Shopify Hit with Privacy Lawsuit Over Tracking Customer Data Without Consent

Shopify is facing a major data privacy lawsuit in the U.S. that could reshape how global companies are held responsible for handling personal information. A proposed class action lawsuit—originally dismissed by a lower court—is now back in motion after a full panel of judges from the 9th Circuit Court of Appeals revived the case.

Shopify, based in Ottawa, Canada, powers online and offline stores for millions of businesses around the world. To do this, it collects customer information such as names, email addresses, phone numbers, IP addresses, and device details. Shopify says this data is essential for processing orders, managing payments, and ensuring a smooth shopping experience. The company claims it uses strong security measures and follows privacy laws like GDPR.

However, California resident Brandon Briskin says Shopify placed tracking cookies on his iPhone without his permission when he bought athletic wear from a retailer using the platform. He accuses Shopify of using his data to build a user profile that was then shared or sold to other merchants.

Shopify argued it shouldn’t be sued in California because it's a global company not specifically targeting that state. A lower court agreed and dismissed the case. But the full 9th Circuit reversed that decision, saying Shopify intentionally reached out to Californians by installing tracking software and collecting their data—actions that weren’t random or accidental.

A Shopify spokesperson criticized the ruling, saying it sets a dangerous precedent by allowing lawsuits from anywhere, which could burden small businesses selling online. Meanwhile, Briskin’s lawyer welcomed the court’s stance, saying companies can no longer hide behind the excuse that they’re “everywhere” but “nowhere” in particular.

This case could have wide-reaching implications for how internet-based companies are regulated in the U.S., especially those that collect and use consumer data across state lines. Multiple states have backed the decision, arguing for the right to enforce their own consumer protection laws on companies operating in their markets.

The court’s approach—called the "traveling cookie rule"—suggests that installing tracking software across state lines can create legal grounds for local lawsuits, marking a possible shift in how digital privacy rights are upheld in the U.S.