On Thursday, October 8, 2015, California Governor Jerry Brown signed into law the Electronic Communications Privacy Act (the “California ECPA”). This legislation, which takes effect on January 1, 2015, has been heralded by privacy advocates and a number of technology companies as a welcome modernization of California privacy law. The California ECPA has broader privacy protections than the federal Electronic Communications Privacy Act (the “Federal ECPA”), which has been widely criticized for its failure to evenly protect various forms of electronic information from government intrusion and for using outdated concepts of electronic privacy. In contrast to the Federal ECPA, the California ECPA requires a search warrant to compel production of or access to sensitive information like emails that have been stored on a server for more than 180 days, detailed location information generated by electronic devices, and sensitive metadata relating to user’s electronic communications.
What Information is Protected by the California ECPA, And How Does it Impact the Federal ECPA?
The California ECPA prohibits government entities from:
Critically, “electronic communication information” is defined as including “any information about an electronic communication or the use of an electronic communication service.” This includes both content and metadata, and the California ECPA explicitly references its application to certain classes of metadata commonly sought by law enforcement, including user geolocation data and IP addresses. Similarly, “electronic device information” is defined broadly to include “any information stored on or generated through the operation of an electronic device, including the current and prior locations of the device.” Thus, the California ECPA impacts private electronic communications such as emails, text messages and GPS data that are stored in the cloud and on devices such as smartphones, tablets, laptops and other digital devices.
The California ECPA does not impact federal law enforcement demands for information; the Federal ECPA still governs their demands.
What Information is Not Protected by the California ECPA?
The California ECPA explicitly exempts certain state investigative tools, when used for specified purposes, from its prohibitions. More specifically, the California ECPA does not prevent state law enforcement from using administrative, grand jury, trial, or civil discovery subpoenas to:
How Can the Government Compel Disclosure of California ECPA-Protected Electronic Information from Service Providers and Third Parties?
Government entities may compel the production of or access to electronic communication information (from service providers) or electronic device information (from an individual other than the authorized possessor of the device) only pursuant to:
How Can the Government Access California ECPA-Protected Device Information on an Electronic Device?
The California ECPA also limits the situations in which a government entity may access electronic device information via physical interaction or electronic communication with an electronic device, such as a smartphone. This type of access, relevant to both businesses and consumers, is only permitted where the Government entity:
May a Service Provider Voluntarily Disclose Protected Information to California Officials?
Is There a Private Right of Action Against Service Providers for Disclosing Electronic Information Pursuant to the ECPA?
No. The California ECPA provides that corporations, as well as their officers, employees, and agents, “are not be subject to any cause of action for providing records, information, facilities, or assistance in accordance with the terms of a warrant, court order, statutory authorization, emergency certification, or wiretap order” issued pursuant to the California ECPA.
Who May Enforce the California ECPA?
The California ECPA authorizes the enforcement of the Act by any individual whose information is targeted, as well as by a service provider or other recipient of a search warrant, order, or other legal process seeking the disclosure of electronic information.
Given the rapidly changing and fragmented legal landscape, companies who receive government requests for access to electronic information are likely to benefit from legal counsel. These issues are increasingly complicated and are impacting an ever-wider range of businesses as companies expand their collection of customer information.