throbber
Case 3:21-cv-06269-SK Document 1 Filed 08/13/21 Page 1 of 42
`
`
`
`
`GUTRIDE SAFIER LLP
`Seth A. Safier (State Bar No. 197427)
` seth@gutridesafier.com
`Marie McCrary (State Bar No. 262670)
` marie@gutridesafier.com
`Todd Kennedy (State Bar No. 250267)
` todd@gutridesafier.com
`100 Pine Street, Suite 1250
`San Francisco, California 94111
`Telephone: (415) 639-9090
`Facsimile: (415) 449-6469
`Attorneys for Plaintiff
`
`
`
`UNITED STATES DISTRICT COURT
`
`FOR THE NORTHERN DISTRICT OF CALIFORNIA
`
`SAN FRANCISCO DIVISION
`
`
`
`Brandon Briskin, on behalf of
`himself and those similarly situated,
`Plaintiff,
`
`v.
`
`Shopify Inc. and Shopify (USA)
`Inc.,
`
` Defendants.
`
`
`
`
`Case No. _______________
`
`Class Action Complaint
`
`Jury Trial Demanded
`
`
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`

`

`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`Case 3:21-cv-06269-SK Document 1 Filed 08/13/21 Page 2 of 42
`
`
`
`
`Plaintiff Brandon Briskin brings this action on behalf of himself and all
`others similarly situated against Shopify Inc. and Shopify (USA) Inc.
`(collectively, “Shopify”). Plaintiff’s allegations against Shopify are based upon
`information and belief and upon investigation of Plaintiff’s counsel, except for
`allegations specifically pertaining to Plaintiff, which are based upon Plaintiff’s
`personal knowledge.
`
`Introduction
`
`1.
`
`Shopify is an e-commerce platform that enables merchants to easily sell
`
`products online. Many of Shopify’s customers are merchants who operate
`
`websites and mobile applications, such as IABMFG. Shopify created software
`
`code to enable merchants to integrate Shopify’s payment forms into their
`
`applications. To that end, Shopify provides comprehensive documentation to its
`
`merchant customers, describing how to integrate payment forms into their
`
`websites and applications using the Shopify code, including how to omit Shopify
`
`branding such that the form appears to the consumer to belong to the merchant’s
`
`website.
`
`2.
`
`In fact, despite the appearance to consumers that their payment
`
`information is being sent to the merchant, it is intercepted by Shopify. When a
`
`merchant integrates the Shopify software code into a website or mobile
`
`application, consumers who desire to pay for a product or service are presented
`
`with Shopify payment forms, which are created by Shopify. The payment forms
`
`require the consumer to provide a variety of sensitive information, such as:
`
`• name
`
`• address
`
`•
`
`telephone number
`
`
`
`
`
`Class Action Complaint, p. 1
`
`

`

`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`Case 3:21-cv-06269-SK Document 1 Filed 08/13/21 Page 3 of 42
`
`
`
`
`• email address
`
`• complete credit card information, including cvc
`
`3.
`
`Shopify also collects and indefinitely stores sensitive information about
`
`consumers using its payment form such as:
`
`• The consumers’ internet IP addresses;
`
`•
`
`the brand and model of the consumer’s computers or electronic
`
`devices;
`
`the identities of the consumer’s browsers;
`
`the operating systems that the consumer’s devices were using; and
`
`the item(s) purchased by the consumer from the merchants’ websites.
`
`•
`
`•
`
`•
`
`4. Although consumers using merchants’ websites and mobile
`
`applications reasonably expect that they are communicating directly with the
`
`merchant, Shopify’s software code is designed to enable Shopify’s computer
`
`network to intercept those communications and redirect them to Shopify’s
`
`computer network. Shopify, however, designed its payment forms to omit all
`
`Shopify branding. Accordingly, the consumer has no idea that Shopify is involved
`
`in the transaction in any way, let alone that Shopify will be obtaining, storing, and
`
`evaluating the consumer’s sensitive communications and information.
`
`5.
`
`The Shopify code also surreptitiously installs tracking cookies on
`
`consumers’ computers and mobile devices, which enable Shopify to identify a
`
`particular consumer and track his or her activities across its entire merchant
`
`network, enabling Shopify to gather even more sensitive data about the consumer
`
`including, without limitation, (i) the number of declined cards that the consumer
`
`has used with Shopify merchants; (ii) how long ago one of the consumer’s cards
`
`was last declined; (iii) whether the consumer had ever disputed a previous
`
`
`
`
`
`Class Action Complaint, p. 2
`
`

