In Briskin v. Shopify, Inc., No. 22-15815, 2023 WL 8225346, at *1–3 (9th Cir. Nov. 28, 2023), the Court of Appeals for the 9th Circuit found no jurisdiction over a web-based payment processing platform sued under California’s privacy laws. The facts were as follows:
The defendants in this case offer a web-based payment processing platform to merchants nationwide. When processing payments, the defendants obtain the personal information of those merchants’ customers. In this case of first impression, we are asked to decide whether defendants’ extracting and retaining of consumer data and their tracking of customers exposes them to personal jurisdiction in California, where a consumer made his online purchase. We hold that the defendants are not subject to specific jurisdiction in California because they did not expressly aim their suit-related conduct at the forum state. When a company operates a nationally available e-commerce payment platform and is indifferent to the location of end-users, the extraction and retention of consumer data, without more, does not subject the defendant to specific jurisdiction in the forum where the online purchase was made. We affirm the dismissal of the plaintiff’s complaint. The plaintiff in this case is Brandon Briskin, a resident of California. In June 2019, Briskin, while present in California, used his iPhone’s Safari browser to navigate to the website of California-based retailer IABMFG to purchase fitness apparel. Although Briskin claims he did not know it at the time, IABMFG’s website used software and code from Shopify, Inc. to process customer orders and payments.
Shopify, Inc. is a Canadian corporation with its headquarters in Ottawa, Canada. Shopify provides participating merchants with a sales platform that enables the processing of online purchases. As part of its business, Shopify obtains, processes, stores, analyzes, and shares the information of consumers who complete transactions on Shopify’s merchant-customers’ websites. Although Briskin believed he was dealing only with IABMFG, in fact it was Shopify’s e-commerce platform that was operating behind the scenes to facilitate Briskin’s purchase. When completing his online order, Briskin input his personal identification information (name, address, etc.) and credit card number into IABMFG’s website. Shopify collected this information. Shopify also installed cookies onto Briskin’s phone, connected his browser to its network, generated payment forms requiring Briskin to enter private identifying information, and stored Briskin’s personal and credit card information for later use and analysis. Shopify also transmitted Briskin’s payment information to a second payment processor, Stripe, for additional storage, analysis, and processing. Shopify used the customer information it received to create consumer profiles, which Shopify also shared with its merchant and other business partners. In August 2021, Briskin filed this putative class action in the United States District Court for the Northern District of California, alleging that Shopify violated various California privacy and unfair competition laws because it deliberately concealed its involvement in the consumer transactions. The complaint defined the proposed class as “[a]ll natural persons who, between August 13, 2017 and the present, submitted payment information via Shopify’s software while located in California.”
Briskin’s complaint named as defendants Shopify, Inc. and two of its wholly owned subsidiaries, Shopify (USA) Inc. (“Shopify USA”) and Shopify Payments (USA), Inc. (“Shopify Payments”). Briskin alleges that Shopify USA is a Delaware corporation with its principal place of business in Canada.1 Shopify Payments is a Delaware corporation with its principal place of business in Delaware. In this opinion, we use “Shopify” to refer to all three defendants, collectively. In his operative complaint, Briskin provided additional allegations about Shopify’s contacts with California. Although the parties dispute the jurisdictional relevance of these contacts, Briskin alleges that Shopify not only reaches into California to extract consumers’ personal data, but also directly contracts with California merchants, including IABMFG. According to the complaint, some of the largest merchants on Shopify’s platform are California-based companies. In 2018, Shopify, Inc. opened a physical location in Los Angeles to expand its access to the California market and enhance relationships with Shopify’s over 80,000 merchant-customers in the state. Briskin further alleges that Shopify, Inc. has at least one fulfillment center in California that stores goods from merchants and ships them to consumers, including those located in California. The complaint also alleges some jurisdictional facts specific to the two Shopify subsidiaries. Shopify USA, which serves as a subprocessor of user data, is registered to do business in California, at one point had an office in San Francisco, has a quarter of its employees in California, and provides services to thousands of California businesses. Shopify Payments, meanwhile, contracts with thousands of California merchants to enable them to accept online credit and debit payments. Shopify Payments and its contractual partner Stripe, which has its principal place of business in California, then process those payments. As part of this collaboration, Shopify Payments shares California consumers’ personal information with Stripe, which then uses the information to create profiles on consumers.
After Briskin twice amended his complaint as part of bolstering his allegations about Shopify’s contacts with California, Shopify moved to dismiss the complaint for lack of personal jurisdiction. The district court agreed, dismissing the second amended complaint without leave to amend.
The Court of Appeals found that the web-based payment service’s California-related activities were not related to the (mis)conduct for which it was sued.
