California Enacts Electronic Communications Privacy Act (CalECPA)

On October 8, 2015, California Governor Jerry Brown signed the California Electronic Communications Privacy Act (CalECPA) into law. This law basically prevents the government from accessing private electronic communications or electronic data without a warrant, subpoena or wiretap order, or without consent of the appropriate individual. State Senator Mark Leno explained the impetus for seeking to pass this legislation: “For what logical reason should a handwritten letter stored in a desk drawer enjoy more protection from warrantless government surveillance than an email sent to a colleague or a text message to a loved one?” Kim Zetter, “California Now Has the Nation’s Best Digital Privacy Law,” WIRED Magazine, Oct. 8, 2015.

As the Electronic Frontier Foundation summarized, “CalECPA protects Californians by requiring a warrant for digital records including emails and texts, as well as a user’s geographical location.” Dave Maass, “Victory in California! Gov. Brown signs CalECPA, Requiring Police to Get a Warrant Before Accessing Your Data,” Electronic Frontier Foundation, Oct. 8, 2015.

The law focuses on two kinds of data sets: “electronic communication information” and “electronic device information.” 2015 Cal. Stat. Ch.651.

“Electronic Communication Information” is

any information about an electronic communication or the use of an electronic communication service, including, but not limited to, the contents, sender, recipients, format, or location of the sender or recipients at any point during the communication, the time or date the communication was created, sent, or received, or any information pertaining to any individual or device participating in the communication, including, but not limited to, an IP address. Electronic communication information does not include subscriber information as defined in this chapter.

“Electronic Device Information” is

any information stored on or generated through the operation of an electronic device, including the current and prior locations of the device.

(Emphasis added.)

Under this new statute, law enforcement agencies cannot compel the “production of or access to electronic communication information or electronic device information . . . without a search warrant, wiretap order, order for electronic reader records or a subpoena issued pursuant under specified conditions, except for [defined] emergency situations.” Id. (Legislative Counsel’s Digest at (1)).

Any warrant for electronic information of either kind must do the following:

(1) Provide a specific description (“describe with particularity”) the information to be seized, including applicable time periods, the target individuals or accounts, the apps or services covered, and the types of information sought.

(2) Require that any information obtained due to the search warrant that is unrelated to the objective of the search warrant “shall be sealed and not subject to further review, use or disclosure without a court order.”

(3) Comply with other California and federal laws.

(4) Require that service providers that produce such information “verify the authenticity of the electronic information that it products” through an affidavit that complies with Section 1561 of the California Evidence Code.

The law also requires that the government agency MUST destroy the electronic information it receives pursuant to this process within a specified period of time, in general, “as soon as feasible after the termination of the current investigation and any related investigations or proceedings.” Id. (§ 1546.1(e)(2)). In most cases, this period is within ninety (90) days after the agency receives the information.

This law only applies in California, although Maine (Subchapter 10: Portable Electronic Device Content Information in 2013) and Utah (Location Privacy for Electronic Devices in 2014) passed similar legislation. Proponents of the California law have suggested that it be used to form the basis for similar legislation in other states.