Steptoe's Jennifer Quinn-Barabanov and Zachary Schreiber explain how e-commerce companies can avoid getting hauled into court across the country after the Ninth Circuit's Shopify decision.
Companies relying on e-commerce need to keep a close eye on a recent Ninth Circuit decision that forum-shopping plaintiffs will likely use to try to steer online privacy claims to sympathetic courts across the 50 states. The decision adds to the challenges faced by companies battling class-action lawsuits claiming that commonplace internet technologies such as cookies, pixels, and functionalities like searches result in unlawful disclosures, eavesdropping, and other alleged privacy violations.
In Briskin v. Shopify Inc., an en banc panel of the US Court of Appeals for the Ninth Circuit substantially expanded the scope of specific personal jurisdiction for nationwide e-commerce platform and website operators. The Ninth Circuit held that installation of a cookie on plaintiff's browser when defendants allegedly knew that plaintiff was located in California was sufficient to trigger specific personal jurisdiction
Specific jurisdiction, as any first-year law student should know, requires a nonresident defendant—typically one who is neither incorporated nor has its principal place of business in the forum state—can only be hauled into court there if it has sufficient "minimum contacts" to satisfy due process.
Briskin's Bad Facts
As is often the case, Briskin's bad facts likely contributed to what is a bad outcome from a defendant's perspective.
Brandon Briskin purchased clothing from an online retailer that allegedly didn't disclose its use of Shopify's nationwide online e-commerce platform to facilitate sales. Shopify allegedly installed cookies that communicated with its servers and remained on Briskin's device to collect data about his geolocation, browser, IP address, and purchases across Shopify's network—data that was subsequently sold by Shopify without his knowledge.
Courts in the Ninth Circuit and elsewhere have long held that "'something more' than mere passive nationwide [website] accessibility" is required to satisfy the express aiming element of minimum contacts for specific personal jurisdiction over tort claims. In Briskin, the en banc Ninth Circuit overruled its prior precedent suggesting that something more requires differential targeting of the forum state, as compared to others.
The court held that Shopify was properly subject to specific personal jurisdiction over claims arising from its installation of cookies on Briskin's device because it knew that he was located in California. The court determined the intentional installation of cookies on the devices of users known to be in California qualified as "express aiming" sufficient to support personal jurisdiction.
Briskin's unfavorable facts, particularly Shopify's alleged sale of user data and the absence of disclosures related to its involvement, could provide grounds for distinguishing it from future cases.
However, plaintiffs will likely rely on Briskin's reasoning to challenge Ninth Circuit precedent holding that online advertising, standing alone, is insufficient to support specific jurisdiction. After all, many websites target advertising. Some, such as social media websites, customize content using the same types of tracking technologies and information such as geolocation data and IP addresses that the Ninth Circuit cited to support specific jurisdiction in Briskin.
For now, the Ninth Circuit's Briskin decision is an outlier. The First and Third Circuits both concluded in cases involving session replay technology that the "express aiming requirement" wasn't met.
Both courts explicitly relied on the absence of allegations that the defendants knew about the plaintiffs' location. Plaintiffs will likely try to avoid this deficiency in future cases by including allegations related to knowledge of geolocation data and IP address.
Minimizing Risk
Faced with this potential erosion of the minimum contacts required for exercising personal jurisdiction in the virtual world, here's what defendants can do to minimize the risk of litigating online privacy claims in the courts of all 50 states.
Don't rely on differential targeting or status as a passive website as a rationale to forgo making disclosures and obtaining consent through cookie banners and privacy policies. Recognize that tailoring disclosures and consents to a particular state may be used to support plaintiffs' arguments that you are expressly aiming your activities and should be subject to specific jurisdiction there. Be prepared to oppose those arguments by arguing that you have complied in an abundance of caution.
Use forum selection clauses and choice of law provisions to maximize the likelihood that you won't be hauled into court in a jurisdiction you want to avoid. Many companies' terms of service choose the substantive law and the federal or state courts of the state where they are incorporated or have their principal place of business.
Many states honor these forum selection and choice of law provisions, but their enforceability can vary based on factors such as the substantive state law claim at issue (for example,whether it's waivable or non-waivable) and the substantive law of the proposed alternative forum. Make sure these provisions are drafted broadly enough to cover statutory claims.
Ensure vendors aren't deploying data collection and tracking technologies without your knowledge. Website operators should perform an onboarding assessment of vendors that identifies what data they will collect from customers and how they will collect it. To avoid surprises, vendor agreements should prevent vendors from changing agreed-upon practices without the website operator's consent. Vendor agreements should also allocate responsibility for obtaining any necessary consents as well as any potential liabilities from data collection and tracking.
Consider geofencing where appropriate. Some website functionalities can be limited based on the location of the user. Consider whether to avoid using collection and tracking technologies in states with greatest risks.
Practical Impacts
Briskin has "lowered the bar" to exercise specific personal jurisdiction over e-commerce companies in the Ninth Circuit. As a practical matter, Briskin's impact is likely limited for consumer-facing companies because most have terms of service that include forum selection clauses specifying their preferred location for litigating disputes.
The impacts may be more significant for back-end service providers because their involvement may not be transparent to the user. Service providers don't typically have an opportunity to present their terms of service and obtain consent from website users.
In light of Briskin, back-end vendors should consider requiring their customers who operate websites to provide the necessary disclosures and consents to permit the data collection and tracking the vendor undertakes. Otherwise, vendors risk being taken to court for online privacy claims wherever their customers take them shopping.
Originally published by Bloomberg Law.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
