Keypoint: In this post: (1) The Ninth Circuit holds essentially any website can be sued in California; (2) two courts limit pen registry claims; (3) courts split on whether privacy policies establish consent for wiretapping claims; (4) Arizona court rejects “spy pixel” theory; and (5) courts continue to expand what is “content” for wiretapping claims.
This is our twenty-third installment in our data privacy litigation report covering decisions from the previous month. If you have any thoughts on what you would like to see (either in content or form) from these posts, please don’t hesitate to reach out and let us know.
There are many courts currently handling data privacy cases across the nation. Although illustrative, this update is not intended to be exhaustive. If there is another area of data privacy litigation about which you would like to know more, please reach out. The contents provided below are time-sensitive and subject to change. If you are not already subscribed to our blog, consider doing so to stay updated. If you are interested in tracking developments between blog posts, consider following us on LinkedIn. Finally, for an overview of current U.S. data privacy litigation trends and issues, see Part 2 here.
Five Privacy Litigation Takeaways from April 2025
- Takeaway #1: The Ninth Circuit holds Shopify can be sued in California, overturning a 2022 district court decision and earlier Ninth Circuit precedent.
In a long-anticipated decision, on April 21 the Ninth Circuit, sitting en banc (meaning all judges participated rather than a three-judge panel), held an online company, Shopify, could be sued in California for alleged privacy violations. This is a very legal-heavy takeaway; so those of you who are in-house counsel may enjoy this more than our non-attorney readers.
The facts of this case are similar to almost any case we cover: the plaintiff visited a website and went to make a purchase. The plaintiff believed they were sharing their payment information with the website and did not know the information was instead sent to a third party (in this case Shopify) who then used certain information about the plaintiff for their own commercial purposes. This case, however, has a uniquely long procedural history. The plaintiff filed its lawsuit on August 13, 2021. On May 5, 2022, the Northern District of California dismissed the complaint, finding the court lacked personal jurisdiction over Shopify because Shopify did not expressly aim its conduct into California but instead treated the plaintiff the same as it would have treated a user from any state. A three-judge panel from the Ninth Circuit had affirmed on November 28, 2023, but the entire Ninth Circuit later vacated that affirmance on May 14, 2024. The Ninth Circuit heard oral argument on September 26, 2024, which we previously covered for ByteBack+ members in our September 2024 post. (This May 2025 decision is not surprising for those who listened to the oral argument, where at least one judge fixated on whether Shopify knew a user was accessing the website from California based on the IP address.)
The Northern District of California, the November 2023 three-judge Ninth Circuit panel, and the May 2025 Ninth Circuit panel each applied the Calder “effects test,” which requires the defendant (1) commit an intentional act, that is (2) expressly aimed at the forum state, and (3) which causes harm that the defendant knows will be suffered in the...
