In response to the Dobbs decision, California enacted legislation intended to enhance data privacy and block record requests by other states concerning alleged abortion-related offenses that are lawful in California.[1] In September, California launched a website – abortion.ca.gov – dedicated to abortion access information. The website includes a disclaimer: “California protects your privacy.”

On September 27, California Governor Gavin Newsom signed unique legislation that seeks to protect abortion data privacy by preventing out-of-state law enforcement officers from executing search warrants on California electronic communication and computing services companies for the purpose of investigating another state’s abortion-related offenses. For California-incorporated or -headquartered communications or computer services companies, Assembly Bill 1242 (AB 1242) significantly changes the process for responding to out-of-state law enforcement requests and lawful court orders for records of activity, such as cellphone location or internet usage, and wiretap requests. AB 1242 includes a series of laws with the sole purpose of protecting the privacy of abortion providers and seekers in California.

Amendments to California Penal Code § 1524.2 – Search Warrants

Effective immediately, a California corporation that provides electronic communications services or remote computing services to the general public “shall not produce records when the corporation knows or should know that the warrant relates to an investigation into, or enforcement of, a prohibited violation.” California corporations are permitted to disclose requested records only if the warrant includes or is accompanied by an attestation that the evidence sought is not related to an investigation into or enforcement of a “prohibited violation.” A prohibited violation is an out-of-California law violation that creates liability for providing, facilitating, or obtaining an abortion or intending or attempting to provide, facilitate, or obtain an abortion that is lawful under California law.

It is only applicable to California corporations – those corporations or other entities that are subject to Section 102 of the California Corporations Code; in other words, corporations organized under the laws of the state of California. It specifically states that it does not apply to “foreign corporations.” Foreign corporations are those organized under the laws of a different state but that have obtained a certificate of qualification to do business in California under Section 2105 of the California Corporations Code.[2]

It is only applicable to California corporations that provide electronic communication services or remote computing services to the general public. “‘[R]emote computing service’ means the provision to the public of computer storage or processing services by means of an electronic communications system.” 18 U.S. Code § 2711(2). “’[E]lectronic communication service’ means any service which provides to users thereof the ability to send or receive wire or electronic communications.” 18 U.S. Code § 2510.

Prior to Newsom’s signing the bill, Section 1524.2(c) of the Penal Code mandated that a California corporation that provides electronic communication services or remote computing services to the general public produce requested records “when served with a warrant issued by another state to produce records that would reveal the identity of the customers using those services, data stored by, or on behalf of, the customer, the customer’s usage of those services, the recipient or destination of communications sent to or from those customers, or the content of those communications.” The amendment adds significant qualifiers to the prior language:

• 1524.2(c) (renumbered as (c)(1)) maintains the above-quoted mandate, but it now ends with the following carve-out: “... but shall not produce records when the corporation knows or should know that the warrant relates to an investigation into, or enforcement of, a prohibited violation.”
• 1524.2(c)(2) prohibits a California corporation from complying with a foreign-issued warrant “unless the warrant includes, or is accompanied by, an attestation that the evidence sought is not related to an investigation into, or enforcement of, a prohibited violation.”
• 1524.2(c)(3) establishes that California corporations in receipt of a foreign-issued warrant are “entitled to rely on the representations made in an attestation described in paragraph (2) in determining whether the warrant relates to an investigation into, or enforcement of, a prohibited violation.”

Amendments to California Penal Code § 1546.5 – All Encompassing Legal Requests

Additionally, any California corporation or a corporation with its principal executive offices located in California that provides electronic communication services is now forbidden from providing records, information, facilities or assistance where it “knew or should have known that the warrant, court order, subpoena, wiretap order, pen register trap and trace order, or other legal process relates to an investigation into or enforcement of a prohibited violation.” The California attorney general may file a civil action to compel compliance with California law.

Although an attestation is not required to accompany these legal requests, covered California corporations may consider requiring one to help them establish that they did not “kn[o]w or should have known” of any connection to a prohibited violation. At a minimum, this amendment forces applicable California corporations to review a legal request more closely. One approach is to closely review any probable cause affidavit, identify the alleged offense, and conduct an analysis to determine whether there is any potential connection between the legal request and a prohibited violation.

Applicability of California Assembly Bill 1242

In order to determine whether sections 8 and 9 of AB 1242 apply, California corporations should use the following analysis.

Section 8 (Responding to out-of-state warrants):

• Is the business a California corporation that provides electronic communications services or remote computing services to the general public?
• If so, the corporation “shall not produce records when the corporation knows or should know that the warrant relates to an investigation into, or enforcement of, a prohibited violation.”
• The corporation shall not comply with providing records “unless the warrant includes, or is accompanied by, an attestation that the evidence sought is not related to an investigation into, or enforcement of, a prohibited violation.” 

Section 9 (responding to legal requests other than out-of-state warrants):

• Is the business a “California corporation or a corporation whose principal executive offices are located in California that provides electronic communications services”? 
• If so, is the corporation providing records, information, facilities or assistance in accordance with the legal process in California?
• If so, is the corporation providing records, information, facilities or assistance where it “knew or should have known that the warrant, court order, subpoena, wiretap order, pen register trap and trace order, or other legal process relates to an investigation into or enforcement of a prohibited violation”?

Covered California entities should assess their policies for responding to law enforcement requests and update the policies as applicable. One part of this analysis may include tracking states in which prohibited violations are part of the statutory scheme.

Impact on California Communications/Computing Services Companies’ Assessment of Foreign-Issued Warrants

Upon receipt of a foreign-issued warrant, covered California entities must confirm that the warrant is accompanied by an attestation that the evidence sought is not related to an investigation into the actual or attempted provision of, facilitation of, or obtaining of an abortion that is legal under California law. Section 1524.2(c)(3) allows California covered corporations to rely on the representations made in that attestation, such that no independent verification or investigation would be needed.

California corporations may quickly face a quandary: receipt of a lawful out-of-state search warrant and out-of-state law enforcement’s failure or unwillingness to comply with the attestation requirement. To prepare for these types of scenarios, covered California entities could proactively create an attestation that integrates efficiencies to speed the process. For instance, entities could set up a form document on a website that automatically submits it to the company upon completion and includes language that the entity deems satisfactory.

A compliant attestation may be as simple as one sentence. For example, “The evidence sought is not related to an investigation into or enforcement of a prohibited violation as defined in California Penal Code Section 629.51.” A California corporation is entitled to rely on such an attestation in determining whether a warrant is compliant.

One Example

In June 2022, the Texas attorney general issued a civil investigative demand to Twitter in San Francisco, California. Under California Penal Code 1546.5, a California corporation that provides electronic communications services is forbidden from producing records where it knew or should have known that the legal process is related to the investigation of a prohibited violation. In this scenario, is the newly enacted California legislation a potential safe harbor for California technology companies to not comply with Texas legal demands?

The Bottom Line

We can expect to see legal challenges concerning the enforceability of this new California legislation. Covered California entities should assess their policies for responding to law enforcement requests, update policies and conduct compliance training as needed. One part of this analysis may include tracking states in which prohibited violations are part of the statutory scheme.  

[View source.]