Can a technology company based in Canada be sued in California for allegedly violating Californian privacy laws? In Briskin v Shopify, the Ninth Circuit Court of Appeals said yes. The April 2025 ruling opens the door for stronger enforcement of privacy rights in a global digital marketplace and ultimately reframes data protection as not just a consumer concern, but a human rights issue grounded in dignity, autonomy, and access to justice.

Brandon Briskin, a California resident, purchased athletic wear online from a local brand. Unbeknownst to him, when he clicked “Pay now,” his personal information—including name, address, credit card details, and geolocation—was transmitted not just to the merchant, but to Shopify, the Canadian platform powering the brand’s e-commerce backend. Shopify, according to the complaint, installed tracking cookies, gathered behavioral data, and compiled user profiles without notice or consent. Briskin sued under California’s Invasion of Privacy Act for unlawful wiretapping, the Computer Data Access and Fraud Act for data theft, and both the Consumer Privacy Act and Online Privacy Protection Act for failing to provide notice and obtain consent. He also brought invasion of privacy claims under the California Constitution and the Fourth Amendment of the U.S. Constitution.

Shopify argued it could not be sued in California simply because its software interacted with a California user. The lower court agreed and dismissed the case for lack of personal jurisdiction. But the Ninth Circuit, sitting en banc, reversed. It found that Shopify had “deliberately targeted” California residents by embedding software that collected and monetized user data, fully aware those users were in California.

From Cookies to Courts: Why Jurisdiction Matters

The Ninth Circuit’s decision rests on the doctrine of specific personal jurisdiction. Courts must assess whether a defendant’s actions were purposefully directed at the forum state. Shopify’s defense—that it merely built a platform accessible everywhere—failed to pass muster. The Court concluded Shopify purposefully directed its conduct toward California based on evidence the company tracked user location, extracted data, and marketed profiles derived from data to merchants in the state.

Importantly, the Court rejected the idea that jurisdiction depends on “differential targeting.” In other words, the Court rejected the argument that jurisdiction depends on treating California users differently from users in other locations. What matters, the Court held, is whether a platform makes the deliberate choice to enter a state through its digital infrastructure and engage with its residents. If so, it must answer for violations of their rights.

This framing has far-reaching implications. As digital commerce becomes more embedded in everyday life, so does the risk of data extraction that operates invisibly, without meaningful consent. For many users, especially in jurisdictions without robust federal protections, state laws like the CCPA serve as the last line of defense.

Privacy as a Human Right, Not Just a Statute

International human rights law recognizes privacy as a core right. Article 17 of the International Covenant on Civil and Political Rights (ICCPR) prohibits arbitrary interference with privacy, and the European Union’s General Data Protection Regulation (GDPR) enshrines principles of consent, transparency, and user control.

This stands in stark contrast to the U.S., where privacy law remains piecemeal, and enforcement is often limited to state-driven efforts. Without a federal equivalent to the GDPR, enforcement often depends on users’ ability to bring claims under state law. The Briskin decision strengthens legal pathways by affirming that privacy travels with the person—not the platform—even when foreign companies reach into Californians’ devices and homes.

The decision also echoes international principles of accountability. Under the UN Guiding Principles on Business and Human Rights, companies have a duty to respect human rights wherever they operate, and states have an obligation to provide access to remedies. Briskin delivers on that mandate by ensuring users are not left without recourse simply because the company exploiting their data resides across a border.

As online platforms increasingly serve global audiences, cases like Briskin are setting new precedents for cross-border digital accountability. The Court’s opinion signals that companies cannot insulate themselves from local privacy laws by hiding behind backend infrastructure. Briskin reminds us that what happens on a user’s device without informed consent is not just a technical process—it is a matter of rights, power, and the ability to hold companies accountable when that power is abused.