The Fourth Amendment of the U.S. Constitution protects citizens’ privacy against unreasonable search and seizure. But in the internet age, it can be difficult to apply the same privacy protections to digital data—a driving reason behind why the Stored Communications Act was created.
The Stored Communications Act (SCA) helps protect digital privacy by regulating how and when internet service providers can disclose user data. Under the SCA, it is unlawful for electronic communication and remote computing services to “knowingly divulge” stored customer communication. And no one—not even government entities—can obtain electronic conversations without court authorization or the owner’s consent.
Understanding the SCA and its protection is crucial when dealing with online defamation and related privacy issues. Our attorneys at Minc Law have proven experience protecting individuals from—and helping businesses avoid—SCA violations.
In this article, we explain what the Stored Communications Act does, its benefits and drawbacks, and how to avoid violating the SCA.
Individual privacy has been an integral part of U.S. citizens’ rights since the Fourth Amendment was ratified in 1791. This amendment protects individuals and their possessions—though it was originally concerned with physical invasion.
Thanks to the internet, protections against digital invasion are now also necessary. Thus, the Stored Communications Act was born.
The SCA is a federal law that regulates internet service providers’ ability to disclose user data. It was enacted in 1986 as a part of the Electronic Communications Privacy Act. Unlike its cousin, the Wiretap Act, the SCA only governs stored (or “at rest”) electronic communications. In other words, actively transmitted communications do not fall within the SCA’s domain.
Generally, the SCA is concerned with Internet Service Providers (ISPs) because these entities store large amounts of data and personal information, including:
The SCA protects stored electronic communication from unauthorized access by third parties. Under the SCA, government entities, businesses, and other individuals cannot obtain individuals’ electronic conversations without their consent or court authorization. Electronic communication and remote computing services also cannot “knowingly divulge” stored customer communication data.
Originally, the SCA allowed government entities to compel an ISP to disclose data if it has been in storage for 180 days or less, however this section was deemed unconstitutional in the landmark Supreme Court case Carpenter v. U.S. As the law stands now, government entities must obtain a warrant before accessing stored records.
The SCA has both civil and criminal remedies which means it provides individuals with broad protection. That being said, there can also be dire consequences for entities that knowingly or even unknowingly violate the SCA’s provisions. Therefore, it is important for businesses and other entities to understand what they cannot do with personal information and data that they store.
Several terms used within the SCA hold specific meanings and parameters within the statute. While some definitions can be confusing, it is important to know how certain terms are (or will be) interpreted under the law” or “interpreted in legal disputes.”
While the SCA provides broad protection to stored electronic communication, certain components limit the law’s applicability.
The short answer is yes. As mentioned above, Congress created specific definitions to apply to the terms used in the SCA. These definitions guide law enforcement on:
The SCA governs two main service providers: electronic communication services (ECS) and remote computing services (RCS). ECSs facilitate the transmission of electronic communication and have access to that data’s storage. RCSs, on the other hand, solely provide storage for such communication.
For example, Google may be considered an ECS because it lets users send emails and access online forums. An electronic bulletin board, on the other hand, may just be considered an RCS.
The primary difference is that RCSs store electronic communication by their nature, while ECSs offer various services, including “active” forms of communication. Therefore, the SCA only prohibits divulging stored communication on ECS servers.
Furthermore, courts have held that some technologies do not fall under either category. For example, cell phones and computers do not fall under the umbrella of ECSs or RCSs. The content on a personal device is stored by an electronic communication user (as opposed to a provider).
The SCA was intended to extend Fourth Amendment protection to individuals’ online data. However, social media adds a wrinkle to this concept.
How can an individual have a reasonable expectation of privacy for communication they voluntarily post online? The Central District for the state of California addressed this question in Crispin v. Christian Audigier, Inc. in 2010. The plaintiff, Buckley Crispin, originally sued the defendant (Christian Audigier, Inc.) for a copyright violation. Crispin alleged that the defendant used his artwork on retail products without proper attribution and in violation of their usage agreement.
