The world still looks to California: The CalECPA as a Model Step for Privacy Reform in the Digital Age


The world still looks to California: The CalECPA as a Model Step for Privacy Reform in the Digital Age

by Abby Wolf 


 “In circumstances involving dramatic technological change, the best solution to privacy concerns may be legislative… A legislative body is well situated to gauge changing public attitudes, to draw detailed lines, and to balance privacy and public safety in a comprehensive way.” — Justice Alito, in his concurrence to United States. v. Jones[1] 

“We can pioneer the new technologies that emphasize quality over quantity and we can make the tools to lift millions out of poverty and ignorance. The world still looks to California.” — Jerry Brown, Governor of California[2]

 Fourth Amendment protections have lagged behind technology. Consequently, electronic data is vulnerable to surveillance and seizure by law enforcement on a mass scale, which courts have been both unwilling and unable to recognize. Traditional frameworks for Fourth Amendment analysis were developed before the advent and ubiquity of the Internet and electronic communication.[3] Thus, the law was not designed to cover the ever-increasing range of human activities that occur in intangible mediums.

Recent Supreme Court cases, such as U.S. v. Jones[4] and Riley v. California,[5] have revealed a willingness of the Court both to take into account both how important digital content is to modern life[6] and to adopt jurisprudence that is sensitive to privacy concerns when technological improvements enable law enforcement to record and investigate far more than what individual officers could accomplish.[7] However, more must be done to create meaningful protection for electronic data. While the Fourth Amendment explicitly protects “persons, houses, papers, and effects”[8] from warrantless searches and seizures, it is less clear whether those same protections extend to information stored on a computer or electronic device.[9]

In response to this lacuna in Fourth Amendment coverage, California Senators Mark Leno, a Democrat from San Francisco, and Senator Joel Anderson, a Republican from San Diego, spearheaded a bipartisan bill to bring Constitutional protections into the modern age.[10] The bill, S.B. 178, also know as the California Electronic Communications Privacy Act (“CalECPA”), was designed to strengthen privacy protections and to prevent warrantless law enforcement access to data.[11] At a high level, the bill effects two main changes. First, it articulates clear standards for the acquisition of electronic data by state actors, notably with a warrant requirement. Second, it creates a notice requirement, so individuals will be made aware when they are being observed by law enforcement.[12]

The CalECPA received widespread support from advocacy organizations concerned with privacy and civil liberties, such as the Electronic Frontier Foundation (“EFF”) and the American Civil Liberties Union (“ACLU”).[13] Many of the largest tech companies, including Google, Twitter, and Facebook, also backed the bill.[14] Google even emailed its subscribers directly to solicit their support for S.B. 178.[15] A poll conducted after the bill was introduced showed that eighty-two percent of Californians believed the police should need a warrant before accessing email or Internet activity.[16] Before its passage by both houses of the California legislature, even the state’s most prominent law enforcement organizations removed their opposition to the bill[17] after provisions were added which allowed for some leeway in conducting confidential or emergency investigations.[18] Because S.B. 178 proscribed limits on the use of relevant evidence, the California Constitution required the bill to receive a two-thirds vote of both the House and the Senate.[19] Governor Jerry Brown signed the bill into law on October 8, 2015,[20] and the moment was celebrated as a triumph for privacy as well as for California, a state known for being a leader in legislation that protects civil liberties.[21]

It should be noted that California is not the first, nor is it the only state, to pass legislation to protect electronic data.[22] There has been a “wave of privacy legislation” across the nation because the issue has crossed political and ideological lines.[23] However, the CalECPA is among the most comprehensive laws passed thus far.[24] Therefore, this law is poised to have a tremendous impact on the nearly thirty-nine million residents who live in the state of California.​[25] This paper seeks to evaluate the effectiveness of the CalECPA in terms of how the statute will work in practice, because the bill may serve as a model for reforms by other states or even the federal government.[26] It argues that the CalECPA is a good first step in balancing both individual privacy rights and law enforcement needs; however, it will not be able to fully close the gap in Fourth Amendment protection, as it still leaves some important questions unanswered. Part I lays out the relevant background and Fourth Amendment framework for electronic data. Part II discusses the robust privacy safeguards the bill creates and what problems the CalECPA is able to solve. Part III describes what is not covered by the bill and highlights some areas of concern. The final section concludes.


The historical purpose of the Fourth Amendment was to prohibit “general warrants,”[27] a tactic the English colonial government employed in order to enforce unpopular trade and navigation acts.[28] Today, they are also referred to as “writs of assistance.” [29] General warrants gave officers carte blanche to search the papers, homes, and possessions of any person,[30] and they did not give a sufficiently particularized description of the person or thing to be seized or the place to be searched.[31] The English Government used general warrants to search colonists, regardless of whether they were suspected of committing a crime.[32]

Today general warrants would be considered unconstitutional because they fail to meet the Fourth Amendment’s specificity requirements.[33] Though it may seem anachronistic to discuss centuries-old evidentiary procedure, general warrants were on the minds of the legislators writing the CalECPA. When California State Assemblyman Jay Obernolte (33rd Assembly, Republican) introduced the bill to the California Senate, he specifically mentioned how the “hated writs” were a catalyst of the American Revolution.[34] He also noted how the founders “enshrined the hatred of those kinds of searches into the Fourth Amendment.”[35]

A. The Reasonable Expectation of Privacy in Electronic Information

The Fourth Amendment protects against unreasonable searches and seizures by the government.[36] In early interpretations, the Fourth Amendment was thought to limit only searches and seizures of tangible property within constitutionally-protected areas.[37] However in the 1967 watershed Katz case, the Supreme Court expressly overruled that understanding and created the “reasonable expectation of privacy” framework to analyze whether a search was prohibited by the Fourth Amendment.[38] Justice Harlan’s concurrence became the guiding directive with a two-part inquiry: 1) Did the target of the search have an actual, subjective expectation of privacy? and 2) Is the target’s subjective expectation of privacy one that society is prepared to recognize as reasonable?[39]

The second, objective prong of the analysis has been the principal challenge for those wishing to protect privacy rights in digital or electronic content because of the nature of the way data is transferred and shared with various providers, websites, and platforms. The third-party doctrine and exceptions to the warrant requirement, such as exigency or consent, are also problematic for the protection of electronic content. The consent exception is especially injurious to Fourth Amendment safeguards because the government does not need probable cause, nor reasonable suspicion of criminal activity, if it has consent to perform a search.

B. The Third-Party and Public Disclosure Doctrines

The Supreme Court has ruled that there is no Fourth Amendment protection for information voluntarily disclosed to third parties.[40] The basic premise of the third-party doctrine is that a person loses all reasonable expectation of privacy to information disclosed to someone else.[41] It makes no difference if a person revealed that information only for a limited time or a limited purpose.[42] The California Supreme Court has noted that for all practical purposes certain disclosures are “not entirely volitional”, and it has tried to provide additional protections when necessary.[43] Features of electronic devices, such as location data, may also implicate the “public disclosure” doctrine, which addresses a person’s movements in public that can be viewed by others.[44] In United States v. Knotts, the Supreme Court held a person does not have a reasonable expectation of privacy in movements subject to visual surveillance,[45] including what may be observed by flying a plane overhead.[46]Additionally, without Fourth Amendment protection of third-party records, the government is able to access an extensive amount of personal information, which is especially complicated by technology.

C. Technology-Specific Problems

How to treat electronic information has befuddled Fourth Amendment analysis since its inception. One principal reason is because there has long been a divide between content—which earns protection—and information that is not classified as content, such as metadata—which does not.[47] The Fourth Amendment is not always perceived to encompass the latter, which includes IP addresses, email to/from field information, search terms, browsing history, or location data.[48]

At the federal level, there is a split regarding bulk metadata collection of cell phone location data.[49] Some judges have held that “the indiscriminate, daily bulk collection, long-term retention, and analysis of telephony metadata almost certainly violates a person’s reasonable expectation of privacy.”[50] Other courts have held the opposite to be true.[51]

Internet security expert Susan Landau has argued that metadata may actually be more revealing than content.[52] When a person calls someone else, and who they call, may act as a proxy for content.[53] Former National Security Agency (NSA) General Counsel Stewart Baker once proclaimed: “metadata absolutely tells you everything about somebody’s life. If you have enough metadata, you don’t really need content.” Gen. Michael Hayden, former director of the NSA and the CIA, has stated publicly: “We kill people based on metadata.” [54], [55]

Location information can be particularly sensitive. As Professor Catherine Crump explained in her TED Talk, it can reveal whether or not you see a “therapist, attend an Alcoholics Anonymous meeting, if you go to church or if you don’t go to church.”[56] Furthermore, the creation of some location data, like other forms of metadata, may not be entirely voluntary. For example, iPhones have the ability to track a person’s “Frequent Locations.” This feature records places someone has recently been, as well as when and how often they have been there.[57]

