What Is the ECPA?
The Electronic Communications Privacy Act was enacted on October 21, 1986. It extended the federal restrictions on wiretapping, which until then covered wire and oral communications, to electronic data transmissions, and it added new provisions covering stored electronic communications. The ECPA amended Title III of the Omnibus Crime Control and Safe Streets Act of 1968 (the federal wiretap statute) and created two new statutes, so it is organized into three titles:
- The Wiretap Act (Title I) -- Governs the real-time interception of electronic communications
- The Stored Communications Act (Title II, or SCA) -- Governs access to stored electronic communications and records held by service providers
- The Pen Register Act (Title III) -- Governs the collection of metadata (such as phone numbers dialed or email addresses communicated with) as opposed to the content of communications
The Wiretap Act (Title I)
The Wiretap Act prohibits the intentional interception of wire, oral, or electronic communications. "Interception" means acquiring the contents of a communication while it is in transit. For website operators and businesses, this has several practical implications:
- You generally cannot monitor or record employee emails, chats, or phone calls without consent. Federal law requires the consent of only one party to the communication, but some states require all-party consent, so the stricter rule governs wherever state law demands it
- You cannot intercept communications between your customers and third parties
- If you provide a communication service (such as a messaging platform or email service), you have obligations regarding the interception of users' communications
There are exceptions. The "provider exception" allows providers of electronic communication services to intercept communications in the normal course of business where doing so is a necessary incident to providing the service or to protecting the provider's rights or property (for example, scanning for malware or enforcing terms of service). The "consent exception" allows interception when at least one party to the communication has consented, though state laws may impose stricter requirements. Neither exception is a blanket licence to monitor: interception that goes beyond what the service needs, or that a user has not actually agreed to, falls outside them.
The Stored Communications Act (Title II)
The Stored Communications Act (SCA) is the part of the ECPA most relevant to website operators. It governs access to stored electronic communications and subscriber records held by electronic communication services (ECS) and remote computing services (RCS).
The SCA creates restrictions on two types of access:
- Government access -- Law enforcement must generally obtain a warrant, court order, or subpoena to access stored communications, depending on the type of information and how long it has been stored
- Private party access -- The SCA prohibits intentionally accessing a facility through which an electronic communication service is provided without authorization, or in excess of an authorization, and thereby obtaining, altering, or blocking access to a stored communication. This reaches outsiders who break into a mailbox as well as insiders who read messages beyond what they were permitted to see. If you operate a service that stores user communications (like a forum, messaging feature, or email service), you should restrict who can read that data and keep staff access within the scope users have authorized.
Under the SCA, a provider of an electronic communication service generally may not knowingly divulge the contents of a stored communication to third parties, with several exceptions (such as when the sender or recipient consents, when disclosure is necessary for providing the service, or when required by law).
How the ECPA Affects Website Owners
While the ECPA was written in 1986 -- well before the modern web -- its provisions still apply to many online activities. Here is how it may affect your business:
- Contact forms and stored messages -- If your website collects messages through contact forms, stores customer emails, or operates any kind of messaging system, the SCA may restrict how you share or disclose that data
- Employee monitoring -- If you provide employees with company email or communication tools, the ECPA governs how you can monitor those communications. Having a clear, written policy that employees acknowledge is important.
- Session recording and analytics -- Tools that record user sessions, keystrokes, or interactions on your website may raise ECPA concerns if they capture the contents of communications (such as form inputs or chat messages). Because these tools copy the content as the user types or sends it, rather than reading it from storage later, the Wiretap Act's interception rules, not just the SCA, can be in play. Configure such tools to mask or exclude form fields and chat transcripts unless you have obtained consent to record them.
- Law enforcement requests -- If you receive a request from law enforcement for user data or communications, the ECPA dictates what types of legal process are required before you can disclose that information
- Third-party integrations -- If you use third-party tools that process or store user communications (live chat services, CRM systems, helpdesk software), you should understand what data those services access and how they protect it
ECPA Limitations and Modernization Efforts
The ECPA was written nearly four decades ago and has been widely criticized for not keeping pace with modern technology. Some of its provisions create distinctions that made sense in the era of dial-up bulletin boards but are confusing when applied to cloud storage, social media, and modern web applications.
The most significant change in practice did not come from Congress but from the Supreme Court's 2018 decision in Carpenter v. United States, which held that the Fourth Amendment generally requires a warrant for the government to obtain historical cell-site location information, even though the SCA allows such records to be obtained with a lesser court order. Congress has also considered various reform bills over the years, and the CLOUD Act of 2018 amended the SCA to address law enforcement access to data that U.S. providers store overseas.
Penalties for Violations
Violations of the ECPA can result in both criminal and civil penalties:
- Wiretap Act violations -- Criminal penalties of up to five years in prison and fines. Civil liability allows recovery of the greater of actual damages or statutory damages (the greater of $100 per day of violation or $10,000), plus punitive damages in appropriate cases and attorney fees.
- Stored Communications Act violations -- Criminal penalties for intentional unauthorized access of up to five years (up to 10 years for repeat offenses) when the access is for commercial advantage, malicious destruction or damage, or private commercial gain, or in furtherance of another crime; in other cases, up to one year (up to five years for repeat offenses). Civil liability allows recovery of actual damages and the violator's profits, with a $1,000 minimum, plus punitive damages for willful violations and attorney fees.
Practical Steps for Website Owners
- Have a clear privacy policy -- Disclose what data you collect, how you store it, and under what circumstances you might share it. Link to this from your website.
- Secure stored communications -- Use encryption at rest, role-based access controls, and access logging to protect stored customer messages, emails, and form submissions, and limit staff access to what the service actually requires
- Get consent for monitoring -- If you record user sessions, use live chat, or monitor employee communications, obtain consent that covers what is actually captured, present it before recording starts, and keep a record of it
- Establish a law enforcement request policy -- Know what types of legal process (warrant, subpoena, court order) are required before disclosing different types of user data, and consult an attorney before responding
- Review third-party tools -- Audit the third-party services you use to understand what user data they access and how they handle it
- Create employee communication policies -- If your business provides email or messaging tools to employees, have a written policy about monitoring and privacy expectations
For more on data privacy requirements, see our guide on GDPR Compliance, which covers the European Union's comprehensive data protection regulation.