The California Supreme Court has answered another long-outstanding Electronic Communications Privacy Act (“ECPA”) question, this time about the contours of the lawful consent exception in 18 U.S.C. § 2702(b)(3). In Facebook, Inc. v. Superior Court, 417 P.3d 725, 744 (Cal. 2018), the court concluded that electronic communication service providers must produce “publicly configured” data in response to a subpoena issued under the Stored Communications Act (“SCA”)—the Act leaves no discretion for the providers to refuse to do so.
In Facebook, defendants variously served criminal subpoenas on Facebook, Instagram, and Twitter (“the Providers”), seeking public and private content, including deleted material, that had been posted by a homicide victim and a key prosecution witness. The Providers challenged the subpoenas, asserting that that Section 2702(a) of ECPA prohibited them from divulging the requested communications, and that the prohibition applied broadly and did not depend on whether communications in question were configured to be public or private. The defendants did not contest the Providers’ assertion that 2702(a) prohibited Providers from disclosing the communications they sought, but instead argued that the SCA violated their constitutional rights under the Fifth and Sixth Amendments. The trial court agreed with the defendants’ constitutional claims, the Court of Appeals rejected them. The Providers appealed.
The California Supreme Court first observed that while 2702(a) of the Stored Communications Act generally prohibits Providers from disclosing content of communications, that prohibition does not apply to communications configured to be public because the public setting creates implied consent. The court pointed to, among other things, the fact that under section 2511(2)(g)(i), it is not unlawful to access electronic communications configured to be readily accessible to the general public, as well as to legislative history demonstrating that Congress expected providers to be able to disclose publicly configured communications. The court did not stop there, however. It then concluded that when accompanied by lawful process (in this case, a defense subpoena), a provider may not refuse to disclose the content of public communications. It must disclose it. The court rejected the argument that 2702(b)(3) gives Providers the discretion to provide content if they choose, but does not require them to do so. In doing so, the court followed the reasoning of Negro v. Superior Court, where the California Court of Appeals held that the use of the word “may” in Section 2702(b)(3)’s consent exception was not meant to be a grant of discretionary power to providers, but rather an exception to a general prohibition on disclosure.
The court left open some important questions. For example, the court discussed the possibility that previously public communications may be deleted, or changed to private communications, but declined to answer whether such changes could be read as a revocation of consent to disclosure. Nor did the court opine on the level of effort Providers must undertake to monitor and log public vs. private communications, although it cautioned that, “there is no indication that Congress intended that Providers would be categorically relieved from the burden of compliance with an otherwise lawful” subpoena.
So, what are the key takeaways for Providers, particularly in the social media space?
- The court rejected the defendants’ argument that lawful consent should extend to communications designated by a user to be viewable to specific friends and followers, such as posts in a large private group. As it stands, only posts designated to be public must be disclosed under the SCA’s implied consent exception.
- Accordingly, Providers may want to invest in ways to better track the configuration of communications and accounts as public, private, or deleted. Providers may have a strong argument that changing a post from public to private is implicitly a revocation of consent, at least before a California court. Knowing that a user made their account private at a particular point in time may turn out to be the deciding factor in whether a provider can shield its user’s communications from disclosure.
- Because compulsory process + an ECPA exception (like consent) = mandatory production of content, even without a warrant, providers may want to adapt their law enforcement policies to reflect that they are required to turn over content in response to a subpoena when an ECPA exception applies.