We think it clear that Briskin’s claims do not “arise out of” Shopify’s broader forum-related activities in the state (its contracts with California merchants, physical Shopify offices, and so on). The “arising out of” portion of the specific jurisdiction formula “asks about causation.” Ford Motor Co., 141 S. Ct. at 1026. In other words, an injury arising “out of a defendant’s forum contacts require[s] ‘but for’ causation, in which ‘a direct nexus exists between a defendant’s contacts with the forum state and the cause of action.’ ” Yamashita v. LG Chem, Ltd., 62 F.4th 496, 504 (9th Cir. 2023) (quoting In re W. States Wholesale Nat. Gas Antitrust Litig., 715 F.3d 716, 742 (9th Cir. 2013)) (brackets omitted). There is no such causal relationship between Shopify’s broader California business contacts and Briskin’s claims because these contacts did not cause Briskin’s harm. Indeed, Briskin himself acknowledges in his opening brief that “[t]he direct, unmediated interactions between Shopify and California shoppers through an interactive web-based payment platform are what form the basis for [his] claims.” It is readily apparent there will be causes of action that do arise out of Shopify’s broader business contacts with California (such as claims by a California merchant). But Briskin’s claims are not among them. Nor do Briskin’s claims “relate to” Shopify’s broader business activities in California outside of its extraction and retention of Briskin’s data. Focusing on the disjunctive “or” in the doctrinal formulation, the Supreme Court in Ford clarified that “relate to” in the phase “arising out of or relate to” does “contemplate[ ] that some relationships will support jurisdiction without a causal showing.” 141 S. Ct. at 1026; see also Impossible Foods, 80 F.4th at 1093–94, 1097. Briskin passingly suggests that Shopify’s broader California contacts “relate to” his claims under Ford, but that is wrong. The Supreme Court in Ford was clear that the “related to” test still “incorporates real limits, as it must to adequately protect defendants foreign to a forum.” 141 S. Ct. at 1026. At minimum, the plaintiff must show “that the instant litigation ‘relate[s] to’ ” the contacts in question. LNS Enters., 22 F.4th at 864 (alteration in original).
Because there is an insufficient relationship between Briskin’s claims and Shopify’s broader business contacts in California, the activities relevant to the specific jurisdiction analysis in this case are those that caused Briskin’s injuries: Shopify’s collection, retention, and use of consumer data obtained from persons who made online purchases while in California. Briskin argues that Shopify through these activities effectively “reached into” California (electronically) and inserted itself (technologically) into a transaction between a California consumer and a California merchant. The issue is whether Shopify, which provides web-based payment processing services to online merchants throughout the nation (and the world), thereby expressly aimed its conduct toward California. This type of personal jurisdiction question involving an online payment platform is novel. We have never addressed such a situation, nor, to our knowledge, have other circuits. In the sections below, we first explain why our focus here cannot be either Briskin’s presence in California or the fact that he sustained an alleged injury there. We next turn to our personal jurisdiction cases involving claims against out-of-state interactive websites, explaining why these precedents—and not precedents involving the distribution of physical products—provide the right foundation for analyzing personal jurisdiction in this case. From our interactive website cases, we then derive core principles to govern the personal jurisdiction inquiry in cases such as this based on the extraction of consumer data. . . .Having bracketed out what our analysis cannot turn on, we now move to the principles that we think should govern our review. Because Shopify operates a web-based platform, and for reasons we will explain below, our personal jurisdiction cases involving interactive websites provide the closest analogy to the case at hand. The parties effectively agree on this point, as they have devoted the bulk of their briefing to these precedents. A careful discussion of our circuit’s precedent in this area is therefore important to understanding the contours of the personal jurisdiction problem in this case. Almost as soon as the internet became a thing, we were confronted with personal jurisdiction questions involving internet-based businesses. Because websites can be viewed from anywhere, we had to resolve whether and when web-based operations were sufficiently “purposeful” to generate specific jurisdiction. Our approach to that problem has not been to allow personal jurisdiction anywhere that a web platform can be accessed. Instead, we have recognized that there are due process constraints on the assertion of personal jurisdiction over non-resident defendants who operate through the internet. Over the course of decades, we have gone about delineating and refining legal rules to govern when an assertion of personal jurisdiction over an out-of-state internet platform exceeds the bounds of due process. We made clear early on that a purely “passive” website that merely hosts information “does not qualify as purposeful activity invoking the benefits and protections” of the fora in which the website may be viewed. Cybersell, Inc. v. Cybersell, Inc., 130 F.3d 414, 420 (9th Cir. 1997); see also Herbal Brands, 72 F.4th at 1091 (“It is well settled that ‘[m]ere passive operation of a website is insufficient to demonstrate express aiming.’ ” (quoting Will Co., 47 F.4th at 922) (alteration in original)). But an “interactive website”—in which “users can exchange information with the host computer,” Cybersell, 130 F.3d at 418—presents different considerations. That kind of web platform, our cases instruct, can satisfy the express aiming requirement. But not always. Driving our decision-making in this area has been the need to draw some lines to avoid subjecting web platforms to personal jurisdiction everywhere. Were it otherwise, “every time a seller offered a product for sale through an interactive website, the seller would be subjecting itself to specific jurisdiction in every forum in which the website was visible ….” Herbal Brands, 72 F.4th at 1091. “That result,” we have said, “would be too broad to comport with due process.” Id. (citing CollegeSource, Inc. v. AcademyOne, Inc., 653 F.3d 1066, 1075–76 (9th Cir. 2011)); see also Cybersell, 130 F.3d at 420 (similar). For this reason, “operation of an interactive website does not, by itself, establish express aiming.” Herbal Brands, 72 F.4th at 1091. What is needed is “something more.” Id. at 1092. Thus, we have held that “operating a website ‘in conjunction with “something more”—conduct directly targeting the forum—is sufficient’ ” to satisfy the express aiming requirement. Id. (quoting Mavrix Photo, 647 F.3d at 1229). And “[w]hen the website itself is the only jurisdictional contact, our analysis turns on whether the site had a forum-specific focus or the defendant exhibited an intent to cultivate an audience in the forum.”
