Class Action Against Shopify Dismissed for Lack of Jurisdiction

The U.S. District Court for the Northern District of California dismissed a consumer class action against Ledger SAS’s e-commerce vendor Shopify Inc. because of its locale – Shopify is headquartered in Ottawa, Canada. Judge Edward M. Chen said in his decision earlier this week that the plaintiffs failed to satisfy their burden to demonstrate that Ledger “purposefully directed” its activity at California, or that the plaintiffs’ claims “ar[ose] out of” Ledger’s California-related activities.

The class action alleged that Ledger violated state consumer protection laws when it suffered two separate data breaches of information about customers  who bought Ledger cryptocurrency wallets through Shopify’s platform between July 2017 and June 2020. The first breach was a result of rogue Shopify employees who exported data from the company, including customer records. The second breach was the result of hackers who gained access to 1 million customers’ email addresses and 9,500 customers’ contact information.

However, the court found that it lacked both general jurisdiction and specific jurisdiction over Ledger/Shopify. The court said in its decision, “Plaintiffs argue that the Court has general jurisdiction over Shopify, but concede that Shopify is neither incorporated in California (it is a Delaware corporation), nor is California Shopify’s principal place of business (Shopify USA’s principal place of business is Ottawa, Canada). Instead, to support their contention that the Court has general jurisdiction over Shopify, Plaintiffs observe that Shopify previously listed San Francisco, CA as its principal place of business since 2014, including, allegedly, during the time period that the data breach took place in 2019.” This was not enough to establish general jurisdiction.

The court also noted in its decision, “The placement of a product into the stream of commerce, without more, is not an act the defendant purposefully directed toward the forum state,” and therefore, again, the plaintiffs’ argument was not enough to establish specific jurisdiction either.

The court found that it did not have personal jurisdiction over a French company with a Canadian subsidiary, even though it collected and maintained (and breached) U.S. residents’ data. Read the full decision here.