`
`
`
`
`GUTRIDE SAFIER LLP
`Seth A. Safier (State Bar No. 197427)
` seth@gutridesafier.com
`Marie McCrary (State Bar No. 262670)
` marie@gutridesafier.com
`Todd Kennedy (State Bar No. 250267)
` todd@gutridesafier.com
`100 Pine Street, Suite 1250
`San Francisco, California 94111
`Telephone: (415) 639-9090
`Facsimile: (415) 449-6469
`Attorneys for Plaintiff
`
`
`
`UNITED STATES DISTRICT COURT
`
`FOR THE NORTHERN DISTRICT OF CALIFORNIA
`
`SAN FRANCISCO DIVISION
`
`
`
`Brandon Briskin, on behalf of
`himself and those similarly situated,
`Plaintiff,
`
`v.
`
`Shopify Inc. and Shopify (USA)
`Inc.,
`
` Defendants.
`
`
`
`
`Case No. _______________
`
`Class Action Complaint
`
`Jury Trial Demanded
`
`
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`Case 3:21-cv-06269-SK Document 1 Filed 08/13/21 Page 2 of 42
`
`
`
`
`Plaintiff Brandon Briskin brings this action on behalf of himself and all
`others similarly situated against Shopify Inc. and Shopify (USA) Inc.
`(collectively, “Shopify”). Plaintiff’s allegations against Shopify are based upon
`information and belief and upon investigation of Plaintiff’s counsel, except for
`allegations specifically pertaining to Plaintiff, which are based upon Plaintiff’s
`personal knowledge.
`
`Introduction
`
`1.
`
`Shopify is an e-commerce platform that enables merchants to easily sell
`
`products online. Many of Shopify’s customers are merchants who operate
`
`websites and mobile applications, such as IABMFG. Shopify created software
`
`code to enable merchants to integrate Shopify’s payment forms into their
`
`applications. To that end, Shopify provides comprehensive documentation to its
`
`merchant customers, describing how to integrate payment forms into their
`
`websites and applications using the Shopify code, including how to omit Shopify
`
`branding such that the form appears to the consumer to belong to the merchant’s
`
`website.
`
`2.
`
`In fact, despite the appearance to consumers that their payment
`
`information is being sent to the merchant, it is intercepted by Shopify. When a
`
`merchant integrates the Shopify software code into a website or mobile
`
`application, consumers who desire to pay for a product or service are presented
`
`with Shopify payment forms, which are created by Shopify. The payment forms
`
`require the consumer to provide a variety of sensitive information, such as:
`
`• name
`
`• address
`
`•
`
`telephone number
`
`
`
`
`
`Class Action Complaint, p. 1
`
`
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`Case 3:21-cv-06269-SK Document 1 Filed 08/13/21 Page 3 of 42
`
`
`
`
`• email address
`
`• complete credit card information, including cvc
`
`3.
`
`Shopify also collects and indefinitely stores sensitive information about
`
`consumers using its payment form such as:
`
`• The consumers’ internet IP addresses;
`
`•
`
`the brand and model of the consumer’s computers or electronic
`
`devices;
`
`the identities of the consumer’s browsers;
`
`the operating systems that the consumer’s devices were using; and
`
`the item(s) purchased by the consumer from the merchants’ websites.
`
`•
`
`•
`
`•
`
`4. Although consumers using merchants’ websites and mobile
`
`applications reasonably expect that they are communicating directly with the
`
`merchant, Shopify’s software code is designed to enable Shopify’s computer
`
`network to intercept those communications and redirect them to Shopify’s
`
`computer network. Shopify, however, designed its payment forms to omit all
`
`Shopify branding. Accordingly, the consumer has no idea that Shopify is involved
`
`in the transaction in any way, let alone that Shopify will be obtaining, storing, and
`
`evaluating the consumer’s sensitive communications and information.
`
`5.
