I suspect this has something to do with "Shop Pay", Shopify's own payment system used on most (all?) Shopify stores. It enables you to have saved payment information for any Shopify store you come across, facilitating one-click checkout even if you have never shopped on that particular brand/website before. Webshop operators love it because it is very good at fraud detection (due to the pooled data on the backend), and removes barriers at checkout (needing your wallet, filling out an address form, etc.). As far as I'm aware, it's optional on the Shopify platform. Using Shop Pay for payment is optional on the consumer level.
I suspect Shopify's terms inform their customers (webshop operators) that they are responsible for disclosure, etc. and being compliant with state privacy laws - however since the majority of web shops are exempt (due to small size, revenue, etc.), these shops did not (knowingly or otherwise) publish these terms. That's just speculation on my part...
If this is true, I find this case troubling and weak, and hope it is overturned. It is squarely on the shop operator to be compliant - Shopify is just a platform vendor and shoppers are not Shopify customers; rather, they are customers of the shop. This seems to be akin to suing Google because a website uses Google Analytics but didn't disclose it in their privacy statement - silly...
This particular case gives me ADA and Prop65 vibes... lots of bottom-feeding lawyers using serial plaintiffs to extort businesses out of money. At least in this case they're going after someone with deep pockets and not just small businesses...
> It is squarely on the shop operator to be compliant - Shopify is just a platform vendor and shoppers are not Shopify customers; rather, they are customers of the shop.
I disagree energetically. If Shopify wants to run a service identifying people between every site that it serves as a backend to, it should ask those people if they want to be included in that. The only alternative to stop the illegal activity otherwise is to print a list of Shopify's customers, and visit (and sue) them one by one in California. Shopify is running the service, and the shop owner probably doesn't even know how it works.
I'd even think that a shop owner sued over this should in turn be able to sue Shopify. If Shopify knows that something it does is not legal in California, it should tell its clients who may do business in California.
> If this is true, I find this case troubling and weak, and hope it is overturned. It is squarely on the shop operator to be compliant - Shopify is just a platform vendor and shoppers are not Shopify customers; rather, they are customers of the shop. This seems to be akin to suing Google because a website uses Google Analytics but didn't disclose it in their privacy statement - silly...
Most of my work is in the Shopify app dev ecosystem, and while I haven't been following this case very closely, I do think it's ironic how Shopify is behaving here given the privacy standards they enforce on their app developers.
Some context: all Shopify app developers are required to follow the EU's GDPR rules for customer data, full stop. Your app must implement Shopify's mandatory GDPR webhooks. You must delete customer data when a shop's customer is deleted; you must produce all data you store on a shop's customer within 7 days upon receipt of a certain GDPR webhook; and you must delete all the data you store on the shop itself after the shop uninstalls your app.
Additionally, if your app requires access to any customer data (whether it's via the Customer API, or via other APIs e.g. to get the name of a customer who placed an order), you need to apply for access to that data on an app-by-app basis – replete with an explanation for why your app needs the data. Shopify's app store staff has to manually review and approve that data access application before you can publish your app on their app store.
To be clear, I think these restrictions are a good thing†, as apps used to have access to a veritable firehose of private customer data. But it's ironic to see Shopify enforce such standards on their app developers, while at the same time arguing that they should be able to track their own potential customers anywhere and everywhere across the internet regardless of privacy laws.
† Though I think it's a little odd that a Canadian company is making me, an American app developer, think about/adhere to the EU's GDPR rules. Not to mention other privacy laws like the one in California. Why not just call it "Shopify's Privacy Standards?"
Stripe also has a version of this called “Link”, which uses SMS authentication. Based on Stripe data on multiple platforms I have access to, quite a high percentage of people use it, probably due to how hard it’s pushed by the UI when adding a payment method.
I'm not familiar enough with California's law to know whether companies like Shopify/Google are meant to be liable (in the sense that the law says so), but certainly it would be a great thing if the companies actually performing the mass surveillance (Google, Shopify) were liable even if the payload deliverer is small. Absolutely what is needed is law saying that Google can be sued (or better, held criminally liable for harassment/stalking) for spying on people through its Google Analytics program, among others.
Relentlessly stalking millions of people makes it millions of times worse than stalking one person, not somehow okay.