CIPA Litigation Persists For Online Businesses While Reform Bill Sits Idle

The past year has seen sweeping developments in personal jurisdiction doctrine as applied to online privacy litigation, particularly in California. In April 2025, the Ninth Circuit’s en banc decision in Briskin v. Shopify, Inc.[1] recalibrated the specific-jurisdiction analysis for nationwide e-commerce platforms accused of harvesting and monetizing consumer data, expressly rejecting any requirement of “differential targeting” of the forum. In the months that followed, however, two California district courts—addressing suits against a hotel holding company[2] and a Georgia retailer[3]—dismissed privacy claims for lack of personal jurisdiction, underscoring the continuing burden on plaintiffs to connect alleged data practices to defendants’ own, forum-directed conduct. Meanwhile, Sacramento has put on ice a legislative effort (SB 690)[4] to narrow the scope of the California Invasion of Privacy Act (CIPA), ensuring that current litigation dynamics will persist at least through 2026. Together, these cross currents define a more nuanced and fact-intensive landscape for companies that sell online, deploy tracking technologies, or publish omnibus privacy statements.

Briskin’s Reframing: Purposeful Direction Without ‘Differential Targeting’

In Briskin, the Ninth Circuit revived a putative privacy class action against Shopify, holding that the plaintiff made a prima facie showing of specific jurisdiction in California.[5] The complaint alleged that Shopify’s platform installed tracking tools, intercepted communications, and extracted personal and transactional data from California consumers, using the data for Shopify’s own commercial benefit.[6] The court held that such conduct—designed into the platform’s business model—constituted purposeful direction at California even though Shopify cultivated a nationwide audience.[7] Crucially, the en banc court overruled prior circuit precedent to the extent it demanded “differential targeting” of the forum, clarifying that an interactive platform “expressly aims” conduct at a state when the relevant contacts are the product of the defendant’s own choices and are not random, isolated, or fortuitous.[8] The court also concluded the claims “arose out of or related to” those forum contacts and that the exercise of jurisdiction was reasonable given California’s interest in protecting resident privacy and the efficiencies of litigating where the alleged data extraction occurred.[9]

Briskin thus lowers a doctrinal hurdle that had often shielded nationwide platforms: plaintiffs need not show that a defendant singled out California with bespoke marketing or state-specific features if the business model itself predictably and deliberately extracts Californians’ data for commercial gain. At the same time, Briskin did not dispense with the requirement that jurisdiction be anchored in the defendant’s own forum contacts—not those of third parties—and that the alleged harms relate to those contacts.

District Courts Draw Lines: Passive Policies, Third-Party Scripts, and General Online Sales Are Not Enough

Two subsequent district court rulings illustrate the remaining limits of specific jurisdiction where the defendant’s own California-directed conduct is thin.

First, in a Northern District of California case against a hotel holding company, the court granted a Rule 12(b)(2) motion and dismissed for lack of personal jurisdiction.[10] Plaintiffs alleged the company operated a website facilitating shopping for and leasing rooms in California and pointed to a global privacy statement referencing California law and opt-out rights.[11] The court credited an uncontested declaration establishing that the holding company did not itself operate hotels or maintain a California presence and emphasized that the complaint alleged data collection via third-party scripts on the website, not by the defendant itself.[12] Distinguishing Briskin, the court found no allegations that the defendant targeted California consumers or compiled their data for its own use; nor would a general, globally accessible privacy statement, standing alone, create jurisdiction in every state where it is read.[13] The dismissal was with leave to amend, but the court warned that failure to cure the jurisdictional defects could lead to dismissal without further leave.

Next, the Central District of California dismissed with prejudice a CIPA “trap and trace” action against a Georgia-based e‑commerce retailer.[14] The plaintiff alleged the retailer installed TikTok’s software on its website, which collected and transmitted visitor data (including device and geolocation information) to TikTok.[15] Despite amended allegations that the retailer sells and ships to California, the court held there was no express aiming at California and no showing that the plaintiff’s injury arose out of California‑focused conduct by the retailer itself.[16] The court again distinguished Briskin, explaining that the defendant was not a nationwide platform cultivating a ubiquitous audience for commercial gain and that the forum contacts of a third-party technology provider (TikTok) could not be imputed to the retailer.[17] Because the plaintiff failed to satisfy either of the first two prongs of the Ninth Circuit’s specific-jurisdiction test, the case was dismissed in its entirety with prejudice.

