ECPA

ECPA sets rules for when government can access electronic communications. Passed in 1986, its framework distinguishes between communications content (higher protection), stored communications (varying by age), and metadata (lower protection). The law has been criticized as outdated for the cloud computing era.

The Electronic Communications Privacy Act of 1986 established the legal framework for government access to electronic communications in the US. It has three main parts: Title I (Wiretap Act) requires warrants for real-time interception of content. Title II (Stored Communications Act) governs access to stored communications with varying standards—a warrant for content under 180 days old, but only a subpoena for older content (though DOJ policy now requires warrants). Title III (Pen Register Act) covers metadata collection with minimal judicial oversight. ECPA’s framework predates cloud computing and treats email stored on servers differently than physical mail. Courts have struggled to apply 1986 concepts to modern services. The CLOUD Act amended ECPA to clarify extraterritorial application. For international users, ECPA’s relatively weak protections for stored data and metadata are a concern when using US services.