Shopify faces privacy lawsuit for collecting customer data

Shopify faces a data privacy class action lawsuit in the US that could change the way globally active companies can be held accountable.

The proposed class action is a revival of a case that had been dismissed by a lower court judge and a three-judge 9th Circuit Court of Appeals panel. But now it’s been brought back after a decision by the full 9th Circuit.

Shopify is a global commerce platform headquartered in Ottawa, Canada. It provides the infrastructure and tools that businesses of all sizes use for retail operations, both online and offline.

To provide these services, Shopify collects personally identifiable information (PII) from buyers, primarily to facilitate and improve their commerce experience. This data includes names, email addresses, phone numbers, shipping and billing addresses, IP addresses, device information, and behavioral data. That is, all the information needed for processing orders, managing payments, shipping products, and communicating with end customers effectively.

With this collection of PII comes responsibility. Shopify acknowledges the data belongs to the users and is collected only to the extent necessary to provide its services. It claims to implement robust security measures to protect this data from unauthorized access and complies with relevant privacy laws such as GDPR.

But Brandon Briskin, a California resident, claims Shopify installed tracking cookies on his iPhone without his consent when he bought athletic wear from a retailer, and used his data to create a profile it could sell to other merchants.

The case was at first dismissed after Shopify argued it should not be sued in California because it operates nationwide and did not aim its conduct toward that state.

The dismissal was revoked because the judges found that:

“Shopify deliberately reached out … by knowingly installing tracking software onto unsuspecting Californians’ phones so that it could later sell the data it obtained, in a manner that was neither random, isolated, or fortuitous.”

A Shopify spokesman told Reuters that the decision makes online retailers vulnerable to lawsuits anywhere and “attacks the basics of how the internet works,” and that it drags entrepreneurs who run online businesses into distant courtrooms regardless of where they operate.

Briskin’s lawyer said the court bolstered accountability for internet-based companies by rejecting the argument that a company is jurisdictionally ‘nowhere’ because it does business ‘everywhere.’

And many US states agreed they need an ability to enforce their own consumer protection laws against companies that avail themselves of local marketplaces through the internet.

The general expectation is that this decision could make it easier for American courts to assert jurisdiction over internet-based platforms. The majority of the 9th Circuit, which includes nine western US states, Guam, and the Northern Mariana Islands, adhered to the “traveling cookie rule” because it “impermissibly manufactures jurisdiction wherever the plaintiff goes.”