`
`The Shopify code also surreptitiously installs tracking cookies on
`
`consumers’ computers and mobile devices, which enable Shopify to identify a
`
`particular consumer and track his or her activities across its entire merchant
`
`network, enabling Shopify to gather even more sensitive data about the consumer
`
`including, without limitation, (i) the number of declined cards that the consumer
`
`has used with Shopify merchants; (ii) how long ago one of the consumer’s cards
`
`was last declined; (iii) whether the consumer had ever disputed a previous
`
`
`
`
`
`Class Action Complaint, p. 2
`
`
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`Case 3:21-cv-06269-SK Document 1 Filed 08/13/21 Page 4 of 42
`
`
`
`Shopify charge; (iv) whether any previous early fraud warnings were associated
`
`with the consumer; (v) the percentage of transactions that were authorized for the
`
`consumer over time; and (vi) the cards and other payment methods associated
`
`with the consumer’s IP address.
`
`6.
`
`Shopify does not use consumers’ private information simply for the
`
`purposes of processing the payments in question. Instead, Shopify indefinitely
`
`stores the information, correlates all payments from the consumer made across its
`
`entire platform, and then—without informing the consumer—provides much of it
`
`to its other merchants. For example, once a consumer has submitted a payment for
`
`a purchase from IABMFG, any of Shopify’s millions of other merchant customers
`
`will then be able to access the consumer’s private information pertaining to that
`
`payment, as well as any other payment that Shopify processed for that consumer
`
`in a profile for that consumer.
`
`7. At no time does Shopify inform consumers who use its payment forms
`
`on merchant websites that: (i) Shopify will intercept communications that
`
`consumers believe are being sent exclusively to merchants; (ii) its software code
`
`is causing their devices to connect to Shopify’s computer servers; (iii) Shopify is
`
`accessing consumers’ data by placing tracking cookies on their devices; (iv) its
`
`software code is rendering the payment forms that are displayed to consumers;
`
`(v) the sensitive information in the payment forms will be sent to Shopify;
`
`(vi) sensitive information not expressly inputted by the consumer—such as IP
`
`address, operating system, geolocation data, and item(s) purchased—will also be
`
`collected from the consumer by Shopify; (vii) Shopify will indefinitely store that
`
`sensitive information; (viii) Shopify will use consumers’ information to create
`
`profiles of consumers, which could subsequently be communicated to other
`
`
`
`
`
`Class Action Complaint, p. 3
`
`
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`Case 3:21-cv-06269-SK Document 1 Filed 08/13/21 Page 5 of 42
`
`
`
`merchants; (ix) Shopify will track consumers’ behavior across over more than one
`
`million websites; and (x) Shopify will make consumers’ sensitive information
`
`available to any of its millions of merchant customers who will accept payment—
`
`or who have already accepted payment—from those consumers.
`
`Parties
`
`8.
`
`Plaintiff Brandon Briskin is, and was at all relevant times, an individual
`
`and resident of California. Plaintiff currently resides in Madera, California.
`
`9. Defendant Shopify Inc. is a Canadian company headquartered in
`
`Ottawa, Canada with a domestic office in San Francisco, California.
`
`10. Defendant Shopify (USA) Inc. is a Delaware company with its
`
`principal place of business in Ottawa, Canada. Shopify (USA) Inc. is registered to
`
`do business in California and has a domestic office in San Francisco, California.
`
`11. Shopify Inc. and Shopify (USA) Inc. are referred to collectively herein
`
`as “Shopify.”
`
`Jurisdiction and Venue
`
`12. This Court has subject matter jurisdiction over this action pursuant to
`
`the Class Action Fairness Act, 28 U.S.C. Section 1332(d)(2)(A) because: (i) there
`
`are 100 or more class members, and (ii) there is an aggregate amount in
`
`controversy exceeding $5,000,000, exclusive of interest and costs.
`
`13. This Court has supplemental jurisdiction over any state law claims
`
`pursuant to 28 U.S.C. Section 1367.
`
`14. The injuries, damages and/or harm upon which this action is based
`
`occurred or arose out of activities engaged in by Shopify within, affecting, and
`
`emanating from the State of California. Shopify regularly conducts and/or solicits
`
`
`
`
`
`Class Action Complaint, p. 4
`
`
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`Case 3:21-cv-06269-SK Document 1 Filed 08/13/21 Page 6 of 42
`
`
`
`business in, engages in other persistent courses of conduct in, and/or derives
`
`substantial revenue from products provided to persons in the State of California.
`
`Shopify has engaged, and continues to engage, in substantial and continuous
`
`business practices in the State of California.
