caused privacy-related harm that it knew was likely to be suffered in the forum state.
As such, the issue here was prong two: whether Shopify "expressly aimed" its activities at the forum state. Judge Bress said that for specific jurisdiction to exist over Shopify, the plaintiff's claim must be one which arises out of or relates to the defendant's forum-related activities. As a consequence, the Court examined the plaintiff's specific injury and its connection to the forum-related activities in question. It was clear that his claims didn’t "arise out of" Shopify's broader forum-related activities in the state (its contracts with California merchants, physical Shopify offices, and so on).
There was no such causal relationship between Shopify's broader California business contacts and the plaintiff's claims because these contacts didn’t cause his harm. Nor did his claims "relate to" Shopify's broader business activities in California outside of its extraction and retention of his data. At minimum, the plaintiff must show that the instant litigation relates to the contacts in question.
Because there was an insufficient relationship between the plaintiff's claims and Shopify's broader business contacts in California, the activities relevant to the specific jurisdiction analysis in this case were those that caused his injuries: Shopify's collection, retention, and use of consumer data obtained from persons who made online purchases while in California. The plaintiff argued that Shopify through these activities effectively "reached into" California (electronically) and inserted itself (technologically) into a transaction between a California consumer and a California merchant. But the issue was whether Shopify expressly aimed its conduct toward California.
Judge Bress wrote that the key authority is the U.S. Supreme Court case of Walden v. Fiore (2014). In Walden, a Georgia police officer deputized as a federal law enforcement agent seized nearly $100,000 in cash from two travelers at the airport in Atlanta. The travelers, residents of both California and Nevada who were en route to Las Vegas, sued the Georgia officer in Nevada, claiming the seizure violated their Fourth Amendment rights. They argued that a Nevada court had personal jurisdiction because the officer "knew his allegedly tortious conduct in Georgia would delay the return of funds to plaintiffs with connections to Nevada."
The Supreme Court disagreed. Applying Calder, the Court held that the district court couldn’t exercise personal jurisdiction over the Georgia defendant. The Court held that the relationship between a defendant and the forum state "must arise out of contacts that the 'defendant himself' creates with the forum…” Second, the "'minimum contacts' analysis looks to the defendant's contacts with the forum State itself, not the defendant's contacts with persons who reside there." As the Court explained,
A defendant's contacts with the forum State may be intertwined with his transactions or interactions with the plaintiff or other parties. But a defendant's relationship with a plaintiff or third party, standing alone, is an insufficient basis for jurisdiction.
For these reasons, it was insufficient that the plaintiffs in Walden experienced injury in Nevada or that the Georgia officer might have known that his conduct would produce foreseeable harm there.
The Ninth Circuit then turned to the principles that it believed should govern its review and felt that because Shopify operates a web-based platform, its personal jurisdiction cases involving interactive websites provided the closest analogy to the case at hand. In those cases, the Court held that "operating a website 'in conjunction with "something more"—conduct directly targeting the forum—is sufficient'" to satisfy the express aiming requirement. And "[w]hen the website itself is the only jurisdictional contact, our analysis turns on whether the site had a forum-specific focus or the defendant exhibited an intent to cultivate an audience in the forum."
The Court concluded that a broadly accessible web platform knowingly profits from consumers in the forum state is not sufficient to show that the defendant is expressly aiming its intentional conduct there.
Second, to establish the "something more" needed to demonstrate express aiming in suits against internet platforms, the plaintiff must allege that the defendant platform has a "forum-specific focus." That "substantial connection,” Judge Bress wrote, “must be something substantial beyond the baseline connection that the defendant's internet presence already creates with every jurisdiction through its universally accessible platform.”
Third, the specific nature and structure of the defendant's business matters. Thus, under Ninth Circuit cases, the way in which the defendant operates and organizes its web-based platform affects the "something more" analysis.
The Court believed that these precedents and principles should apply as well to a personal jurisdiction inquiry involving a broadly accessible back-end web platform like Shopify that processes consumer payments. Thus, the Ninth Circuit held that when analyzing whether a court has personal jurisdiction over a web-based payment processor in a suit alleging the unlawful extraction, retention, and sharing of consumer data, the legal framework and principles that should be brought to bear are those analyzing a purposeful direction. Applying those principles, Judge Bress and the Court of Appeals held that Shopify did not expressly aimed its suit-related conduct toward California.
Shopify's web payment platform doesn’t have a "forum-specific focus." Nor did the plaintiff allege facts showing that Shopify is specifically "appealing to an audience in California or actively targeting the forum state. Its platform is accessible across the United States, and the platform is indifferent to the location of either the merchant or the end consumer. The plaintiff would have suffered the same injury regardless of whether IABMFG was a California company and regardless of whether he was physically located in California when he made his purchase. As he acknowledged in his opening brief, Shopify "chose to extract personal data from IABMFG's customer's—wherever located—through the payment portal it created and maintained.” As a result, the judgment of the district court was affirmed. Brisk in v. Shopify, Inc. (U.S. Court of Appeals for the Ninth Circuit, 11/28/23).
Bottom Line
Companies are frequently being sued in California based on claims that their websites’ functionality and use of service providers for marketing or analytics run afoul of state consumer privacy rights. This Ninth Circuit decision sets out a possible defense for companies—lack of personal jurisdiction.
For the court to have specific jurisdiction over a vendor like Shopify, the plaintiff's claim must arise out of or relate to the company’s forum-related activities. Here, Shopify’s extracting and retaining of consumer data and their tracking of customers didn’t expose them to personal jurisdiction in California, where a consumer made his online purchase. That’s because Shopify didn’t expressly aim their suit-related conduct at the forum state.
When a company operated a nationally available e-commerce payment platform and was indifferent to the location of end-users, the extraction and retention of consumer data, without more, didn’t subject them to specific jurisdiction in the forum where the online purchase was made.