California Electronic Communications Privacy Act (CalECPA) - SB 178

Updated January 2025

About CalECPA

On Jan. 1, 2016, the landmark California Electronic Communications Privacy Act (CalECPA, SB 178) went into effect.

CalECPA has been hailed as “the nation’s best privacy law.” Under CalECPA, no California government entity can search our phones and no police officer can search our online accounts without going to a judge, getting our consent, or showing it is an emergency.

Whether you’re a policymaker, an individual, or a business leader, you should know about CalECPA and your rights and responsibilities under the law.

What to Know About the Landmark California Electronic Communications Privacy Act (CalECPA)

Table of Contents:

• CalECPA: Background and History
• CalECPA and Your Rights
• CalECPA and What it Means for Businesses

What Is CalECPA?

The California Electronic Communications Privacy Act (CalECPA, Cal. Penal Code § 1546) is a landmark privacy law that has been hailed as “the nation’s best privacy law.” It went into effect on January 1, 2016. Under CalECPA, no California government entity can demand any electronic communications information or search our devices without going to a judge and getting a warrant, obtaining a person’s consent, or showing it is an emergency.

How Did CalECPA Become Law?

Prior to the passage of CalECPA, there had been an exponential increase in law enforcement and other government agencies trying to access private user information like emails, text messages, and location information, and also trying to search mobile phones and other electronic devices without a warrant. 

This invasion of privacy was undermining the privacy of users and their trust in technology services. This concern inspired a diverse coalition of the state’s leading civil rights organizations and technology companies to work together to push for the swift passage of this commonsense law that updated privacy law for the modern digital world. CalECPA had broad bipartisan support in the state legislature. The law was jointly authored by Senator Mark Leno (D-San Francisco) and Senator Joel Anderson (R-Alpine).

You can read more about the movement to pass CalECPA here:

• CalECPA Fact Sheet
• It's Time to Protect Digital Privacy in California | ACLU of Northern CA (aclunc.org)
• Tech Industry Stands with Sen. Leno to Modernize Digital Privacy Protections | ACLU of Northern CA (aclunc.org)
• CA Poll: Voters Concerned About Digital Privacy, Support Efforts to Increase Protections from Warrantless Searches | ACLU of Northern CA (aclunc.org)
• Legal Scholar Letter in Support of CalECPA
• Demand your dotRights one pagers and video (link) (link)

The supporters of CalECPA were diverse and included major figures across tech, business, civil rights, and government.

Full list of supporters: Adobe Inc., Airbnb, American Civil Liberties Union of California, American Library Association, Apple Inc., Asian Americans Advancing Justice (AAAJ), Bay Area Council, California Chamber of Commerce (CalChamber), California Newspaper Publishers Association, California Attorneys for Criminal Justice (CACJ), California Public Defenders Association, Center for Democracy and Technology, Center for Media Justice, Centro Legal de la Raza, Citizens for Criminal Justice Reform, Civil Justice Association of California (CJAC), Common Sense Media, Connect Safely, Color of Change, Consumer Action, Consumer Federation, Council on American-Islamic Relations (CAIR), Dropbox, Electronic Frontier Foundation, Engine, Facebook, Foursquare, Google, Internet Archive, Legal Services for Prisoners With Children, LinkedIn, Media Alliance, Microsoft, Mozilla, NameCheap, National Center for Lesbian Rights (NCLR), New America: Open Technology Institute, Privacy Rights Clearinghouse, reddit, Restore the 4th, San Diego Police Officers Association, Small Business California, TechNet, Tech Freedom, The Internet Association, The Utility Reform Network (TURN), Twitter.

Who Must Comply with CalECPA?

CalECPA applies to any California “government entity.” This includes everyone in state and local law enforcement, prosecutors, sheriffs, and probation officers. It also includes public school and hospital officials and any other California government entity or individuals acting on behalf of a government entity.

