Communications Privacy Law

With the advent of modern technology, protecting privacy in communications has become increasingly important and challenging. A federal law known as the Electronic Communications Privacy Act (ECPA) covers oral, electronic, and wire communications (such as emails and telephone conversations) both during transmission and during their storage after transmission. The ECPA consists of three parts:

• Wiretap Act (Title I), which provides that electronic communications may not be intercepted during transmission, and intercepted communications may not be used
• Stored Communications Act (Title II), which covers files stored by service providers and subscriber information retained by service providers, such as the names, billing information, and IP addresses of subscribers
• Pen Register/Trap and Trace Devices (Title III), which applies to devices that record numbers dialed for outgoing calls from a certain phone and devices that record the numbers of incoming calls to a certain phone

Some of the ECPA restrictions were loosened in the aftermath of the 9/11 terrorist attacks by the Patriot Act, which helped the government gather intelligence to fight terrorism. However, many states also have imposed communications privacy laws that provide separate protections.

Government Access to Information Under the ECPA

The Wiretap Act provides an exception for the government to intercept communications or conduct electronic surveillance in certain situations. If the government can show probable cause that intercepting communications will reveal evidence of a certain type of crime, a judge can issue a warrant authorizing the government to intercept communications for up to 30 days. However, information collected through this process remains subject to limits on its use and disclosure.

The government also can gain access to information under the Stored Communications Act, which provides a variety of procedures. In determining which procedures are necessary, a government agent must consider the type of network service provider, the type of information sought, and whether they need to compel disclosure or are only accepting information that the service provider discloses voluntarily. If disclosure needs to be compelled, the government may need to file a subpoena to get the information from the service provider, or it may need to pursue a special court order or a search warrant. If the information is voluntarily disclosed, the government must consider whether the statute permits the disclosure. Some procedures under the Stored Communications Act require notice to the subscriber, while others do not.

Pen registers and trap and trace devices do not intercept the content of communications. Under Title III of the ECPA, a government agent can use these devices if they certify that their use is likely to gather information related to a criminal investigation by their agency.

Civil Liability Under the Wiretap Act

Violations of the Wiretap Act or the Stored Communications Act also can lead to civil lawsuits against private parties responsible for violations. (The federal government cannot be sued for a violation.) In a claim under the Wiretap Act, the plaintiff must show that the defendant intentionally intercepted a wire, oral, or electronic communication, or sought to intercept or enlisted someone else to intercept a communication. Furthermore, a victim of a violation can sue anyone who intentionally used or disclosed the contents of a wire, oral, or electronic communication if the defendant knew or should have known that the information was collected through a Wiretap Act violation. In other words, a defendant does not need to have intercepted the communication. If the defendant intercepted the communication and also used or disclosed it, though, the lawsuit can allege these violations as separate counts.

A plaintiff can pursue both damages and injunctive relief in a Wiretap Act claim, as well as attorney fees and costs. Damages can be actual or statutory. Actual damages cover the losses suffered by the plaintiff and profits received by the defendant. Statutory damages accumulate at a rate of $100 per day of violation, subject to a minimum of $10,000.

Civil Liability Under the Stored Communications Act

In addition, a plaintiff can bring a claim against an electronic communications service provider or a remote computing service provider for a violation of the Stored Communications Act. Most ISPs provide both types of services, sometimes simultaneously. The classification of a defendant in a certain case depends mostly on the type of information that was disclosed.

An electronic communications service provider is liable if it knowingly discloses the contents of a communication that it is storing. It also is liable if it intentionally gains unauthorized access or exceeds the scope of its authorized access to a facility through which it is providing electronic communications services, and it obtains, alters, or prevents authorized access to a wire or electronic communication stored there. Meanwhile, a remote computing service provider is liable if the following elements are met:

• The provider carries or maintains a communication related to an electronic transmission by a subscriber or customer
• The provider solely provides storage or computer processing services to that subscriber or customer and is not authorized to access the contents of the communication for any other purpose
• The provider knowingly discloses the contents of the communication

A plaintiff in a Stored Communications Act claim can pursue damages, injunctive relief, and attorney fees and costs. Compensatory damages account for the actual harm suffered by the plaintiff and profits obtained by the defendant, subject to a minimum of $1,000. In some cases, a court may order punitive damages based on a willful or intentional violation.

Last reviewed July 2023