When individuals communicate with one another via digital devices, they are entitled to a certain level of privacy. These civil liberties are guaranteed by the Electronic Communications Privacy Act (ECPA), which regulates how individuals and entities can access those private electronic transmissions.
The ECPA is an update to the Federal Wiretap Act of 1968 and protects oral, electronic, and wire communication from unlawful eavesdropping and data collection. Without this privacy law in place, the barriers for law enforcement, internet service providers, and individuals to access your private communications would be exponentially easier to permeate.
When dealing with internet defamation or other online privacy matters, understanding the ECPA and its protections is critical. At Minc Law, our attorneys are well versed in how to protect individuals and businesses from ECPA violations as well as utilize ECPA rules to ascertain important information about adverse parties.
In this article, we explore the Electronic Communications Privacy Act (ECPA) and what kinds of information it protects. We then explain your civil liberties and rights under the ECPA, as well as significant case law affecting how the Act is enforced today.
Provisions of the Electronic Communications Privacy Act (ECPA)
As communication methods evolve, so should laws regulating their ethical use. The Electronic Communications Privacy Act (ECPA) was enacted in 1996 as an update to the Federal Wiretap Act of 1968. The Wiretap Act limited interceptions of traditional phone calls—but the ECPA added protections for stored communication via computer as well.
The ECPA has been amended several times (including by the USA PATRIOT Act) to keep pace with changing technology and update law enforcement access regulations for communication in electronic storage.
What is the Electronic Communications Privacy Act?
The ECPA protects individuals from unlawful electronic eavesdropping and wiretapping. It also prohibits unlawful access and dissemination of privately stored electronic communication.
The term “electronic communication” encompasses communication methods like:
- Oral conversations, and
The statute also protects data stored by service providers like Internet Protocol (IP) addresses and billing records.
What Are the Main Provisions of the ECPA?
The ECPA has three primary sections:
- Title I (Wire Tap Act). This section protects against unlawful hacking and electronic surveillance of private correspondence. This correspondence includes texts, emails, money transfers, and phone calls.
- Title II (Stored Communications Act). This section bans service providers from procuring and unlawfully distributing customer data. “Service providers” are any electronic communication service that allows users to send or receive transmissions.
- Title III. This section regulates the use of certain technologies that can intercept personal electronic communication, like pen registers and tapping devices.
Who Should Be Aware of the ECPA?
The ECPA is a Federal statute, so it applies to all individuals and entities in the United States. It is especially important to keep the ECPA in mind when you are discussing or storing sensitive electronic information.
Also, if you are involved with cyber harassment or involved in a criminal or civil investigation, you should be aware of your rights under the ECPA.
Why Was the ECPA Enacted?
The ECPA was passed in 1986 in a time of rapid technological improvement. Congress saw the potential privacy concerns and wanted to create safeguards to keep data and communication private. This Act is broadly concerned with protecting individuals’ Fourth Amendment rights.
The Fourth Amendment provides “the right of the people to be secure… against unreasonable searches and seizures.” Originally, this Amendment was intended to secure individuals’ civil liberties against unlawful physical searches. However, as technology has expanded, courts have begun interpreting the Fourth Amendment to protect people and entities from unlawful searches of their electronic communication and data.
Simply put, the purpose of the ECPA was to clarify how these types of searches are treated. It is also meant to provide individuals with details on what kinds of data are protected.
Carpenter v. United States (2018): a Seminal Case Exemplifying the Impact of Technology on Personal Privacy
In Carpenter v. United States, the Supreme Court held that geolocation information from a cell service provider cannot be accessed through a subpoena. Individuals have a “reasonable expectation of privacy” to such information.
The court then found that collecting this data constitutes a “search” under the Fourth Amendment. Law enforcement can only obtain certain data through a subpoena if they can demonstrate that it is “relevant and material to an ongoing criminal investigation.”