 Additionally, the search of electronic devices raises additional challenges for Fourth Amendment law because of the incredible storage capacity of the devices.[58] For example, if one were to carry an eight gigabyte flash drive, that device would be able to store approximately 520,000 pages of Microsoft Word documents.[59] Professor Elizabeth Joh has remarked that “nearly all of the world’s stored information today is digital, and we are surpassing existing mathematical terms to quantify it.”[60] This technological change represents not only a difference in degree but also a difference in kind, a distinction that the judiciary must recognize.[61]

 As the Supreme Court remarked in Riley:

Modern cell phones, as a category, implicate privacy concerns far beyond those implicated by the search of a cigarette pack, a wallet, or a purse. A conclusion that inspecting the contents of an arrestee’s pockets works no substantial additional intrusion on privacy beyond the arrest itself may make sense as applied to physical items, but any extension of that reasoning to digital data has to rest on its own bottom.[62]

Californians use technology everyday “to connect, work, and learn.”[63] Today nearly two-thirds of Americans own a smartphone,[64] and these devices are used for much more than just calling, texting, or taking “selfies.”[65] Sixty-two percent of smartphone owners have used their phone in the past year to look up information about a health condition, while fifty-seven percent have used their device to do online banking.[66] Forty-three percent have looked up information about a job, and eighteen percent have even submitted a job application using their phone. [67] Individuals with lower incomes are “especially likely” to rely on their phones for a job search.[68]

Another technology-specific question in Fourth Amendment jurisprudence is what should become of non-responsive data, data that falls outside the scope of a warrant, that is inevitably retrieved in device searches. Without some type of limit on the use of non-responsive data that is seized under a warrant, the warrant runs the risk of becoming a general warrant. There really is no physical-world equivalent to this type of problem.

D. The Problem of Notice

In the digital world generally, there is lack of notice of what actually happens with one’s personal data.[69] However, after Edward Snowden’s revelations in 2013 about the bulk electronic information collection, many Americans became aware for the first time that they were being observed by the government.[70] Some of the biggest surprises, such as the fact that the NSA collected text messages, or that there were secret court orders that allowed the NSA to sweep up phone records, were not known—or likely even suspected—by most Americans.[71] Accordingly, Americans have become more concerned about warrantless access of their digital information.[72] Society at large has been much more critical of, or at least vocal about, government infringements of civilian privacy in the wake of Snowden’s disclosures.[73]

E. The Time is Ripe for Change

The CalECPA has arrived at a particularly critical juncture in history. In the past five years, Google has seen a 250 percent jump in government demands for consumer data.[74] In 2014, AT&T received 64,000 demands from law enforcement – a 70 percent increase from the previous year.[75] Verizon reports that only one-third of its requests had a warrant. Twitter and Tumblr stated that in 2014 they received more demands from California than any other state. [76]

Contemporaneously with the passing of CalECPA, Nancy O’Malley, the District Attorney of Alameda County, was in the process of purchasing a StingRay, a cell site simulator.[77] The Attorney General’s office publically supported the purchase.[78] The desire for this type of purchase illustrates tension in California presently between protecting privacy and legitimate law enforcement interest in acquiring more electronic data.[79]

Nevertheless, at the moment, the tide seems to be supporting privacy protections.[80] Governor Jerry Brown also recently signed a bill[81] that made it illegal for companies to target customers with ads based on data gathered through a voice recognition feature, such as those on Smart TVs.[82] Creating legal boundaries for privacy is especially important given that the “Internet of Things”, the name given to the network of physical objects able to connect to the Internet, is rapidly expanding.[83]

Technology companies have also begun to pressure the government for reforms, because eroding customer trust can impact their bottom line.[84] In the post-Snowden era, companies are intent on demonstrating that they care about protecting customer information.[85]

Finally, it is a good time to reform the law surrounding electronic searches, because the status quo’s lack of clarity is challenging not only for individual privacy but also for law enforcement who must then navigate the murky waters of unclear case law.[86]



A. Clear Standards to Obtain Electronic Information

The CalECPA creates straightforward, uniform standards for the acquisition of electronic information across California for state actors.[87] The authors of the bill hoped that with clearly-defined criteria, law enforcement would be “more confident that they followed due process,” and this would demonstrate law enforcement’s “commitment to finding the right balance between civil liberties and public safety.”[88]

 In order to compel production of or access to “electronic communication information” or “electronic device information,” law enforcement must get a warrant, a wiretap order, or an order of electronic reader records.[89]

 Using technology to physically interact with, or to electronically communicate with, a device to obtain any of what the law defines as “electronic device information” triggers the warrant or wiretap order requirement.[90] However, the law also provides for emergency access without obtaining a warrant or wiretap order if there is a risk of “death or serious physical injury,”[91] or if the authorized possessor of the device gives specific consent.[92] If a device is lost or stolen, law enforcement can help locate it, with the specific consent of the owner to do so.[93] Furthermore, if a device is found, and the government believes it was lost or stolen, the government may access the device information, but only to the extent necessary to identify or contact the owner.[94] Law enforcement must comply with these bright-line requirements in order to comply with the CalECPA.[95]

 B. Particularity and Avoiding General Warrants

 The Fourth Amendment requires that a warrant “particularly describe the place to be searched.”[96] However, the storage capacity of electronic devices might undermine the limiting role of the particularity requirement.[97] For searches of electronic devices, the “place” to be searched may not be as significant of a restriction as it is with physical searches.[98] A house may have many devices, cellphones could have lots of content, and even very particularly described evidence could be located anywhere on a device.[99] As Professor Orin Kerr has argued, the facts of digital storage “create the prospect that computer warrants that are specific on their face will resemble general warrants in execution simply because of the new technological environment.[100] The law is very settled on this point: general warrants are constitutionally unreasonable under the Fourth Amendment “even if they may be useful to solve crimes.”[101]

 The CalECPA requires that “[t]he warrant shall describe with particularity the information to be seized by specifying the time periods covered and, as appropriate and reasonable, the target individuals or accounts, the applications or services covered, and the types of information sought.”[102] Thus it seems that this specific provision of the law attempts to solve this concern, and it may help California avoided falling into the trap of general warrants for electronic searches.

C. Metadata and Location Data are Covered

 Though often ignored by courts and its importance denied, metadata was given unambiguous protection by the CalECPA.[103] The bill makes no distinction between “deliberate and involuntary expression,” a distinction that has long precluded metadata from protection by the judiciary.[104]The CalECPA explicitly protects “electronic information.”[105] The bill defines this as both “electronic device information” and “electronic communication information.”[106]

The CalECPA’s definition of “electronic device information” encompasses “any information stored on or generated through the operation of an electronic device, including the current and prior locations of the device.”[107] Therefore, the CalECPA protects private electronic communications such as emails, text messages and location data that are stored on devices, as well as information stored in the cloud.[108] Previously, information stored on the cloud might not have been considered to have a reasonable expectation of privacy, since it was hosted by – and thus had been disclosed to – a third party, in accordance with the third party doctrine.[109]

The bill defines “electronic communication information” as “information about an electronic communication or the use of an electronic communication service.”[110] The illustrative examples include “the contents, sender, recipients, format, or location of the sender or recipients at any point during the communication, the time or date the communication was created, sent, or received, or any information pertaining to any individual or device participating in the communication, including, but not limited to, an IP address.” [111] This definition, in conjunction with section 1546(a)(1) which precludes “the production of or access to electronic communication information from a service provider,” effectively closes the gap created by Smith v. Maryland.[112]

However, “subscriber information,” which includes amongst other things, “name, street address, telephone number, email address, or similar contact information” and the account number is not considered “electronic communication information” or “electronic information” and thus is not afforded any protections by the CalECPA.[113] Also, service providers are still permitted to “voluntarily” turn over phone record metadata or other electronic information,[114] and they may not be sued civilly for doing so.[115]

D. Notice is Provided

Another success of the bill is its notice requirement.[116] When a government entity executes a warrant, or obtains information in one of the emergency scenarios defined in § 1546.1, the bill clearly delineates how and when that entity must inform the subject of its investigation.[117] The notice can be served by a variety of means “reasonably calculated to be effective,” including email.[118] Notice must be given contemporaneously with the execution of the warrant, or in the case of a § 1546.1 emergency situation, within three days after obtaining electronic information.[119]

In addition to timely notification, the bill further provides that the notice not only indicate that information has been “compelled or requested” by the government but also that it “state[] with reasonable specificity the nature of the government investigation under which the information is sought.”[120] A copy of the warrant must be included in the notice, or a “written statement setting forth facts giving rise to the emergency.”[121

If a court does permit law enforcement to delay notification,[122] notice must be still be given in accordance with the above requirements, along with a statement containing the court’s grounds for allowing the delay.[123] Furthermore, after a period of delay, the notification must also include either a copy of all the electronic data taken or a summary of that information.[124] At a minimum, this summary must include the number and types of records and the date and time when the earliest and latest records were created.[125

E. Law Enforcement Needs are Given Proper Deference

Law enforcement was actively involved in negotiations with the bill’s authors, and thus, by the time CalECPA was signed, their legitimate concerns were alleviated.[126] A letter to Senator Leno on behalf of the California State Sheriffs’ Association went so far as to say, “Thank you for working with law enforcement to ensure that the correct balance is struck between the need for law enforcement to obtain information regarding criminal activities from electronic communications and the privacy interests of those who use email and other forms of electronic communication.”[127] The CalECPA comports with the aspirational goals of the criminal justice system: that the guilty not escape nor the innocent suffer.[128]

