CalECPA signed into law; warrants required for electronic communications

Edit, Oct. 8, 2015: One month after it passed the Assembly, Gov. Jerry Brown has signed CalECPA into law.

On September 8, the California Electronic Communications Privacy Act passed the California Assembly with strong bipartisan support (55–11). CalECPA passed the California Senate some time ago, so now it is headed to Gov. Brown’s desk for a signature. California is not the first state to enact legislation like this: five states have enacted legislation protecting electronic communications, and nine have legislation protecting GPS information. However, California is the largest, with the largest tech presence, and this law will have the largest impact.

What is CalECPA?

CalECPA updates current California laws to require that when law enforcement or other government entities wish to obtain information about people’s electronic communications or electronic devices from a California business, they must get a search warrant, wiretap order, or order for records. This affects all our digital information: our passwords, PIN numbers, and security codes; our photos, videos, and emails; our IMs, PMs, and DMs; our medical, financial, and location information; our Ashley Madison accounts and our Tinder profiles. Additionally, when a government entity receives electronic records, CalECPA requires the government to destroy any information provided within 90 days, subject to certain exceptions.

And there are indeed some exceptions — for example, a government entity may rely on a subpoena under certain specified conditions, and in certain defined emergency situations, a warrant may not be necessary. However, these are pretty reasonable and are what we generally see for any warrant.

CalECPA is a law that limits government entities, such as law enforcement. It does not limit service providers. Service providers may still voluntarily disclose subscriber information, when not prohibited by other state or federal laws. CalECPA just prevents service providers from being compelled to disclose electronic communication or device information without a warrant.

CalECPA was supported not only by civil liberties organizations like the ACLU and EFF and by the tech industry, including Adobe, Apple, Dropbox, Google, Facebook, LinkedIn, and Twitter, but also by major California law enforcement organizations, who recognized that clear rules would make their jobs easier.

I’m not in California. Why do I care?

CalECPA doesn’t just apply to California residents. It applies to California businesses. In other words, if you’re living in another state but using an online service provider headquartered in California (as so many are), and law enforcement would like to obtain your data from the California service provider, law enforcement will have to comply with CalECPA and get a warrant.

How does this affect you?

If you’re a member of law enforcement or a government entity, polish up your warrant-drafting skills. You’re going to be using those a lot more in California.

If you’re an online service provider in California, you should consult legal counsel and make sure your terms of service and privacy policies adequately address how you handle requests from law enforcement for users’ electronic information. You are now allowed to require a warrant, but you should give some thought to whether or not you want to promise that you will require one in all circumstances.

If you’re a user of California-based service providers, your online privacy just took a big step forward. Congratulations: you may feel somewhat safer using online service providers in California.

What does this mean, on a bigger scale?

I’ve talked before about the “California Effect,” as applied to the Internet: when a state with sufficient control over an industry creates more restrictive legislation than the federal standard, that state can create the new national default, and eventually drive federal (or even international) legislative change. As Paul Schwartz suggested, there is state action, then a flight to Washington. California did this before, first by creating the first data breach notification law (47 states now have data breach notification laws, and Europe adopted California’s model in its Data Privacy Directive), and second with its website privacy policy law, CalOPPA. While neither of these has produced federal legislation, both have certainly established national standards.

Given CalECPA’s wide reach, it is very likely to become a national standard. As law enforcement agencies get accustomed to drafting warrants for electronic communications from California providers, it may become habit, and a standard practice to follow even when dealing with providers not located in California.

This is how change happens.