During the course of discovery for this case, the defendant subpoenaed four social media sites for Crispin’s subscriber information and communications relating to the defendant. The defendant claimed this information was relevant to the case. However, Crispin argued that the defendant violated the SCA.
The court held that social media platforms are ECSs because profiles have restricted access to the public. The court also found that private messages on social media are also protected under the SCA because:
Like all laws, the SCA has its benefits and its drawbacks. It is difficult for lawmakers to craft privacy statutes because they must balance national security with individuals’ Fourth Amendment right to privacy.
The main benefit of the SCA is that it gives individuals a sense of security when using email, text messages, online forums, and social media. For example, in 2010, the class-action plaintiffs in Robbins v. Lower Merion School District charged two area high schools with spying on students. The plaintiffs claimed that the schools were remote-activating webcams in school-issued laptops, violating students’ privacy.
The defendants admitted to secretly monitoring students, taking over 66,000 images of the victims. The court issued preliminary injunctions that banned the remote activation of web cameras on student computers.
Additionally, if a government agent suspects nefarious activity, they must use legal channels to access an individual’s electronic communication. They must obtain a subpoena by presenting evidence to a court that the information is valuable to the case.
This safeguard ensures that law enforcement must obtain a subpoena (at the very least) before accessing your data.
One of the biggest drawbacks to a law regulating online privacy is that technology inevitably develops.
One of the SCA’s original sections, § 2703, is a prime example. This section allowed the government to obtain protected data without a warrant—as long as they could show it was “relevant and material to an ongoing criminal investigation.” In U.S. v. Warshak, the defendant (Warshak) and his mother were charged with various business-related crimes, including fraud and money laundering. However, at trial, the ISP was compelled to turn over Warshak’s emails without obtaining a warrant first.
Warshak and his mother were found guilty. On appeal, the court held the SCA unconstitutional to the extent it permitted the government to obtain the emails without a warrant. However, because the government agents relied on the SCA in good faith, they found that a reversal of the conviction was unwarranted.
In 2018, the seminal Supreme Court case Carpenter v. United States deemed this section particularly problematic. In Carpenter, police collected 127 days’ worth of cell site location data from a robbery suspect’s service provider. Law enforcement used the data to catalog an extensive history of the defendant’s physical movements.
The Supreme Court found those actions to be a “search” under the Fourth Amendment and should have only been obtainable with a warrant. Essentially, Carpenter ruled that components of §2703 were unconstitutional.
When the SCA was drafted, Congress could not have known how extensive the data collected by ECSs and RCSs could be. Therefore, a judicial remedy was needed to maintain the statute’s constitutionality.
Because technology is constantly changing, the provisions set when the SCA was created in 1986 cannot comprehensively apply today. The more ISPs and other data storage services evolve, the more difficult it is to comply with national and international privacy laws.
The SCA is powered by court interpretations and case law, but court decisions may be unpredictable as interpretation methods change with the presiding judges. Deciding whether a server is a communications center or data storage site can be difficult, and many service providers are unsure whether complying with a subpoena would violate user privacy rights.
As court interpretations change to address technology advancements, the SCA may become less and less applicable. Without regular reforms to the SCA, many legal experts doubt the effectiveness and desirability of this law.
When it comes to the government’s ability to obtain protected data, legal precedent is murky at best. The SCA makes a distinction between the following types of communications:
Data held by RSC providers receives a lower level of protection by the SCA, which reflects the intention of the Fourth Amendment. The SCA is meant to strengthen the Fourth Amendment privacy protections concerning the internet. However, it can be difficult to apply these principles in law.
The court in Warshak v. U.S. found that even emails held by RCS providers should have a reasonable expectation of privacy. They held that subpoenaing the RCS provider should not trump the Fourth Amendment’s protection of privacy without a warrant.
Later, in U.S. v. Warshak, the Sixth Circuit claimed the SCA’s allowing the government to obtain emails without a warrant was unconstitutional.