Prior to changes to the bill, there was opposition by a Tennessee-based group called the National Organization to Protect Children, also known as “PROTECT.”[129] Marty Vranicar of the California District Attorneys Association also warned that the bill would “undermine efforts to find child exploitation,” specifically child pornography.[130]

PROTECT was concerned primarily that notice requirements could lead to destruction of evidence by telling “child pornography suspects [law enforcement is] coming.”[131] The final version of the bill, however, provides the ability to delay notification for up to 90 days when a court determines “there is reason to believe that notification may have an adverse result.”[132] A court may also grant additional delays of up to 90 days at a time to support the needs of law enforcement investigations.[133

PROTECT also worried that law enforcement might not be able to demonstrate the risk of “destruction or tampering with evidence requirement” as defined in § 1546(a)(3) in order to delay notifying the subject of the investigation.[134] Notification, however, can be delayed by the threat of an “adverse result,” which includes not only the risk of destruction of evidence,[135] but also the possibility of “[d]anger to the life or physical safety of an individual,” “[f]light from prosecution,” “[i]ntimidation of a witness” or “[s]erious jeopardy to an investigation.”[136]

PROTECT raised additional concerns that seemed to stem from a misunderstanding of some of the provisions of the bill. For instance, the organization protested the bill’s “data retention limits.”[137] However, the data retention limits would not apply to child porn investigations, because data related to those investigations would not be destroyed. The data retention limits apply to non-responsive data unrelated to what was specified in the warrant.[138] Also, there was a specific exception added to the requirement to destroy information “voluntarily” turned over within ninety days, when “the information relates to child pornography and the information is retained as part of a multi-agency database used in the investigation of child pornography and related crime.”[139] PROTECT stated that the bill “eliminates most law enforcement subpoena power in child pornography cases.”[140] The bill does not alter the use of subpoena power in criminal cases, and in fact confirms the power of subpoena is not limited or affected in non-criminal cases.[141] Lastly, PROTECT was concerned about how the law would affect out-of-state law enforcement issuing a subpoena or warrant in California.[142] The bill, of course, would not apply, as it only covers state and local agencies of California.[143]

The authors of the bill also amended the definition of “specific consent” in response to critiques of earlier versions, so the CalECPA would not require that the “originator of the communication have actual knowledge that an addressee, intended recipient, or member of the specific audience is a government entity” to ensure that child pornography stings and operations could proceed effectively.

One legitimate concern of PROTECT not directly addressed by the final version of the bill is that the bill’s emergency provision[144] only covers situations where there is a danger of “death or serious physical injury.” [145] PROTECT raised the important point that most child sexual abuse and child pornography production generally do not cause “death or serious physical injury.” However, this may not be problematic, because when the emergency provision applies, agencies will be able to proceed as necessary and delay notification. In other instances, they will be able to proceed and delay notification for as long as is necessary using the adverse result exception.

F. Many Technology-Specific Issues Were Resolved 

The CalECPA effectively addresses many of the technology-specific problems that have long plagued legislation concerning electronic searches and seizures. For example, many provisions in the bill cover both the “owner,” as well as an “authorized possessor” of a device. An “authorized possessor” is defined as one who the owner has allowed to possess a device. [146] This inclusion takes into account how many electronic devices are owned and operated today. The definition would cover individuals who are using “their” cell phones as a part of a family plan in someone else’s name, as well as people who share a family iPad, for instance. Normally, under Fourth Amendment jurisprudence, authorized possessors might not have the requisite standing to object to a search of a device that is not “owned” by them.[147]

The law also creates an option for limiting the use of non-responsive data revealed in the course of a search. A court may require that extraneous information unrelated to what is sought by the warrant be deleted.[148] This approach has been endorsed by Professor Orin Kerr as the “best way to minimize the unwarranted intrusions upon privacy.”[149] By using this method, as opposed to placing an ex ante limit on non-responsive data, law enforcement has the necessary authority it needs to perform electronic searches, while avoiding the problem of creating general warrants since officers are limited to what is described and to what they have probable cause to seize.[150] Thus, officers cannot “receive a windfall from the overseizure.”[151]

The CalECPA also has clear definitions of what type of data is covered. California’s law is much broader than the Federal Electronic Communications Privacy Act (“ECPA”).[152] The ECPA provides only “anemic protections” for metadata because metadata is not considered content.[153] Warrants are only required for access to electronic information less than 180 days old. [154] The CalECPA’s broad scope is even more significant because Congress is considering making changes to the ECPA.[155]



A. Plain View Exception to the Warrant Requirement for Electronic Devices?

The CalECPA’s warrant requirement may not answer all the questions associated with the practical execution of electronic searches.[156] Specifically, it remains unclear whether the traditional plain view exception to the warrant requirement can or should be permitted. Professor Orin Kerr has argued that the plain view exception should not be available in searches of digital data because there is such a danger of a lawful, particularized warrant becoming an unlimited license to search and seize.[157]

Plain view is an exception to the warrant, but not probable cause, requirement.[158] An officer may search and seize an object in plain view if three requirements are met: the incriminating character is immediately apparent (such that it generates probable cause), the officer is lawfully located in a place from which the object can be seen, and the officer has a lawful right of access to the object itself.[159] For instance, an officer cannot see an item inside a house while walking down the street and then enter the house absent exigent circumstances or a warrant. In an electronic search — given the way files are organized and the quantity of information stored — the traditional analysis may become difficult to apply

The Supreme Court of Colorado grappled with this question last year in People v. Herrera.[160] In Herrera, the police had a warrant to search a subject’s cell phone for text messages and photos.[161] The officer then chose to search a folder of a third-party messenger application, which he knew was outside the scope of the warrant.[162] There the officer found additional incriminating messages.[163] The Colorado Supreme Court’s analysis, albeit somewhat convoluted,[164] held that the plain view exception was not met because the government did not have “lawful access” to the folder contained in the third-party messenger application.[165] Additionally, the Court found that the plain view exception did not permit the search of the folder because it was not reasonable for the officer to think the folder contained evidence described in the warrant.[166] The Court also made the point that the plain view exception must be applied “cautiously” to avoid allowing “a limitless search.”[167]

Thus, requiring a warrant will not unilaterally alleviate the threat of the plain view exception – the risk that Fourth Amendment-conforming warrants could be turned into general warrants. The CalECPA does somewhat mitigate this problem because its warrant requirement requires a more comprehensive description of what will be searched,[168] and it also permits a magistrate to order the deletion of non-responsive data. Nevertheless, it is critical for courts or the legislature to determine how, or if, the plain view exception will apply in the searches of electronic devices

B. A Possible Loophole to the Notice Requirement?

As discussed previously in Part II.A, the notice requirement of the bill is triggered when a government entity “executes a warrant or obtains electronic information in an emergency pursuant to Section 1546.1.” [169] However, the law expressly permits the government “to compel the production of or access” to electronic information in ways other than the use of a warrant.[170] The government may request the information pursuant to a warrant, a wiretap order, an order for electronic reader records (under Section 1798.90 of the Civil Code), or pursuant to a subpoena, as long as the information requested by the subpoena is not sought for the purposes of investigating or prosecuting a criminal offense.[171] Though this would contravene the spirit of the notice requirement, by the language of the bill, whether the government will be required to provide notice when it seeks information pursuant to a wiretap order or an order for electronic reader records is unclear

C. Are There Other Ways for the Police to Gather the Same Information?


1. The CalECPA Would Not Prevent Police from Collecting Data Themselves

The CalECPA prohibits law enforcement from”[a]ccess[ing] electronic device information by means of physical interaction or electronic communication with the electronic device.”[172] The CalECPA does not contain any provisions proscribing policing technologies when they are used on individuals. The law only covers those techniques when used with electronic devices.[173] Thus, even though the information might be subject to a warrant requirement when contained in an electronic medium, law enforcement may be able to create and store some types of this information independently, such as individual’s location data or other personal information without a warrant or giving notice.[174]

Indeed, many law enforcement agencies are employing technologies to collect vast quantities of information, in a process that is sometimes referred to as “dataveillance,” a method of surveillance that observes “not through the eye or the camera, but by collecting facts and data.[175

For example, automated license plate readers (“LPRs”), affixed in public places or on police cars, can take thousands of photos of license plates per minute using a high-speed camera and then store those images in a database.[176] LPRs were designed to be used to alert police to the location of a vehicle associated with a crime, however the devices photograph indiscriminately and regularly capture images of innocent civilians going about their lives.[177] A Bay Area journalist once requested all the LPR records collected from the Oakland Police Department (“OPD”); so much data was available that he was able to make an educated guess about where an individual lived or worked, especially when that person had a regular commute.[178] Interestingly, according to OPD, only .16 percent of the 4.6 million LPR records collected were “hits,” meaning vehicles associated with a crime. [179] The location data amassed by the use of LPRs would not fall under the protections of the CalECPA because cars are not “electronic device[s]” by the language of the statute,[180] nor could their relative position in the world be considered “electronic device information.”[181] LPRs could also be attached to drones for even more effective data collection.[182] Governor Brown vetoed a bill this year, A.B. 1327, which would have required law enforcement agencies to obtain a warrant in order to use drones for surveillance.[183]

Additionally, the police could choose to gather data for predictive policing.[184] The National Institute of Justice, the research and development agency of the DOJ, has made millions of dollars in grants available for police departments to develop predictive crime mapping.[185] Predictive policing aggregates huge amounts of data to try to draw connections between past crimes in order to forecast future criminal behavior.[186] Officers may even “friend request” individuals on Facebook for the purpose of gathering information.[187] Depending on how this information is obtained, such practices too may fall outside the CalECPA’s regulations.

