En Banc Ninth Circuit Overrules Case Authority That Personal Jurisdiction Over an Online Business Requires That Its Marketing Be Shown to Have a “Forum-Specific Focus”

In Briskin v. Shopify, No. 22-15815 (9th Cir. Apr. 21, 2025) (en banc), the Ninth Circuit considers a customer privacy claim by a California resident against a Canadian online retailer and its American subsidiaries. The court (10-1) reverses the lower court’s dismissal on personal jurisdiction grounds, overruling AMA Multimedia, LLC v. Wanat, 970 F.3d 1201 (9th Cir. 2020), which held that for personal jurisdiction a website must manifest a “forum-specific focus.”

Plaintiff Briskin, a resident of the state of California, alleges that defendant Shopify committed privacy-related torts “arising from Shopify’s activity in connection with his online purchase in California of athletic wear from a retailer in California. Briskin alleges that in the process of facilitating his credit card transaction for the merchant, Shopify took the opportunity to install ‘cookies’ on the device he used to buy the athletic wear and that Shopify did so without his knowledge or consent.”

The district court dismissed the action on two grounds. First, it held that under Federal Rule of Civil Procedure 8(a)(2), the complaint was defective “because it was collectively pleaded [against the three defendants] and therefore failed to specify which named defendant was responsible for which of Briskin’s alleged injuries. As for personal jurisdiction, the district court first noted that Briskin did not argue that the court has general personal jurisdiction over any of the three Shopify defendants.” The original three-court panel affirmed dismissal on personal jurisdiction grounds, declining to rule on the alleged Rule 8(a)(2) violation.

The en banc Ninth Circuit reverses, holding that court has specific personal jurisdiction over the defendants based on the online transaction with the plaintiff. The court uses the opportunity of this case to refine the circuit’s approach to personal jurisdiction as applied to out-of-state online businesses.

“None of the Shopify entities resides in the State of California, and Briskin does not attempt to make a showing that Shopify’s contacts with California are so substantial, continuous, and systematic that it would be consistent with ‘traditional notions of fair play and substantial justice’ to hale Shopify into California courts for any of its activities across the nation.”

Turning to specific personal jurisdiction, the court applies the “purposeful direction test” of Calder v. Jones, 465 U.S. 783 (1984), to this case. This “test requires that the defendant (1) commit an intentional act, that is (2) expressly aimed at the forum state, and (3) which causes harm that the defendant knows will be suffered in the forum state.”

Under this standard, plaintiff “Briskin has made a prima facie showing of jurisdictional facts sufficient to establish that Shopify purposely directed its conduct toward California. As a part of its regular course of business, Shopify is alleged to target California consumers to extract, collect, maintain, distribute, and exploit for its own profit, not only the California consumers’ payment information that it diverts to its own servers, but also all of the other personal identifying information that it extracts from the software it permanently installs on their devices without their knowledge or consent.”

“[T]he crux of the parties’ dispute is the second Calder factor: whether Shopify’s conduct is expressly aimed at California or its residents or, as Shopify contends, is mere happenstance arising from the California consumers’ choice to do business with a merchant that has contracted with Shopify. And here, it is clear that Shopify expressly aimed its conduct at California through its extraction, maintenance, and commercial distribution of the California consumers’ personal data in violation of California laws.””

“Shopify argues, relying upon AMA Multimedia, LLC v. Wanat, 970 F.3d 1201 (9th Cir. 2020), that because its business ‘lacks a forum-specific focus,’ it is not expressly aimed at California. Shopify points out that based on the numbers alleged in the [complaint], as of 2018, only 8% of its worldwide merchants are located in California . . . . We now take this opportunity to overrule AMA and any other cases that require some sort of differential treatment of the forum state for a finding of ‘express aiming’ of the defendant’s allegedly tortious conduct . . . . Moreover, requiring differential targeting would have the perverse effect of allowing a corporation to direct its activities toward all 50 states yet to escape specific personal jurisdiction in each of those states for claims arising from or relating to their relevant contacts in the forum state that injure that state’s residents.”

The court further holds that plaintiff’s claims arise from or relate to Shopify’s contacts with California, as required by Bristol-Myers Squibb Co. v. Superior Ct. of Cal., 582 U.S. 255 (2017). “In particular, Shopify’s installation of software onto unsuspecting Californians’ devices and extracting personal data from them is the kind of contact that would tend to cause privacy injuries. Briskin’s claims therefore satisfy the second requirement for specific jurisdiction.”

And the court holds that Spotify failed to “present a compelling case” that the exercise of personal jurisdiction in California is not reasonable. “Shopify . . . argues that it is unfair to assert jurisdiction because that ‘could lead to specific jurisdiction in all 50 states.’ That may be true, but not unfair, if the contacts Shopify makes in all 50 states are like its California contacts. But it may not be true, depending on whether all 50 states have laws, like California, protecting their citizens from what Shopify allegedly does in its regular course of business, laws which Briskin claims Shopify violated here.”

Finally, the court overrules the district court’s finding that the complaint was defective because it did not specify the basis of liability for each defendant separately.

“Here, Briskin alleges one course of conduct jointly pursued by three closely related corporate defendants: Shopify, Inc., a Canadian corporation, and its two wholly owned U.S. subsidiaries, Shopify (USA) Inc. and Shopify Payments, (USA) Inc. And, contrary to Shopify’s arguments, the [complaint] does generally describe each company’s role in the alleged data collection and monetization scheme, which Briskin alleges violates California law and California consumers’ rights to data access and privacy. The remainder of the [complaint] is highly detailed as to the technology used to do so. We therefore conclude that the [complaint] provides sufficient information to give the Shopify entities fair notice of the claims against them.”

Judges Collins and Bumatay file concurring opinions that find personal jurisdiction over the defendants on alternative grounds. Judge Callahan, dissenting, would affirm the district court. “[T]he majority opinion creates a new ‘traveling cookie’ rule for in personam jurisdiction. Under our circuit’s newly divined rule, when a company attaches cookies to a person’s electronic device, jurisdiction attaches wherever that person happens to be, and indeed, wherever that person happens to travel thereafter. Of course, this is nowhere close to the Supreme Court’s personal jurisdiction doctrine, as it ‘impermissibly allows a plaintiff’s contacts with the defendant and forum to drive the jurisdictional analysis,’” quoting Walden v. Fiore, 571 U.S. 277, 289 (2014).