CalECPA and Your Privacy

CalECPA protects the privacy of Californians in several very concrete ways, including:

• First, no government entity can demand access to your electronic information – like your email, text messages, digital documents, location information, and more – without complying with the privacy requirements of CalECPA and getting a warrant, obtaining your consent, or showing it’s an emergency where someone’s life or physical well-being is in danger.
• Second, no government entity can search your device – like a cell phone or tablet without complying with the privacy requirements of CalECPA and getting a warrant, obtaining your consent, or showing its’ an emergency where someone’s life or physical well-being is in danger.
• Third, targets of a warrant must be provided with notice of the government’s request, even in emergency situations or situations where the target may not be identified.
• Fourth, if you find yourself in any type of trial, hearing or proceeding, you can seek to suppress and even destroy any electronic information collected or retained about you in violation of the law.

Key Provisions of CalECPA

Under CalECPA, government entities in California must obtain a warrant before they can demand the disclosure of electronic communication information or electronic device information (collectively called “electronic information”) from service providers or obtain such information directly from electronic devices.

That warrant must describe with “particularity” information to be seized by specifying the time periods covered and targeted individuals or accounts.

• Electronic communication information is “any information about an electronic communication or the use of an electronic communication service.” This includes the content of electronic messages, as well as associated metadata, location data, and IP addresses.
• Electronic device information includes all information that a person has stored on their device as well as information generated through use of that device.
• CalECPA does not cover “subscriber information,” which is limited to name, address, phone number, email address, account number, length of service, and type of service.

Emergency Use Exception:

• CalECPA includes an emergency use exception, which allows a government agency to access electronic information without a warrant when a “government entity, in good faith, believes that an emergency involving danger of death or serious physical injury to any person” requires access to the information. 
• However, within three days of obtaining the information, the agency must establish factual support for the emergency or apply for a warrant. If a judge does not grant the warrant or approve of the emergency disclosure, the judge will order immediate destruction of all information obtained and provide notice to the target.

Notice Requirement:

• CalECPA requires that the targets of a warrant be provided with notice of the government’s request, even in emergency situations or situations where the target may not be identified.

Sanctions and Remedies:

• Any person may move to suppress any electronic information obtained or retained in violation of any provision of CalECPA or in violation of the Fourth Amendment.
• CalECPA also permits individuals and service providers to ask a court to “order the destruction of any information obtained in violation” of CalECPA.

The law also authorizes the California Attorney General to bring a civil action to force a government entity to comply with the terms of CalECPA.

What CalECPA Means for Businesses:

If your company receives a demand for electronic communications information (including emails, text messages, digital documents, location information, and more) from any California government entity, that demand needs to comply with CalECPA. That means your business must:

1) Make sure that the government entity has a warrant and that the warrant complies with the special particularity requirements of CalECPA.  

2) You should provide your users with notice of any government demand, even in exigent circumstances, or in situations where a person may not be individually identified. One of the simplest ways your company can help protect people is by giving them the opportunity to protect themselves. Ideally, you should give someone as much time as possible before complying with the demand yourself. Doing so costs very little but still clearly positions you as your users’ ally.   

3) Stand up for your users in court. Fight to suppress any electronic information collected or retained about your users in violation of the law. It’s critical to make sure that laws to protect people from improper government surveillance are enacted and followed – it protects your customers and your company and builds trust and credibility.

Keeping Pace with New Technology and Novel Government Demands

It is important for your company to make sure you understand CalECPA and that the law is followed – including being thoughtful about the best ways to protect people’s privacy and secutre their trust as technology evolves or government tactics change. Failing to fully enforce federal and state laws, stand up for your users in the courts and legislatures, and support new privacy laws to keep pace with new technology and government tactics can lead to serious problems, for your users, and your bottom line.

For example, as more companies collect more detailed information, the government has been using a new demand tactic - dragnet reverse demands try to compel technology companies to search their records and reveal the identifies of all people who looked up a particular keyword online (“keyword demand”) or entered a certain geographic area (“geofence demand”).  

These types of dragnet demands can allow the government to track Californians’ every movement and uncover who they associate with, what medical care they seek, and where they worship. These warrants are particularly concerning in the current political climate. 

You can take action as a company – like Google did – to make sure your company does not facilitate these dragnet demands.  

For more information on how to safeguard your users’ privacy, see our resource, Privacy & Free Speech: It’s Good for Business.