2. There are No Provisions Precluding or Limiting the Acquisition of Biometric Data

The collection of biometric data, intrinsic physical characteristics—fingerprints, facial features, iris scans, tattoos, or DNA—to identify people,[188] is another technology that would likely not be encompassed by the CalECPA. Currently there are no federal laws and few state laws controlling the collection of biometric data.[189] Only Illinois and Texas have laws limiting the use of biometric information.[190] Illinois prohibits a person’s biometric data from being “collect[ed], capture[d], purchase[d], receive[d] through trade, or otherwise obtain[ed].”[191] Texas’s law is more limited, as it only prevents the capture of biometric data for a commercial purpose. Both laws cover biometric data such as retina or iris scans, fingerprints, voiceprints, or scans of hands or face geometry.”[192] However, neither law applies to law enforcement.[193

Law enforcement agencies are beginning to deploy new technologies that raise many privacy concerns. For example, facial recognition has become a more readily used practice. [194] In 2014 after the Boston Marathon bombing, the Boston police tested out facial recognition software on crowds at a music festival.[195] In the United Arab Emirates, facial recognition scanners have been mounted to police car siren lights.[196] Because these practices are conducted in the public, where citizens do not have a reasonable expectation of privacy, they currently may be conducted without Fourth Amendment protection.

Furthermore, the FBI is developing a national database called the Next Generation Identification (“NGI”) system to house over 51 million facial photographs, and that number is expected to continue growing.[197] The database can search faces for identifying scars, tattoos, and birthmarks. The NGI system will also include ways to search for eyes, voices, palm prints, walking strides, and other biometric data in the future.[198] Police departments all over the country will be able to use the system.[199]

Some agencies, including the San Diego Police Department (“SDPD”) and the Los Angeles Sheriff’s Department, now employ facial recognition technology, and others, such as the San Jose Police Department are planning to do so.[200] The Los Angeles Sheriff’s Department has its own “Digital Mugshot System” that can match a face in less than 30 seconds against its more than 6.5 million photos.[201] The San Diego program began with a grant from the DOJ two years ago,[202] and the number of collection devices has doubled over the last year to over 400. [203] There is even a mobile app for officers to use in the field to compare images against over 400,000 images in their mugshot database.[204] Each time someone is booked, their photo is added to the database, regardless of whether or not the person is ultimately convicted of a crime.[205] SDPD officers are only allowed to use the devices if the stopped person does not present identification or if the officer suspects the identification is false.[206]

Neither the CalECPA nor any other California law has a provision regarding biometrics, which may ultimately create an incongruent legal result. Consider the following example. The recently released Windows 10 operating system includes Windows Hello, a biometric authorization program that allows users to log into the computer using advanced facial recognition hardware.[207] If a San Diego police officer wished to access the encrypted file containing the person’s biometric data stored on the device, the officer would need to get a warrant, as the file would fall under the protection of the CalECPA. Conversely, the officer would be permitted to scan that same person’s face without a warrant.[208]

If police technology continues to develop outside the reach of the CalECPA, measures may need to be taken to ensure an appropriate balance between the government’s interest in effective policing and individual privacy rights. For instance, the New York Police Department recently was found to be driving “backscatter vans,” which use X-ray to scan around the city.[209] It is not yet clear why or how the vans are being used.[210] The CalECPA would only cover this technique if it were deployed against electronic devices.[211]

Because neither the CalECPA nor any other California law has a provision regarding biometrics, this may ultimately create an incongruent legal result. To illustrate this, consider the following example. The recently released Windows 10 includes Windows Hello, a biometric authorization program that allows users to log into the computer using advanced facial recognition hardware.[212] If a San Diego police officer wished to access the encrypted file containing the person’s biometric data stored on the device, the officer would need to get a warrant, as the file would fall under the protect of the CalECPA. Conversely, the officer would be permitted to scan that same person’s face without a warrant.[213]


What has been famously referred to as the “right to be let alone”[214] or the “[recognition] of the sovereignty of the individual,”[215] privacy remains an important and necessary part of a democratic society. Privacy is integral to fostering free speech, including dissent.[216] The CalECPA is a meaningful and positive step in amending Fourth Amendment protections for the modern technological environment.[217] Though it does not solve all of the problems associated with the execution of searches in a digital medium, the CalECPA is a model piece of legislation that other states may wish to follow and improve upon.


 * J.D., U.C. Davis, School of Law, 2016, B.A. in History, U.C. Berkeley, 2011. I would like to extend my sincerest thanks to Professor Anupam Chander for his guidance and encouragement throughout the writing of this paper. I am also very grateful to the Andrew W. Mellon Foundation for sponsoring the course in which this paper was written: Privacy, Surveillance, and “Sousveillance,” a Sawyer Seminar for comparative research on the historical and cultural sources of contemporary developments. All errors are my own. Abby Wolf © 2017.

[1] U.S. v. Jones, 132 S.Ct. 945, 964 (2012).

[2] This quotation is from California Governor Jerry Brown’s State of the State Address in 1982, and it is also included in a placard below his gubernatorial portrait in the California State Capitol.

 [3] For example, the landmark Supreme Court case, Katz v. United States, which created the two-part “reasonable expectation of privacy” framework, occurred in 1967. Katz v. United States, 389 U. S. 347 (1967). The first personal computer, the MITS Alstair 8800, however, was not introduced until 1975. See Dan Knight, Personal Computer History: The First 25 Years, LOW END MAC (Apr. 26, 2014), -the-first-25-years/.

[4] 132 S.Ct. 945 (2012).

[5] 134 S.Ct. 2473 (2014).

[6] In Riley, the Court went so far to as say that “modern cell phones, which are now such a pervasive and insistent part of daily life that the proverbial visitor from Mars might conclude they were an important feature of human anatomy.” Riley, 134 S.Ct. at 2484.

[7] Justice Alito made this point in his concurrence when he commented on the power of the GPS technology used by the police to track Jones: “[t]he Court suggests that something like this might have occurred in 1791, but this would have required either a gigantic coach, a very tiny constable, or both – not to mention a constable with incredible fortitude and patience.” Jones, at 958 n.3; See also, Harold Laidlaw, Shouting Down the Well: Human Observation as a Necessary Condition of Privacy Breach, and Why Warrants Should Attach to Data Access, Not Data Gathering, 70 N.Y.U. ANN. SURV. AM. L. 323, 326–8 (2015).

[8] U.S. CONST. amend. IV.

[9] Anupam Chander, Can California Lead on Privacy Moving from Pen and Paper to Cloud Computing?, AM. CONST. SOC. BLOG (Sept. 4, 2015), pen-and-paper-to-cloud-computing.

[10] Ca. State. Ass. Floor Analysis (Third Reading) (Aug. 28, 2015) at 4 (According to the author of the bill, law governing criminal investigations “has not been meaningfully updated to account for modern technology.”); Dave Maass, CalECPA and the Legacy of Technology: An Open Letter to Gov. Jerry Brown, ELEC. FRONTIER FOUND. (Sept. 23, 2015), (“As our devices have shrunk, as their storage capacity has grown, as cloud services have begun hosting more of our information … our laws have failed to reflect the privacy protections enshrined in the California Constitution: the guarantee that the people be free from unreasonable searches and seizures.” [hereinafter Open Letter to Gov. Brown]; Sen. Mark Leno and Sen. Joel Anderson, Electronic Privacy Bill Protects Privacy Rights and Public Safety, SACRAMENTO BEE (OPINION) (Sept. 9, 2015), (“This bill updates California law for the modern digital age ….While technology has advanced exponentially, California’s communications laws are stuck in the dark ages, leaving our personal emails, text messages, photos and smartphones increasingly vulnerable to warrantless searches.).

[11] S. B. 178 (Ca. 2015) Privacy: Electronic Communications: Search Warrant, billNavClient.xhtml?bill_id=201520160SB178.

[12] R. Taj Moore, So What’s in the California Electronic Communications Privacy Act?, LAWFARE (Oct. 22, 2015),

[13] In fact, the ACLU of California, Electronic Frontier Foundation, and California Newspaper Publishers Association were co-sponsors of the bill.

