Shopify Must Face Data Privacy Lawsuit In US (reuters.com) 33
An anonymous reader quotes a report from Reuters: A U.S. appeals court on Monday revived a proposed data privacy class action against Shopify, a decision that could make it easier for American courts to assert jurisdiction over internet-based platforms. In a 10-1 decision, the 9th U.S. Circuit Court of Appeals in San Francisco said the Canadian e-commerce company can be sued in California for collecting personal identifying data from people who make purchases on websites of retailers from that state.
Brandon Briskin, a California resident, said Shopify installed tracking software known as cookies on his iPhone without his consent when he bought athletic wear from the retailer I Am Becoming, and used his data to create a profile it could sell to other merchants. Shopify said it should not be sued in California because it operates nationwide and did not aim its conduct toward that state. The Ottawa-based company said Briskin could sue in Delaware, New York or Canada. A lower court judge and a three-judge 9th Circuit panel had agreed the case should be dismissed, but the full appeals court said Shopify "expressly aimed" its conduct toward California.
"Shopify deliberately reached out ... by knowingly installing tracking software onto unsuspecting Californians' phones so that it could later sell the data it obtained, in a manner that was neither random, isolated, or fortuitous," Circuit Judge Kim McLane Wardlaw wrote for the majority. A spokesman for Shopify said the decision "attacks the basics of how the internet works," and drags entrepreneurs who run online businesses into distant courtrooms regardless of where they operate. Shopify's next legal steps are unclear.
Brandon Briskin, a California resident, said Shopify installed tracking software known as cookies on his iPhone without his consent when he bought athletic wear from the retailer I Am Becoming, and used his data to create a profile it could sell to other merchants. Shopify said it should not be sued in California because it operates nationwide and did not aim its conduct toward that state. The Ottawa-based company said Briskin could sue in Delaware, New York or Canada. A lower court judge and a three-judge 9th Circuit panel had agreed the case should be dismissed, but the full appeals court said Shopify "expressly aimed" its conduct toward California.
"Shopify deliberately reached out ... by knowingly installing tracking software onto unsuspecting Californians' phones so that it could later sell the data it obtained, in a manner that was neither random, isolated, or fortuitous," Circuit Judge Kim McLane Wardlaw wrote for the majority. A spokesman for Shopify said the decision "attacks the basics of how the internet works," and drags entrepreneurs who run online businesses into distant courtrooms regardless of where they operate. Shopify's next legal steps are unclear.
Who are the ambulance chasers this time? (Score:1)
Re: Who are the ambulance chasers this time? (Score:2)
You are attacking the attorneys who are helping to stop invasion of our privacy?
Who's your hero? Musk or Putin?
(Yes, intentional flame bait)
Re: (Score:1)
Nonsense, it is a Canadian company. It should be governed by Canadian rules, and subject to Canadian court except where the activities in question are substantively in an other jurisdiction.
Was the origin server that generated the set-cookie header in the US? If yes then I can see a case for US jurisdiction on the issue, but if it was in Canada, then complaint should be made in Canada.
National courts should not be in the business of regulation international internet sites. If Legislatures want to prohibi
Re: Who are the ambulance chasers this time? (Score:4, Interesting)
Negatory. Shopify chose to do business in the United States (or any other country) when they could have either geo-blocked IP addresses or not allowed goods or services to be delivered to that country. In the United States (and true for many countries), a company has to register as a foreign corporation [wikipedia.org] (other countries use different terminology or legal structures) in order to conduct business outside of the jurisdiction they are registered. One reason is to have a "registered agent" where they can be served with legal documents.
If we followed your logic, then countries are essentially giving up their sovereignty to the company as there would be no mechanism to enforce laws. GDPR--gone, Food safety regulations--gone. Perhaps your country requires payment processors collect some national tax. Some foreign company can decide not to collect said tax because they are an "international internet site" and your country's rules do not apply to them. I don't buy the libertarian pipe dream that consumers will magically bind together to punish misbehaving companies. The number of times that has been successful is small.
International business is conceptually similar to a property easement. Your neighbor (or a utility) might have the need to use part of your property. An easement that defines that need becomes part of the deed. Similarly, a foreign business wants to operate in a jurisdiction. The national and local laws that define how that occurs and sets the parameters for that operation.
The onus is on the business to comply with the laws in the areas they want to operate within.
Re: (Score:2)
I'm a more serious post. (Score:5, Interesting)
Shopify knows damn well that the person they installed the tracking on is in California. It's part of the data their are selling. Not easy to dodge that
Cookies are software? (Score:1)
Re: (Score:2)
If they aren't software, what are they?
Re:Cookies are software? (Score:4, Informative)
Cookies are data.
The part of the browser which manipulates them is software, as is the browser itself obviously.
Cookies are NOT software.
Re: (Score:2, Interesting)
Cookies are small sweet cakes.
I anticipate someone pulling this one out, so I'll beat them to it:
ACTUALLY there's no distinction between code and data, because all software can be seen as interpreters, it says so here, and I must believe this to signal my allegiance to California and the lawyerly guild when it suits me. Also, I'm a fuckwit. [c2.com]
"Pre-internet, there would be no doubt..." (Score:2, Interesting)
From the ruling: "Pre-internet, there would be no doubt that the California courts would have specific personal jurisdiction over a third party who physically entered a Californian’s home by deceptive means to take personal information from the Californian’s files for its own commercial gain. "
https://cdn.ca9.uscourts.gov/d... [uscourts.gov]
Re: (Score:1)
That is a pretty weird take on what happened.
