How CalECPA Improves on its Federal Namesake
Last week, Governor Brown signed the landmark California Electronic Communications Privacy Act (CalECPA) into law and updated California privacy law for modern communications. Compared to ECPA, CalECPA requires warrants, which are more restricted, for more investigations; provides more notice to targets; and furnishes as a remedy both court-ordered data deletion and statutory suppression. Moreover, CalECPA’s approach is comprehensive and uniform, eschewing the often irrational distinctions that have made ECPA one of the most confusing and under-protective privacy statutes in the Internet era.
Extended Scope, Enhanced Protections, and Simplified Provisions
CalECPA regulates investigative methods that ECPA did not anticipate. Under CalECPA, government entities in California must obtain a warrant based on probable cause before they may access electronic communications contents and metadata from service providers or from devices. ECPA makes no mention of device-stored data, even though law enforcement agents increasingly use StingRays to obtain information directly from cell phones. CalECPA subjects such techniques to its warrant requirement. While the Supreme Court’s recent decision in United States v. Riley required that agents either obtain a warrant or rely on an exception to the warrant requirement to search a cell phone incident to arrest, CalECPA requires a warrant for physical access to any device, not just a cell phone, which “stores, generates, or transmits electronic information in electronic form.” CalECPA clearly defines the exceptions to the warrant requirement by specifying what counts as an emergency, who can give consent to the search of a device, and related questions.
ECPA’s 1986-drafted text only arguably covers the compelled disclosure of location data stored by a service provider, and does not clearly require a warrant for such investigations. CalECPA explicitly includes location data in the “electronic communication information” that is subject to the warrant requirement when a government entity accesses it from either a device or a service provider (broadly defined). ECPA makes no mention of location data gathered in real-time or prospectively, but CalECPA requires a warrant both for those investigations and for stored data investigations. Whenever a government entity compels the “the production of or access to” location information, including GPS data, from a service provider or from a device, CalECPA requires a warrant.
CalECPA raises the requirements for and expands the scope of pen register and trap and trace investigations. ECPA requires only a rubber-stamp court order based on relevance for investigations that obtain dialing, routing, addressing and signaling (DRAS) information in real-time. Electronic communication information, which is protected whether acquired in real-time or from records, from a service provider or a device, includes “any information about an electronic communication or the use of an electronic communication service, including, but not limited to, the contents, sender, recipients, format, or location of the sender or recipients at any point during the communication, the time or date the communication was created, sent, or received, or any information pertaining to any individual or device participating in the communication, including, but not limited to, an IP address.” That covers not just “DRAS,” but other non-contents information (metadata), whose protection ECPA had left unclear.
More Restricted Warrants
Beyond subjecting many more types of investigations than ECPA does to a warrant requirement (defined by cross reference to other provisions of the California penal code), CalECPA adds more restrictions to the warrants it authorizes. CalECPA mandates that warrants must specify the time frames covered by the investigation and must require that any information obtained that is unrelated to the warrant’s objective be sealed and not used without a further court order. CalECPA suggests other appropriate limits to tailor warrants for electronic data and permits courts to appoint special masters or order the destruction of irrelevant evidence to protect against the acquisition of unnecessary information. While federal law highly restricts court orders for wiretaps (which CalECPA maintains), other types of investigations often proceed under ECPA without a warrant; when ECPA does require warrants, they lack CalECPA’s tailored provisions.
Notice, Statutory Suppression Remedy and Data Deletion
While ECPA dispenses with notice much more often than it requires it, CalECPA requires notice to the target in all cases. CalECPA permits the government to delay of notice in appropriately delineated cases, including emergencies. Otherwise, CalECPA requires government entities to furnish detailed information to targets about their investigations, contemporaneously with those investigations. CalECPA even requires internet reporting of investigations with no named targets, such as cell tower dumps. Apart from wiretaps, ECPA appears to dispense with notice when agents use warrants, obtain non-content information from electronic storage orDRAS in real time, and in all emergency situations.
ECPA infamously fails to provide a statutory suppression remedy for any investigation involving electronic communications and for any investigation of stored communications, no matter how significant the transgression. The lack of a statutory suppression remedy has led to calls for reform, and has contributed to the dearth of criminal cases interpreting ECPA’s provisions.
CalECPA provides a further significant remedy that is both tailored to the concerns of the digital age and absent from ECPA. A broad data destruction provision permits individuals, service providers, and others involved in investigations to petition the issuing court to “order the destruction of any information obtained in violation of [CalECPA], or the California Constitution, or the United State Constitution.”
Most significantly, CalECPA erodes the content/non-content distinction. By defining electronic communication information to include both contents and metadata, CalECPA takes a giant leap forward. CalECPA’s authors recognized that it is difficult to distinguish between contents and metadata both as a matter of technology and as a matter of policy.
Unlike ECPA, CalECPA’s protections do not depend on how long the information has been stored, on whether it has been stored by a remote computing service or an electronic communications service, on whether the provider that stores the information provides services to the public, or on whether an email has been opened, accessed or downloaded. And, as discussed, they do not turn on whether the government entity seeks real-time data or data out of electronic storage.
CalECPA’s uniform and comprehensive provisions should make it significantly more effective and more privacy-protective than its federal counterpart. Excellent analysis has considered how CalECPA achieved passage. Future analysis should consider how to obtain similar results in other states and in Congress.
 Full disclosure: I was pleased to draw upon my academic and litigation experience to serve as an issue expert for the bill’s authors: State Senators Leno and Anderson. For the past year, I served as a member of the bill’s policy team, helped answer questions about the bill’s language, testified at committee hearings in Sacramento about its legal impact, and coordinated dozens of academic colleagues to send a joint scholarly support letter to Governor Brown.
 CalECPA similarly requires government entities to delete voluntarily disclosed information after ninety days in certain cases.
 CalECPA does not cover subscriber information, defined as “the name, street address, telephone number, email address, or similar contact information provided by the subscriber to the provider to establish or maintain an account or a communication channel, a subscriber or account number or identifier, the length of service, and the types of services used by a user of or subscriber to a service provider.” Unlike under ECPA, subscriber information under CalECPA does not include IP addresses, payment information, or call logs. Like under ECPA, subscriber information will remain subject to a subpoena standard, which reflects the nature of that information rather than its non-content status.