The California Electronic Communications Privacy Act (“CalECPA”) alters the procedures and requirements for making and responding to state law enforcement requests for electronic communications. CalECPA is expected to go into effect on January 1, 2016. As a result, companies that receive legal process from California government entities (including subpoenas, orders, and warrants) for electronic communications must revise their compliance procedures, including withholding information which previously could be disclosed without a warrant in some circumstances.
CalECPA will affect any person or entity that receives California warrants or orders related to electronic communications, including California and foreign corporations (defined in the new law as any corporation qualified to do business in California). The law is simpler than the federal Electronic Communications Privacy Act (“ECPA”, 18 U.S.C. § 2701 et seq.) because it collapses the distinctions between “electronic communications service” providers and “remote computing service” providers. It also eliminates the requirement that providers must offer their services to the public and encompasses entities like universities or business-to-business only providers. Any affected entity should note these eight changes that may impact their compliance practices.
1. Subscriber information is more limited.
“Subscriber information” is more limited under CalECPA than the federal law (see 18 U.S.C. § 2703(c)(2)). IP address information, call detail records, and payment information are not included in the data which may be disclosed in response to a subpoena. Thus, California government entities must now obtain a warrant to compel disclosure of these types of user data.
2. “Electronic communication information” and “electronic device information” are considered separately, but a warrant is always required for location information or IP addresses.
CalECPA has created a term for the records normally disclosed pursuant to a 2703(d) order – “electronic communication information,” (“ECI”) which is,
“any information about an electronic communication or the use of an electronic communication service, including, but not limited to, the contents, sender, recipients, format, or location of the sender or recipients at any point during the communication, the time or date the communication was created, sent, or received, or any information pertaining to any individual or device participating in the communication, including, but not limited to, an IP address.”
Subscriber information is excluded from electronic communication information. “Electronic device information” (or “EDI”) is defined even more broadly as “any information stored on or generated through the operation of an electronic device, including the current and prior locations of the device.” CalECPA simplifies the question that the federal courts of appeals and state and local law enforcement are struggling to resolve regarding location information – the law simply says that a warrant is required to obtain location information, regardless of whether that information is real-time or stored, and whether it is ECI (like cell site location information obtained from a service provider) or EDI (like location information obtained from an IMSI catcher).
3. Warrants must meet additional requirements.
Warrants for electronic information (whether “electronic communications information” or “electronic device information”) must meet additional requirements, including:
- Describing with particularity the information to be seized by specifying:
- The time periods covered,
- And, as appropriate and reasonable:
- the target individuals or accounts,
- the applications or services covered, and
- the information sought.
- Requiring that any information obtained through the execution of the warrant that is unrelated to the objective of the warrant will be sealed and not subject to further review, use, or disclosure without a court order.
4. Courts may require “taint teams” and sealing of unrelated information.
Courts may, at their discretion or upon a petition from the target or recipient of the warrant:
- Appoint a special master charged with ensuring that only information to achieve the objective of the warrant is produced or accessed (law enforcement sometimes refers to this as a “taint team”), or
- Require that any information that is unrelated to the objective of the warrant be destroyed as soon as feasible after the termination of the current investigation and any related investigations or proceedings.
5. Voluntary disclosures still allowed.
Service providers may still voluntarily disclose subscriber data and “electronic communication information” to a government entity if that disclosure is not otherwise prohibited by state or federal law.
6. Targets and recipients of legal process both have standing to challenge.
CalECPA explicitly provides that both the target of legal process and the service provider or other recipient of the legal process both have standing to petition the issuing court “to void or modify the warrant, order, or process, or to order the destruction of any information obtained in violation of this chapter, or the California Constitution, or the United States Constitution.”
7. Immunity for responding to legal process.
The law also establishes immunity for California or foreign corporations who provide “records, information, facilities, or assistance in accordance with the terms of a warrant, court order, statutory authorization, emergency certification, or wiretap order” issued under CalECPA. Service providers should note that the CalECPA immunity requires strict compliance while the federal ECPA allows for good faith immunity.
8. Shifting burden for user notice.
One of the more significant aspects of CalECPA from the consumer perspective is that the burden is now on the government to contemporaneously notify the targets of legal process when requesting their data. While the government may seek an order allowing for delayed notification if notice to the user would likely cause an “adverse result” (as similarly defined in the federal ECPA), the orders authorizing delayed notice to the user must be renewed after 90 days. The law does not prohibit service providers from independently notifying users when their data has been requested under legal process (so long as a delayed notice order is not in place), but some service providers may wish to revise and streamline their user notification policies for instances where the government is already providing notice.