Skip to main content

California May Limit Law Enforcement's Warrantless Data Collection

Eager to retain its spot among the principal laboratories for domestic privacy legislation, California’s legislature is set to debate Senate Bill 178, legislation restricting state law enforcement agencies from requesting data without a warrant. Five other states have adopted similar legislation in recent months, and California’s proposal largely follows that trend.

Broad Definitions Cover Most Electronic Communication Service Providers

SB 178, known as the Electronic Communications Privacy Act (or CalECPA, for short), curtails California’s law enforcement agencies ability to compel companies providing “electronic communications services” from producing “electronic communication information” without a warrant, a wiretap order, or a showing of exigent circumstances. It also limits law enforcements’ ability to conduct warrantless searches of mobile devices.

CalECPA applies to requests to “electronic communication services,” defined as any “service that provides to its subscribers or users the ability to send or receive electronic communications,” and to request for data from “electronic devices,” which is any “device[ ] that stores, generates, or transmits information in electronic form.”

Electronic communication information is also broadly defined, and includes not only email, and other messages, but also device identifiers, location data, time of transmission data, and the contents of electronic communications. This definition covers a host of services, from web-based email to social media platforms.

Addition of Judicial Oversight Shifts Some Administrative Burdens

A key feature of the proposed legislation is the increased judicial oversight of law enforcement data collection requests. Under CalECPA, law enforcement authorities will generally have to apply for either a warrant or a wiretap application before approaching an electronic communication service with a data collection request. Absent a warrant or wiretap order, service providers would generally not be required to comply with a law enforcement request. This new requirement would likely streamline the process of assessing law enforcement collection requests, while also reducing the volume of those requests.

Even in situations where a warrant is not required under CalECPA, such as those involving exigent circumstances, the government must still bring—within three days of seeking disclosure—a motion explaining the emergency and seeking judicial approval of the requested disclosures.

CalECPA also increases the transparency of law enforcement data collection efforts. Under the proposed legislation, any law enforcement agency making data collection requests would be required to detail the number of requests for electronic communication information to the California Attorney General, who would then be responsible for compiling and publishing an annual report analyzing the number of law enforcement demands for this type of information.

Proposed Legislation Benefits Consumers and Communication Service Providers

In addition to strengthening consumers’ expectation of privacy in hosted data repositories and mobile devices, the proposed legislation clearly benefits technology and communication companies (many of whom have endorsed it) by reducing the total number of law enforcement request and by shifting some the administrative burdens of identifying appropriate requests onto state judicial officers.

The measure is backed by a long list of well-known companies and organizations, including Google, Apple, Facebook, Adobe, LinkedIn, Microsoft, Twitter, Foursquare the Electronic Frontier Foundation, and the ACLU.

Subscribe To Viewpoints

Authors

Peter Day

Cynthia J. Larose

Member / Co-Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.