`
`15. Venue is proper in this District pursuant to 28 U.S.C. Section
`
`1391(b)(2) because a substantial part of the events or omissions giving rise to the
`
`claims occurred in the state of California, including within this District.
`
`16. Plaintiff accordingly alleges that jurisdiction and venue are proper in
`
`this Court.
`
`Substantive Allegations
`
`A.
`
`Shopify Surreptitiously Intercepts Consumers’ Communications
`and Collects their Private Information When They Make Online
`Payments to Merchants.
`17. Shopify is an e-commerce platform that enables merchants to sell
`
`products online. In June 2019, Shopify reported that it had more than 1,000,000
`
`businesses in approximately 175 countries using its platform, with total gross
`
`merchandise volume exceeding $41 billion for calendar year 2018.1 Using
`
`Shopify’s website, merchants provide Shopify with their product offerings, prices,
`
`shipping options and other business preferences. Shopify hosts some of its
`
`merchants’ websites and creates all of the code necessary to implement the
`
`product catalog and to accept payment. In addition, merchants who already own
`
`websites can elect to embed certain Shopify assets, such as payment forms, into
`
`their pre-existing websites. Regardless of the implementation, Shopify handles the
`
`1 Shopify Announces Fourth-Quarter and Full Year 2018 Financial Results,
`Businesswire.com, available at:
`https://www.businesswire.com/news/home/20190212005234/en/ (last accessed
`August 2, 2021).
`
`
`
`
`
`Class Action Complaint, p. 5
`
`
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`Case 3:21-cv-06269-SK Document 1 Filed 08/13/21 Page 7 of 42
`
`
`
`collection and validation of the consumer’s payment information, as well as
`
`processing the payment, through its relationships with third parties, such as Stripe.
`
`18. To display payment forms to consumers, Shopify sends executable
`
`javascript code to consumers’ computers or mobile devices, which then execute
`
`the code. Upon execution, the code loads and displays the payment forms to
`
`consumers.
`
`19. Shopify does not disclose to consumers its role in the transaction, let
`
`alone that Shopify is sending code to consumers’ devices to display the payment
`
`forms. To the consumer, the website and payment forms appear to be generated
`
`by the merchant itself. Thus, a consumer never knows that they have shared their
`
`sensitive information, including sensitive financial information, to Shopify.
`
`20. For example, consumers who order apparel or accessories on the
`
`IABMFG website are presented with a cart page before proceeding to the
`
`checkout page. The bottom of the cart page features a number of icons for various
`
`forms of payment, including Visa, Mastercard and American Express. The
`
`Shopify icon is presented alongside the credit card icons, making it appear to
`
`consumers that Shopify is optional or a type of payment method the consumer
`
`could choose akin to a credit card even though it is not.
`
`21. Consumers who proceed with purchasing goods on the IABMFG
`
`website are presented with the following payment form:
`
`
`
`
`
`Class Action Complaint, p. 6
`
`
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`Case 3:21-cv-06269-SK Document 1 Filed 08/13/21 Page 8 of 42
`
`
`
`
`Figure 1: IABMFG Checkout Page
`
`
`
`22. All of the input elements in the form (i.e., those corresponding to
`
`“Email,” “First name,” “Last name,” “Address,” “Apartment, suite, etc.,” “City,”
`
`“Country/Region,” “State,” “ZIP code,” and “Phone”) are generated by Shopify.2
`
`To the user, however, it appears that the form and input elements are generated
`
`and provided by IABMFG. Shopify does not cause its involvement in the
`
`transaction to be displayed to the consumer alongside the payment form.
`
`
`2 This is confirmed by the fact that the input elements are located in a <div>
`tag having the class “edit_checkout”—a class that Shopify uses throughout its
`network of merchant websites.
