By Mark Sanborn
Senior Product and Regulatory Counsel
The Ninth Circuit Court of Appeals recently issued a ruling that should catch the attention of every dealership nationwide. The case relates to website technology provided by website vendors, OEM partners, or advertising tech providers. But the case—Briskin v. Shopify, Inc. 135 F.4th 739 (9th Cir. 2025)— is a wake-up call for how courts are now treating many California state law claims, including those governing tracking technologies like cookies and their connection to consumer privacy.
Let’s break it down in practical terms.
The Legal Core: Personal Jurisdiction in the Digital Age
In Briskin v. Shopify, the court ruled that a company can be sued in another state based on an alleged violation of California law if it installs tracking cookies on a device located in that state, even if the company is based elsewhere and didn’t specifically target that state.
The plaintiff, a California resident, bought workout apparel through a Shopify-powered website. Unbeknownst to him, Shopify allegedly dropped cookies onto his device and collected a range of personal information, not just payment data, but also location, browser details, and more. Shopify allegedly used this data to build consumer profiles and share them with other parties.
Here’s the key takeaway: because Shopify knew the device could be located in California when it deployed its tracking tools, the court said California had jurisdiction. Shopify didn’t need to have an office in California or even “target” the state; the act of interacting with a California user’s device was enough.
What This Means for Dealerships and Their Vendors
First, regarding tracking technologies claims, if your website or any service embedded into it places cookies, pixels, or scripts on users’ devices, this decision has direct implications for you and your vendor network.
1. Cookies Now = Legal Contact
Any vendor technology that collects personal data from a visitor’s browser may legally “enter” that visitor’s state. That means:
- A New York-based adtech firm that drops a cookie on a California shopper visiting your site may now be subject to California lawsuits.
- Similarly, you, the dealership, may become part of a lawsuit if consumers believe their data was collected without proper notice or consent.
2. No More Hiding Behind “We Don’t Target Specific States”
Many third-party vendors argue they don’t “specifically target” consumers in any particular state. This ruling says that doesn’t matter. If the tool collects data from a known location, that’s enough to trigger legal exposure in that state. While this theory has been used with some success by plaintiffs in bringing claims under CIPA for non-California companies for some time, the Ninth Circuit’s ratification of this approach threatens to open the floodgates for CIPA claims against out-of-state defendants.
And it’s not just CIPA claims. The Briskin decision suggests that out-of-state companies could be subject to California’s jurisdiction for any claims implicated by their websites’ contact with California residents. This includes consumer protection laws, unfair or deceptive practices (UDAP), and the CCPA.
3. Legal Responsibility Doesn’t Stop with Your Vendor
While Shopify was the defendant in this case, dealerships often integrate services provided by:
- OEMs (manufacturer-provided digital tools)
- Website providers
- Ad vendors or behavioral targeting platforms
If these partners are using tracking tech that silently collects data from your visitors, your dealership could be swept into a legal dispute even if you didn’t directly implement the technology.
Action Items for Dealerships
To stay ahead of the risks highlighted in Briskin v. Shopify, dealership leaders should start by conducting a comprehensive audit of their website technology stack. This means identifying all third-party services running on your site, from analytics tools and chatbots to embedded payment portals or OEM widgets, and understanding whether they place cookies, track user behavior, or collect geolocation and device data. It’s essential to know not just what these tools do, but where the data they collect is going.
Next, transparency with your vendor partners is critical. Dealerships should proactively engage their website providers, advertising vendors, and OEM digital teams to understand what data is being collected through the site and which parties are accessing it. Ask your partners whether they use geolocation tools, how they manage user data, and whether their practices are aligned with the privacy laws in states where you do business, especially in states like California, Colorado, and Virginia that have enacted robust consumer privacy laws.
Finally, revisit your dealership’s privacy policy and user consent strategy. Ensure your privacy disclosures are clear, easy to find, and up to date, with explicit explanations of what data is collected and by whom. If your dealership serves consumers in privacy-sensitive jurisdictions, it may be advisable to implement a consent banner or opt-out functionality to give users control over how their data is tracked.
Bottom Line: This Isn’t Just a Shopify Problem
The Briskin decision sets a clear legal precedent: data collection tools create legal ties to the states where consumers live. That means any dealership website with embedded tracking tools, whether for personalization, analytics, or retargeting, could expose the dealership and its partners to lawsuits.
It is possible that Shopify will petition the U.S. Supreme Court to review the ruling. Whether the Court grants such a petition remains to be seen. In the meantime, the Briskin decision is the law, covering plaintiffs located in the Ninth Circuit but affecting businesses nationwide.
This is a powerful reminder to treat privacy compliance as a strategic priority, not just a legal checkbox. If you haven’t investigated how tracking tools are deployed on your website, now’s the time to look.
ComplyAuto Can Help
There’s no reason to wait—partner with ComplyAuto today and protect your dealership with confidence.
We provide a comprehensive suite of compliance solutions designed to automate and simplify your dealership’s regulatory obligations. From navigating complex federal and state privacy and data security laws to implementing privacy policies and website cookie consent banners, we’ve got you covered.
Our services extend beyond privacy, including advertising compliance tools, deal jacket audits, and VDP reviews. We also offer the industry’s most advanced EHS and Safety compliance software. Plus, our new cutting-edge tool, DealCheck AI, reviews every deal before the customer leaves the lot, identifying missing documents and errors in real-time. That means fewer unfunded deals, lower CIT, tremendous cost savings for your dealership, and a complete deal file that complies with your deal checklist every time.
At ComplyAuto, our mission is to demystify compliance and handle the heavy regulatory lifting, so your team can focus on what they do best—selling cars.