CLICK, BUY, SUE?: Shopify Pushes Back On CIPA At Checkout

Add a comment

Greetings CIPAWorld!

I’m back with another case update, and this one is spicy! If you litigate CIPA claims in the e-commerce space, this is one of those opinions you bookmark. After years of procedural detours, Briskin v. Shopify Inc. finally returns to the merits, and it issues a ruling that subtly tightens restrictions on speculative privacy claims while leaving intact several favorable doctrines for plaintiffs. See Briskin v. Shopify Inc., et al., No. 21-CV-06269-PJH, 2026 WL 161441 (N.D. Cal. Jan. 21, 2026).

In Briskin, Judge Phyllis J. Hamilton granted in part and denied in part Shopify’s motion to dismiss the second amended complaint. Rather than a sweeping win or loss, the decision outlines what plaintiffs must plead with specificity, which defects cannot be cured, and where courts remain reluctant to shut the door at the pleading stage.

If you have ever breezed through an online checkout without giving it much thought, you may not realize that Shopify often runs the show behind the scenes. Shopify runs an e-commerce platform providing payment processing services to millions of merchants across the Internet. When you buy something from a Shopify-powered store, Plaintiff alleges the merchant’s software makes it look like you’re communicating directly with the merchant, but you’re not. It’s actually Shopify’s software generating the payment form and collecting everything you type into it: name, address, email, credit card number, IP address, what you bought, and your geolocation. Shopify also allegedly installs cookies on users’ browsers to track their transactions across the entire Shopify merchant network.

Plaintiff bought fitness apparel from IABMFG (a Shopify merchant) back in June 2019. He claims he had no idea Shopify was involved in the transaction or that it was intercepting his information. He didn’t learn about Shopify’s role until 2021, when IABMFG’s privacy policy finally disclosed it. So the result? Well, Plaintiff brought claims under CIPA §§ 631 and 635, the California Constitution’s privacy protections, intrusion upon seclusion, the California Computer Data Access and Fraud Act (“CDAFA”), and the UCL.

It’s important to note that this case has already been to the Ninth Circuit. The district court initially dismissed for lack of personal jurisdiction, and a Ninth Circuit panel affirmed. But then the en banc court reversed and remanded, finding that Shopify’s conduct, including allegations that it surreptitiously implanted cookies that permanently remained on devices and tracked their physical location, was sufficient to establish jurisdiction. See Briskin v. Shopify, Inc., 135 F.4th 739, 745 (9th Cir. 2025). That jurisdictional holding looms large throughout Judge Hamilton’s analysis, particularly when addressing what constitutes “routine” commercial conduct. So now we’re back for round two on the merits.

Before getting into the claim-by-claim analysis, there’s a threshold issue that affects everything. Plaintiff’s Complaint has a factual gap! Here’s the timeline. Plaintiff made his purchase in June 2019; his counsel visited the IABMFG website in April 2021 (by then disclosing Shopify’s data collection); and this lawsuit was filed in August 2021. The Court found it problematic that Plaintiff inferred Shopify must have engaged in the same conduct in 2019 based on what he learned in 2021, without any non-speculative basis for that inference.

Judge Hamilton found M.D. v. Google, 2025 WL 2710095 (N.D. Cal. Sept. 23, 2025), to be the most factually analogous case. In M.D., the plaintiffs learned of data-sharing practices through a 2024 privacy policy amendment and then alleged those practices had been occurring for years, without any factual support for that claim. The Court here applied the same logic that Plaintiff hasn’t “nudged [his] claims across the line from conceivable to plausible” because he hasn’t provided adequate factual support that the conduct disclosed in 2021 was actually taking place in 2019. See Briskin, 2026 WL 161441 at *3–4.  Importantly, the Court was explicit about what this was not. This wasn’t treated as a statute-of-limitations issue. It’s a Rule 8 pleading deficiency. All claims are dismissed with leave to amend on this basis.

Then there’s the intent problem. Shopify argued that Claims 1, 3, 4, and 5 all require some form of intent or willfulness, and Plaintiff can’t establish that because Shopify’s policies required merchants to obtain consent for Shopify’s access. The Court agreed. Even taking Plaintiff’s allegations as true, that IABMFG didn’t obtain proper consent, Shopify’s state of mind is the same regardless of what merchants ultimately do with their privacy policies. In two hypothetical scenarios in which IABMFG obtains or doesn’t obtain consent, Shopify’s “intent” is technically identical in both. That framing drives much of the Court’s dismissal analysis.  Claims 1 (§ 631), 3 (invasion of privacy), 4 (intrusion upon seclusion), and 5 (CDAFA) were all dismissed with leave to amend to allege facts establishing Shopify’s intent to access consumer information without permission.

Now for the CIPA § 631(a) analysis. Plaintiff clarified he’s proceeding under clauses 2 and 3, the “willfully and without consent” reading of communications and the subsequent use of that information. Shopify first argued it was simply a “service provider” for IABMFG, relying on Graham v. Noom, 533 F.Supp.3d 823 (N.D. Cal. 2021). But the Court noted that even Graham recognized the test is whether the defendant uses the data for their own benefit. Plaintiff cited cases holding that a defendant need only be capable of using the data for its own benefit. In response, the Court declined to resolve this issue at the pleading stage, finding that it requires at least some evidentiary record.

