Law enforcement requests for electronic information, particularly from technology companies such as Google and Twitter, have skyrocketed in recent years. In response, several states—Maine and Texas in 2013, Utah in 2014 and Virginia earlier in 2015—passed laws that limit law enforcement searches of electronic data. On October 9, 2015, California joined these states by passing the California Electronic Communications Privacy Act (CalECPA), which is intended to protect California residents from unauthorized invasion of their digital privacy.
CalECPA applies to “electronic information,” which includes both “electronic communication information” and “electronic device information”:
CalECPA generally requires a warrant before any business turns over any individual’s electronic information. Specifically, CalECPA prohibits any government entity that does not have a valid warrant or court order:
In addition, CalECPA requires:
CalECPA also permits a service provider to voluntarily disclose electronic communication information when disclosure is not otherwise prohibited by law.
Why does CalECPA matter? CalECPA extends privacy rights to electronic data in a way that federal law has not: it bars any state law enforcement or investigative entity from compelling a business to turn over any metadata or digital communication—including emails, texts, and documents stored in the cloud—without a warrant. It also requires a warrant to search or track the location of a business's electronic devices, such as mobile phones. In addition, no business (or its officers, employees and agents) may be subject to any cause of action for providing information or assistance pursuant to a warrant or court order under CalECPA.