`

`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`Case 3:21-cv-06269-SK Document 1 Filed 08/13/21 Page 4 of 42
`
`
`
`Shopify charge; (iv) whether any previous early fraud warnings were associated
`
`with the consumer; (v) the percentage of transactions that were authorized for the
`
`consumer over time; and (vi) the cards and other payment methods associated
`
`with the consumer’s IP address.
`
`6.
`
`Shopify does not use consumers’ private information simply for the
`
`purposes of processing the payments in question. Instead, Shopify indefinitely
`
`stores the information, correlates all payments from the consumer made across its
`
`entire platform, and then—without informing the consumer—provides much of it
`
`to its other merchants. For example, once a consumer has submitted a payment for
`
`a purchase from IABMFG, any of Shopify’s millions of other merchant customers
`
`will then be able to access the consumer’s private information pertaining to that
`
`payment, as well as any other payment that Shopify processed for that consumer
`
`in a profile for that consumer.
`
`7. At no time does Shopify inform consumers who use its payment forms
`
`on merchant websites that: (i) Shopify will intercept communications that
`
`consumers believe are being sent exclusively to merchants; (ii) its software code
`
`is causing their devices to connect to Shopify’s computer servers; (iii) Shopify is
`
`accessing consumers’ data by placing tracking cookies on their devices; (iv) its
`
`software code is rendering the payment forms that are displayed to consumers;
`
`(v) the sensitive information in the payment forms will be sent to Shopify;
`
`(vi) sensitive information not expressly inputted by the consumer—such as IP
`
`address, operating system, geolocation data, and item(s) purchased—will also be
`
`collected from the consumer by Shopify; (vii) Shopify will indefinitely store that
`
`sensitive information; (viii) Shopify will use consumers’ information to create
`
`profiles of consumers, which could subsequently be communicated to other
`
`
`
`
`
`Class Action Complaint, p. 3
`
`

`

`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`Case 3:21-cv-06269-SK Document 1 Filed 08/13/21 Page 5 of 42
`
`
`
`merchants; (ix) Shopify will track consumers’ behavior across over more than one
`
`million websites; and (x) Shopify will make consumers’ sensitive information
`
`available to any of its millions of merchant customers who will accept payment—
`
`or who have already accepted payment—from those consumers.
`
`Parties
`
`8.
`
`Plaintiff Brandon Briskin is, and was at all relevant times, an individual
`
`and resident of California. Plaintiff currently resides in Madera, California.
`
`9. Defendant Shopify Inc. is a Canadian company headquartered in
`
`Ottawa, Canada with a domestic office in San Francisco, California.
`
`10. Defendant Shopify (USA) Inc. is a Delaware company with its
`
`principal place of business in Ottawa, Canada. Shopify (USA) Inc. is registered to
`
`do business in California and has a domestic office in San Francisco, California.
`
`11. Shopify Inc. and Shopify (USA) Inc. are referred to collectively herein
`
`as “Shopify.”
`
`Jurisdiction and Venue
`
`12. This Court has subject matter jurisdiction over this action pursuant to
`
`the Class Action Fairness Act, 28 U.S.C. Section 1332(d)(2)(A) because: (i) there
`
`are 100 or more class members, and (ii) there is an aggregate amount in
`
`controversy exceeding $5,000,000, exclusive of interest and costs.
`
`13. This Court has supplemental jurisdiction over any state law claims
`
`pursuant to 28 U.S.C. Section 1367.
`
`14. The injuries, damages and/or harm upon which this action is based
`
`occurred or arose out of activities engaged in by Shopify within, affecting, and
`
`emanating from the State of California. Shopify regularly conducts and/or solicits
`
`
`
`
`
`Class Action Complaint, p. 4
`
`