`
`
`
`
`
`Class Action Complaint, p. 7
`
`
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`Case 3:21-cv-06269-SK Document 1 Filed 08/13/21 Page 9 of 42
`
`
`
`
`23. Only a person with technical knowledge and special software tools
`
`could determine that the payment forms are generated by Shopify. As shown by
`
`the following screenshot from such a tool, the IABMFG checkout page above
`
`required the user’s browser to load at least eight separate files—including four
`
`executable javascript files—from Shopify’s computer network:
`
`
`Figure 2: Assets loaded from Shopify during rendering of IABMFG checkout page
`
`24. After submitting the shipping information form on the IABMFG
`
`website, the user is presented with a payment form:
`
`
`
`
`
`Class Action Complaint, p. 8
`
`
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`Case 3:21-cv-06269-SK Document 1 Filed 08/13/21 Page 10 of 42
`
`
`
`
`Figure 3: IABMFG Payment Form
`
`
`
`25. Once again, the payment form—including the input elements—is
`
`generated by Shopify and sent to the user’s browser. To the user, however, it
`
`appears that the payment form is being generated by the IABMFG website. As is
`
`true of the shipping form, Shopify does not disclose its involvement in the
`
`transaction to the consumer.
`
`26. When the user clicks the “Pay now” button, the Shopify-produced
`
`javascript code is executed on the user’s computer, causing the payment details to
`
`be collected from the form, and then sent directly to Shopify’s servers, at
`
`https://deposit.us.shopifycs.com/sessions. For example, the payload sent to that
`
`
`
`
`
`Class Action Complaint, p. 9
`
`
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`Case 3:21-cv-06269-SK Document 1 Filed 08/13/21 Page 11 of 42
`
`
`
`address in a test transaction conducted on April 12, 2021, as seen through a
`
`special software tool, was as follows:
`
`
`
`Figure 4: Request Payload to Shopify
`
`27. As the figure above displays, the data sent directly to Shopify includes
`
`the user’s name and sensitive payment information. This payload request,
`
`however, is just one of many requests that Shopify causes the user’s browser to
`
`make to Shopify. Dozens of urls were also called by the user’s browser upon
`
`clicking the “Pay now” button during the April 12 test transaction. None of these
`
`url calls are visible to the consumer.
`
`28. When a consumer completes and submits the shipping and payment
`
`forms, it appears to the consumer that the information in the forms will be sent
`
`directly to the merchant. However, Shopify’s software code, which has been
`
`installed on the user’s computer without his or her consent, ensures that
`
`consumers’ communications—including the private information in the forms—
`
`are intercepted and rerouted to Shopify’s computer servers, including the servers
`
`that receive the requests listed above.
`
`29. After the consumer has completed a purchase transaction, Shopify
`
`sends the user an order confirmation email. The email does not mention Shopify,
`
`let alone disclose to the consumer that Shopify has obtained and stored his or her
`
`
`
`
`
`Class Action Complaint, p. 10
`
`
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`Case 3:21-cv-06269-SK Document 1 Filed 08/13/21 Page 12 of 42
`
`
`
`sensitive information and communications. Instead, it appears that it was sent by
`
`the merchant. The “From” email address is identical to the merchant’s email.
`
`30. The receipt email that Shopify sends to consumers contains a button
`
`entitled “View your order.” Consumers who click the button are taken to the
`
`merchant’s website and are shown a webpage that, although hosted and/or created
`
`by Shopify, does not mention Shopify or disclose its involvement. Rather, to the
`
`consumer, the page appears to have been created and hosted by the merchant.
`
`31. Shopify’s involvement with the consumer’s private information does
`
`not end when the transaction is completed. To the contrary, Shopify’s
`
`involvement has only begun. Now that Shopify has the consumer’s information,
`
`Shopify will track the consumer’s behavior across its vast merchant network. To
`
`achieve this, Shopify installs a tracking cookie on the user’s browser. This cookie
`
`may be installed when the user visits the payment page, or any other page of the
`
`merchant’s website.
