by Susan Freiwald, Professor of Law, University of San Francisco School of Law
*This post is part of ACSblog’s symposium examining proposed reforms to the Electronic Communications Privacy Act (ECPA).
As eyes focus on the Microsoft appeal, people are asking why the Electronic Communications Privacy Act (ECPA) fails to resolve more clearly the questions presented. Anyone with a passing familiarity with ECPA could guess the answer: ECPA’s provisions, most of which are nearly 30 years old, are incomplete, ambiguous, and in dire need of amendment. Hence the calls to Congress to pass the LEADS Act (S. 512, H.R. 1174). But those bills, and other ECPA reform bills getting traction in Congress, leave uncovered gaping holes in the law. Only the California Electronic Communications Privacy Act (CalECPA, SB 178), which is up for its final vote in California today, would bring the needed coverage and clarity to protect modern electronic privacy rights. CalECPA applies in California to state and local entities, but it provides a blueprint for comprehensive federal reform.
At the federal level, ECPA fails adequately to protect our most personal information: the communications, movements, documents and online activities that we store on our cell phones and share with our service providers. Though it should, ECPA does not clearly require a warrant for the location data generated when we use our cell phones to make and receive calls or texts and access the internet, even though, in one recent Fourth Circuit case, United States v. Graham, agents obtained well over 100 location data points per day from the subject’s provider. Other recent cases have been all over the map on whether and when a warrant is required. CalECPA takes its cue from the Supreme Court, which recently recognized the intrusiveness of location data acquisition in Riley v. California and United States v. Jones. CalECPA requires a warrant for access to any location data (with appropriate exceptions for emergencies in any case where it requires a warrant).