`

`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`Case 3:21-cv-06269-SK Document 1 Filed 08/13/21 Page 6 of 42
`
`
`
`business in, engages in other persistent courses of conduct in, and/or derives
`
`substantial revenue from products provided to persons in the State of California.
`
`Shopify has engaged, and continues to engage, in substantial and continuous
`
`business practices in the State of California.
`
`15. Venue is proper in this District pursuant to 28 U.S.C. Section
`
`1391(b)(2) because a substantial part of the events or omissions giving rise to the
`
`claims occurred in the state of California, including within this District.
`
`16. Plaintiff accordingly alleges that jurisdiction and venue are proper in
`
`this Court.
`
`Substantive Allegations
`
`A.
`
`Shopify Surreptitiously Intercepts Consumers’ Communications
`and Collects their Private Information When They Make Online
`Payments to Merchants.
`17. Shopify is an e-commerce platform that enables merchants to sell
`
`products online. In June 2019, Shopify reported that it had more than 1,000,000
`
`businesses in approximately 175 countries using its platform, with total gross
`
`merchandise volume exceeding $41 billion for calendar year 2018.1 Using
`
`Shopify’s website, merchants provide Shopify with their product offerings, prices,
`
`shipping options and other business preferences. Shopify hosts some of its
`
`merchants’ websites and creates all of the code necessary to implement the
`
`product catalog and to accept payment. In addition, merchants who already own
`
`websites can elect to embed certain Shopify assets, such as payment forms, into
`
`their pre-existing websites. Regardless of the implementation, Shopify handles the
`
`1 Shopify Announces Fourth-Quarter and Full Year 2018 Financial Results,
`Businesswire.com, available at:
`https://www.businesswire.com/news/home/20190212005234/en/ (last accessed
`August 2, 2021).
`
`
`
`
`
`Class Action Complaint, p. 5
`
`

`

`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`Case 3:21-cv-06269-SK Document 1 Filed 08/13/21 Page 7 of 42
`
`
`
`collection and validation of the consumer’s payment information, as well as
`
`processing the payment, through its relationships with third parties, such as Stripe.
`
`18. To display payment forms to consumers, Shopify sends executable
`
`javascript code to consumers’ computers or mobile devices, which then execute
`
`the code. Upon execution, the code loads and displays the payment forms to
`
`consumers.
`
`19. Shopify does not disclose to consumers its role in the transaction, let
`
`alone that Shopify is sending code to consumers’ devices to display the payment
`
`forms. To the consumer, the website and payment forms appear to be generated
`
`by the merchant itself. Thus, a consumer never knows that they have shared their
`
`sensitive information, including sensitive financial information, to Shopify.
`
`20. For example, consumers who order apparel or accessories on the
`
`IABMFG website are presented with a cart page before proceeding to the
`
`checkout page. The bottom of the cart page features a number of icons for various
`
`forms of payment, including Visa, Mastercard and American Express. The
`
`Shopify icon is presented alongside the credit card icons, making it appear to
`
`consumers that Shopify is optional or a type of payment method the consumer
`
`could choose akin to a credit card even though it is not.
`
`21. Consumers who proceed with purchasing goods on the IABMFG
`
`website are presented with the following payment form:
`
`
`
`
`
`Class Action Complaint, p. 6
`
`

