Listen to this post

Keypoint: In this post: (1) The Ninth Circuit holds essentially any website can be sued in California; (2) two courts limit pen registry claims; (3) courts split on whether privacy policies establish consent for wiretapping claims; (4) Arizona court rejects “spy pixel” theory; and (5) courts continue to expand what is “content” for wiretapping claims.

This is our twenty-third installment in our data privacy litigation report covering decisions from the previous month. If you have any thoughts on what you would like to see (either in content or form) from these posts, please don’t hesitate to reach out and let us know.

There are many courts currently handling data privacy cases across the nation. Although illustrative, this update is not intended to be exhaustive. If there is another area of data privacy litigation about which you would like to know more, please reach out. The contents provided below are time-sensitive and subject to change. If you are not already subscribed to our blog, consider doing so to stay updated. If you are interested in tracking developments between blog posts, consider following us on LinkedIn. Finally, for an overview of current U.S. data privacy litigation trends and issues, see Part 2 here.

Five Privacy Litigation Takeaways from April 2025

  • Takeaway #1: The Ninth Circuit holds Shopify can be sued in California, overturning a 2022 district court decision and earlier Ninth Circuit precedent.

      In a long-anticipated decision, on April 21 the Ninth Circuit, sitting en banc (meaning all judges participated rather than a three-judge panel), held an online company, Shopify, could be sued in California for alleged privacy violations. This is a very legal-heavy takeaway; so those of you who are in-house counsel may enjoy this more than our non-attorney readers.

      The facts of this case are similar to almost any case we cover: the plaintiff visited a website and went to make a purchase. The plaintiff believed they were sharing their payment information with the website and did not know the information was instead sent to a third party (in this case Shopify) who then used certain information about the plaintiff for their own commercial purposes. This case, however, has a uniquely long procedural history. The plaintiff filed its lawsuit on August 13, 2021. On May 5, 2022, the Northern District of California dismissed the complaint, finding the court lacked personal jurisdiction over Shopify because Shopify did not expressly aim its conduct into California but instead treated the plaintiff the same as it would have treated a user from any state. A three-judge panel from the Ninth Circuit had affirmed on November 28, 2023, but the entire Ninth Circuit later vacated that affirmance on May 14, 2024. The Ninth Circuit heard oral argument on September 26, 2024, which we previously covered for ByteBack+ members in our September 2024 post. (This May 2025 decision is not surprising for those who listened to the oral argument, where at least one judge fixated on whether Shopify knew a user was accessing the website from California based on the IP address.)

      The Northern District of California, the November 2023 three-judge Ninth Circuit panel, and the May 2025 Ninth Circuit panel each applied the Calder “effects test,” which requires the defendant (1) commit an intentional act, that is (2) expressly aimed at the forum state, and (3) which causes harm that the defendant knows will be suffered in the forum state. The courts focused on the second requirement: whether Shopify expressly aimed its intentional acts at California. While the 2022 and 2023 decisions found it had not, the April 2025 decision disagreed, overturned the 2022 district court decision, and overturned some other Ninth Circuit precedent in the process.

      The April 2025 court first found Shopify’s business model involved not only providing the payment processing services but also obtaining valuable personal data about consumers for Shopify’s own commercial gain. The court reasoned that if Shopify had broken into a consumer’s physical home to take their personal information, there would be no question that Shopify expressly aimed its activity at a location in California and, thus, that the entry instead was by electronic means does not change the result.

      The court also addressed the Supreme Court’s Walden decision, which Shopify argued required the defendant’s contacts with the forum be with the State itself and not merely the people who live in the State. The court held “this argument overreads Walden” where the defendant had never contacted anyone in the forum state.

      The court next rejected the argument that “differential targeting”—treating users from a certain geographic area differently than others—is necessary for the “express aiming” requirement to be met. The court limited its prior decision AMA Multimedia LLC v Wanat, 970 F.3d 1201 (9th Cir. 2020). That decision had relied on another Ninth Circuit decision, Mavrix Photo, which had held a company’s internet activity may subject the company to specific personal jurisdiction if the company “knows—either actually or constructively” about its customer base in a specific forum and “exploits that base for commercial gain.” The Shopify court found AMA misread Mavrix Photo to require some sort of “differential treatment” for a finding that the defendant had expressly aimed their conduct into the forum state and overruled both “AMA and any other cases that require some sort of differential treatment of the forum state . . . .” The Shopify court concluded this section by stating its revised standard: “an interactive platform ‘expressly aims’ its wrongful conduct toward a forum state when its contacts are its ‘own choice and not ‘random, isolated, or fortuitous,’’ . . . even if that platform cultivates a “nationwide audience[ ] for commercial gain.’” (internal citations omitted).