[14] On the day the bill passed, the ACLU of Northern California noted in its press release that the following organizations had supported the bill: Adobe, Airbnb, American Library Association, Apple, Asian Americans Advancing Justice, Bay Area Council, California Chamber of Commerce Association, California Attorneys for Criminal Justice (CACJ), California Public Defenders Association, Center for Democracy and Technology, Center for Media Justice, Centro Legal de la Raza, Citizens for Criminal Justice Reform, Civil Justice Association of California, Color of Change, Common Sense Kids Action, ConnectSafely, Consumer Action, Consumer Federation, Council on American-Islamic Relations (CAIR), Dropbox, Engine, Facebook, Foursquare, Google, Internet Archive, Legal Services for Prisoners with Children, LinkedIn, Media Alliance, Microsoft, Mozilla, NameCheap, National Center for Youth Law, National Center for Lesbian Rights, New America: Open Technology Institute, Privacy Rights Clearinghouse, reddit, Restore the 4th, San Diego Police Officers Association, Small Business California, TechNet, Tech Freedom, The Internet Association, and legal scholars, who “teach and write extensively about criminal procedure, information privacy law, cyber law, and related fields” from across the nation. In Landmark Victory for Digital Privacy, Gov. Brown Signs California Electronic Communications Privacy Act into Law, ACLU (Oct. 8, 2015), electronic-communications-privacy; Letter from Legal Scholars, to Sen. Mark Leno, California State Senate (Mar. 13, 2015),

[15] Alexander Reed Kelly, Google to Californians: Help Us Protect Your Electronic Privacy, TRUTHDIG (Jun. 10, 2015), privacy_20150610/. Amongst other things, the email said, “The California Electronic Communications Privacy Act (CalECPA) would update our privacy laws to protect all electronic communications and records from warrantless inspection by the state, regardless of format or age.” The email included a fact sheet about the bill created by the EFF and ACLU. The email also had a link to support Google’s efforts to pressure the legislature to pass the CalECPA.

[16] The poll further showed that 79% of Californians support a warrant requirement for tracking cell phone activity and 77% support a warrant requirement for accessing text messages. See Memorandum from Ben Tulchin, Corey O’Neil and Kiel Brunner, Tulchin Research, California Statewide Survey Finds Voters Concerned about Digital Privacy and Support Requiring Police to Get a Warrant, ACLU OF N. CAL. (Aug. 21, 2015), sites/default/files/technology/20150821-polling_data_get_a_warrant.pdf.

[17] Letter from Alan Wayne Barcelona, President of California Statewide Law Enforcement Association (“CSLEA”), to Sen. Mark Leno, California State Senate (Aug. 10, 2015), enforcement-association-removes-opposition-sb-178-calecpa; Letter from Sean Hoffman, Director of Legislation, California District Attorneys Association (CDAA), to Sen. Mark Leno (Aug. 31, 2015), document/california-district-attorneys-association-remove-opposition-sb-178-calecpa; Letter from Aaron R. Maguire, Legislative Counsel, California State Sheriff’s Association to Sen. Mark Leno (Aug. 26, 2015), The San Diego Police Officer’s Association even voiced support for the bill. Letter to Sen. Mark Leno from Brian R. Marvel, President of the San Diego Police Officers Association, Inc. (Sept. 1, 2015), support-letter-sb-178-calecpa.

[18] Open Letter to Gov. Brown, supra note 10.

[19] Cal. Const. art. I, § 28(2), “Right to Truth-in-Evidence. Except as provided by statute hereafter enacted by a two-thirds vote of the membership in each house of the Legislature, relevant evidence shall not be excluded in any criminal proceeding . . . .”

[20] Interestingly, Governor Brown vetoed previous bills with similar provisions multiple times: S.B. 914 in 2011, S.B. 1434 in 2012, and S.B. 467 in 2013. See Hanni Fakhoury, Another Year, Another Electronic Privacy Veto for California Governor Brown, ELEC. FRONTIER FOUND. (Oct. 14, 2013), another-year-another-electronic-privacy-veto-california-governor-brown. This was also noted by the California State Assembly’s Committee on Public Safety in its report on the CalECPA. See Ca. State. Ass. Comm. on Pub. Safety Report, Bill Quirk, S.B. 178 (Leno) as Amended July 7, 2015 (Jul. 14, 2015) at p. 12: S.B. 914 was written to overrule People v. Diaz, 51 Cal. 4th 84 (2011), a California Supreme Court decision which allowed police to search an individual’s cell phone without a warrant. See Sen. Bill 914: Search Warrants: Portable Electronic Devices, 2011–2012 Regular Session, S.B. 1434 would have required the government to get a warrant in order to obtain location data from an electronic device. See Sen. Bill. 1434: Location Information: Warrants (Leno), 2011–2012 Regular Session, http://leginfo. S.B. 467 was the most similar to CalECPA. It would have required a search warrant when the government seeks to obtain the contents of a wire or electronic communication that is stored, held or maintained by a provider of electronic communication services or remote computing services. See Sen. Bill 467, Privacy: Electronic Communications: Warrant (Leno), 2013–2014 Regular Session, Governor Brown had argued in his veto message that law already required a warrant, subpoena, or court order to access electronic communication in most cases, and the notice requirements of that bill could impede ongoing criminal investigations. Ca. State. Ass. Comm. on Appropriations Report, Jimmy Gomez, S.B. 178 (Leno) as Amended Aug. 17, 2015 (Aug. 19, 2015) at 2.

[21] Susan Freiwald, It’s Time to Look to California for Robust Privacy Reform — CalECPA, AM. CONST. SOC. (BLOG) (Sept. 8, 2015), -reform-%E2%80%94-calecpa; Dave Maass, Victory in California! Gov. Brown Signs CalECPA, Requiring Police to Get a Warrant Before Accessing Your Data, ELEC. FRONTIER FOUND. (Oct. 8, 2015), 2015/10/victory-california-gov-brown-signs-calecpa-requiring-police-get-warrant-accessing.

[22] Five states have legislation to protect digital communications, and nine states have legislated protection for GPS information. Colleen Kriel, California Senate Says Cops Need Warrant to Search Smartphones, Tablets, SILICONANGLE (Jun. 4, 2015), -need-warrant-to-search-smartphones-tablets/. California, Maine, Texas, Utah and Virginia all enforce strict policies for digital records. Cassidy Fix, Digital Privacy Enhanced by New California Law, WESTERN SUN (Oct. 21, 2015), privacy-enhanced-by-new-bill/.

[23] Sagiv Galai and Tekendra Parmar, How Edward Snowden Changed Everything, THE NATION (Nov. 12, 2015),

[24] Hanni Fakhoury, senior staff attorney for the Electronic Frontier Foundation, stated that only Maine and Utah had similarly comprehensive laws on the books prior to California. Bree Fowler, New California Law Extends Privacy Rights to Electronic Data, ASSOC. PRESS (Oct. 9, 2015), bfd1c4d1ecad4eaba446bcecb8935d69/new-california-law-extends-privacy-rights-electronic-data.

[25] This estimate is current as of July 1, 2014. QuickFacts, U.S. CENSUS BUREAU, table/PST045214/00,06.

[26] The EFF explicitly voiced this hope on the October 8 passing of the bill: “We hope that California’s success will lend momentum to the federal Electronic Communications Privacy Act.” Dave Maass , Victory in California! Gov. Brown Signs CalECPA, Requiring Police to Get a Warrant Before Accessing Your Data, ELEC. FRONTIER FOUND. (Oct. 8, 2015), police-get-warrant-accessing.

[27] The Supreme Court explicitly stated in Riley that “the Fourth Amendment was the founding generation’s response to the reviled ‘general warrants’ and ‘writs of assistance’ of the colonial era, which allowed British officers to rummage through homes in an unrestrained search for evidence of criminal activity.” Riley v. California, 134 S.Ct. 2473, 2494 (2014).

[28] See PHILLIP A. HUBBART, MAKING SENSE OF SEARCH AND SEIZURE LAW 23 (Carolina Academic Press, 2nd ed. 2015).

[29] See “assistance” Encyclopedia Britannica. 2015.

[30] David Snyder, The NSA’s “General Warrants: How the Founding Fathers Fought an 18th Century Version of the President’s Illegal Domestic Spying, ELEC. FRONTIER FOUND. 2, warrantsmemo.pdf.

[31] Historically, a general warrant was issued by the English Secretary of State for the arrest of an author, printer, or publisher of seditious libel, but the warrant did not name the person(s) to be arrested. WARRANT, Black’s Law Dictionary (10th ed. 2014).

[32] Snyder, supra note 30, at 1.

[33] WARRANT, Black’s Law Dictionary (10th ed. 2014).

[34] He proclaimed that the writs of assistance, “allowed any government official to search a person anytime, at any place, and for any reason, without even suspecting that person of a crime.” See Asm. Obernolte Introduces S.B. 178 – Opening Remarks (video of Sept. 8, 2015), Ca. Assemb. G.O.P. Vimeo,

[35] Id

[36] U.S. Const. amend. IV.