We now apply those principles to this case and hold that Shopify has not expressly aimed its suit-related conduct toward California. Shopify’s web payment platform does not have a “forum-specific focus.” AMA, 970 F.3d at 1210. Nor has Briskin alleged facts showing that Shopify is specifically “appeal[ing] to … an audience in” California, Mavrix, 647 F.3d at 1231, or “actively target[ing]” the forum state, Will Co., 47 F.4th at 923. Shopify’s platform is accessible across the United States, and the platform is indifferent to the location of either the merchant or the end consumer. No one has alleged that Shopify alters its data collection activities based on the location of a given online purchaser. It did not prioritize consumers in California or specifically cultivate them. Briskin would have suffered the same injury regardless of whether IABMFG was a California company and regardless of whether Briskin was physically located in California when he made his purchase. As Briskin acknowledged in his opening brief, Shopify “chose to extract personal data from IABMFG’s customer’s—wherever located—through the payment portal it created and maintained.” (Emphasis added).
Shopify, to be sure, no doubt benefits from consumers who are present in California. But that California is a large market does not answer the purposeful direction question because a defendant foreseeably profiting from persons making online purchases in California does not demonstrate express aiming. See Walden, 571 U.S. at 289, 134 S.Ct. 1115 (“Petitioner’s actions in Georgia did not create sufficient contacts with Nevada simply because he allegedly directed his conduct at plaintiffs whom he knew had Nevada connections.”); AMA, 970 F.3d at 1210 (“Although [the defendants] may have foreseen that ePorner would attract a substantial number of viewers in the United States, this alone does not support a finding of express aiming.”). And while Shopify does have a sizeable merchant base in California, its extraction and retention of consumer data depends on the actions of third-party merchants who are engaged in independent transactions that themselves do not depend on consumers being present in California. Cf. AMA, 970 F.3d at 1210 (“ePorner’s content is primarily uploaded by its users, and the popularity or volume of U.S.-generated adult content does not show that [the defendants] expressly aimed the site at the U.S. market.”). Briskin offers some inventive hypotheticals in response, but they are off target. Briskin asserts that what Shopify did here was no different than physically placing a surveillance device at a cash register in a California store and using it to intercept customers’ payment details. He also analogizes Shopify to a hypothetical food truck with a surveillance device that operates in both California and Nevada but is agnostic as to which state the truck is located.
These hypotheticals fail to grasp the significance of Shopify operating a broadly accessible web-based platform. The nature of such an operation leads to due process concerns when the implication of Briskin’s position is that Shopify is subject to specific jurisdiction in every state. Contrary to Walden’s clear command, Briskin would effectively tie personal jurisdiction to the unilateral activity of consumers or Shopify’s contacts with individual persons. See Walden, 571 U.S. at 284, 134 S.Ct. 1115. And unlike Briskin’s hypotheticals, Shopify, by the allegations of the complaint, did not place any kind of physical device in California. Cf. Herbal Brands, 72 F.4th at 1093. It did not focus its efforts on any particular location. And it did not interact with consumers except as a result of the third-party decisions of its merchants. Briskin’s hypotheticals involve a degree of express aiming that is simply not present on the facts alleged. In holding that Shopify is not subject to specific jurisdiction for Briskin’s claims, we do not suggest that the extraction and retention of consumer data can never qualify as express aiming. As we discussed above, the nature and structure of a defendant’s business can affect the personal jurisdiction analysis. In view of the “fact-intensive nature” of the personal jurisdiction inquiry, Herbal Brands, 72 F.4th at 1096, we have set forth the governing legal principles and applied them to the facts alleged. But we do not purport to decide how these principles may apply to online payment platforms that are set up differently.