I would say in the "pre-internet, there would be no doubt that the California courts would have laughed someone out of the room if a third party sent them a letter asking them nicely to affix serial number to their person, which they did and then came to the court crying it was used to identify them."
Re: (Score:2)
That's a terrible analogy. A more apt pre-internet would involve someone in California calling a remote merchant to order something over the phone. And that company uses ANI or CallerID to record the caller's phone number (the "cookie" in this case... it's not software, merely a unique piece of data) in a log with the timestamp, length of call, order numbers and invoices, et cetera. The merchant did not initiate the contact, nor did they send anyone into anyone else's house.
Besides, don't you know? On t
Re: (Score:2)
Besides, don't you know? On the internet, analogies must be based on automobiles
In your communication with an overseas company: you have a personal assistant whose name is Chrome or Firefox who takes your car overseas and back to make direct contact on your behalf with an overseas business.
In the course of business: the company mails back a Decal with a request to stick it to the bumper of your car; which your assistant automatically does, because it is consistent with your personal assistant company's po
Re: (Score:2)
'Hate to break it to you, but there're already, at a minimum, two somethings attached to your car that can be used to report back data about where you are driving and shopping: the license plates. Keep your Fastrak tag on your windshield? That can be used too. Have hands-free entry and ignition with the fob in your pocket? Say hello to my little friend. His name is Flipper Zero.
This is like the whinging about whether Location Services, its android equivalent, and whether Apple or Google is secretly tra
Re: (Score:2)
What's the point? This is not a pre-internet world. This is a more complicated world where Californians can send their information to other countries over various services, and nobody has to physically go anywhere. This is Also Interstate and Foreign commerce which is Not subject to the regulation of any state due to the US Constitution's dormant commerce clause.
The company doesn't enter a Californian's home or take data. It's more like the Californian packages their information up in a box (TCP Packe
Dangerous and Stupid (Score:2)
A spokesman for Shopify said the decision "attacks the basics of how the internet works," and drags entrepreneurs who run online businesses into distant courtrooms regardless of where they operate
And they are exactly right. Anyone doing anything on the internet will be either forced to geofence, or face the impossibility of compliance with a tangle of contradictory international laws possibly not even availible in language you speak.
The only people this *might* be good for are Internet mega-companies like Amazon, Alphabet, Meta, etc with armies of lawyers on the payroll and control of crticial infrastructure that makes even judges and regulators fear economic consequences associated with enforceme
Re: (Score:3)
Re: (Score:2)
Re: (Score:2)
Yup. Countries... ALL countries... need to keep their laws to their own borders and adopt China's "great firewall" method if they don't like what other people in other countries put on the internet. In this case, Kim Dotcom, Julian Assange, and more than a few actions by the EU and its constituent nations, all the way back to the first time (that I can recall) that they tried to abuse that "right to be forgotten" premise to control what I can find on google.com here in the US, versus only what could be fo
Re: (Score:2)
No offices or other facilities? No employees? No payroll? No operations in general? No jurisdiction!
Until someone in your country hacks our servers or uses our intellectual property. Then you have jurisdiction?
If you have customers in a country you are doing business there. If you have no operations in a country, then no they don't have jurisdiction because there is nothing for them to regulate. No one is suggesting someone in Mexico can sue a Canadian company in California. The question here is can someone in California sue a Canadian company in California.
Re: (Score:2)
. Anyone doing anything on the internet will be either forced to geofence, or face the impossibility of compliance with a tangle of contradictory international laws possibly not even availible in language you speak.
Only if they do business in multiple jurisdictions. Are you seriously suggesting that someone can set up a company in North Korea and not be subject to US regulation of its business in the United States?
Re: (Score:2)
And they are exactly right. Anyone doing anything on the internet will be either forced to geofence, or face the impossibility of compliance with a tangle of contradictory international laws possibly not even availible in language you speak.
Oh no, that sounds awful! ANYONE doing ANYTHING on the Internet will now be FORCED to face the impossibility yada yada!
Oh the humanity!
Anyone.
Doing anything.
I am an anyone. Wait, so are you. And we do things. We do any things.
At least we used to. We cannot anymore.
Stupid Headline (Score:2)
Today I learned that New York and Delaware are not in the United States--or at least that's the inference from the dumbass headline. A correct headline would be, "Shopify Must Face Data Privacy Lawsuit in California."
You're always the product... (Score:3)
It's because businesses like I Am Becoming rely on additional money they get from Shopify, so they turned Brandon into a product just because he purchased something from them.
And Shopify then sells all of those products that they paid for to whomever is interested in paying them for it.
So when
A spokesman for Shopify said the decision "attacks the basics of how the internet works,"
he's really referring to how doing anything online makes you a product for someone else to buy or sell and, oh yeah, f*ck you if you don't want to be a product.
GDPR (Score:3)
Not exactly on team litigious but why is this even a stretch? A bajillion websites worldwide had to spend a collective Billions to add notice/opt-out widgets to their websites years ago because that site was accessible in the EU. They're not alone (<cough>China</cough>) but, for better or worse, we've been in the internet world of "You do business here so you have to follow my laws" for a LONG time..
Cookie monster (Score:2)
"installed tracking software known as cookies"
My eyes can't roll hard enough or far enough back at this statement alone.
"Shopify Must Face" (Score:2)
Can someone explain to a non-native speaker what "must face" means in this context?
I mean, obviously if a lawsuit is filed against them they have to DEAL with it, or REACT to it, but ... "must face" somehow implies to me that there is an option of not having to "face" it, which means they can... ignore it? Somehow?
Or does "face" mean something different here?
Re: (Score:1)
"Not face" would be a ruling in Spotify's favor, that California can just fuck off.