In this case, the petitioner was a person of interest in a serial robbery investigation. Police subpoenaed the petitioner’s cellular service providers for their location data over 152 days. The Court found that the location data the police collected did not fall under the SCA provision because the collection constituted a “search” under the Fourth Amendment. Thus, the information collection required probable cause and a warrant instead of a subpoena.
In this decision, the court reasoned that location data can create a comprehensive map of an individual’s movements, and such information should be protected.
How Has the ECPA Changed Over Time?
Because technology has rapidly evolved since the ECPA was enacted in 1986, it has been necessary to amend the Act accordingly.
First, in 1994, Congress altered the ECPA to adjust to the new Communications Assistance for Law Enforcement Act (CALEA). This Act not only allows but requires certain service providers to have the equipment necessary to monitor customer communications.
This change did not alter the ECPA’s protection of such data. Instead, it required service providers to readily comply with lawful searches.
Next, ECPA reform complied with the 2001 and 2006 USA PATRIOT Act. This Act was passed in response to the terrorist attacks on September 11th, 2001. The USA PATRIOT Act expanded law enforcement’s abilities to monitor and search electronic communication related to terrorist activities.
Finally, the ECPA was partially altered by the amended Foreign Intelligence Surveillance Act of 2008 (FISA). FISA broadened the U.S. government’s ability to collect data and surveil communication of individuals outside of the United States. FISA is generally only applied to individuals of interest in national security matters.
Generally, ECPA amendments expand the power of law enforcement. However, in spite of the changes, a law enforcement agency must still prove probable cause and obtain a valid warrant to execute searches. So while the Act has changed, there are still safeguards in place to protect individuals’ privacy.
What the ECPA Covers
There are many forms of communication available today, from in-person conversations to phone calls, email, and social media. In this section, we explore the various types of communications covered by the ECPA—as well as how to avoid violating the statute.
What Types of Communications Does the ECPA Apply To?
Communication regulated by the ECPA can be broken down into:
- Wire communication,
- Oral communication, and
- Electronic communication.
What Are Wire Communications Under the ECPA?
Wire communications are aural transfers made “by the aid of wire, cable, or other like connection.”
In other words, wire communications are sent via transmission over wire or cable. The Act further specifies that “aural transfers” require the presence of a “human voice.”
What Are Oral Communications Under the ECPA?
Oral communications are spoken by a person who expects that their words are not “subject to interception.”
For example, oral communication could include a conversation you are having with your partner at home. Under those circumstances, you would expect that conversation is private and not being recorded.
The issue may become murkier when speaking with someone on a public sidewalk. In this situation, it is less reasonable to expect your conversation to be completely private.
What Are Electronic Communications Under the ECPA?
Electronic communications are communicated by a “wire, radio, electromagnetic, photoelectronic or photo-optical system that affects interstate or foreign commerce.”
Electronic communication is the broadest category of communication within the ECPA. It essentially regulates all communication via electronic means that cannot be spoken or heard.
In general, the ECPA protects any message you send to another person electronically, as long as you can reasonably expect your communication to be private.
U.S. v. Steiger (2003): Intercepting Electronic Communications During Transmission vs. Storage
In 2003, the United States Court of Appeals held that a hacker’s collection of child pornography on the defendant’s computer was not a violation of the ECPA. The court determined that the Act does not make it unlawful to “intercept” electronic communications that are currently “stored.”.
Steiger was based on a criminal matter where the appellee had been convicted of child molestation and possession of child pornography. Law enforcement had been tipped off by an anonymous Turkish source who had discovered the appellee’s crimes after hacking into his computer and finding evidence. The appellee tried to dismiss his case on the grounds that the evidence was collected in violation of the ECPA. The court found that the hacker did not violate the ECPA because the “electronic communications” accessed were not in transmission at the point of interception.
The court ruled that the ECPA makes it unlawful to intercept electronic communications at the point of transmission. This interpretation narrows the statute by holding that once electronic communications are finished transferring and are “stored,” they can be “intercepted” without violating the Act.
How Do You Comply With the ECPA?
Compliance with the ECPA generally varies depending on your occupation. For private individuals, compliance is relatively simple: do not surveil or hack into corporate or private electronic communication systems.