      Two other opinions—one a concurrence and one a dissent—are of special note. Judge Callahan issued a dissenting opinion in which he described the effect of the majority opinion: “Now, instead of having to ‘expressly aim’ conduct at a forum, jurisdiction attaches if the company fails to ‘expressly avoid’ a forum.” Judge Collins, however, joined the majority’s holding but also issued a concurrence opinion wherein he shared his opinion that the majority did not go far enough, stating: “If a company develops a web-based business for the purpose of conducting online transactions in all 50 States, it should not be surprised that it may be sued in any State for unlawful transactions that may occur within that State.” Neither of these statements are controlling law but do shed some light on how future case law may develop.

      We expect plaintiffs in active or recently resolved litigation to heavily rely on this April 2025 decision to defeat defendants’ personal jurisdiction arguments. For example, a decision issued from the Northern District of California just 11 days before the Ninth Circuit’s decision rejected the plaintiffs’ argument that the defendant “knowingly enables the sale of Californians’ information, which it obtains by installing trackers on website visitors’ computers and earns significant revenue as a result, finding this failed to establish personal jurisdiction because the plaintiff’s allegations at best alleged the defendant targeted website users in general, some of whom happen to live in California. In this and similar cases we expect plaintiffs to argue this is no longer good law after the Shopify decision.

      • Takeaway # 2: Two separate California courts limit pen registry claims based on TikTok.

      Two separate California courts—a Superior Court in Los Angeles and a federal Central District of California case—dismissed claims that alleged a website’s use of the TikTok software violated California’s “pen registry” law.

      On April 1, a California superior court (the lowest level court in California’s state system) dismissed a claim after finding the TikTok software could not be a pen registry or tap and trace device as those were defined under California’s law.  The court first found Section 638.51 was not limited to telephones or devices that “attach” to a telephone and could website software. The court continued, however, and held the TikTok software is not a tap and trace device. The court relied on the definition of a “tap and trace device” under Section 638.51, which defines the device “as a device or process that captures the incoming electronic or other impulses that identify the originating number or other dialing, routing , addressing, or signaling information reasonably likely to identify the source of a wire or electronic communication, but not the contents of a communication.” The court found the allegations showed the TikTok software sent both non-content and content, including images, to TikTok. Because these allegations contradict the statutory definition, the court dismissed the complaint.

      A few days later, a Central District of California court dismissed another pen registry claim based on the TikTok software after finding the plaintiff consented to the alleged activity when she accessed the website with the intent to “test” its privacy compliance. The plaintiff alleged she “is a consumer privacy advocate who works as a ‘tester’ to ensure that companies abide by the privacy obligations imposed by California law.” The Court had previously dismissed the plaintiff’s wiretapping claim after finding that “as a tester that actively seeks out privacy violations, ‘[the plaintiff] had no expectation of privacy’ when she visited Defendant’s website, and therefore, lacked an injury in fact sufficient to establish standing. The court then sua sponte (i.e., on its own initiative) applied the same reasoning to the plaintiff’s pen registry claim. In doing so, the court rejected the plaintiff’s argument that other courts found a tester had standing even though she expected or sought out an injury, finding those decisions involved First Amendment and ADA claims for which the plaintiffs were injured regardless of their expectations or intentions. In contrast, privacy claims depend upon the plaintiff’s reasonable expectations. Because plaintiff expected her information to be recorded and disclosed “she cannot claim an injury when her expectations were ultimately met.”

      • Takeaway # 3: Two courts dismiss wiretapping claims after finding the plaintiff consented to the alleged activity while another court declares the privacy policy creates a factual issue to be resolved later.

      Two California federal courts—one from the Northern District and one from the Central District—dismissed plaintiffs’ claims after finding the plaintiffs consented to the alleged activity. On April 2, a Northern District court concluded that the “issue of consent defeat[ed] all of Plaintiffs’ claims.” The defendant argued the plaintiffs had consented to the alleged activity when they interacted with the cookies banner, created accounts on the site, which required the user to accept the website’s terms of use and privacy policy, and made purchases, when the terms of use and privacy policy were again displayed. Plaintiffs sought a request for leave to amend, but the court denied the request because any amendment would be “futile” as plaintiffs could not “amend their complaint to overcome the issue of consent.”

      Later that month, a Central District of California court held a plaintiff had consented to the alleged activity because the website’s privacy policy disclosed the website collected and shared identifiers, purchase history, and search history among other items, which were then disclosed to “marketing providers.” This court allowed the plaintiff leave to amend the complaint however.