`
`32. For example, merely viewing a single item on the IABMFG website
`
`(the IABMFG Flex High Waisted Capri Pants, at
`
`https://www.iambecoming.com/collections/iab-flex-high-waisted-capri) caused at
`
`least six Shopify tracking cookies to be installed on the browser:
`
`• _shopify_sa_p
`
`• _shopify_sa_t
`
`• _shopify_s
`
`• _shopify_y
`
`• _shopify_fs
`
`• _shopify_country
`
`
`
`
`
`Class Action Complaint, p. 11
`
`
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`Case 3:21-cv-06269-SK Document 1 Filed 08/13/21 Page 13 of 42
`
`
`
`
`33. Although the contents of Shopify cookies are encrypted, such that one
`
`cannot view their contents without the decryption key, it is known that these
`
`cookies are used to track consumers, their devices, and their behavior. The cookie
`
`“_shopify_y,” for example, contains a unique code that uniquely identifies the
`
`consumer’s device, so that Shopify can track the consumer’s behavior across its
`
`vast merchant network. Further, it is known that Shopify collects and stores at
`
`least the following information about customers of merchants such as IABMFG:
`
`• name;
`
`• email address;
`
`• company;
`
`• shipping address;
`
`• billing address;
`
`• phone number;
`
`• amount spent;
`
`•
`
`IP address;
`
`• user agent (i.e., the user’s browser); and
`
`• geolocation data.
`
`34. Shopify makes all of this information available to its merchants who
`
`are involved in transactions with the consumer in question. To retrieve the
`
`information, merchants can click a button entitled “View customer data” in the
`
`Shopify user interface, and Shopify will email this data to them.
`
`B.
`
`Shopify Discloses and Sells Consumers’ Sensitive Information to
`Merchants, and Uses it to Assess Transaction Risk.
`Because over one million websites and other merchants use Shopify to sell
`
`their products, Shopify has amassed an incredible amount of sensitive data
`
`regarding consumers. Shopify leverages this data to assess the risk associated with
`
`
`
`
`
`Class Action Complaint, p. 12
`
`
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`Case 3:21-cv-06269-SK Document 1 Filed 08/13/21 Page 14 of 42
`
`
`
`particular consumers and their transactions. Shopify distills this information into a
`
`profile for each consumer and payment and makes a risk recommendation to the
`
`merchant based on the consumer’s profile. Shopify then adjusts and reapplies that
`
`score for future payments. Payment transactions with unacceptable indicators can
`
`be blocked or reversed.
`
`35.
`
`In addition, Shopify makes information in the user profiles available to
`
`its merchant customers. For example, Shopify merchants can view a variety of
`
`information regarding the consumer transactions:
`
`Figure 5: Shopify Analysis Indicators
`
`
`
`
`
`
`
`Class Action Complaint, p. 13
`
`
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`Case 3:21-cv-06269-SK Document 1 Filed 08/13/21 Page 15 of 42
`
`
`
`
`36. At no time are consumers informed that Shopify is collecting and using
`
`their sensitive payment information.
`
`37.
`
`In fact, Shopify enables its merchant customers to set filters that can
`
`preemptively block orders based on the information that Shopify collects on
`
`consumers. Through the filters, Shopify’s merchant customers can set rules that
`
`can ban IP addresses, prevent certain customers from placing orders, and
`
`automatically cancel orders that have “high” risk scores, among other things.
`
`When a filter preemptively cancels an order, the consumer has no idea. Rather,
`
`from the consumer’s perspective, the order processes normally. But, in reality, the
`
`order is “accepted” and then immediately canceled. Consumers will only see that
`
`their credit card was declined, which can negatively impact the “score” that
`
`Shopify assigns to the consumer and lead to future cancellations.
`
`38.
`
`In addition to compiling risk profiles for each consumer, Shopify also
`
`shares the information that its collects on consumers with third-parties, who, in
`
`turn, use the consumers’ data for their own purposes and share it with others. For
`
`example, Shopify partners with Stripe, Inc. to handle payment processing. When a
`
`consumer fills out a payment form, Shopify collects information regarding the
`
`transaction and consumer. Shopify then shares that information with Stripe, which
`
`enables Stripe to process the payment. Like Shopify, Stripe is also in the business
`
`of developing individualized risk profiles on consumers. Stripe’s “risk insights”
`
`profiles for consumers, which includes sensitive information, such as (i) the
`
`number of declined cards previously associated with an email address, (ii) the
`
`time since the first card decline occurred, (iii) the IP address, and (iv) the credit
`
`card number. Upon information and belief, Stripe uses the data that Shopify
`
`
`
`
`
`Class Action Complaint, p. 14
`
`
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`Case 3:21-cv-06269-SK Document 1 Filed 08/13/21 Page 16 of 42
`
`
`
`shares with Stripe to process payments to build out its own risk profiles on
`
`consumers, which it then markets and disseminates to its own customers.
