Leading on the data privacy front again after passing one of the toughest biometric data privacy laws in the nation, Illinois is now the first state to expressly limit law enforcement access to household digital device data. The new Illinois Protecting Household Privacy Act (PHPA) took effect January 1, 2022, and comes as smart devices and the internet of things reach widespread consumer adoption, with individuals possessing everything from voice-activated "assistants" to smart televisions to smart refrigerators and ovens in their homes that collect, process, and share vast amounts of personal household data.

Existing laws such as the Electronic Communications Privacy Act of 1986 (ECPA) and the Stored Communications Act (SCA) protect the privacy of subscriber and customer live communications as well as stored records and information, transaction data, and communication content, requiring varying degrees of legal process for governmental entity access. PHPA does not necessarily create new protections but does help to solidify consumer privacy for a range of new products and services.

Overview

PHPA prohibits Illinois law enforcement agencies from obtaining household electronic data or directing private third parties to acquire household electronic data without a warrant except where consented to or in specific emergency situations.1 PHPA defines "household electronic data" as "any information or input provided by a person to a household electronic device"2 but does not limit this information by whether an individual knowingly or unknowingly provided it.

The Act defines "household electronic device" as "any device primarily intended for use within a household that is capable of facilitating any electronic communication, excluding personal computing devices and digital gateway devices."3 The Act specifically excludes all "personal computers, cell phones, smartphones, and tablets, as well as modems, routers, wireless access points or cable set-top boxes serviced by a cable provider."4 "Electronic communication" includes video, audio, or text transmitted or received by way of any technology, so as to preclude Illinois law enforcement from acquiring any data inputted to a household smart device.5

Given the exceptions and exclusions, it seems the PHPA's focus is virtual assistants, video doorbells, smart speakers, security cameras, and smart appliances that connect to the internet, allowing for audio commands or video images to generate specific actions in homes.

Requirements

Warrants

Illinois law enforcement may only obtain household smart device data with a warrant. Law enforcement must thereafter destroy such data if no criminal charges are filed within 60 days of obtaining the data, unless (i) "there is reasonable suspicion that the information contains evidence of a criminal activity," or (ii) "the information is relevant to an ongoing investigation."6

Data Security

PHPA also imposes requirements on entities disclosing household electronic data in the form of a confidentiality requirement, mandating such entities "take reasonable measures to ensure the confidentiality, integrity, and security of any household electronic data during transmission to any law enforcement agency, and to limit any production of household electronic data to information responsive to the law enforcement agency request."7

Existing Federal Law

ECPA and the SCA also govern state and federal law enforcement agencies (as well as other governmental entities) seeking customer or subscriber electronic communication content or data. While PHPA specifically states it does not apply to the "interception, recording, wiretap, or other acquisition of electronic communications as they are transmitted in real time,"8 the Act anticipates that in the event of any conflict, "the requirement that establishes the higher standard for law enforcement to obtain information shall govern."9

Because the definition of "electronic communication" in ECPA and the SCA is as broad as PHPA's, both laws may protect the same and different data requiring different levels of legal process.

Stored Communications Act

The SCA protects against the U.S. government's ability to acquire certain subscriber or customer information and records (including what would be deemed "household data") but allows access with a warrant, court order, or subpoena depending on the data sought. Specifically, the SCA subjects a provider of any service that allows its customers to "send or receive wire or electronic communications" to its requirements.10 Subject to certain exceptions, the SCA prohibits an "electronic communications service" (ECS) provider from "knowingly divulg[ing] to any person or entity the contents of a communication while in electronic storage by that service."11

The SCA defines a "remote computing service" (RCS) as "the provision to the public of computer storage or processing services by means of an electronic communications system" and with exceptions prohibits an RCS provider from "knowingly divulg[ing] to any person or entity the contents of any communication which is carried or maintained on that service."12

As this overview indicates, while the SCA and PHPA both govern law enforcement access to electronic communications and data, the SCA's data protection varies by the service type and the nature of the information (content or non-content). Law enforcement access to content requires a warrant, whereas basic subscriber information may be obtained by subpoena, and other non-content information may be obtained by court order. In a case challenging the absence of a warrant for non-content records, the U.S. Supreme Court held that cell site location information (CSLI), which list cell phone numbers connected to a specific cell site at specific dates and times, nonetheless requires a warrant.13

In contrast, the PHPA's protections are device-based. Illinois law enforcement cannot access data a person provides to household electronic devices, not including cell phones and computing and digital gateway devices, unless there is a warrant, consent, or the emergency exceptions are met. Although the SCA is not device-based, it can cover household electronic data provided to a digital gateway device or cable set-top box, for example, and also has consent and emergency exceptions.14

On the other hand, the question remains whether the SCA or PHPA will control how law enforcement may access household data stored by cloud-based services, a category under which a number of connected devices and their services might fall, and which may have conflicting federal and state requirements for government access, as discussed next.

Conflicts

Where a connected device falls under both PHPA and SCA, the results are not clear. While PHPA exemptions include consent of the device owner or possessor of the device, under SCA, the originator, addressee, or intended recipient of a communication, as in the communication's intended audience, may give consent to disclosure to law enforcement.15

Additionally, the SCA may allow a governmental entity to gain access to records and information concerning the subscriber by subpoena, and a court order could allow access to transaction data that is non-content. PHPA does allow for the provision of household data to law enforcement pursuant to grand jury subpoena, but the usual trial court or administrative subpoena permitted by the SCA may conflict with the PHPA.16

Takeaways

Between the SCA's content- and service-based protections and the PHPA's device-based protections, any entity in the position of providing household electronic data in response to a request from law enforcement could face conflicting prohibitions and obligations regardless of the device into which the data was inputted. Therefore, providers should review their policy for handling law enforcement requests, organized by request categories and state of residence of the subscribers or customers, with procedures in place for considering compliance with the SCA and PHPA as appropriate.

Please contact us with any questions concerning compliance with law enforcement or other governmental entities' requests for access to subscriber or customer data.