[37] Olmstead v. U.S., 277 U.S. 438 (1928), held a search required a physical trespass of property; while Goldman v. U.S., 316 U.S. 129 (1942), held a search required a physical intrusion. In that case, the police held a cup against a wall to listen to the defendant, but the Court determined that only things being “searched for” were the suspects’ voices, which are not tangible property. Cf. Professor Orin Kerr, The Curious History of Fourth Amendment Searches. GWU Legal Studies Research Paper No. 2012-107; GWU Law School Public Law Research Paper No. 2012-107 (September 30, 2012), that the pre-Katz “trespass test” history was an invention of the Katz court and tracking the real history of the Fourth Amendment by examining case law).

[38] Katz v. U.S., 389 U.S. 347 (1967).

[39] Id. at 361.

[40] See Smith v. Maryland, 442 U.S. 735, 743 (1979) (saying there is no reasonable expectation of privacy in the dialed phone dialed numbers because individuals “know that they must convey numerical information to the phone company.”); U.S. v. Miller, 425 US 435, 442 (1976), (finding there is no reasonable expectation of privacy in bank records because they were voluntarily given to the banks and their employees).

[41] Monu Bedi, The Curious Case of Cell Phone Location Data: Fourth Amendment Doctrine Mash-Up, 110 NW. U. L. REV. ONLINE 61, 64 (2015), 1231&context=nulr_online.

[42] Miller, 425 U.S. at 443.

[43] Burrows v. Superior Court, 13 Cal. 3d 238, 247 (1974) (“The underlying dilemma in this and related cases is that the bank, a detached and disinterested entity, relinquished the records voluntarily. But that circumstance should not be crucial. For all practical purposes, the disclosure by individuals or business firms of their financial affairs to a bank is not entirely volitional, since it is impossible to participate in the economic life of contemporary society without maintaining a bank account. In the course of such dealings, a depositor reveals many aspects of his personal affairs, opinions, habits and associations. Indeed, the totality of bank records provides a virtual current biography.”); and Id. at 247–48, (“Development of photocopying machines, electronic computers and other sophisticated instruments have accelerated the ability of government to intrude into areas which a person normally chooses to exclude from prying eyes and inquisitive minds. Consequently judicial interpretations of the reach of the constitutional protection of individual privacy must keep pace with the perils created by these new devices.”).

[44] Bedi, supra note 41, at 66.

[45] United States v. Knotts, 460 U.S. 276, 281–82 (1983).

[46] California v. Ciraolo, 476 U.S. 207, 212–13 (holding there was no Fourth Amendment violation because “[a]ny member of the public flying in this airspace who glanced down could have seen everything that these officers observed.”).

[47] Id.

[48] Friewald, supra note 21. Quite simply, and almost tautologically, metadata is data about data. See “metadata.” Merriam-Webster Online Dictionary. 2015.

[49] Bedi, supra note 41, at 62.

[50] Mem. Op. of Nov. 9, 2015, Klayman v. Obama, Civil Action No. 13-851 (D.C. Cir.),, at 26.

[51] Mem. & Order of Dec. 27, 2013, ACLU v. Clapper, Civil Action No. 13-3994 (S.D.N.Y.), preliminary_injunction.pdf at 2.

[52] Mike Godwin, Our Inboxes, Ourselves, SLATE (Sept. 15, 2015),

[53] Landau shows how one may be able to discern intimate details of a person’s life by using the example of a call log where an individual receives a call from a gynecologist, then that person places a call to an oncologist, and then she makes calls to her family members. Id. 

[54] Id. 

[55] Edward Snowden, TWITTER (Nov. 2, 2015),

[56] Catherine Crump, The Small and Surprisingly Dangerous Detail the Police Track About You, TED (Dec. 2014), _you/transcript?language=en at :50.

[57] See Apple Support,

[58] Orin Kerr, Executing Warrants for Digital Evidence: The Case for Use Restrictions on Nonresponsive Data, 48 TEX. TECH. L. R. 1, 1 (Fall 2015),, [hereinafter Executing Warrants].

[59] Id. at 1 n.2.

[60] Elizabeth E. Joh, The New Surveillance Discretion: Automated Suspicion, Big Data, and Policing, 10 HARV. L. & POL’Y REV. 15, 20 (2016).

[61] Galai and Parmar, supra note, 23. “Admittedly, what metadata is has not changed over time. As in Smith, the types of information at issue in this case are relatively limited: phone numbers dialed, date, time, and the like. But the ubiquity of phones has dramatically altered the quantity of the information that is now available, and more importantly, what that information can tell the Government about people’s lives.” Mem. Op. of Dec. 16, 2013, Klayman v. Obama, Civil Action No. 13-851 (D.C. Cir.),

[62] Riley v. California, 134 S.Ct. 2473, 2488–89 (2014).

[63] Senator Loni Hancock, S.B. 178 (Leno) – Privacy, Senate Committee on Public Safety Report p. 7, 2015–2016 Regular Session (Mar. 16, 2015),

[64] Aaron Smith, U.S. Smartphone Use in 2015, PEW RESEARCH CENTER (Apr. 1, 2015), /2015/04/01/us-smartphone-use-in-2015/, [hereinafter Pew Report].

[65] It has been estimated that on average, a million “selfies” are taken each day. Marvin Heiferman, Who’s Who? The Changing Nature and Uses of Portraits, NY TIMES (BLOG) (Nov. 16, 2015), 16/whos-who-the-changing-nature-and-uses-of-portraits/?smid=pl-share.

[66] Pew Report, supra note 64.

[67] Id.

[68] “Compared with smartphone owners from households earning $75,000 or more per year, those from households earning less than $30,000 annually are nearly twice as likely to use a smartphone to look for information about a job — and more than four times as likely to use their phone to actually submit a job application.” Id.

[69] Daniel J. Solove, “I’ve Got Nothing to Hide” and Other Misunderstandings of Privacy, 44 SAN DIEGO L. REV. 745, 757–58 (2007),

[70] Glenn Greenwald, NSA Collecting Phone Records of Millions of Verizon Customers Daily, GUARDIAN (June 6, 2013),

[71] Lorenzo Franceschi-Bicchierai, The 10 Biggest Revelations from Edward Snowden’s Leaks, MASHABLE (Jun. 5, 2014),

[72] Eighty percent of adults “agree” or “strongly agree” that Americans should be concerned about the government’s monitoring of phone calls and internet communications, while only 18 percent “disagree” or “strongly disagree” with that notion. Mary Madden, Public Perceptions of Privacy and Security in the Post-Snowden Era, PEW RESEARCH CENTER (Nov. 12, 2014), See also, Nicole A. Ozer, Get a Warrant! Senate Committee Approves E-Privacy Bill, ACLU OF S. CAL. (Mar. 24, 2015),; Colleen Kriel, California Senate Says Cops Need Warrant to Search Smartphones, Tablets SILICONANGLE (Jun. 4, 2015), says-cops-need-warrant-to-search-smartphones-tablets/.

[73] Chapter Four: Considering Police Body Cameras, 128 HARV. L. REV. 1794, 1810–11 and n.102 (2015). In response to newly passed law, the NSA will stop its wide-ranging surveillance program and replace it with a scaled-back system, NSA Ends Bulk Collection of U.S. Phone Records, AL JAZEERA AMERICA (Nov. 28, 2015), See also, Ozer, supra note 72.

[74] S.B. 178 (Leno and Anderson) Fact Sheet, ELEC. FRONTIER FOUND. (Version Feb. 2, 2015),

[75] Nicole A. Ozer, Victory for Privacy Rights in California, THE PEOPLE’S VANGUARD OF DAVIS, (Sept. 13, 2015),

[76] S.B. 178 (Leno and Anderson) Fact Sheet, ELEC. FRONTIER FOUND. (Version Mar. 18, 2015),

[77] Cell site simulators are devices that act like a cellphone tower. They trick devices in the area into connecting with them which enables law enforcement to get a person’s ISMI information or also possibly access communications. A “StingRay” is the brand name for a cell site simulator made by Harris Corp. Even though the device has not been in the public eye for a long time, it appears already to be suffering from “genericide,” or brand tarnishment. Devices made by other manufacturers are often referred to as “StingRays.” See Stingray Tracking Devices: Who’s Got Them?, ACLU,; Kim Zetter, Turns Out Police Stingray Spy Tools Can Indeed Record Calls, WIRED.COM (Oct. 28, 2015), stingray-government-spy-tools-can-record-calls-new-documents-confirm.

The device is also known by a number of other names, including an IMSI-catcher, Triggerfish, Kingfish, Amberjack, Hailstorm, Wolfpack, Gossamer, and swamp box. Kim Zetter, Turns Out Police Stingray Spy Tools Can Indeed Record Calls, WIRED.COM (Oct. 28, 2015), -spy-tools-can-record-calls-new-documents-confirm/; Cell Site Simulators Primer, National Association of Criminal Defense Lawyers (NACDL), Cell-Site-Simulator-Primer_Final.pdf.

[78] Ali Winston, East Bay Cellphone Surveillance Plan Gets Attorney General’s Support, REVEAL NEWS (Sept. 30, 2015),

[79] In a meaningful collaboration with privacy advocates, the Alameda County Board of Supervisors passed a comprehensive privacy policy on November 17, 2015. The policy requires a warrant before any deployment of the device and periodic audits of use. Alameda County Passes Groundbreaking Privacy Policy, EAST BAY (Nov. 24, 2015),

[80] Galai and Parmar, supra note, 23.

