California courts are increasingly handling class action lawsuits alleging that cookies and other web technologies violate privacy laws by collecting personal data without consent.

A key issue in these cases is whether California courts can exercise personal jurisdiction over out-of-state companies operating location-neutral websites.

A recent ruling from the Ninth Circuit Court of Appeals is raising the stakes for any business that operates a website collecting user data. In Briskin v. Shopify, decided in April 2025, the court held that California courts can exercise personal jurisdiction over an out-of-state company—Shopify—for allegedly collecting personal data from a California resident without proper disclosure or consent. This decision signals a significant shift in how courts view digital jurisdiction in the age of online commerce and widespread data collection.

The case centered on Shopify’s role in providing backend e-commerce services. A California consumer claimed that Shopify secretly collected and stored his payment and personal information while he was transacting with a third-party merchant, creating a marketing profile without his knowledge. Despite Shopify’s lack of physical presence in California, the court ruled that its intentional collection of data from California users was enough to justify specific personal jurisdiction. Crucially, the court rejected previous legal precedent requiring a website to have a “forum-specific focus” in order to be subject to a state’s jurisdiction. Normally, California courts require that plaintiffs suing an out-of-state defendant establish “certain minimum contacts” with the state. The defendant must be subject to either general jurisdiction based on citizenship or continuous contacts within the state, or specific jurisdiction based on a connection with the forum. It is now sufficient that a company collects data from users it knows are located in the state—even if the website is available to users everywhere.

The district court initially dismissed the case due to lack of jurisdiction, but the Ninth Circuit reversed using a three-part test for analyzing specific jurisdiction:

1. Purposeful direction: Shopify targeted California consumers by knowingly collecting their personal data for profit. This analysis pulled from the Calder v. Jones case, which required intentional conduct by the defendant that is expressly aimed at the forum state. The Ninth Circuit concluded that Shopify’s actions were expressly aimed at collecting data from California users for its own commercial gain. Under this prong, the Court also overruled Ninth Circuit precedent that required a showing of forum-specific focus, even with websites that operate globally. The Court noted that this requirement essentially allowed a loophole argument, where companies could avoid specific personal jurisdiction from state to state, all the while focusing on the collection of data from all 50 states. 
2. Claims related to forum activities: The plaintiff’s claims arose from Shopify’s conduct directed at California merchants and consumers. The Court characterized these forum activities in two ways, noting that plaintiff’s claims “arise out of” Shopify’s direct contact with plaintiff’s phone, which the Company allegedly knew was operating within California, and that plaintiff’s claims “relate to” Shopify’s California contacts because the injuries alleged “would tend to be caused” by Shopify’s contacts with California merchants and consumers. The Court specifically noted that the Company’s installation of software on the devices of Californians and extraction of personal data is the kind of direct contact that satisfies this prong.
3. Reasonableness: It was fair to subject Shopify to California jurisdiction, even if it operates nationally because, under the Court’s seven-factor balancing test to determine the reasonableness of asserting personal jurisdiction, the mere fact that there are alternative forums does not outweigh the other factors that demonstrate reasonableness.

This ruling has major implications for businesses operating online. Companies can no longer rely on the assumption that a location-neutral website will shield them from being sued in a specific state, or at least in California. If your business collects data from California residents, you may now be exposed to lawsuits in that state—even if you’ve never conducted targeted marketing there or established a physical presence. The decision also underscores the importance of transparency and consent in data collection. A lack of clear disclosures and compliant cookie practices was central to the plaintiff’s allegations.

 “Brick and Mortar” laws continue to lose their power in an ever-changing tech world, especially as companies continue to globalize, and automated transactions continue to rely on applications and websites that can be used virtually anywhere. As courts continue to modernize the rules around digital conduct and jurisdiction, legal exposure is increasingly tied to where your users are—not where your company is.

Still, due to this case’s fact-specific nature, its broader applicability remains uncertain and more decisions in this area will likely continue to shape the law for e-commerce.

Companies are advised to ensure compliance with privacy laws through transparent privacy policies and properly implemented cookie consent banners.

América Garza, a Law Clerk – Admission Pending (not admitted to the practice of law) in the firm’s New York office, contributed to the preparation of this post.