Shopify also argued that the information collected (name, address, phone number, email, credit card info, purchase info) isn’t the “content” of a communication, just “record” information. The Court reasoned that while name and email might be record information in an email context, that logic doesn’t extend to credit card information when the communication is a purchase. As the Court put it: “In fact, the ‘contents’ of an online purchase are essentially (1) the product information, and (2) the payment information – if those aren’t the ‘contents,’ then it’s unclear what is.” See Briskin, 2026 WL 161441 at *7. The Court referenced Hammerling v. Google, 615 F.Supp.3d 1069, 1093 (N.D. Cal. 2022), for the proposition that customer information “may be contents when it is part of the substance of the message conveyed.”

The argument that did stick was the “in transit” issue. Here, the Complaint alleges that data is encrypted and sent to Shopify’s servers, then read and analyzed after receipt. Plaintiff argued the “in transit” element is satisfied when the defendant receives messages “before or simultaneously with” the intended recipient, but acknowledged the Complaint could be clearer. The Court agreed and dismissed on this basis with leave to amend.

But here’s where Plaintiff took a loss he can’t fix. The CIPA § 635 claim was dismissed without leave to amend. As a reminder, § 635 prohibits manufacturing, assembling, selling, possessing, transporting, importing, or furnishing eavesdropping devices. Critically, it does not prohibit the “use” of such devices. See Saleh v. Nike, Inc., 562 F.Supp.3d 503, 522 (C.D. Cal. 2021). Because Plaintiff can’t amend to allege injury through the manufacture, sale, or assembly of Shopify’s software, this claim is gone for good! Very interesting analysis here. One interesting doctrinal footnote worth flagging is that Shopify argued § 635 requires intent or knowledge that the device would be used unlawfully. In response, Plaintiff relied on Yoon v. Meta Platforms, Inc., 2024 WL 5264041 (N.D. Cal. Dec. 30, 2024), which held that § 635 does not require such intent. The Court found this persuasive, but it ultimately didn’t matter because the claim failed on other grounds.

The invasion-of-privacy and intrusion-upon-seclusion claims survived Shopify’s “highly offensive” arguments. Shopify argued its data collection is routine commercial behavior, obvious to anyone making online purchases. But the Court pointed to the Ninth Circuit’s en banc opinion, which found Shopify’s conduct went beyond routine, including “surreptitiously implant[ing] cookies that permanently remained on Briskin’s device [and] tracked its physical location.” Briskin, 135 F.4th 739, 745. Courts are also generally reluctant to conclude at the pleading stage that conduct wasn’t “highly offensive.” These claims survive on the “highly offensive” challenge but are still dismissed for the intent and factual support issues discussed above.

On the CDAFA claim, Shopify argued that no actual damages were sustained. Plaintiff relied on a disgorgement theory, referencing Smith v. Rack Room Shoes, 2025 WL 2210002 (N.D. Cal. Aug. 4, 2025), and In re Facebook Inc. Internet Tracking Litigation, 956 F.3d 589, 600-01 (9th Cir. 2020). The Ninth Circuit has held that plaintiffs can establish standing under a disgorgement theory by alleging that the data has financial value and that the defendant profited from it. In response, Shopify used contrary authority, but the Court ultimately found the Ninth Circuit precedent controlling. Motion denied on damages, but the claim is still dismissed for intent and factual support.

For the UCL claim, Shopify argued that it lacked standing. The Court acknowledged a split in the district, with some courts holding that privacy harms can constitute economic injury, while others disagree. Judge Hamilton took a middle ground and rejected both extremes. Again, the claim is dismissed for lack of factual support.

So what are the takeaways? First, if you’re bringing CIPA claims based on conduct you learned about through a later disclosure, you need factual support that the conduct was actually happening at the time of your transaction. That’s a given, and speculation won’t cut it. Second, intent matters. When a platform operator requires its merchants to obtain consent, plaintiffs must allege facts showing that the platform itself intended to access data without permission, not merely that a merchant failed to follow the rules. Third, CIPA § 635 claims require injury from the manufacture, sale, or assembly of an eavesdropping device. Injury from mere “use” isn’t enough. Fourth, payment information can qualify as “contents” when the communication is a purchase, and the “it’s just record information” argument has limits. Fifth, disgorgement theories for CDAFA and UCL standing are alive and well in the Ninth Circuit.

Overall, Plaintiff has 28 days to file a third amended complaint. Whether he can plead around both the timeline and intent problems remains the real question.

As always,

Keep it legal, keep it smart, and stay ahead of the game.

Talk soon!

Unknown's avatar

Published by Blake Landis

Blake Landis joins the esteemed Troutman Amin, LLP as an Associate Attorney in their South Florida location. He is a J.D. graduate from St. Thomas University College of Law, 2024. During law school, Blake was recognized with Cali Book Awards in Appellate Advocacy, Innovations & Patent Management, Trademark and Branding Law, and Trial Advocacy Practice. Blake demonstrated leadership as President of the Intellectual Property & Cyber Law Society and served as the Elected Miami-Dade Bar Association Representative for the Student Bar Association. Blake was also honored with a Pro Bono Commendation Certificate for dedicating over 100 hours to legal and community service. His latest publication, "Brain-Computer Interfaces and Bioethical Implications on Society: Friend or Foe?" delves into evolving data privacy concerns. With Blake's stacked resume and extensive work experience across various legal sectors, he will assist Troutman Amin in defending TCPA class actions with a strong emphasis on evolving AI litigation matters.

Tags: , , , , , , , ,

Leave a comment