In 2013, the Fifth Circuit ruled that court orders could compel cell phone providers to reveal historical cell site information. However, in Carpenter v. United States, the Supreme Court ruled that a warrant is required for the government to obtain that data.
Like most laws, there are exceptions to the SCA. In the following instances, it is not a violation to access or divulge stored electronic communication:
A service provider is always within their rights to disclose communication data to its intended recipient (or their agent). For example, a stored email addressed to Sally Jones can be divulged to Sally or her legal agent.
It is also acceptable to share communication with someone authorized to forward that data to its destination. You can also divulge protected data with facilities meant for forwarding that data to its recipient.
Another defense to the SCA is if sharing protected data is necessary for protecting the service provider’s rights or property.
A key aspect of the SCA is that the owner of stored communication has a “reasonable expectation of privacy” for that data. In other words, they can be sure no one will monitor their stored electronic communication.
When they give another individual or entity access to their stored communication, that expectation of privacy vanishes. The owner should no longer believe their communication is private. Therefore, consent is a complete exception to the SCA.
The NCMEC is a national nonprofit dedicated to finding missing children and eliminating child sexual exploitation. Unfortunately, child exploitation is on the rise in the digital age—so the SCA carves out an exception in relevant cases.
If stored customer communication includes evidence of the exploitation of children, releasing it is not an SCA violation.
The exception for releasing data to government agencies is narrow. A service provider can only allow access to stored customer data under certain circumstances:
There are civil and criminal penalties for violating the SCA. You should know what kinds of relief you can get from a violation—and what consequences you may face from violating it yourself. Like most laws, the penalties become more severe for multiple violations.
Any victim of an SCA violation may file a lawsuit against the violator. If successful, the court may assess damages incurred, including attorney fees. As a baseline, the statute requires no less than $1,000 in damages.
Different sections of the SCA have varying implications for violators. Anyone who unlawfully accesses stored electronic communications can face a fine and up to 10 years in prison.
Section 2701 of the SCA lays out specific punishments based on the violation’s severity. Every violator is subject to a fine, but they may also (or instead) be sentenced to jail time. Violators who acted for commercial gain, malicious destruction, or to commit another crime can face:
For any other case, punishments include:
Due to the potential consequences of violating the SCA, it is crucial to understand how to navigate consumer privacy protections. Below, we discuss tips for navigating the SCA and knowing when to disclose communication data.
While most businesses are not recognizable ECSs or RCSs, many do store or monitor electronic communication in their systems. So regardless of whether you believe you are subject to the SCA, it is important to understand your rights and responsibilities.
If your business is served with a subpoena for stored electronic communication, your options include:
Disclosure prohibitions make it unlawful for certain technology providers to divulge information. A business may not disclose a customer’s stored electronic communication unless served with a warrant.
Access prohibitions limit third parties’ ability to access electronic communications without sufficient authorization. A business may not access stored electronic communication unless they have proper authorization or the owner’s consent.
Understanding the nuances and provisions set forth in the SCA and ECPA are vital to our practice here at Minc Law.
While we do not litigate specifically for Stored Communications Act and Electronic Communications Privacy Act claims, we do help individuals and businesses remove damaging online content that may have been unlawfully published online.
Further in the course of filing John Doe lawsuits to identify anonymous online perpetrators, our attorneys remain vigilant and aware of the limitations set forth in the SCA and ECPA when subpoenaing online platforms and ISPs.
★★★★★
“Attorney Dorrian Horsey at Minc Law represented me in a content removal effort and was successful. She was very open with me about the process, and helped me understand the approach that she took. She was great to work with and very supportive of my effort. Thank you!”
Steven S.
August 11, 2023
If you have found unwanted or damaging online content that may have been unlawfully published about you online, reach out to schedule your initial, no-obligation consultation by calling us (216) 373-7706, speaking with a Chat Representative, or filling out our online contact form.
This page has been peer-reviewed, fact-checked, and edited by qualified attorneys to ensure substantive accuracy and coverage.