The U.S. District Court for the Northern District of California dismissed a consumer class action against Ledger SAS’s e-commerce vendor Shopify Inc. because of its locale – Shopify is headquartered in Ottawa, Canada. Judge Edward M. Chen said in his decision earlier this week that the plaintiffs failed to satisfy their burden to demonstrate that Ledger “purposefully directed” its activity at California, or that the plaintiffs’ claims “ar[ose] out of” Ledger’s California-related activities.

The class action alleged that Ledger violated state consumer protection laws when it suffered two separate data breaches of information about customers  who bought Ledger cryptocurrency wallets through Shopify’s platform between July 2017 and June 2020. The first breach was a result of rogue Shopify employees who exported data from the company, including customer records. The second breach was the result of hackers who gained access to 1 million customers’ email addresses and 9,500 customers’ contact information.

However, the court found that it lacked both general jurisdiction and specific jurisdiction over Ledger/Shopify. The court said in its decision, “Plaintiffs argue that the Court has general jurisdiction over Shopify, but concede that Shopify is neither incorporated in California (it is a Delaware corporation), nor is California Shopify’s principal place of business (Shopify USA’s principal place of business is Ottawa, Canada). Instead, to support their contention that the Court has general jurisdiction over Shopify, Plaintiffs observe that Shopify previously listed San Francisco, CA as its principal place of business since 2014, including, allegedly, during the time period that the data breach took place in 2019.” This was not enough to establish general jurisdiction.

The court also noted in its decision, “The placement of a product into the stream of commerce, without more, is not an act the defendant purposefully directed toward the forum state,” and therefore, again, the plaintiffs’ argument was not enough to establish specific jurisdiction either.

The court found that it did not have personal jurisdiction over a French company with a Canadian subsidiary, even though it collected and maintained (and breached) U.S. residents’ data. Read the full decision here.

Photo of Kathryn Rattigan Kathryn Rattigan

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security…

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security compliance. Kathryn helps clients review, revise and implement necessary policies and procedures under the Health Insurance Portability and Accountability Act (HIPAA). She also provides clients with the information needed to effectively and efficiently handle potential and confirmed data breaches while providing insight into federal regulations and requirements for notification and an assessment under state breach notification laws. Prior to joining the firm, Kathryn was an associate at Nixon Peabody. She earned her J.D., cum laude, from Roger Williams University School of Law and her B.A., magna cum laude, from Stonehill College. She is admitted to practice law in Massachusetts and Rhode Island. Read her full rc.com bio here.