Law enforcement requests for electronic information, particularly from technology companies such as Google and Twitter, have skyrocketed in recent years. In response, several states—Maine and Texas in 2013, Utah in 2014 and Virginia earlier in 2015—passed laws that limit law enforcement searches of electronic data. On October 9, 2015, California joined these states by passing the California Electronic Communications Privacy Act (CalECPA), which is intended to protect California residents from unauthorized invasion of their digital privacy.
CalECPA applies to “electronic information,” which includes both “electronic communication information” and “electronic device information”:
- Electronic communication information means “any information about an electronic communication or the use of an electronic communication service including … any information pertaining to any individual or device participating in the communication.”
- Electronic device information means “any information stored on or generated through the operation of an electronic device, including the current and prior locations of the device.”
CalECPA generally requires a warrant before any business turns over any individual’s electronic information. Specifically, CalECPA prohibits any government entity that does not have a valid warrant or court order:
- Compelling an electronic communication service provider to produce or access electronic communication information;
- Compelling any person or entity other than the authorized possessor of the device to produce or access electronic device information; or
- Accessing electronic device information by physical interaction or electronic communication with the electronic device.
In addition, CalECPA requires:
- A government entity to notify the target of an investigation about the electronic information covered by the search warrant; and
- A “service provider” to verify the authenticity of electronic information that it produces pursuant to a warrant or government request.
CalECPA also permits a service provider to voluntarily disclose electronic communication information when disclosure is not otherwise prohibited by law.
Why CalECPA matters? CalECPA extends privacy rights to electronic data in a way that federal law has not: it bars any state law enforcement or investigative entity from compelling a business to turn over any metadata or digital communication—including emails, texts, documents stored in the cloud—without a warrant. It also requires a warrant to search or track the location of a business’ electronic devices like mobile phones. Also, no business (or its officers, employees and agents) may be subject to any cause of action for providing information or assistance pursuant to a warrant or court order under CalECPA.