What is ECPA?
The Electronic Communications Privacy Act, a US law that governs government access to electronic communications and stored data, widely considered outdated.
ECPA (1986) was written before the internet era and provides weaker protections for digital communications than physical mail.
Key Provisions
- Wiretap Act (Title I): Real-time interception requires a warrant
- Stored Communications Act (Title II): Access to stored data has weaker protections
- Pen Register Act (Title III): Metadata collection requires only a court order
The 180-Day Rule
Emails stored on a server for more than 180 days can be obtained with just a subpoena (no warrant needed). This was written when email was downloaded and deleted from servers — it assumed long-stored emails were "abandoned."
Reform Efforts
- The Email Privacy Act has been proposed multiple times to require warrants for all email access
- Some courts have found the 180-day rule unconstitutional
- Major email providers (Google, Microsoft) voluntarily require warrants regardless
Why It Matters
ECPA is a reminder that privacy laws often lag technology by decades. A law written for 1986 technology governs 2026 digital communications.
Related Terms
CLOUD Act
A US law that allows federal law enforcement to compel US-based technology companies to provide data stored on servers regardless of where the data is physically located.
Fourth Amendment
The US Constitutional amendment protecting against unreasonable searches and seizures, which forms the legal basis for many digital privacy rights.
Subpoena
A legal order requiring a person or company to provide testimony, documents, or other evidence in legal proceedings. Service providers may receive subpoenas demanding user data, which is why privacy-focused services minimize data collection.
Have more questions?
Use our guided flow to get the right next privacy step for ECPA.
Open Guided Flow