Starting on New Years Day 2016, a new law will prohibit California law enforcement agencies from compelling California residents and businesses to turn over metadata or electronic communications (e.g., texts, emails, e-documents in the cloud) without a search warrant or court order.
California Governor Jerry Brown signed the landmark California Electronic Communications Privacy Act (CalECPA) into law last month. The bill passed both chambers of the California legislature with broad bi-partisan support. It was co-sponsored by the Electronic Frontier Foundation, the American Civil Liberties Union and the California Newspaper Publishers Association, and received support from a wide variety of civil rights groups and technology companies, including Apple, Facebook, Google, Microsoft, SnapChat, and Twitter. The full text of the bill can be found here.
What is CalECPA?
CalECPA has been touted as the most comprehensive digital privacy law in the nation. It prohibits a California governmental entity from compelling the production of or access to electronic communication information or electronic device information without a search warrant, wiretap order, order for electronic reader records, or subpoena issued pursuant under specified conditions, except for certain defined emergency situations.
In other words, it requires all California state and local law enforcement agencies to obtain a search warrant or wiretap order before they can access any electronic communication information. The law defines “electronic communication information” in the broadest terms possible so that it includes emails, digital documents, text messages, location information, and any digital information stored in the cloud. The law protects all aspects of electronic communication information, not just its contents, but also metadata information relating to the sender, recipient, format, time, date, and location of the communications, including IP addresses.
CalECPA also limits the ability of California law enforcement to obtain information directly from a smartphone or similar device, or to track them. Law enforcement must either obtain a warrant or get the consent of the person possessing the electronic device.
What if law enforcement obtains electronic information without a warrant?
Any electronic evidence obtained in violation of CalECPA will be inadmissible in a criminal, civil or administrative proceeding or for use in an affidavit to obtain a search warrant or court order. Furthermore, CalECPA requires government entities that receive electronic communication without a warrant to delete the information within 90 days.
If a warrant is issued to a third party that is in possession of a person’s electronic communications, such as Facebook or Google, CalECPA requires law enforcement to contemporaneously inform the user that there has been a request for their electronic information and specify the nature of the government investigation under which the information is sought.
Are there exceptions to the warrant requirement?
Yes. If an owner of a device gives a law enforcement official permission to access data on their electronic device, or if a government entity believes an electronic device has been lost or stolen, it can access it to try to identify, verify, or contact the owner. There’s also an emergency exception. If a law enforcement official believes that an emergency involving “danger of death or serious physical injury to any person” requires access to the electronic device information, then he can access the information. The government official will still have to file for a warrant within three days of obtaining the data.
What is CalECPA intended to address?
Prior to CalECPA, California had not updated its privacy rights for the digital age. One of the bill’s authors noted that a handwritten letter stored in a desk drawer enjoyed greater legal protection than a cell phone, a text message, an email, or an electronic file stored in the cloud. Current federal law, the Electronic Communications Privacy Act (“ECPA”), which extends fourth amendment rights to electronic communications, has been widely criticized for being nearly 30 years out of date. California’s previous attempts to pass legislation that would have brought its criminal code up to date for the digital age – including legislation that would have required a search warrant (i) to obtain access to electronic communications, (ii) to obtain location information of an electronic device, or (iii) to search an electronic device during a lawful arrest – all fell victim to the Governor’s veto.
Law enforcement agencies have also been able to work around outdated warrant requirements by issuing informal requests for user data to technology companies. The tech companies weren’t forced to comply with government requests, but they often did, and those requests have increased dramatically in recent years. Google reported a 250% increase in government demands for consumer data in the past five years and Verizon reported that less than a third of its government requests had a warrant. Twitter revealed in its latest transparency report that it complied with requests from government agencies inside of the United States 80% of the time.
A survey conducted by the ACLU of Northern California found that Californians overwhelmingly supported the warrant requirements in the new law. Significant findings of the survey include:
- 82% support requiring a warrant prior to access to email;
- 82% support requiring a warrant prior to access to internet activity;
- 79% support requiring a warrant for tracking cell phones; and
- 77% support requiring a warrant for accessing text messages.
Similar State Laws Elsewhere?
Thus far, only a handful of states, including Maine, Texas, and Utah, have passed similar laws requiring a warrant for law enforcement officials to access electronic communications content. About a dozen states, beginning with Montana and Maine in 2013, have enacted more narrow electronic communication privacy laws that require law enforcement to obtain a warrant before tracking an individual’s location using their cell phone. In the end, only a few states have adopted digital privacy protections on par with California’s Electronic Communications Privacy Act.