`
`39. Shopify also shares consumers’ information with MaxMind in order to
`
`create consumer risk profiles. When a user purchases an item through one of
`
`Shopify’s merchant customers, Shopify provides MaxMind with the consumers’
`
`personal information and data regarding the transaction. MaxMind uses that
`
`information to assign a risk score to the consumer and transaction, which Shopify,
`
`in turn, shares with its merchant customers to evaluate the transaction and future
`
`transactions. MaxMind markets and disseminates the consumer risk profiles to its
`
`own customers.
`
`40. Because Shopify conceals its involvement with consumer transactions,
`
`consumers are unaware that Shopify shares their sensitive information with third
`
`parties and are deprived of any ability to opt out of the dissemination of their data
`
`from Shopify and the third-parties that are also receiving their sensitive data.
`
`41. Shopify’s collection, storage and dissemination of users’ sensitive
`
`information opens consumers to the possibility of identity theft, credit card theft,
`
`and fraud, by storing their information, without their knowledge or consent,
`
`creating a new venue that is open to vulnerabilities, such as hackers and phishing
`
`scams. However, consumers who do not even know that their information is
`
`collected and stored by Shopify or shared by Shopify with other third parties and
`
`thus will not know to be weary of scams, and are deprived of the knowledge
`
`necessary to protect their data.
`
`42. The potential for identity theft, credit card theft and fraud of data
`
`secretly collected and stored by Shopify is more than a mere possibility. From
`
`2019-2020, certain Shopify staff members took advantage of the consumer data
`
`
`
`
`
`Class Action Complaint, p. 15
`
`
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`Case 3:21-cv-06269-SK Document 1 Filed 08/13/21 Page 17 of 42
`
`
`
`Shopify unlawfully collected and stored. Shopify announced in September 2020
`
`that it became aware of an incident in which data from about 200 merchants was
`
`stolen.3 These staff members acquired information regarding consumer
`
`transaction on Shopify’s platform. The data included consumer names, e-mails,
`
`addresses, and order details, including products, services purchased, payment
`
`methods, and the last four digits of their credit cards.4 The staff members later
`
`sold the data to others on the black market. It has been estimated that the data
`
`breach involved the data of about 272,000 individuals. The consumer data that is
`
`now in the hands of criminals was data that Shopify was never authorized to
`
`collect at the outset. Because Shopify concealed its involvement with the
`
`transactions, Shopify deprived consumers of the right to opt out of its collection
`
`of their private information and, in doing so, has exposed consumers to the risk,
`
`and for some consumers, the reality of identity theft, credit card theft and fraud.
`
`C.
`Shopify Does Not Inform Consumers About Its Activities.
`43. Shopify makes no effort to inform consumers regarding any of its
`
`activities with respect to its interception and collection of consumer information
`
`using merchant websites. Specifically, it does not inform consumers that:
`
`(i) Shopify will intercept communications that consumers believe are being sent
`
`exclusively to merchants; (ii) its software code is causing their devices to connect
`
`to Shopify’s computer servers; (iii) Shopify is placing tracking cookies on
`
`consumers’ computers; (iv) its software code is rendering the payment forms that
`
`are displayed to consumers; (v) the sensitive information in the payment forms
`
`
`3 See https://community.shopify.com/c/Shopify-Discussion/Incident-Update/td-
`p/888971 (last accessed August 2, 2021).
`4 See https://www.documentcloud.org/documents/20580321-us-grand-jury-
`indictment-tassilo-heinrich (last accessed August 2, 2021).
`
`
`
`
`
`Class Action Complaint, p. 16
`
`
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`Case 3:21-cv-06269-SK Document 1 Filed 08/13/21 Page 18 of 42
`
`
`
`will be sent to Shopify; (vi) sensitive information not expressly input by the
`
`consumer—such as IP address, operating system, geolocation data, and item(s)
`
`purchased—will also be collected from the consumer by Shopify; (vii) Shopify
`
`will indefinitely store that sensitive information; (viii) Shopify will use
`
`consumers’ information to assign risk scores to consumers, which could
`
`subsequently be communicated to other merchants and used to deny consumers’
`
`future payment attempts; (ix) Shopify will track consumers’ behavior across over
`
`one million websites; (x) Shopify will make consumers’ sensitive information
`
`available to any of its millions of customers who will accept payment—or who
`
`have already accepted payment—from those consumers; and (xi) Shopify will
`
`share consumer data with third-parties, such as Stripe, Inc. and MaxMind, Inc.
