The 25-year-old Electronic Communications Privacy Act has been in the news lately, with Sen. Patrick Leahy (D-Vt.) introducing legislation to modernize the bill and a California federal court ruling that the Act does not preempt state law claims of privacy violation.
Sen. Leahy’s proposed bill, the ECPA Amendments Act of 2011, seeks to increase privacy protections and update the law by adding geolocation and remote computing service providers to the entities covered by the Act.
The bill would require a search warrant based on probable cause before electronic communications could be disclosed to authorities, although service providers could turn over “non-content communications records,” like a subscriber’s name and address, without a warrant. Geolocation information similarly would require a warrant, with exceptions for emergency response and historical data.
“Since the Electronic Communications Privacy Act was first enacted in 1986, ECPA has been one of our nation’s premier privacy laws,” Sen. Leahy said in a statement. “But, today, this law is significantly outdated and outpaced by rapid changes in technology .… Updating this law to reflect the realities of our time is essential to ensuring that our federal privacy laws keep pace with new technologies.”
In related news, a California federal court recently ruled that the ECPA does not preempt a plaintiff’s state law claims that NebuAd violated consumers’ privacy when it tracked them online to deliver targeted ads.
Dan Valentine filed a putative class action suit against NebuAd and the ISPs it contracted with to install devices to monitor subscribers’ Internet activity. The ISPs passed the data along to NebuAd, which analyzed it and used it to sell targeted advertising to subscribers.
In addition to claiming the defendants’ practices violated the ECPA, the plaintiffs argued it violated California state computer crime and fraud laws, as well as its invasion of privacy statute.
NebuAd argued that the federal ECPA preempted the state law claims, but U.S. District Court Judge Thelton E. Henderson disagreed.
Although NebuAd argued that the ECPA preempted state law claims because it “occupied the field” with respect to the interception of electronic communications, “the mere fact that a federal scheme is comprehensive is insufficient for a finding of field preemption, which ‘arises only in “extraordinary” situations,’” the court said.
“Having found no intent by Congress to occupy the entire field involving the interception of communications nor any conflict between [the ECPA] and [California state law] that would require the latter to yield under the supremacy clause,” the court said it was free to enforce state law.
To read S.1011, Sen. Leahy’s bill, click here.
To read the court’s order in Valentine v. NebuAd, click here.
Why it matters: The ECPA update joins a number of other privacy-related bills pending in Congress this legislative session. The proposed legislation does not address the issue of preemption presented in the California NebuAd suit, leaving the scope of the federal Act a matter of interpretation for the courts.