It becomes more important to know the bounds of the ECPA when you are an employer or work in law enforcement.
Law enforcement must obtain court authorization before conducting a physical or electronic search. If the collected data was obtained without authorization, the search is likely unlawful, and the collected data could not be used in the investigation.
Employers have a much more complex relationship with the ECPA. As an employer, you have some rights to monitor what your employees send and receive via company servers. Despite this allowance, courts have not yet set the bounds for limitations on employer monitoring.
How Do You Know If You Are in Violation of the ECPA?
The ECPA protects private data. Therefore, in order to be in violation of the statute, you must either be surveilling or disseminating private data. Accessing data or information from the public record is not deemed a violation of the Act.
And for providers of electronic communication channels, limited surveillance and electronic storage of private communication data is not deemed a violation of the Act.
Barring some exceptions, a person or entity is in violation of the ECPA if they are unlawfully accessing private communication such as:
- Text messages,
- Phone conversations, and
- Money transfers.
You would also be in violation of the ECPA if you distributed data related to electric communications, such as IP addresses or billing statements.
City of Ontario, Cal. v. Quon (2010): Violation of a Reasonable Expectation of Privacy
In 2008, the Ninth Circuit Court of Appeals refined its interpretation of the ECPA, specifically Title I: The Stored Communications Act. In this case, the court held that a service provider for city pagers violated the SCA (part of the Electronic Communications Privacy Act) by providing transcripts of the employee’s conversations to the city.
City of Ontario, Cal. v. Quon centered on city law enforcement officers who were provided with pagers to communicate with colleagues throughout the day. The plaintiff exceeded the allowed character limit on his pager every month at the expense of the city.
To investigate these expenses, the city audited the plaintiff’s device, including requesting a transcript from the defendant. The defendant complied. The plaintiff then alleged that by providing the transcript of his electronic communication to the city, the defendant had violated the SCA.
The Ninth Circuit agreed with the plaintiff’s assertion, even though the city requested communication from a device owned by a government entity. The Court reasoned that the defendant provided “electronic communication services” instead of “remote computing services” to the city and had a “reasonable expectation of privacy in the content of the text messages.” Therefore, the defendant should have abided by the SCA.
How the ECPA is Enforced
Under the Electronic Communications Privacy Act, it is unlawful to access or distribute private electronic transmissions unlawfully. In this section, we cover the consequences of violating the ECPA and how victims can respond to such violations.
Who Enforces the ECPA?
The ECPA has several moving parts, which means several bodies can enforce the statute.
For example, if you discover that your private data has been unlawfully accessed or distributed, you can either sue the violators or report the matter to law enforcement. The police would enforce criminal penalties, while the courts would enforce civil penalties under the Act.
Communication service providers are another important regulator of the ECPA. While these entities do not necessarily enforce the penalties of the ECPA, they do ensure that user data is secure from outside access. Service providers, therefore, need proper infrastructure to create safe pathways between their facilities and user data.
What Are the Consequences of Violating the ECPA?
Since the ECPA is a federal statute, violation of the Act comes with severe consequences. An individual who violates the ECPA can face up to five years in prison and fines of up to $250,000.
Individuals and entities can also civilly sue violators of the Act. Whenever a lawsuit is brought in court, the court may award monetary damages to the plaintiff. Monetary damages can be separated into three broad categories:
- Actual (compensatory),
- Nominal, and
- Punitive damages.
The ECPA allows courts to award actual damages, and in some cases, punitive damages. Actual damages are generally calculated based on the number of days the violation has been ongoing. For example, if the court finds the plaintiff has been harmed in the amount of $1,000 and the unlawful surveillance has been ongoing for 31 days, the court would award $31,000 in actual damages. Depending on the circumstances, a court may also award the plaintiff attorneys fees as well.
What Are Common Defenses & Exceptions to a Violation of the ECPA?
