Five Lessons for Employers from California v. Riley

by Littler

In the waning days of its current term, the U.S. Supreme Court ruled unanimously in California v. Riley that police officers generally violate the Fourth Amendment's prohibition against unreasonable searches by conducting a warrantless search of a smartphone seized incident to an arrest. The ruling turned largely on the Supreme Court's interpretation of a long-established exception to the Fourth Amendment's warrant requirement. Although the Fourth Amendment and the relevant exception will rarely apply to private employers, the high court's decision remains highly relevant for private employers whose workplace searches, like police searches, increasingly encounter personal smartphones and other mobile devices, whether or not as part of a bring-your-own-device program.

The Supreme Court's decision provides five key takeaways for private employers that we discuss below. At the end of this article, we supplement those takeaways with recommendations for workplace searches of employees' personal smartphones and other mobile devices. Employers should note that the high court's decision does not affect their ability to search company-owned mobile devices. Because they own those devices, employers can establish as a condition of use that employees waive any expectation of privacy in information — whether business or personal — stored on the device. 

Private Employers Must Treat Smartphones Differently From Other Personal Property When Conducting a Workplace Search

In the words of the Supreme Court, "Modern cell phones, as a category, implicate privacy concerns far beyond those implicated by the search of a cigarette pack, a wallet or a purse." Those heightened privacy concerns derive from the quantity of data that can be stored on the device and the nature of that information. Taken together, those attributes permit searches of a personal smartphone to reveal to private employers far more about an employee than searches of any other type of personal property that might be brought to the workplace. 

The massive memory of smartphones is well known. As the Supreme Court pointed out, the standard 16-gigabyte memory of today's top-selling smartphone "translates to millions of pages of text, thousands of pictures or hundreds of videos." The Supreme Court emphasized that it is not just the sheer quantity of data that distinguishes a smartphone from other personal property. Several other aspects of smartphone data storage can make a search of the device highly invasive.

 First, the distinct types of information stored on a smartphone "reveal much more in combination than any isolated record." Second, smartphones often contain months', if not years', worth of information, dating back to the device's purchase and even earlier. Third, Internet browser history can reveal "an individual's interests and concerns." Fourth, "historic location information ... can reconstruct someone's specific movements down to the minute, not only around town but also within a particular building." Finally, the Supreme Court noted that the "average smartphone user has installed 33 apps, which together can form a revealing montage of the user's life." 

The Supreme Court highlighted the potential intrusiveness of a smartphone search by comparing it to the search of a house, the sanctum sanctorum for Fourth Amendment purposes. The high court concluded in the following language that a smartphone search can be far more invasive: 

Indeed, a cell phone search would typically expose to the government far more than the most exhaustive search of a house: A phone not only contains in digital form many sensitive records previously found in the home; it also contains a broad array of private information never found in a home in any form — unless the phone is. 

This same analogy can be used with equal force against a private employer who has searched an employee's personal smartphone without taking the steps recommended below to mitigate risk. 

Courts Will Likely Apply the Same Privacy Standards to all Mobile Devices

While the Supreme Court's ruling focused on smartphones, private employers likely will confront a variety of mobile devices when conducting workplace searches, ranging from flip phones to tablets to laptops. The high court's ruling suggests that private employers should not expect courts to be receptive to arguments trying to differentiate among these devices based on their technical capabilities. 

To illustrate the point, the Supreme Court issued its ruling in companion cases, one involving a flip phone and another involving a smartphone. The high court made no distinction in its analysis between the two devices because all mobile phones have fundamentally similar storage capacity and capability. It noted that, "Even the most basic phones that sell for less than $20 might hold photographs, picture messages, text messages, Internet browsing history, a calendar, thousand-entry phone book and so on." 

Private Employers can Still Search Employees' Personal Smartphones

While the Supreme Court recognized that individuals' privacy interests in their smartphones are "weighty," its ruling specifically rejected the notion that those interests immunize smartphones from a search by law enforcement. As stated by the Court, "Our holding, of course, is not that the information on a cell phone is immune from search; it is instead that a warrant is generally required before such a search, even when a cell phone is seized incident to an arrest." 

