United States: New Utah Privacy Law Expands Warrant Requirement For Individuals' Data Held By Electronic Communications Service Providers

On March 27, 2019, Utah Governor Gary Herbert signed HB 57, a bill designed to increase privacy protections by requiring law enforcement to obtain a search warrant before being able to access a person's data held by electronic communication or remote computing service providers, including location information.

The bill, called the "Electronic Information or Data Privacy Act," was introduced by Representative Craig Hall (R-Utah), who stated that the goal of the bill "is to provide the same protections we have in the physical world and apply those to the electronic world."

Just last year, in Carpenter v United States, 138 S.Ct. 2206 (2018), the Supreme Court declared a Fourth Amendment privacy right for cell phone location data. The Court revised its long-held "reasonable expectation of privacy" test and ruled that law enforcement obtaining cell site location information records from a person's cell phone service provider constitutes a search under the Fourth Amendment and requires a warrant.

Even when such ruling expanded the privacy protection to information shared with a third party, it was a narrow decision referring only to location data in possession of wireless providers. Chief Justice Roberts recognized this and admitted that further expansion of these protections would be better achieved through state legislatures that could develop an "entirely new body of Fourth Amendment case law."

Following the Chief Justice's hint, Utah enacted the "Electronic Information or Data Privacy Act" that protects electronic data held by a third party from warrantless access by law enforcement. Specifically, subject to a few exceptions, the law imposes a warrant requirement for law enforcement to obtain (i) location information, stored data, or transmitted data of an electronic device, or (ii) electronic information or data transmitted by the owner thereof to a remote computing service provider. As used here, the term "electronic information or data" means "information or data including a sign, signal, writing, image, sound, or intelligence of any nature transmitted or stored in whole or in part by a wire, radio, electromagnetic, photoelectronic, or photooptical system."

Notably, this law expressly carves out an exception for "subscriber records," defined as "a record or information of a provider of an electronic communication service or remote computing service that reveals the subscriber's or customer's: (a) name; (b) address; (c) local and long distance telephone connection record, or record of session time and duration; (d) length of service, including the start date; (e) type of service used; (f) telephone number, instrument number, or other subscriber or customer number or identification, including a temporarily assigned network address; and (g) means and source of payment for the service, including a credit card or bank account number." By exempting such subscriber records from the warrant requirement, the Utah law tracks the familiar set of non-content records that can be obtained through a 2703(c)(2) subpoena under the federal Stored Communications Act (SCA), 18 U.S.C. §§ 2701 et seq.

Finally, the new Utah law requires that law enforcement agencies notify the owner of electronic information or data in question, or of the electronic device, once they have executed a search warrant to access that information. This must be completed within 14 days after law enforcement obtains the information pursuant to the warrant. Later, law enforcement must destroy the information in an unrecoverable manner as soon as reasonably possible after it was collected.

Utah's new law will no doubt impact how electronic communications and remote computer service providers handle law enforcement requests for electronic evidence – especially as other states follow Utah's lead – and could well lead to litigation over how such state law requirements operate alongside the federal SCA. In this evolving legal landscape, providers of telecommunications, digital messaging, and other electronic communications or remote computing services should reexamine how they handle law enforcement requests for electronic evidence. Providers facing an uptick in electronic evidence requests may also want to consider sharing specific guidelines through the ISP List used by law enforcement agencies for sending requests.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.