California Passes Landmark Digital Privacy Law
By Sheri Pan – Edited by Ariane Moss
On October 8, 2015, California Governor Jerry Brown signed into law the California Electronic Communications Privacy Act (“CalECPA”), thereby heightening privacy protections for digital records. Under the new regime, state government entities must secure a search warrant to obtain the content and metadata of electronic communications.
CalECPA, effective January 1, 2016, will only allow state government entities to obtain digital communications from private companies with a search warrant, a wiretap order, or order for electronic reader records. The increased requirements will protect the content and metadata of communications, including geolocation data. Communications is broadly defined to cover emails, texts, and documents stored in the cloud. Subscriber data and users' names, street addresses, telephone numbers, and email addresses will not receive increased protection, and service providers can still voluntarily disclose information.
The law also prohibits the government from using stingrays without a warrant, by requiring a search warrant, wiretap order, or consent before physically interacting or communicating with an electronic device. Stingrays obtain a cellphone’s location and identifying information by simulating cellphone towers.
For any records the government does legally obtain, it must generally delete the information within 90 days. The law also requires the warrant to contain specific information and notification to targeted users of the search warrant.
CalECPA is the most comprehensive law regarding digital communications. The federal statute that governs disclosure of electronic communications, the Electronic Communications Privacy Act, requires the government to secure a search warrant to obtain the content of emails stored for 180 days or less, but not the content of older emails, metadata, or subscriber information. Passed in 1986, the statute has been criticized for failing to adequately protect online records in the 21st century. Although a proposed amendment has over 300 co-sponsors, it is not as protective as CalECPA and focuses mostly on content, not metadata.
Five other states have enacted legislation requiring a warrant for content and nine others for geolocation data, but no state has passed comprehensive protection like California’s. Privacy advocates have called for CalECPA to serve as a model for other jurisdictions.
The bill received broad support from non-profits such as the American Civil Liberties Union and the Electronic Frontier Foundation, along with many large technology companies. Police chiefs, sheriffs, and prosecutors expressed opposition to the bill, arguing it would obstruct investigations of online crime.
Sheri Pan is a third-year student at Harvard Law School interested in the intersection of technology and public interest law.