Brandon Briskin v. Shopify, Inc.
A California court ruled that Shopify's use of session replay and tracking pixels without consent violates the California Invasion of Privacy Act (CIPA). This decision expands liability for any business using similar technologies on California consumers.
Aforeworn detected this change in the US State Data-Privacy Laws space on July 7, 2026 and published this briefing so affected operators are forewarned rather than caught off guard. It is rated High urgency. Multistate retailers, adtech/data brokers, SaaS platforms, and any business using session replay, tracking pixels, or similar third-party tracking on websites visited by California consumers. should confirm how it applies to their specific situation before acting. There is a time constraint attached: Within 30 days to mitigate litigation risk; class actions are likely.. Acting after that point can mean penalties, a lapsed licence, or lost eligibility — exactly the kind of surprise Aforeworn exists to prevent. Aforeworn monitors US State Data-Privacy Laws continuously and turns every detected change into a plain-English briefing like this one, so you always know first. Forewarned is forearmed.
What changed
The court held that Shopify's undisclosed collection of keystrokes, mouse movements, and page interactions via session replay and tracking pixels constitutes wiretapping under CIPA, even if the data is not recorded or stored. This sets a precedent that passive collection of user interactions without consent is illegal.
Who it affects
Multistate retailers, adtech/data brokers, SaaS platforms, and any business using session replay, tracking pixels, or similar third-party tracking on websites visited by California consumers.
What you must do
Immediately review and update website tracking practices to obtain explicit, informed consent before deploying session replay, heatmaps, or any third-party tracking that captures user interactions. Implement a consent management platform (CMP) that blocks such scripts until consent is given.
Deadline
Within 30 days to mitigate litigation risk; class actions are likely.
Source: https://www.courtlistener.com/opinion/10381924/brandon-briskin-v-shopify-inc/
Never miss a change like this again
Aforeworn watches US State Data-Privacy Laws around the clock and alerts you the moment a rule moves — with a plain-English brief on what to do.
Start your free trialRelated changes in US State Data-Privacy Laws
- Netchoice, LLC v. Bonta
- Agency Information Collection Activities; Proposals, Submissions, and Approvals: Crash Reporting Sampling System, Non-Traffic Surveillance, and Special Study Data Collection
- FTC Requires Amazon to Pay $2.25 Million to Resolve Charges It Knowingly Violated the Fair Credit Reporting Act
- Client Alert: California Invasion of Privacy Act Reform Gains Momentum: Legislature Advances Bill That Could Significantly Curtail Website Tracking Litigation - JD Supra
- Privacy Act of 1974; System of Records