On January 21, 2026, Judge Phyllis J. Hamilton, in the Northern District of Californi,a issued a mixed ruling on defendants’ motion to dismiss in Briskin v. Shopify Inc., a putative class action alleging that Shopify unlawfully collected and used consumer data without consent.
Background
The plaintiff, Brandon Briskin, alleges that Shopify—which operates an e-commerce platform providing payment processing services to millions of online merchants—collected sensitive consumer data, including names, addresses, email addresses, credit card numbers, IP addresses, and geolocation information, without users’ knowledge or consent. Plaintiff claims that when consumers enter payment information on a Shopify merchant’s website, it appears they are communicating directly with the merchant, but in reality, Shopify’s software generates the payment form and collects all information entered. The complaint further alleges that Shopify compiles consumer data into individualized profiles and shares this information with merchants and third parties.
Plaintiff brought claims under the California Invasion of Privacy Act (CIPA) §§ 631 and 635, the California Constitution, common law intrusion upon seclusion, the California Computer Data Access and Fraud Act (CDAFA), and the California Unfair Competition Law (UCL).
Claims Dismissed Without Leave to Amend. The court dismissed Plaintiff’s CIPA § 635 claim with prejudice, holding that the statute requires injury from the “manufacture, sale, or assembly of an eavesdropping device,” not mere “use” of such a device. Because Plaintiff could not amend to allege injury through manufacture, sale, or assembly of Shopify’s software, this claim was dismissed without leave to amend.
Claims Dismissed With Leave to Amend. All remaining claims (CIPA § 631, invasion of privacy, intrusion upon seclusion, CDAFA, and UCL) were dismissed with leave to amend for two primary reasons:
- Lack of Factual Support. The court found that Plaintiff failed to present adequate factual support for his allegations that Shopify engaged in the challenged data collection practices in 2019, when Plaintiff made his purchase. Plaintiff discovered Shopify’s involvement through a 2021 privacy policy disclosure and then inferred the same practices occurred in 2019 without that disclosure—but the court found this reasoning speculative.
- Insufficient Allegations of Intent. For claims under CIPA § 631, invasion of privacy, intrusion upon seclusion, and CDAFA, the court held that Plaintiff failed to adequately allege that Shopify acted with the requisite intent to access consumer information without permission. Because Shopify’s policies required merchants to obtain consumer consent, Shopify’s state of mind remained the same regardless of whether individual merchants complied with that requirement.
Motion Denied in Part. The court rejected several of Shopify’s arguments, including that CIPA § 635 requires intent or knowledge that a device would be used unlawfully, that Shopify qualifies as a mere “service provider” exempt from liability, and that Plaintiff’s claims were barred by the statute of limitations. The court also declined to dismiss the CDAFA claim for lack of damages, finding that Plaintiff’s disgorgement theory was supported by Ninth Circuit authority. Similarly, the court denied dismissal of the UCL claim on injury grounds, concluding that unlawful access to personal information can cause cognizable harm.
Briskin v. Shopify Inc., No. 21-CV-06269-PJH, 2026 WL 161441 (N.D. Cal. Jan. 21, 2026).
