The Electronic Communications Privacy Act (ECPA) was enacted in 1986 and is composed of three acts: the Wiretap Act, the Stored Communications Act (SCA), and the Pen Register Act. Much of ECPA is directed at law enforcement, providing the “Fourth Amendment like privacy protections” to electronic communications. However, ECPA’s three acts also contain privacy obligations relevant to non-governmental actors. ECPA is perhaps the most comprehensive federal law on electronic privacy, as it is not sector-specific, and many of its provisions apply to a wide range of private and public actors. Nevertheless, its impact on online privacy practices has been limited. As some commentators have observed, ECPA “was designed to regulate wiretapping and electronic snooping rather than commercial data gathering,” and litigants attempting to apply ECPA to online data collection have generally been unsuccessful.
The Wiretap Act applies to the interception of a communication in transit. A person violates the Act if, among other acts, he “intentionally intercepts . . . any wire, oral, or electronic communication.” The Wiretap Act defines an “electronic communication” broadly, and courts have held that the term includes information conveyed over the internet. Several thresholds must be met for an act to qualify as an unlawful “interception.” Of particular relevance are three threshold issues. First, the communication must be acquired contemporaneously with the transmission of the communication. Consequently, there is no “interception” where the communication in question is in storage. Furthermore, the acquired information must relate to the “contents” of the communication, defined as information concerning the “substance, purport, or meaning of that communication.” As a result, while the Act applies to information like the header or body of an email, the Act does not apply to non-substantive information automatically generated about the characteristics of the communication, such as IP addresses.
Third, individuals do not violate the Wiretap Act if they are a “party to the communication” or received “prior consent” from one of the parties to the communication. The party-to-the-communication and consent exceptions have been subject to significant litigation; in particular, courts have often relied on the exceptions to dismiss suits alleging Wiretap Act violations due to online tracking, holding that websites or third-party advertisers who tracked users’ online activity were either parties to the communication or received consent from a party to the communication.
The SCA prohibits the improper access or disclosure of certain electronic communications in storage. With respect to improper access, a person violates the SCA if he obtains an “electronic communication” in “electronic storage” from “a facility through which an electronic communication service is provided” by either: (1) “intentionally access[ing] [the facility] without authorization” or (2) “intentionally exceed[ing] an authorization.” Although the statute does not define the term “facility,” most courts have held that the term is limited to a location where network service providers store communications. However, courts have differed over whether a personal computer is a “facility.” Most courts have excluded personal computers from the reach of the SCA,258 but some have disagreed