The fourth time was the charm.
Last Thursday, California Gov. Jerry Brown signed the California Electronic Communications Privacy Act, which requires a warrant before California law enforcement can seize the contents or metadata of your communications, demand location records from your cell phone provider, or use a StingRay to gather information about your smartphone. This comes after Brown had vetoed three previous bills in the past four years, none nearly as ambitious as CalECPA. So getting CalECPA signed into law is truly a watershed moment for California privacy law — but also a clear signal that we have a real opportunity to make digital privacy a reality across the country.
California’s economy is largely driven by cutting-edge technology, but until last week its digital privacy protections lagged far behind. That’s no longer the case. CalECPA breaks from the archaic “180-day rule” in federal law and replaces arbitrary distinctions between “electronic communications services” and “remote computing services” with a single rule for any online service: Get a warrant.
It also ensures that not just the contents of your communications but the essential metadata that reveals who you talk to, what you read about, and when and where you go receive the protection of a warrant standard. It covers not only direct physical searches of your smart phone but also remote access through new technology like StingRays. And it makes sure that every time a warrant is issued the target is actually notified so that surveillance is not secret forever. It’s a huge step forward in a state where even small steps were failing not long ago.
One of the reasons CalECPA was successful was because of the dramatic shift in public awareness of and attitudes towards surveillance over the past few years. Edward Snowden’s revelations about the NSA’s metadata surveillance program taught Americans that simplistic assurances that “no one is listening to your calls” were no substitute for meaningful privacy protections. Evidence has mounted that police have misused surveillance powers to monitor First Amendment-protected activities like peaceful protests or religious participation. And events in Ferguson and elsewhere have continued to undermine trust in law enforcement and government in general.
The courts likewise have recently reaffirmed the right to privacy in our technological world. The Supreme Court has recently issued two unanimous decisions extending the Fourth Amendment’s warrant requirement to GPS trackers and searches of cellular phones. At the same time, Justice Scalia pointedly urged lawmakers to take up the mantle of moving privacy law forward, noting that “legislatures, enacted by the people, are in a better position than [courts] to assess and respond to the changes that have already occurred and those that almost certainly will take place in the future” when it comes to “privacy protection in the 21st century.” The White House has also called on lawmakers to update the law to “ensure the standard of protection for online, digital content is consistent with that afforded in the physical world.”
Meanwhile, eroding trust in both the government and technology has created a realization that the status quo is simply untenable. Online companies who lost tens of billions of dollars as a result of the NSA revelations recognized that consumers’ willingness to engage in online activities hinged upon their possession of meaningful digital privacy rights. And law enforcement agencies also realized that they needed to rebuild partnerships with their communities rather than treating everyone like a suspect.
So when CalECPA was introduced in January of this year, we weren’t alone in supporting it. Instead, CalECPA was supported from the outset by tech giants like Google, Facebook, and Apple as well as more traditional civil rights and civil liberties organizations and community groups. And, unlike in years past, law enforcement agencies were ready to come to the table and work through specific substantive concerns rather than rejecting the entire concept of stronger privacy on principle. Some law enforcement agencies even formally joined the cause: the San Diego Police Officers Association officially supported CalECPA, stating that it “strengthens community relationships and increases transparency” and was “in the best interests of all Californians.” And that broad support paid off, giving California arguably the strongest digital privacy law in the United States, if not the world.
But what happened in California doesn’t have to stay in California. The backdrop for CalECPA’s success is true nationwide: We the people want protection for our sensitive digital information; companies want clear and consistent rules that help them rebuild consumer trust; and no one wants to be left behind as technological and societal progress marches on. Put that together and you have a recipe for change.
Federal ECPA reform has moved at a glacial pace, with even modest reform a challenge to enact despite 300 hardcore supporters in the House alone. CalECPA shows that states don’t have to wait for D.C. — they can lead it instead. And the more states that follow, the more pressure there will be on the federal government to finally bring federal privacy law out of the digital dark ages. California has taken one big step towards that goal.
Who’s next?