A federal judge in the Southern District of California recently granted Hwareh.com’s motion to dismiss a proposed class action claiming that third-party source code on its website unlawfully routed information about consumer information to that third party.  See Zarif v. Hwareh.com, Inc., No. 3:23-cv-00565-BAS-DEB (S.D. Cal.).  The court found that the plaintiff—whose claims included asserted violations of the Federal Wiretap Act, 18 U.S.C. § 2510 et seq., and the California Invasion of Privacy Act, Cal. Pen. Code § 631—failed to establish that the court had personal jurisdiction over Hwareh.com, an online pharmacy.  Hwareh.com is incorporated in Delaware and maintains its principal place of business in Missouri, but the plaintiff alleged that its website was available in California and that it maintained a non-resident pharmacy license in the state.  The court’s decision is the latest in a series of decisions clarifying personal jurisdiction in the context of privacy claims.

Plaintiff asserted that the court had specific jurisdiction over Hwareh.com because it “expressly aimed” its activities at California by operating its website in the state and then collecting the personal information of California consumers who interacted with its website.  But as the court highlighted, other district courts recently have found that personal jurisdiction for alleged privacy violations does not arise merely because a defendant sells and delivers “physical products via a website.”  See, e.g., Doe v. FullStory, Inc., 2024 WL 188101, at *11 (N.D. Cal. Jan. 17, 2024).  Because plaintiff asserted that the harm she purportedly suffered arose from her browsing and use of Hwareh.com’s website—as opposed to buying physical products offered on the website, for example—the court found no causal relationship between Hwareh.com’s operations in the state and her alleged harms. 

Similarly, the court found that Hwareh.com’s internet advertising, even if directed at California residents, was insufficient to subject it to a California court’s jurisdiction.  Plaintiff did not allege, for example, that Hwareh.com had specifically targeted California residents with its advertisements (i.e., treating them differently than citizens of other states) or that it had “individually targeted” plaintiff.  Accordingly, even though plaintiff alleged that Hwareh.com is a registered independent pharmacy in California, that assertion was insufficient—without “something more”—to establish jurisdiction.  Lastly, plaintiff’s assertion that Hwareh.com’s decision to host its website with a third-party whose servers are located in California did not establish jurisdiction.  If it accepted plaintiff’s theory, the court said, it “would significantly expand personal jurisdiction such that each firm whose website is hosted in California could be haled into court.”

Plaintiff will have an opportunity to file an amended complaint because the Zarif court dismissed plaintiffs’ claims without prejudice.  Still, this new decision underscores the importance of considering personal jurisdiction defenses for online services, particularly in the context of privacy claims.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Dominic Booth Dominic Booth

Dominic Booth is an associate in the firm’s Palo Alto office who focuses on commercial litigation and complex class actions. He has experience working with clients in the technology and financial services industries in matters involving privacy, consumer protection, product liability, and breach…

Dominic Booth is an associate in the firm’s Palo Alto office who focuses on commercial litigation and complex class actions. He has experience working with clients in the technology and financial services industries in matters involving privacy, consumer protection, product liability, and breach of contract claims. In particular, Dominic has experience litigating cases brought under the Federal Wiretap Act, California Invasion of Privacy Act (CIPA), and Video Privacy Protection Act (VPPA).