[HN Gopher] Ninth Circuit Takes a Wrecking Ball to Internet Pers...
___________________________________________________________________
Ninth Circuit Takes a Wrecking Ball to Internet Personal
Jurisdiction Law
Author : hn_acker
Score : 43 points
Date : 2025-04-23 19:09 UTC (3 hours ago)
(HTM) web link (blog.ericgoldman.org)
(TXT) w3m dump (blog.ericgoldman.org)
| hn_acker wrote:
| The full title is:
|
| > Ninth Circuit Takes a Wrecking Ball to Internet Personal
| Jurisdiction Law-Briskin v. Shopify
| topspin wrote:
| What law was wrecked? The outcome appears to be the upholding
| of a CA law.
| Aloisius wrote:
| Case law on internet-specific personal jurisdiction made by
| the district court, presumably.
| Alupis wrote:
| I suspect this has something to do with "Shop Pay", Shopify's own
| payment system used on most (all?) Shopify stores. It enables you
| to have saved payment information for any Shopify store you come
| across, facilitating one-click checkout even if you have never
| shopped on that particular brand/website before. Webshop
| operators love it because it is very good at fraud detection (due
| to the pooled data on the backend), and removes barriers at
| checkout (needing your wallet, fill out an address form, etc). As
| far as I'm aware, it's optional on the Shopify platform. Using
| Shop Pay for payment is optional on the consumer level.
|
| I suspect Shopify's terms inform their customers (webshop
| operators) that they are responsible for disclosure, etc and
| being compliant with state privacy laws - however since majority
| of web shops are exempt (due to small size, revenue, etc), these
| shops did not (knowingly or otherwise) publish these terms.
| That's just speculation on my part...
|
| If this is true, I find this case troubling and weak, and hope it
| is overturned. It is squarely on the shop operator to be
| compliant - Shopify is just a platform vendor and shoppers are
| not Shopify customers; rather, they are customers of the shop.
| This seems to be akin to suing Google because a website uses
| Google Analytics but didn't disclose it in their privacy
| statement - silly...
|
| This particular case gives me ADA and Prop65 vibes... lots of
| bottom-feeding lawyers using serial plaintiffs to extort
| businesses out of money. At least in this case they're going
| after someone with deep pockets and not just small businesses...
| chocolatkey wrote:
| Stripe also has a version of this called "Link", which uses SMS
| authentication. Based on Stripe data on multiple platforms I
| have access to, quite a high percentage of people use it,
| probably due to how hard it's pushed by the UI when adding a
| payment method
| ndriscoll wrote:
| I'm not familiar enough with California's law to know whether
| companies like Shopify/Google are meant to be liable (in the
| sense that the law says so), but certainly it would be a great
| thing if the companies actually performing the mass
| surveillance (Google, Shopify) _were_ liable even if the
| payload deliverer is small. Absolutely what is needed is law
| saying that Google can be sued (or better, held criminally
| liable for harassment /stalking) for spying on people through
| its Google Analytics program, among others.
|
| Relentlessly stalking millions of people makes it millions of
| times worse than stalking one person, not somehow okay.
| rkagerer wrote:
| Or hold enough of those small actors to account that nobody
| wants to do business with Google Analytics in its current
| form.
|
| It disgusts me that companies who want to transact with me
| don't vet their partners better. Off-Meta is another one
| that's despicable. Companies like my bank or their partners
| have NO business uploading lists of their users to third
| parties like that (even if it was induced by use of their
| analytics SDK's).
| pessimizer wrote:
| > It is squarely on the shop operator to be compliant - Shopify
| is just a platform vendor and shoppers are not Shopify
| customers; rather, they are customers of the shop.
|
| I disagree energetically. If Shopify wants to run a service
| identifying people between every site that it serves as a
| backend to, it should ask those people if they want to be
| included in that. The only alternative to stop the illegal
| activity otherwise is to print a list of Shopify's customers,
| and visit (and sue) them one by one in California. Shopify is
| running the service, and the shop owner probably doesn't even
| know how it works.
|
| I'd even think that a shop owner sued over this should in turn
| be able to sue Shopify. If Shopify knows that something it does
| is not legal in California, it should tell its clients who may
| do business in California.
| Alupis wrote:
| You opt-into using Shop Pay, as a consumer. By default you
| are in "guest" mode.
|
| > If Shopify knows that something it does is not legal in
| California
|
| This is what is being debated. This ruling is mostly expected
| out of the 9th... we'll see what happens when a real court
| hears this case.
| Aloisius wrote:
| What are the odds the Supreme Court hears this?
| Alupis wrote:
| Your guess is as good as mine. I doubt Shopify will let
| this rest, since the consequences are fairly huge.
| nozzlegear wrote:
| > If this is true, I find this case troubling and weak, and
| hope it is overturned. It is squarely on the shop operator to
| be compliant - Shopify is just a platform vendor and shoppers
| are not Shopify customers; rather, they are customers of the
| shop. This seems to be akin to suing Google because a website
| uses Google Analytics but didn't disclose it in their privacy
| statement - silly...
|
| Most of my work is in the Shopify app dev ecosystem, and while
| I haven't been following this case very closely, I do think
| it's ironic how Shopify is behaving here given the privacy
| standards they enforce on their app developers.