Read together, these decisions signal that Briskin is not a jurisdictional panacea. Plaintiffs must still plausibly allege that the defendant’s own business choices foreseeably involved extracting or exploiting data from California users and that their claims arise out of those contacts. Passive website features, generalized privacy statements that acknowledge California law, routine interstate sales and shipping, and the mere incorporation of third-party code will not, without more, establish specific jurisdiction.

Legislative Stasis: CIPA Reform Deferred, Litigation Continues

In parallel, California’s attempt to cabin CIPA exposure has stalled. SB 690—introduced to add a “commercial purpose” exception to several CIPA provisions (including Sections 631, 632, and 638.50)—passed the Senate 35–0 but failed to advance in the Assembly and has been reclassified as a two-year bill.[18] The earliest it could be reconsidered is 2026, with no effect before 2027 even if enacted. The bill would have clarified that routine website practices such as session replay, chat support, and third‑party analytics do not amount to unlawful wiretapping or eavesdropping when employed for legitimate commercial purposes. With reform delayed, businesses remain exposed to continuing CIPA litigation and statutory damages of $5,000 per violation amid inconsistent judicial interpretations, as reflected in recent appellate activity involving website tracking and chat technologies.

Practical Implications for Online Businesses

The immediate takeaway is twofold. First, Briskin expands potential jurisdictional exposure for platforms whose business models inherently rely on the collection and commercialization of consumer data across state lines, including California. For such entities, the absence of California-specific targeting may no longer bar suit in California if the alleged data extraction from Californians is part of the platform’s designed operations. Second, for traditional retailers and brand owners that merely operate an online storefront, ship to California, and implement off‑the‑shelf tracking pixels or SDKs[19] provided by third parties, the recent district court dismissals demonstrate that specific jurisdiction in California remains contestable—often successfully—unless plaintiffs can tie their privacy claims to the defendant’s own forum-directed conduct.

Given the legislative standstill on CIPA, the litigation environment will remain active and uncertain through at least 2026. Companies should expect continued, early-stage battles over personal jurisdiction, with outcomes turning on the specificity of pleadings concerning a defendant’s business choices, the locus of any alleged data extraction, and the relationship between those contacts and the asserted harms. Briskin has shifted the center of gravity, but it has not erased the boundaries between nationwide platforms that deliberately harvest data from Californians and out‑of‑state retailers whose incidental California web traffic and generalized privacy policies, without more, do not constitute purposeful direction.

[1] 135 F.4th 739 (9th Cir. 2025)

[2] Shah v. Hilton Worldwide Holdings Inc., No. 25-CV-01018-EKL, 2025 WL 1683577 (N.D. Cal. June 11, 2025)

[3] Rounds v. Case-Mate Inc., No. 2:24-CV-08531-WLH-RAO, 2025 WL 1873999 (C.D. Cal. July 2, 2025)

[4] 2025 California Senate Bill No. 690, California 2025-2026 Regular Session

[5] Briskin v. Shopify, 135 F.4th 739, 755 (9th Cir. 2025)

[6] Id. at 746-747.

[7] Id. at 756.

[8] Id. at 758.

[9] Id. at 760.

[10] Shah v. Hilton Worldwide Holdings Inc., No. 25-CV-01018-EKL, 2025 WL 1683577 (N.D. Cal. June 11, 2025)

[11] Id. at *2.

[12] Id.

[13] Id. at *2-3.

[14] Rounds v. Case-Mate Inc., No. 2:24-CV-08531-WLH-RAO, 2025 WL 1873999 (C.D. Cal. July 2, 2025)

[15] Id. at *1.

[16] Id. at *6

[17] Id. at *7

[18] See 2025 California Senate Bill No. 690, California 2025-2026 Regular Session

[19] Software development kits

——————————————————————–

This DarrowEverett Insight should not be construed as legal advice or a legal opinion. This Insight is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. The contents are intended for general informational purposes only, and you are urged to consult your attorney concerning any particular situation and any specific legal question you may have. Please reach out to us if you need help addressing any of the issues discussed in this Insight, or any other issues or concerns you may have relating to your business. We are ready to help guide you through these challenging times.

This Insight does not constitute written tax advice as described in 31 C.F.R. §10, et seq. and is not intended or written by us to be used and/or relied on as written tax advice for any purpose including, without limitation, the marketing of any transaction addressed herein. Any U.S. federal tax advice rendered by DarrowEverett LLP shall be conspicuously labeled as such, shall include a discussion of all relevant facts and circumstances, as well as of any representations, statements, findings, or agreements (including projections, financial forecasts, or appraisals) upon which we rely, applicable to transactions discussed therein in compliance with 31 C.F.R. §10.37, shall relate the applicable law and authorities to the facts, and shall set forth any applicable limits on the use of such advice.