`

`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`Case 3:21-cv-06269-SK Document 1 Filed 08/13/21 Page 8 of 42
`
`
`
`
`Figure 1: IABMFG Checkout Page
`
`
`
`22. All of the input elements in the form (i.e., those corresponding to
`
`“Email,” “First name,” “Last name,” “Address,” “Apartment, suite, etc.,” “City,”
`
`“Country/Region,” “State,” “ZIP code,” and “Phone”) are generated by Shopify.2
`
`To the user, however, it appears that the form and input elements are generated
`
`and provided by IABMFG. Shopify does not cause its involvement in the
`
`transaction to be displayed to the consumer alongside the payment form.
`
`
`2 This is confirmed by the fact that the input elements are located in a <div>
`tag having the class “edit_checkout”—a class that Shopify uses throughout its
`network of merchant websites.
`
`
`
`
`
`Class Action Complaint, p. 7
`
`

`

`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`Case 3:21-cv-06269-SK Document 1 Filed 08/13/21 Page 9 of 42
`
`
`
`
`23. Only a person with technical knowledge and special software tools
`
`could determine that the payment forms are generated by Shopify. As shown by
`
`the following screenshot from such a tool, the IABMFG checkout page above
`
`required the user’s browser to load at least eight separate files—including four
`
`executable javascript files—from Shopify’s computer network:
`
`
`Figure 2: Assets loaded from Shopify during rendering of IABMFG checkout page
`
`24. After submitting the shipping information form on the IABMFG
`
`website, the user is presented with a payment form:
`
`
`
`
`
`Class Action Complaint, p. 8
`
`

`

`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`Case 3:21-cv-06269-SK Document 1 Filed 08/13/21 Page 10 of 42
`
`
`
`
`Figure 3: IABMFG Payment Form
`
`
`
`25. Once again, the payment form—including the input elements—is
`
`generated by Shopify and sent to the user’s browser. To the user, however, it
`
`appears that the payment form is being generated by the IABMFG website. As is
`
`true of the shipping form, Shopify does not disclose its involvement in the
`
`transaction to the consumer.
`
`26. When the user clicks the “Pay now” button, the Shopify-produced
`
`javascript code is executed on the user’s computer, causing the payment details to
`
`be collected from the form, and then sent directly to Shopify’s servers, at
`
`https://deposit.us.shopifycs.com/sessions. For example, the payload sent to that
`
`
`
`
`
`Class Action Complaint, p. 9
`
`

`

`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`Case 3:21-cv-06269-SK Document 1 Filed 08/13/21 Page 11 of 42
`
`
`
`address in a test transaction conducted on April 12, 2021, as seen through a
`
`special software tool, was as follows:
`
`
`
`Figure 4: Request Payload to Shopify
`
`27. As the figure above displays, the data sent directly to Shopify includes
`
`the user’s name and sensitive payment information. This payload request,
`
`however, is just one of many requests that Shopify causes the user’s browser to
`
`make to Shopify. Dozens of urls were also called by the user’s browser upon
`
`clicking the “Pay now” button during the April 12 test transaction. None of these
`
`url calls are visible to the consumer.
`
`28. When a consumer completes and submits the shipping and payment
`
`forms, it appears to the consumer that the information in the forms will be sent
`
`directly to the merchant. However, Shopify’s software code, which has been
`
`installed on the user’s computer without his or her consent, ensures that
`
`consumers’ communications—including the private information in the forms—
`
`are intercepted and rerouted to Shopify’s computer servers, including the servers
`
`that receive the requests listed above.
`
`29. After the consumer has completed a purchase transaction, Shopify
`
`sends the user an order confirmation email. The email does not mention Shopify,
`
`let alone disclose to the consumer that Shopify has obtained and stored his or her
`
`
`
`
`
`Class Action Complaint, p. 10
`
`