[81] CAL. BUS. & PROF. CODE D. §§ 22948.20–22948.25 (West 2017).

[82] Keith Wagstaff, New California Law Bans Smart TV Snooping, NBC NEWS (Oct. 7, 2015),

[83] Catherine Crump and Matthew Harwood, Invasion of the Data Snatchers: Big Data and the Internet of Things Means the Surveillance of Everything, ACLU (Mar. 25, 2014), -snatchers-big-data-and-internet-things-means-surveillance-everything.

Recently, Bose was sued by plaintiffs who alleged that its headphones were recording users’ music choices.  Hayley Tsukayama, Bose Headphones Have Been Spying on Their Customers, Lawsuit Claims, WASH. POST (Apr. 21, 2017),‌

[84] For example, the Snowden leaks were estimated to cause companies to lose between $22–35 billion in the three years following his disclosures. Daniel Castro, How Much Will PRISM Cost the U.S. Cloud Computing Industry?, INFO. TECH. & INNOVATION FOUND. (Aug. 2013), =1.120059528.1612146265.1450036081

[85] Matt Apuzzo, David E. Sanger, and Michael S. Schmidt, Apple and Other Tech Companies Tangle with U.S. Over Data Access, N.Y. TIMES (Sept. 7, 2015), companies-tangle-with-us-over-access-to-data.html.

[86] Federal Magistrate Judge (S.D. Cal.), the Hon. James F. Stiven, writes: “[d]espite strong support for S.B. 178 in existing law, its passage will bring needed clarity for all those affected, including law enforcement. Ca. State. Ass. Comm. on Privacy and Consumer Protection, Mike Gatto, S.B. 178 (Leno) as Amended June 2, 2015 (Jun. 23, 2015) at 8.

[87] CAL. PENAL CODE § 1546(i).

[88] Dave Maass, Why Law Enforcement Professionals Should Support CalECPA, ELEC. FRONTIER FOUND. (Sept. 2, 2015),

[89] § 1546.1(b)(1–3).

[90] § 1546.1(c)(1) and (2).

[91] § 1546.1(c)(5).

[92] § 1546.1(c)(3).

[93] § 1546.1(c)(4).

[94] § 1546.1(c)(6).

[95] § 1546.1(a).

[96] U.S. CONST. amend. IV.

[97] Executing Warrants, supra note 58, at 2.

[98] Id. at 16.

[99] Id. at 19.

[100] Id. at 34.

[101] Id. at 29.

[102] CAL. PENAL CODE § 1546.1(d)(1).

[103] § 1546(d).

[104] Samuel D. Warren and Louis D. Brandeis, The Right to Privacy, 4 HARV. L. REV. 193, 206–207 (1890).

[105] § 1546(h).

[106] Id.

[107] § 1546(g).

[108] Grant P. Fondo and Nathanial J. Moore, California Enacts CalECPA, Requiring a Search Warrant to Obtain or Access Users’ Electronic Information, GOODWIN PROCTOR (Oct. 14, 2015),

[109] For a detailed discussion of this issue, see Ryan Watzel, Riley’s Implications for Fourth Amendment Protection in the Cloud, 124 YALE L.J. F. 73 (2014), -implications-in-the-cloud. The author notes that the Supreme Court’s ruling in Riley protected only data stored in the cloud accessible on a cell phone. He argues that the Supreme Court explicitly sidestepped a broader discussion of how the third-party doctrine applies to cloud storage generally (citing Riley, 134 S.Ct. at 2489 n.1 “Because the United States and California agree that these cases involve searches incident to arrest, these cases do not implicate the question whether the collection or inspection of aggregated digital information amounts to a search under other circumstances.”).

[110] CAL. PENAL CODE § 1546(d).

[111] Id. 

[112] Smith v. Maryland, 442 U.S. 735 (1979).

[113] § 1546(l).

[114] § 1546.1 (a)(3), and it is also repeated in § 1546.1 (f).

[115] “A California or foreign corporation, and its officers, employees, and agents, are not subject to any cause of action for providing records, information, facilities, or assistance in accordance with the terms of a warrant, court order, statutory authorization, emergency certification, or wiretap order issued pursuant to this chapter.” § 1546.4(d).

[116] § 1546.2.

[117] Id.

[118] § 1546.2 (a) “[A]ny government entity… shall serve upon, or deliver to by registered or first-class mail, electronic mail, or other means reasonably calculated to be effective, the identified targets of the warrant or emergency request.”

[119] § 1546.2 (a).

[120] Id.

[121] Id.

[122] The option to delay notification is discussed in further detail in Part II-D.

[123] § 1546.2 (b)(3).

[124] Id.

[125] Id.

[126] The California District Attorneys Association, California Police Chiefs Association, California Sheriffs Association, and the California Statewide Law Enforcement Association were also neutral on the bill. In Landmark Victory for Digital Privacy, Gov. Brown Signs California Electronic Communications Privacy Act into Law, ACLU OF N. CAL. (Oct. 8, 2015), california-electronic-communications-privacy. One consideration, which was not raised by law enforcement, but is nonetheless ostensibly resolved by the CalECPA, was the matter of cost. The Senate Appropriations Committee noted that there might be significant one-time costs, as well as ongoing expenses associated with providing notice, though the Committee believed that agencies could be reimbursed using the State General Fund. See CAL. S. COMM. ON APPROPRIATIONS REP., S.B. 178 – PRIVACY, 2015–2016 Reg. Sess., at 1–2 (2015), senate-appropriations-committee-sb-178-analysis.

[127] Letter from Cal. State Sheriffs’ Assoc. to Sen. Mark Leno, supra note 17.

[128] Berger v. United States, 295 U.S. 78, 88 (1935).

[129] Patrick Mcgreevy, California Requires Warrants to Access Emails, L.A. TIMES (Oct. 18, 2015),

[130] Cyrus Farivar, California bill requires warrant for stingray use, ARS TECHNICA (Mar. 25, 2015),

[131] California Electronic Communications Privacy Act – S.B. 178 – Needs Amending, NAT’L ASSOC. TO PROTECT CHILDREN (Aug. 6, 2015), [hereinafter PROTECT on CalECPA].

[132] CAL. PENAL CODE § 1546.2 (b)(1) (West 2017).

[133] CAL. PENAL CODE § 1546.2 (b)(2) (West 2017); Patrick Mcgreevy, California Requires Warrants to Access Emails, supra note 127.

[134] PROTECT on CalECPA, supra note 129.

[135] This provision was amended on August 17, 2015 from “[i]mminent destruction” to just “[d]estruction,” as well.

[136] CAL. PENAL CODE § 1546(a)(1–5).

[137] PROTECT on CalECPA, supra note 129.

[138] Destruction of data also is not done until “after the termination of the current investigation and any related investigations or proceedings.” CAL. PENAL CODE § 1546.1(e)(2).

[139] CAL. PENAL CODE §1546.1(g)(3).

[140] PROTECT on CalECPA, supra note 129.

[141] CAL. PENAL CODE § 1546.1(g)(3) (West 2017).

[142] PROTECT on CalECPA, supra note 129.

[143] “This section does not limit the authority of a government entity to use an administrative, grand jury, trial, or civil discovery subpoena . . .” CAL. PENAL CODE § 1546.1(i) (West 2017).

[144] The bill was passed by the California State government, which does not have jurisdiction over the investigations of other states or by the federal government.

[145] CAL. PENAL CODE § 1546(k) (West 2017). However, PROTECT was still not pleased by this change perhaps again due to sort of confusion: “Is this language, based on the ‘intent’ of child pornography traffickers, enough to stand up to challenge in California courts? The only honest answer is, ‘a judge could tell you.’ We expect years of court battles if this bill becomes law, with a danger that convictions could be overturned.” PROTECT Analysis, supra note 140.

[146] See CAL. PENAL CODE § 1546.1(c)(5) (West 2017).

[147] See Wong Sun v. United States, 371 U.S. 471, 492 (1963) (holding that while the Fourth Amendment barred the use of drugs found on the premises against one defendant, the other had no reasonable expectation in the same search because it was not his apartment, “[t]he seizure of this heroin invaded no right of privacy of person or premises which would entitle Wong Sun to object to its use at his trial”).

[148] CAL. PENAL CODE § 1546.1(e)(2) (West 2017).

[149] Executing Warrants, supra note 58, at 19; See Orin Kerr, Warrant to Search Phone Did Not Allow Opening Folder Unlikely to Contain Evidence Sought, Court Rules, WASH. POST (Oct. 29, 2015), /news/volokh-conspiracy/wp/2015/10/29/warrant-to-search-phone-did-not-allow-opening-folder-unlikely-to-contain-evidence-sought-court-rules/.

[150] Executing Warrants, supra note 58, at 11.

[151] Id. at 26.

[152] See Godwin, supra note 52.

[153] Freiwald, supra note 21.