The ECPA is a relatively comprehensive statute that covers most scenarios of information collection and distribution. However, notable exceptions to the Act include:
- Consent. The individual communicating or holding the electronic storage can consent to the interception or collection of their data. Consent removes liability from those who conduct the interception or collection.
- Legitimate business purpose. Under limited circumstances, employers can monitor electronic communications from their employees if it is for a “legitimate business purpose.”
- Service provider: Service providers may intercept communications or view stored data while conducting service maintenance.
How Should You Respond to Someone Who Violates the ECPA?
If you suspect that someone has violated the ECPA, report the behavior to law enforcement and contact a civil attorney. Violations of the Act give rise to serious criminal and civil liability, so it is important to understand your rights and how to enforce them.
Civil Rights & Liberties & the ECPA
Under the ECPA, all businesses and individuals have the right to privacy in their electronic communication and related stored data. This section covers individuals’ rights under the ECPA, as well as the penalties violators can incur.
What Are Your Rights Under the ECPA?
No one can access your electronic transmissions unless they have your consent, a subpoena, or a court order.
Also, all businesses and individuals have the right not to share their private electric communications with others. Generally, this right focuses on electronic data held by service providers. However, it also protects individuals and businesses against their private data being used in criminal or civil investigations if collectors do not go through legal channels.
To summarize, the ECPA grants citizens two broad rights:
- The right against others seeing or listening to their private electronic communications, and
- The right against their private communications being shared with others.
What Are the Penalties & Damages Under the ECPA?
For victims of ECPA violations, it can be devastating to have electronic communication information unlawfully collected or distributed. Legal penalties are based on the extent of the unlawfully collected data and the length of time it has been surveilled or distributed. There is also a criminal fine of $250,000 for violating the Act.
The penalties for violating the statute can be not only monetarily severe but limiting to the violator’s freedom. Those found in violation of the statute can face up to five years in prison.
Are There Any Criticisms of the ECPA?
While the ECPA strives to protect individuals’ digital privacy, it is difficult for a law to take changing technology trends into account.
For example, when the law was originally passed, most emails were stored temporarily on a third-party server. But today, online email services like Gmail store emails online indefinitely. Because the ECPA considers emails “abandoned” if they were stored on a third-party server for more than 180 days, law enforcement can access many emails with a written request. If those emails were stored on a home computer, police would need probable cause and a warrant.
Currently, the most prominent criticisms of the ECPA are that it:
- Does not do enough to prevent a governmental entity from demanding personal consumer information from service providers’ servers;
- Justifies surveillance by law enforcement too easily; and
- Gives employers too much leeway in surveilling employees under the guise of the “company’s interest.”
How Does the ECPA Tie into Defamation Claims?
The Electronic Communications Privacy Act is vital to our work at Minc Law.
First, if an individual is publishing unlawfully collected communication online, civil remedies are available. While Minc Law does not litigate specifically for ECPA claims, we do focus our practice on defamation and content removal and may be able to assist with removing information that has been unlawfully published under the ECPA.
Our team at Minc Law also helps clients file John Doe lawsuits against anonymous defamers. In these cases, the defendant has concealed or disguised their identity in some way. So during the discovery process, our firm often subpoenas online service providers and social media sites to piece together the identity of an unknown defendant. When conducting this type of discovery, our attorneys (and the entities being subpoenaed) must be aware of limitations set by the ECPA.
“Mike Pelagalli, aka: my Angel. Before, I found Mike, I searched for months for an attorney, meanwhile the social circle ruining my name was growing. I was depressed and visiting very dark places. After our first phone call, I cried. I knew I had found him. Not only has an attorney, but also a friend, and a realistic professional who does not want to see me spending unnecessary money. As a Father himself, he and my dad have shared relatable concerns acting as they would having face the situation. Mike Pelagalli always has his game face on, and the best part….not only does Mike want to win, but he aggressively works to provide you with vindication and MERCY! So, confused or lost, call the Angels at Minc Law.”
Jan 12, 2023
To schedule your initial, no-obligation defamation consultation, contact us by calling (216) 373-7706 or filling out our online contact form.