`

`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`Case 3:21-cv-06269-SK Document 1 Filed 08/13/21 Page 12 of 42
`
`
`
`sensitive information and communications. Instead, it appears that it was sent by
`
`the merchant. The “From” email address is identical to the merchant’s email.
`
`30. The receipt email that Shopify sends to consumers contains a button
`
`entitled “View your order.” Consumers who click the button are taken to the
`
`merchant’s website and are shown a webpage that, although hosted and/or created
`
`by Shopify, does not mention Shopify or disclose its involvement. Rather, to the
`
`consumer, the page appears to have been created and hosted by the merchant.
`
`31. Shopify’s involvement with the consumer’s private information does
`
`not end when the transaction is completed. To the contrary, Shopify’s
`
`involvement has only begun. Now that Shopify has the consumer’s information,
`
`Shopify will track the consumer’s behavior across its vast merchant network. To
`
`achieve this, Shopify installs a tracking cookie on the user’s browser. This cookie
`
`may be installed when the user visits the payment page, or any other page of the
`
`merchant’s website.
`
`32. For example, merely viewing a single item on the IABMFG website
`
`(the IABMFG Flex High Waisted Capri Pants, at
`
`https://www.iambecoming.com/collections/iab-flex-high-waisted-capri) caused at
`
`least six Shopify tracking cookies to be installed on the browser:
`
`• _shopify_sa_p
`
`• _shopify_sa_t
`
`• _shopify_s
`
`• _shopify_y
`
`• _shopify_fs
`
`• _shopify_country
`
`
`
`
`
`Class Action Complaint, p. 11
`
`

`

`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`Case 3:21-cv-06269-SK Document 1 Filed 08/13/21 Page 13 of 42
`
`
`
`
`33. Although the contents of Shopify cookies are encrypted, such that one
`
`cannot view their contents without the decryption key, it is known that these
`
`cookies are used to track consumers, their devices, and their behavior. The cookie
`
`“_shopify_y,” for example, contains a unique code that uniquely identifies the
`
`consumer’s device, so that Shopify can track the consumer’s behavior across its
`
`vast merchant network. Further, it is known that Shopify collects and stores at
`
`least the following information about customers of merchants such as IABMFG:
`
`• name;
`
`• email address;
`
`• company;
`
`• shipping address;
`
`• billing address;
`
`• phone number;
`
`• amount spent;
`
`•
`
`IP address;
`
`• user agent (i.e., the user’s browser); and
`
`• geolocation data.
`
`34. Shopify makes all of this information available to its merchants who
`
`are involved in transactions with the consumer in question. To retrieve the
`
`information, merchants can click a button entitled “View customer data” in the
`
`Shopify user interface, and Shopify will email this data to them.
`
`B.
`
`Shopify Discloses and Sells Consumers’ Sensitive Information to
`Merchants, and Uses it to Assess Transaction Risk.
`Because over one million websites and other merchants use Shopify to sell
`
`their products, Shopify has amassed an incredible amount of sensitive data
`
`regarding consumers. Shopify leverages this data to assess the risk associated with
`
`
`
`
`
`Class Action Complaint, p. 12
`
`

`

`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`Case 3:21-cv-06269-SK Document 1 Filed 08/13/21 Page 14 of 42
`
`
`
`particular consumers and their transactions. Shopify distills this information into a
`
`profile for each consumer and payment and makes a risk recommendation to the
`
`merchant based on the consumer’s profile. Shopify then adjusts and reapplies that
`
`score for future payments. Payment transactions with unacceptable indicators can
`
`be blocked or reversed.
`
`35.
`
`In addition, Shopify makes information in the user profiles available to
`
`its merchant customers. For example, Shopify merchants can view a variety of
`
`information regarding the consumer transactions:
`
`Figure 5: Shopify Analysis Indicators
`
`
`
`
`
`
`
`Class Action Complaint, p. 13
`
`