`
`44. Shopify deliberately chose to hide its involvement from consumers.
`
`Shopify did so to increase its profits, because it (i) understands that consumers
`
`value the privacy of their communications and do not wish those communications
`
`to be intercepted; (ii) understands that consumers do not wish for their activities
`
`to be tracked across a vast network of third party merchants; and (iii) wants to
`
`maximize the ability of its merchant customers to “white-label” payment forms, to
`
`make it appear to consumers that the merchants have the sophistication to handle
`
`payments themselves and without extensive third party involvement.
`
`45. Although Shopify provides a default template for merchant websites
`
`that includes, in the footer, a “powered with Shopify” link leading to Shopify’s
`
`homepage, Shopify does not require merchants to use that template, or the link.
`
`Indeed, Shopify provides instructions—including a dedicated video—to
`
`merchants regarding how to remove the link. (See
`
`https://help.shopify.com/en/manual/online-store/themes/os/customize/remove-
`
`
`
`
`
`Class Action Complaint, p. 17
`
`
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`Case 3:21-cv-06269-SK Document 1 Filed 08/13/21 Page 19 of 42
`
`
`
`powered-by-shopify-message (last accessed August 9, 2021).) As Shopify knows,
`
`the vast majority—if not all—of its large merchants delete the link.
`
`46. On information and belief, Shopify does not review its customers’
`
`websites or mobile applications to determine whether its customers have disclosed
`
`to consumers any of Shopify’s activities with respect to their personal
`
`information.
`
`47. Consumers visiting Shopify merchants’ webpages are not required to
`
`view (through a link or otherwise), let alone agree to, Shopify’s Terms of Service
`
`or Privacy Policy. Plaintiff has never agreed to any such policy.
`
`48. As described above, the information that Shopify obtains from
`
`consumers who purchase products from merchants utilizing the Shopify payment
`
`forms includes consumers’ telephone numbers. Shopify maintains a database of
`
`these consumer telephone numbers on its computers. Shopify then transmits, or
`
`causes to be transmitted by a third party, marketing text messages to selected
`
`telephone numbers from Shopify’s database. For example, Shopify sends
`
`“abandoned cart” text messages to consumers that add items to their cart but do
`
`not complete the checkout process. The telephone numbers messaged by Shopify
`
`are assigned to cellular telephone service for which Plaintiff and Class members
`
`incur charges for incoming messages.
`
`D. Plaintiff’s Experience
`49. Plaintiff purchased fitness apparel for his wife from IABMFG on or
`
`about June 14, 2019. To do so, he used his iPhone’s Safari browser to establish a
`
`secure, encrypted connection to IABMFG at https://www.iambecoming.com.
`
`50. After adding products to his virtual shopping cart, Plaintiff was
`
`presented with a checkout screen substantially similar to the screen shown at
`
`
`
`
`
`Class Action Complaint, p. 18
`
`
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`Case 3:21-cv-06269-SK Document 1 Filed 08/13/21 Page 20 of 42
`
`
`
`Figure 1, supra. Plaintiff believed that all aspects of the checkout screen were
`
`being generated by IABMFG, and sent over his browser’s encrypted connection
`
`with IABMFG.
`
`51. Plaintiff was required to provide his private information in order to
`
`complete the checkout process, including information such as his full name,
`
`delivery address, billing address, phone number, and credit card number,
`
`expiration date, and CVV code. Plaintiff provided this information, and then
`
`clicked on the “Pay now” button to submit it. Plaintiff did not provide consent to
`
`Shopify to send him text messages. Plaintiff did not provide consent for Shopify
`
`to obtain, use, store, or share his sensitive information. When Plaintiff clicked the
`
`“Pay now” button, he believed that his information would be sent directly to
`
`IABMFG, through the secure, encrypted connection that his smartphone browser
`
`had established with IABMFG.
`
`52.
`
` Although Plaintiff was not aware of it, the IABMFG checkout page he
`
`visited contained a link to the Shop