|
| Some context: all Shopify app developers are required to follow
| the EU's GDPR rules for customer data, full stop. Your app
| _must_ implement Shopify 's mandatory GDPR webhooks. You _must_
| delete customer data when a shop 's customer is deleted; you
| must produce all data you store on a shop's customer within 7
| days upon receipt of a certain GDPR webhook; and you must
| delete all the data you store on the shop itself after the shop
| uninstalls your app.
|
| Additionally, if your app requires access to any customer data
| (whether its via the Customer API, or via other APIs e.g. to
| get the name of a customer who placed an order), you need to
| apply for access to that data on an app-by-app basis - replete
| with an explanation for why your app needs the data. Shopify's
| app store staff has to manually review and approve that data
| access application before you can publish your app on their app
| store.
|
| To be clear, I think these restrictions are a good thing+, as
| apps used to have access to a veritable firehose of private
| customer data. But it's ironic to see Shopify enforce such
| standards on their app developers, while at the same time
| arguing that they should be able to track their own potential
| customers anywhere and everywhere across the internet
| regardless of privacy laws.
|
| + Though I think it's a little odd that a Canadian company is
| making me, an American app developer, think about/adhere to the
| EU's GDPR rules. Not to mention other privacy laws like the one
| in California. Why not just call it "Shopify's Privacy
| Standards?"
| getcrunk wrote:
| Backstory from eff:
|
| https://www.eff.org/deeplinks/2024/07/courts-should-have-jur...
| nickff wrote:
| This seems like a very strange reading of "express aiming";
| instead of those words meaning that a person has done something
| to 'target', it means that the person did not 'expressly avoid'?
| I am not sure that "expressly aim" has much meaning at all in
| this reading.
|
| I don't have any horse in this race, though I know the EFF is
| very popular on HN, and that many people here are also against
| data collection.
| 3np wrote:
| I guess it's just a coincidence that the California Shopify
| meetup groups are abandoned without notice?
| 3np wrote:
| > What Could Shopify Have Done Differently?
|
| For completion I think "cease to insecurely extract, aggregate
| and abuse all that user data" should also be mentioned as an
| alternative to the different ways they could skirt regulation.
| johnea wrote:
| I was going to quote, and respond in almost the exact same way.
|
| The only change I would make to your suggestion would be to
| remove the word "insecurely".
|
| They shouldn't extract or aggregate user data in any fashion
| whatsoever.
| clucas wrote:
| You're misunderstanding the question - he's asking how Shopify
| could avoid _jurisdiction_ , not avoid this suit. Jurisdiction
| is a threshold question before you get to the merits... maybe
| Shopify did the bad thing, maybe they didn't, but before we
| decide that, we need to determine if California law even
| applies to Shopify.
|
| The author seems to think that there should be some way for
| Shopify to avoid jurisdiction while still offering services in
| California, but I don't really understand why he thinks so.
| otterley wrote:
| As a former student of the author, I don't think he's saying
| they _should_ be able to avoid jurisdiction. I think he was
| musing on whether it would even be possible under this new
| Ninth Circuit framework /test. He concludes it's unlikely,
| and hence for Shopify (or any other company putting cookies
| in browsers) to have any chance of avoiding it, they're going
| to have to appeal to SCOTUS.
| dpifke wrote:
| The "online retailer" (IABMFG) in this case is based in
| California.
|
| A company in California, selling to a customer in California,
| shouldn't be able to say "California law doesn't apply because my
| payment processor is Canadian." And if Shopify wants to take a
| cut of every sale from retailers based in California, they should
| be willing to comply with California law as well, at least
| insofar as it applies to the services provided via those
| California-based retailers' web sites.
|
| (The actual opinion is linked at the bottom of the submission; I
| humbly suggest folks commenting here should read it first:
| https://cdn.ca9.uscourts.gov/datastore/opinions/2025/04/21/2...)
| otterley wrote:
| To be clear, this isn't a choice-of-law case. It's not about
| whether California law applies. It's about whether a court in
| California has jurisdiction; that is, whether it can hear the
| case _at all._
| dpifke wrote:
| Could a tort claim under California state law be heard in any
| other court (assuming no accompanying Federal claims)?
| otterley wrote:
| Yes. Choice-of-law terms are frequently found in contracts.
| When interpreting the law, the court with jurisdiction will
| do its best to refer to and interpret existing law of the
| state in question to the case.
| healsdata wrote:
| > then more privacy-protective option are not feasibly available
| to Shopify
|
| I haven't laughed that hard in awhile. Poor Shopify, they
| couldn't possibly protect the privacy and data of their
| customers.
| djoldman wrote:
| The part where many may object:
|
| > First, the majority might say that Shopify should not engage in
| privacy-invasive activities. I didn't invest the energy to figure
| out the irreducible privacy elements of the plaintiffs' claims,
| but if using cookies to track users is an essential part of the
| claim, then more privacy-protective option are not feasibly
| available to Shopify.
| Glyptodon wrote:
| Maybe the line of reasoning offered and argued against is
| dubious. But IMO there are literally dozens of other arguments
| that will come to the same conclusion if you want to avoid hand
| waving about the particular bits the author raises.
|
| By and large states having different laws is a pain, but arguing
| that you can do business in every state while only following the
| laws of one state is a very messy rejection of state's rights,
| and leads to using the commerce clause to basically negate most
| state level regulations and jurisdiction.
___________________________________________________________________
(page generated 2025-04-23 23:00 UTC)