`

`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`Case 3:21-cv-06269-SK Document 1 Filed 08/13/21 Page 15 of 42
`
`
`
`
`36. At no time are consumers informed that Shopify is collecting and using
`
`their sensitive payment information.
`
`37.
`
`In fact, Shopify enables its merchant customers to set filters that can
`
`preemptively block orders based on the information that Shopify collects on
`
`consumers. Through the filters, Shopify’s merchant customers can set rules that
`
`can ban IP addresses, prevent certain customers from placing orders, and
`
`automatically cancel orders that have “high” risk scores, among other things.
`
`When a filter preemptively cancels an order, the consumer has no idea. Rather,
`
`from the consumer’s perspective, the order processes normally. But, in reality, the
`
`order is “accepted” and then immediately canceled. Consumers will only see that
`
`their credit card was declined, which can negatively impact the “score” that
`
`Shopify assigns to the consumer and lead to future cancellations.
`
`38.
`
`In addition to compiling risk profiles for each consumer, Shopify also
`
`shares the information that its collects on consumers with third-parties, who, in
`
`turn, use the consumers’ data for their own purposes and share it with others. For
`
`example, Shopify partners with Stripe, Inc. to handle payment processing. When a
`
`consumer fills out a payment form, Shopify collects information regarding the
`
`transaction and consumer. Shopify then shares that information with Stripe, which
`
`enables Stripe to process the payment. Like Shopify, Stripe is also in the business
`
`of developing individualized risk profiles on consumers. Stripe’s “risk insights”
`
`profiles for consumers, which includes sensitive information, such as (i) the
`
`number of declined cards previously associated with an email address, (ii) the
`
`time since the first card decline occurred, (iii) the IP address, and (iv) the credit
`
`card number. Upon information and belief, Stripe uses the data that Shopify
`
`
`
`
`
`Class Action Complaint, p. 14
`
`

`

`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`Case 3:21-cv-06269-SK Document 1 Filed 08/13/21 Page 16 of 42
`
`
`
`shares with Stripe to process payments to build out its own risk profiles on
`
`consumers, which it then markets and disseminates to its own customers.
`
`39. Shopify also shares consumers’ information with MaxMind in order to
`
`create consumer risk profiles. When a user purchases an item through one of
`
`Shopify’s merchant customers, Shopify provides MaxMind with the consumers’
`
`personal information and data regarding the transaction. MaxMind uses that
`
`information to assign a risk score to the consumer and transaction, which Shopify,
`
`in turn, shares with its merchant customers to evaluate the transaction and future
`
`transactions. MaxMind markets and disseminates the consumer risk profiles to its
`
`own customers.
`
`40. Because Shopify conceals its involvement with consumer transactions,
`
`consumers are unaware that Shopify shares their sensitive information with third
`
`parties and are deprived of any ability to opt out of the dissemination of their data
`
`from Shopify and the third-parties that are also receiving their sensitive data.
`
`41. Shopify’s collection, storage and dissemination of users’ sensitive
`
`information opens consumers to the possibility of identity theft, credit card theft,
`
`and fraud, by storing their information, without their knowledge or consent,
`
`creating a new venue that is open to vulnerabilities, such as hackers and phishing
`
`scams. However, consumers who do not even know that their information is
`
`collected and stored by Shopify or shared by Shopify with other third parties and
`
`thus will not know to be weary of scams, and are deprived of the knowledge
`
`necessary to protect their data.
`
`42. The potential for identity theft, credit card theft and fraud of data
`
`secretly collected and stored by Shopify is more than a mere possibility. From
`
`2019-2020, certain Shopify staff members took advantage of the consumer data
`
`
`
`
`
`Class Action Complaint, p. 15
`
`