A private employer, of course, is not required to obtain a warrant to establish the reasonableness of a search of an employee's personal smartphone. However, the types of factors that courts will consider in deciding whether to issue a warrant to search a smartphone can inform an employer's decision whether its own smartphone search is reasonable. 

These factors include the strength of the employer's suspicion that the smartphone contains evidence of unlawful conduct or policy violations; the time, place and manner of the search; and the nature and scope of the search. Employers should strongly consider evaluating these factors before searching an employee's personal smartphone because under common law, an invasion of privacy generally is actionable only if the intrusion would be highly offensive to a reasonable person. That element of the tort turns on a balancing of the employee's "weighty" privacy interests against the employer's legitimate business interests and the method by which the employer sought to accomplish those interests. 

Searching an Employee's Smartphone Without Consent Could Potentially Trigger Liability Under State and Federal Computer Trespass Laws

All 50 states have outlawed computer trespass and the federal Computer Fraud and Abuse Act also criminalizes computer trespass. Several of the state laws and the CFAA supplement their criminal sanctions with civil remedies. Most of these laws were enacted long before smartphones entered the marketplace. Consequently, they almost uniformly define a fundamental element of the crime as unauthorized access to someone else's computer without addressing the question whether a smartphone is a computer for purposes of the statute. 

The Supreme Court's decision did not specifically address state computer trespass laws or the CFAA. However, the Court did note, in dicta, that the "term 'cell phone' is itself misleading shorthand; many of these devices are in fact minicomputers that also happen to have the capacity to be used as a telephone." While this dicta is not controlling precedent, courts applying computer trespass laws could rely on it to conclude that those laws apply to smartphones. 

Beware: Smartphones are a Gateway to 'the Cloud'

The Supreme Court's decision identifies yet another reason for distinguishing smartphone searches from searches of other personal property (i.e., "a cell phone [can be] used to locate data elsewhere at the tap of a finger"). More to the point, "cloud computing" allows "Internet-connected devices to display data stored on remote servers rather than on the device itself." Notably, even the U.S. conceded in its brief that law enforcement cannot rely on the exception to the warrant rule for searches incident to an arrest to justify a search of data in the cloud that is accessible through a suspect's smartphone. 

Similarly, private employers who search an employee's smartphone must beware of accessing information stored in an employee's cloud accounts, for example, by clicking on an app that permits direct access to an online storage account, such as Dropbox, or to a web-based email account, such as Hotmail. Information stored in such accounts may be protected not only by state computer trespass laws and the CFAA but also by the federal Stored Communications Act, another computer trespass law that provides for both criminal penalties and civil damages. The SCA generally prohibits unauthorized access to electronic communications in electronic storage at an electronic communications service. While the SCA's application to cloud computing remains somewhat unsettled, an adverse ruling on an SCA claim could expose an employer to substantial liability. 

Recommendations for Employers

In light of the Supreme Court's recent decision in Riley, private employers should consider taking the following steps before searching an employee's personal smartphone and when conducting the search: 

  1. Recognize that searches of employees' personal smartphones and other mobile devices are high-risk endeavors that should be undertaken only in consultation with legal counsel.
  2. Do not reflexively rely on workplace search policies applicable to searches of backpacks, briefcases and even cars when searching an employee's personal smartphone.
  3. Whenever feasible, request and obtain consent in writing before searching an employee's smartphone. Confirm that the scope of the consent is consistent with the intended scope of the search and limit the search to the scope of the consent.
  4. Before searching an employee's smartphone without consent, consult with counsel concerning the potential application of state computer trespass laws or the CFAA. If the smartphone can be searched without violating these laws, structure the search in a way that a court likely would deem reasonable in the event of an invasion of privacy claim. 

  5. Take steps to avoid accessing information stored in cloud accounts, for example, by placing the device in airplane mode or by not opening apps. Keep in mind that even these steps might not prevent an employer's unauthorized access to information stored in the cloud because, for example, an employee might synchronize a personal email account with a work email account, allowing those personal emails to be downloaded before the phone is set to airplane mode and without tapping any apps.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Littler | Attorney Advertising
