The average American today generates more media than they did at any other point in history, and the ease with which our communications, photos, and videos are sent and stored digitally means most of us have more media stored in the cloud or on a single digital device than previous generations would have created in an entire lifetime. However, even as the amount of media we create and store has increased, the laws governing its search and seizure have failed to keep up. Under federal law and the laws of most states, the same information may be subject to different levels of protection from government authorities depending on whether that information is in the form of an e-mail stored in the cloud or a letter stored in a desk drawer.
California is attempting to change that equation. On October 8, 2015, Governor Jerry Brown signed into law the California Electronic Communications Privacy Act (CalECPA, SB 178), a sweeping bill aimed at protecting digital privacy rights by creating protections for digital media that mirror the protections that exist for physical media. Specifically, the law bars state law enforcement and other investigative agencies from compelling a California business or other entity that possesses a third-party’s metadata or digital communications to turn over that information without a warrant or court order. The bill similarly limits the conditions under which a government entity may directly access information stored on an electronic device (such as a cell phone or wireless hard drive) through physical or electronic communication with the device, and the use of electronic means to track the location of such devices.
CalECPA is designed to cover the kinds of digital information that average citizens would consider private, and includes emails, texts, and documents stored in the cloud. It requires anyone seeking to obtain a warrant or court order to compel access to this data to describe with particularity the data to be seized, imposes conditions on the use of the data once it is obtained, and requires the destruction of that data within 90 days.
The bill also tackles an issue many privacy rights advocates have with third party searches in general – if or until a prosecution is attempted, the actual target of a third-party search may never be aware their information was obtained by a government agency in the first place. Under CalECPA, the entity that executes a search warrant of a third party must provide contemporaneous notice to the identified target, which must inform the target that information about them has been requested and must state the nature of the government investigation under which the information is sought.
Most of the provisions in the law have exceptions which mirror the long recognized exceptions for physical searches and seizures. A warrant is not required, for example, in emergencies when accessing the data or tracking an electronic storage device could prevent loss of life or physical injury. The bill also contains exceptions to the notice provision, authorizing a delay of up to 90 days (which can be renewed), and the destruction provision, allowing for the preservation of information for longer periods under specified circumstances.
Finally, the law provides that an entity and its officers, employees, and agents may not be subject to any cause of action for providing information in compliance with the law, which helped secure the support of tech companies like Apple, Google, Facebook, Dropbox, LinkedIn, and Twitter, which have headquarters in California. The law also received widespread support from civil liberty organizations like the American Civil Liberties Union and the Electronic Frontier Foundation. While not supportive of the bill, law enforcement organizations such as the California District Attorneys Association, California Police Chiefs Association, California Sheriffs Association, and the California Statewide Law Enforcement Association were sufficiently convinced that the final bill would not hamper their investigative needs that they came out as neutral, a stance which certainly helped with the bill’s passage.
The law places California at the forefront of protecting this type of digital privacy among states: while a handful of states do have warrant requirements for digital content and several others require a warrant for GPS location tracking, California is the first to enact a comprehensive law protecting location data, content, metadata and device searches. It also outpaces the federal government, where efforts to pass a comprehensive bill covering the search and seizure of digital media have stalled.