`

`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`Case 3:21-cv-06269-SK Document 1 Filed 08/13/21 Page 17 of 42
`
`
`
`Shopify unlawfully collected and stored. Shopify announced in September 2020
`
`that it became aware of an incident in which data from about 200 merchants was
`
`stolen.3 These staff members acquired information regarding consumer
`
`transaction on Shopify’s platform. The data included consumer names, e-mails,
`
`addresses, and order details, including products, services purchased, payment
`
`methods, and the last four digits of their credit cards.4 The staff members later
`
`sold the data to others on the black market. It has been estimated that the data
`
`breach involved the data of about 272,000 individuals. The consumer data that is
`
`now in the hands of criminals was data that Shopify was never authorized to
`
`collect at the outset. Because Shopify concealed its involvement with the
`
`transactions, Shopify deprived consumers of the right to opt out of its collection
`
`of their private information and, in doing so, has exposed consumers to the risk,
`
`and for some consumers, the reality of identity theft, credit card theft and fraud.
`
`C.
`Shopify Does Not Inform Consumers About Its Activities.
`43. Shopify makes no effort to inform consumers regarding any of its
`
`activities with respect to its interception and collection of consumer information
`
`using merchant websites. Specifically, it does not inform consumers that:
`
`(i) Shopify will intercept communications that consumers believe are being sent
`
`exclusively to merchants; (ii) its software code is causing their devices to connect
`
`to Shopify’s computer servers; (iii) Shopify is placing tracking cookies on
`
`consumers’ computers; (iv) its software code is rendering the payment forms that
`
`are displayed to consumers; (v) the sensitive information in the payment forms
`
`
`3 See https://community.shopify.com/c/Shopify-Discussion/Incident-Update/td-
`p/888971 (last accessed August 2, 2021).
`4 See https://www.documentcloud.org/documents/20580321-us-grand-jury-
`indictment-tassilo-heinrich (last accessed August 2, 2021).
`
`
`
`
`
`Class Action Complaint, p. 16
`
`

`

`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`Case 3:21-cv-06269-SK Document 1 Filed 08/13/21 Page 18 of 42
`
`
`
`will be sent to Shopify; (vi) sensitive information not expressly input by the
`
`consumer—such as IP address, operating system, geolocation data, and item(s)
`
`purchased—will also be collected from the consumer by Shopify; (vii) Shopify
`
`will indefinitely store that sensitive information; (viii) Shopify will use
`
`consumers’ information to assign risk scores to consumers, which could
`
`subsequently be communicated to other merchants and used to deny consumers’
`
`future payment attempts; (ix) Shopify will track consumers’ behavior across over
`
`one million websites; (x) Shopify will make consumers’ sensitive information
`
`available to any of its millions of customers who will accept payment—or who
`
`have already accepted payment—from those consumers; and (xi) Shopify will
`
`share consumer data with third-parties, such as Stripe, Inc. and MaxMind, Inc.
`
`44. Shopify deliberately chose to hide its involvement from consumers.
`
`Shopify did so to increase its profits, because it (i) understands that consumers
`
`value the privacy of their communications and do not wish those communications
`
`to be intercepted; (ii) understands that consumers do not wish for their activities
`
`to be tracked across a vast network of third party merchants; and (iii) wants to
`
`maximize the ability of its merchant customers to “white-label” payment forms, to
`
`make it appear to consumers that the merchants have the sophistication to handle
`
`payments themselves and without extensive third party involvement.
`
`45. Although Shopify provides a default template for merchant websites
`
`that includes, in the footer, a “powered with Shopify” link leading to Shopify’s
`
`homepage, Shopify does not require merchants to use that template, or the link.
`
`Indeed, Shopify provides instructions—including a dedicated video—to
`
`merchants regarding how to remove the link. (See
`
`https://help.shopify.com/en/manual/online-store/themes/os/customize/remove-
`
`
`
`
`
`Class Action Complaint, p. 17
`
`