      In direct contrast to these decisions, a Northern District of California court held the privacy policy presented a factual dispute and denied a motion to dismiss. Although the parties agreed the plaintiffs accepted the privacy policy, the court nevertheless denied the motion to dismiss on this ground. The court found a factual dispute over whether the privacy policy disclosed the alleged activity simply from the disclosure that the website collects information through “cookies and beacons.” The court also found the privacy policy did not disclose the third parties could use the information for their own commercial purposes.

      • Takeaway # 4: An Arizona District Court rejects plaintiffs’ “spy pixel” theory.

      Although not covered as extensively as wiretapping, pen registry, and other privacy theories – website owners have faced demand letters and lawsuits that allege their use of pixels in emails to track open rates and similar information violate various state laws. Arizona’s Telephone, Utility, and Communiatoins Service Records Act (or “TUCSRA” for a shorter but not much easier way to refer to the law) has been an often-cited statute in such allegations. After an April 16, 2025, decision from a District of Arizona court, however, that may no longer be true.

      The plaintiff alleged a company known for their California-style of surfer fashion violated TUCSRA when the defendant embedded “spy pixels” in its marketing emails that allowed it to capture “sensitive information, including the time and place where plaintiff and other Arizona residents open the email and what contents they click on.” The court found TUCSRA was “not aimed at regulating any entity that sends or receives communication[s], but rather those that provide the infrastructure and services enabling communication.” Because the defendant was obviously not such an entity, the court dismissed the plaintiff’s claim. The district court’s decision is not binding but is certainly persuasive and may limit this theory.

      • Takeaway #5: Courts continue to expand what is considered “content” for wiretapping claims.

      Unlike a pen registry or tap and trace device, wiretapping laws are limited to the interception of the “content” of a message. Historically, this meant what people were saying on a telephone. In 2014, the Ninth Circuit’s In re Zynga Privacy Litig. decision held “contents” referred “to the intended message conveyed by the communication, and does not include record information regarding the characteristics of the message that is generated in the course of the communication.” The court continued on to reject the plaintiff’s argument that the URL at issue in that case was the “content” of a communication, but noted in some circumstances a URL could be content, such as when a user’s request to a search engine for specific information shows the specific search terms the user had communicated to the search engine. The Ninth Circuit’s 2014 decision has been cited by more than 120 other courts, who in turn have tried to resolve when something is content.

      Two decisions in April further push that balance toward including URLs as content. On April 4, a Northern District of California court found readable versions of the plaintiffs’ PII (names, addresses, and telephone numbers) that were generated when the user entered that information into a website form was content. The court further found the collections of the plaintiffs’ URLs, button clicks, and viewing/cart history disclosed the plaintiffs’ Personal interests, queries, and habits” and was therefore “plausibly alleged to be content.”  Ten days later, a Central District of California court also rejected an argument that transmitting what a user selected from a pre-defined menu option was not content, finding the plaintiff alleged the information was “from the user.”

      Print:
      Email this postTweet this postLike this postShare this post on LinkedIn
      Photo of Dustin Taylor Dustin Taylor

      Dustin is a litigator whose practice primarily focuses on intellectual property disputes, including patent, trademark, and trade secret matters. He also has experience in litigation involving data access, including claims made under the California Unfair Competition Law, the Computer Fraud and Abuse Act…

      Dustin is a litigator whose practice primarily focuses on intellectual property disputes, including patent, trademark, and trade secret matters. He also has experience in litigation involving data access, including claims made under the California Unfair Competition Law, the Computer Fraud and Abuse Act, and the California Computer Data Access and Fraud Act.

      Read more about Dustin Taylor
      Show more Show less
      Photo of Owen Davis Owen Davis

      Owen assists employers across industry sectors – from small businesses to Fortune 500 corporations – to identify changing workplace law at a local, state and federal level. He offers legal guidance on employment agreements, restrictive covenants, personnel policies and other human resources issues.

      Owen assists employers across industry sectors – from small businesses to Fortune 500 corporations – to identify changing workplace law at a local, state and federal level. He offers legal guidance on employment agreements, restrictive covenants, personnel policies and other human resources issues. Owen also represents employers before state and federal courts as well as administrative agencies on matters related to discrimination, retaliation, harassment, and wage and hour violations.

      Read more about Owen Davis
      Show more Show less
      Related Posts
       U.S. Privacy Litigation Update: March 2025
      April 15, 2025
       U.S. Privacy Litigation Update: February 2025
      March 10, 2025
       U.S. Privacy Litigation Update: January 2025
      February 17, 2025