[154] Jacob Gershman, California Adopts New Strict Digital Privacy Law, WALL ST. J. (BLOGS) (Oct. 9, 2015),

[155] Id.

[156] See CAL. PENAL CODE § 1546.1(b)(1) (West 2017).

[157] Orin Kerr, Searches and Seizures in a Digital World, 119 HARV. L. REV. 531, 582–84 (2005).

[158] Horton v. California, 496 U.S. 128, 144–45 (1990).

[159] Id. at 136–37.

[160] People v. Herrera, 357 P.3d 1227, 1228 (Colo. 2015).

[161] Id. at 1235.

[162] Id. at 1230.

[163] Professor Kerr took issue with the court’s reasoning in a recent article, but he agreed with its conclusion. The court had said that opening the folder was not permitted by the warrant itself because doing so would violate the particularity requirement of the Fourth Amendment. Id. at 1228. However, as Kerr pointed out in his article, the particularity requirement is about the “facial validity of a warrant”, not about how it is executed. See Kerr, supra note 148.

[164] People v. Herrera, 357 P. 3d at 1229.

[165] Id. at 1232.

[166] Id. at ¶ 23.

[167] Id. at ¶ 35 (“If we were to hold that any text message folder could be searched because of the abstract possibility that it might have been deceptively labeled, we would again be faced with a limitless search … . We instead proceed cautiously in applying the plain view doctrine to searches involving digital data. Cf. People v. Gall, 30 P.3d 145, 154 (Colo. 2001) (noting privacy concerns with a search that follows the lawful seizure of a computer “container” that could reasonably contain writings identified in a search warrant). Where such a search does not meet the traditional requirements of Fourth Amendment doctrine, it should not be permitted.”).

[168] See discussion supra Part II.B.

[169] CAL. PENAL CODE § 1546.2 (a) (West 2017).

[170] § 1546.1 (b).

[171] § 1546.1 (b)(1–4).

[172] § 1546.1 (a).

[173] § 1546.1(a)(3).

[174] Jack Smith, The Constitution Can’t Defend You From Predictive Policing — Here’s Why, POLICY MIC (Nov. 10, 2015),

[175] This term has been used to describe surveillance practices that result in the massive collection of personal data. DANIEL J. SOLOVE, THE DIGITAL PERSON TECHNOLOGY AND PRIVACY IN THE INFORMATION AGE 33–34 (2004).

[176] You are Being Tracked: How License Plate Readers Are Being Used to Record American’s Movements, ACLU,

[177] Id.

[178] Cyrus Farivar, We Know Where You Have Been: Ars Acquires 4.6M License Plate Scans from the Cops, ARS TECHNICA (Mar. 24, 2015), -4-6m-license-plate-scans-from-the-cops/.

[179] Cyrus Farivar, EFF, ACLU Appeal License Plate Reader Case to California Supreme Court, ARS TECHNICA (June 16, 2015), supreme-court/.

[180] CAL. PENAL CODE § 1546 (f).

[181] Id. at (h).

[182] One company, Persistent Surveillance Systems, has developed a surveillance camera that can be attached to small aircraft and will record for hours at a time. This will give the police a “time machine” they can simply rewind as they need it. They could be placed at the highest points of a town or city and provide continuous surveillance. Crump & Harwood, supra note 83.

[183] See Phil Willon and Melanie Mason, Governor Vetoes Bill That Would Have Limited Police Use of Drones, L.A. TIMES (Sept. 28, 2015), of-drones-20140928-story.html. In fact, Governor Brown vetoed several bills regarding the use of drones this term. Most related to privacy and would have mandated civil or criminal penalties for unauthorized drone use. The Governor stated the reason he vetoed the bills was that he was unwilling to create more crimes. See also Lorraine Reich, Gov. Brown Has Our Back, Or Does He? (Opinion), THE UNION (Nov. 5, 2015), opinion/columns/18905936-113/lorraine-reich-gov-brown-has-our-back-or.

[184] Smith, supra note 173.

[185] Matt Stroud, The Minority Report: Chicago’s New Police Computer Predicts Crimes, But is it Racist?, VERGE (Feb. 19, 2014), -but-is-it-racist.

[186] Smith, supra note 183.

[187] Jack Smith, Police Are Sweeping Up Tweets and Friending You on Facebook, Whether You Know It or Not, POLICY MIC (Nov. 11, 2015), #.UCcLPqh5B. 

[188] Dave Maass, California Cops Are Using These Biometric Gadgets in the Field, ELEC. FRONTIER FOUND. (Nov. 4, 2015),

[189] See Marvin Heiferman, Who’s Who? The Changing Nature and Uses of Portraits, N.Y. TIMES (BLOGS) (Nov. 16, 2015), pl-share.

[190] Illinois’s law is called the Biometric Information Privacy Act, 740 I.L.C.S. 14, P.A. 95-994, [hereinafter “BIPA”] and Texas has Tex. BC. Code Ann. § 503.001: Capture or Use of Biometric Identifier,

[191] BIPA, at § 20(b).

[192] Id. at § 10; § 503.001(a).

[193] Id. at § 25(e)(“Nothing in this Act shall be construed to apply to a contractor, subcontractor, or agent of a State agency or local unit of government when working for that State agency or local unit of government.”); Texas’s law exempts disclosures made to the police. § 503.001(c)(1)(D).

[194] Facial recognition is not only a tool of law enforcement. Face First, a California company, has a system that will enable retailers to know when “high-value customers” as well as “litigious individuals” enter their stores. See Hal Hodson, Face Recognition Row Over Right to Identify You in the Street, NEW SCIENTIST (Jun. 19, 2015),

[195] See Peter Moskowitz, The Future of Policing Is Here, and It’s Terrifying, GQ (Nov. 9, 2015 2:27 PM),

[196] UAE Mounts Facial Recognition Cam in Police Car Light, PLANET BIOMETRICS (Nov. 3, 2015),

[197] Photos are submitted by police agencies, so the photos can be post-arrest booking photos or stills from video feeds. The F.B.I. also will keep the photos it receives when conducting background checks for job candidates. Jose Pagliery, FBI Launches a Face Recognition System, CNN MONEY (Sept. 16, 2014), 16/technology/security/fbi-facial-recognition/.

[198] Pagliery, supra note 196.[199] Id.

[200] Id.

[201] Maass, supra note 187.

[202] Id.

[203] Local Police Agencies Expand Use of Facial Recognition Devices, CBS8 (Nov. 24, 2015), story/30573053/local-police-agencies-expand-use-of-facial-recognition-devices.

[204] Maass, supra note 187.

[205] Local Police Agencies Expand Use of Facial Recognition Devices, supra note 202.

[206] Maass, supra note 187.

[207] John Patrick Pullen, How Windows 10 Could Kill Passwords Forever, TIME (Nov. 30, 2015), 4128834/windows-10-hello-facial-recognition/.

[208] Note, this practice is permissible if the suspect for identification purposes and only if the suspect has been detained as part of a criminal investigation. Local Police Agencies Expand Use of Facial Recognition Devices, supra note 202.

[209] Peter Moskowitz, The Future of Policing Is Here, and It’s Terrifying, GQ (Nov. 9, 2015 2:27 PM),

[210] Id.

[211] CAL. PENAL CODE § 1546.1(a) (West 2017)

[212] John Patrick Pullen, How Windows 10 Could Kill Passwords Forever, TIME (Nov. 30, 2015), 4128834/windows-10-hello-facial-recognition/.

[213] Note, this practice is only permissible if the suspect for identification purposes and only if the suspect has been detained as part of a criminal investigation. Local Police Agencies Expand Use of Facial Recognition Devices, supra note 202.

[214] Samuel D. Warren and Louis D. Brandeis, The Right to Privacy, 4 HARV. L. REV. 193, 195 (1890); Justice Brandeis further articulated this point in his dissenting opinion in Olmstead:

The protection guaranteed by the amendments is much broader in scope. The makers of our Constitution undertook to secure conditions favorable to the pursuit of happiness. They recognized the significance of man’s spiritual nature, of his feelings and of his intellect. They knew that only a part of the pain, pleasure and satisfactions of life are to be found in material things. They sought to protect Americans in their beliefs, their thoughts, their emotions and their sensations. They conferred, as against the government, the right to be let alone – the most comprehensive of rights and the right most valued by civilized men. To protect, that right, every unjustifiable intrusion by the government upon the privacy of the individual, whatever the means employed, must be deemed a violation of the Fourth Amendment.

Olmstead, 277 U.S. at 478 (emphasis added).

[215] Smith v. City of Artesia, 772 P.2d 373, 376 (N.M. Ct. App. 1989).

[216] Professor Phillip Rogaway, Why Most Cryptographers Don’t Care About Mass Surveillance (Andrew W. Mellon Foundation John E. Sawyer Seminar) (Sept. 22, 2015).

[217] Executing Warrants, supra note 58, at 11.

Leave a Reply

Your email address will not be published.

I accept that my given data and my IP address is sent to a server in the USA only for the purpose of spam prevention through the Akismet program.More information on Akismet and GDPR.