`

`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`Case 3:21-cv-06269-SK Document 1 Filed 08/13/21 Page 19 of 42
`
`
`
`powered-by-shopify-message (last accessed August 9, 2021).) As Shopify knows,
`
`the vast majority—if not all—of its large merchants delete the link.
`
`46. On information and belief, Shopify does not review its customers’
`
`websites or mobile applications to determine whether its customers have disclosed
`
`to consumers any of Shopify’s activities with respect to their personal
`
`information.
`
`47. Consumers visiting Shopify merchants’ webpages are not required to
`
`view (through a link or otherwise), let alone agree to, Shopify’s Terms of Service
`
`or Privacy Policy. Plaintiff has never agreed to any such policy.
`
`48. As described above, the information that Shopify obtains from
`
`consumers who purchase products from merchants utilizing the Shopify payment
`
`forms includes consumers’ telephone numbers. Shopify maintains a database of
`
`these consumer telephone numbers on its computers. Shopify then transmits, or
`
`causes to be transmitted by a third party, marketing text messages to selected
`
`telephone numbers from Shopify’s database. For example, Shopify sends
`
`“abandoned cart” text messages to consumers that add items to their cart but do
`
`not complete the checkout process. The telephone numbers messaged by Shopify
`
`are assigned to cellular telephone service for which Plaintiff and Class members
`
`incur charges for incoming messages.
`
`D. Plaintiff’s Experience
`49. Plaintiff purchased fitness apparel for his wife from IABMFG on or
`
`about June 14, 2019. To do so, he used his iPhone’s Safari browser to establish a
`
`secure, encrypted connection to IABMFG at https://www.iambecoming.com.
`
`50. After adding products to his virtual shopping cart, Plaintiff was
`
`presented with a checkout screen substantially similar to the screen shown at
`
`
`
`
`
`Class Action Complaint, p. 18
`
`

`

`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`Case 3:21-cv-06269-SK Document 1 Filed 08/13/21 Page 20 of 42
`
`
`
`Figure 1, supra. Plaintiff believed that all aspects of the checkout screen were
`
`being generated by IABMFG, and sent over his browser’s encrypted connection
`
`with IABMFG.
`
`51. Plaintiff was required to provide his private information in order to
`
`complete the checkout process, including information such as his full name,
`
`delivery address, billing address, phone number, and credit card number,
`
`expiration date, and CVV code. Plaintiff provided this information, and then
`
`clicked on the “Pay now” button to submit it. Plaintiff did not provide consent to
`
`Shopify to send him text messages. Plaintiff did not provide consent for Shopify
`
`to obtain, use, store, or share his sensitive information. When Plaintiff clicked the
`
`“Pay now” button, he believed that his information would be sent directly to
`
`IABMFG, through the secure, encrypted connection that his smartphone browser
`
`had established with IABMFG.
`
`52.
`
` Although Plaintiff was not aware of it, the IABMFG checkout page he
`
`visited contained a link to the Shop

This document is available on Docket Alarm but you must sign up to view it.


Or .

Accessing this document will incur an additional charge of $.

After purchase, you can access this document again without charge.

Accept $ Charge
throbber

Still Working On It

This document is taking longer than usual to download. This can happen if we need to contact the court directly to obtain the document and their servers are running slowly.

Give it another minute or two to complete, and then try the refresh button.

throbber

A few More Minutes ... Still Working

It can take up to 5 minutes for us to download a document if the court servers are running slowly.

Thank you for your continued patience.

This document could not be displayed.

We could not find this document within its docket. Please go back to the docket page and check the link. If that does not work, go back to the docket and refresh it to pull the newest information.

Your account does not support viewing this document.

You need a Paid Account to view this document. Click here to change your account type.

Your account does not support viewing this document.

Set your membership status to view this document.

With a Docket Alarm membership, you'll get a whole lot more, including:

  • Up-to-date information for this case.
  • Email alerts whenever there is an update.
  • Full text search for other cases.
  • Get email alerts whenever a new case matches your search.

Become a Member

One Moment Please

The filing “” is large (MB) and is being downloaded.

Please refresh this page in a few minutes to see if the filing has been downloaded. The filing will also be emailed to you when the download completes.

Your document is on its way!

If you do not receive the document in five minutes, contact support at support@docketalarm.com.

Sealed Document

We are unable to display this document, it may be under a court ordered seal.

If you have proper credentials to access the file, you may proceed directly to the court's system using your government issued username and password.


Access Government Site

We are redirecting you
to a mobile optimized page.





Document Unreadable or Corrupt

Refresh this Document
Go to the Docket

We are unable to display this document.

Refresh this Document
Go to the Docket