What Is the Electronic Communications Privacy Act (ECPA)?
Every text you send, every email you write, and every call you make travels through invisible pipelines, and somewhere along the way, someone may be collecting this data. The Electronic Communications Privacy Act (ECPA) was designed to stop that. Passed in 1986, it was revolutionary for its time. But the internet it was written to govern looks nothing like the internet we interact with today.
Understanding ECPA is critical if you’ve ever wondered whether your communications are truly private, whether a company can share your data without your permission, or whether you have legal recourse when someone intercepts your messages without consent.
What Is the ECPA and Why Does It Exist?
Congress enacted the Electronic Communications Privacy Act to extend government restrictions on wiretapping to include digital communications. At its core, ECPA prohibits unauthorized interception of wire, oral, and electronic communications — and it covers both government actors and private individuals.
The law is divided into three major parts, often referred to as titles:
- Title I — The Wiretap Act makes it illegal to intentionally intercept any wire, oral, or electronic communication. This means law enforcement generally cannot tap your phone or read your messages in real time without a court order. Private parties face the same prohibition. If a company or individual intercepts your communications without consent, that’s a federal violation.
- Title II — The Stored Communications Act (SCA) addresses data at rest — emails sitting in your inbox, files stored on a server, messages in the cloud. Under the SCA, service providers cannot voluntarily disclose the contents of stored communications to third parties, including the government, without proper legal process or your consent.
- Title III — The Pen Register Act governs the collection of metadata — who you called, when, and for how long — without capturing the actual content. It requires government agencies to obtain a court order before deploying pen register or trap-and-trace devices.
Together, these three titles create a framework that touches nearly every form of electronic communication. But the details matter enormously, and so do the exceptions.
How ECPA Actually Protects You in Practice
When ECPA functions as intended, it creates meaningful barriers to surveillance. Here’s what that looks like in real terms:
If law enforcement wants to read your emails, they must comply with the SCA. For emails stored fewer than 180 days, they generally need a warrant backed by probable cause. For older emails, similar protections have expanded over time, and that distinction has been narrowed significantly through court decisions and the ECPA Amendments Act.
If your employer, a competitor, or a third-party vendor intercepts your business communications without consent, you may have a federal civil claim. ECPA allows victims to sue for actual damages, statutory damages of at least $10,000, punitive damages in egregious cases, and attorney’s fees.
If a data broker or analytics company accesses your stored messages without authorization, the Stored Communications Act may give you standing to pursue a lawsuit even without proving concrete financial harm.
Where ECPA Falls Dangerously Short
Despite its scope, ECPA has significant blind spots that leave millions of Americans exposed.
- The law is decades behind technology. ECPA was written before smartphones existed. Before cloud storage. Before social media. Before apps that track your every movement, purchase, and preference. Many of the privacy threats people face today weren’t contemplated by Congress in 1986.
- The third-party doctrine weakens your protections. Under long-standing legal precedent, information you voluntarily share with a third party, like a phone carrier or an email provider, may have reduced legal protection. This means that data your service provider collects about you can sometimes be shared with the government more easily than the content of your communications.
- Metadata is not fully protected. ECPA offers weaker protections for metadata than for actual content. In many cases, this metadata reveals more about your life than the content itself.
- Business records and app data fall outside ECPA’s reach. Most location data, browsing history, and app activity collected by tech companies isn’t covered. Data brokers can aggregate and sell this information with very few restrictions under federal law.
- The consent exception is broad. If one party to a communication consents to interception, federal law is generally satisfied. This means apps with buried consent language in their terms of service may operate legally even when most users have no idea their data is being collected.
Other Laws That Can Fill the Gaps
Because ECPA has limits, privacy attorneys increasingly rely on a patchwork of complementary laws to protect clients:
The California Consumer Privacy Act (CCPA) and CPRA give California residents the right to know what data is collected, the right to delete it, and the right to opt out of its sale. Companies that violate these laws face fines and consumer lawsuits.
The Computer Fraud and Abuse Act (CFAA) can apply when someone accesses a system or account without authorization — including former partners who access your email account, employers who exceed authorized access, or hackers who breach databases holding your information.
State wiretapping laws in states like Illinois, Maryland, and Pennsylvania require all parties to consent before a communication can be recorded. These laws often provide broader protection than ECPA.
HIPAA protects health information held by covered entities and business associates. When a healthcare company suffers a breach or improperly discloses your records, HIPAA enforcement — and sometimes private litigation — follows.
The Illinois Biometric Information Privacy Act (BIPA) has become one of the most powerful privacy statutes in the country, allowing individuals to sue companies that collect fingerprints, facial scans, or other biometric data without proper consent.
Five Recent ECPA and Digital Privacy Lawsuits Worth Knowing
1. In re: Google LLC Street View Electronic Communications Litigation (9th Cir., 2023) — Plaintiffs alleged that Google’s Street View vehicles intercepted payload data from unencrypted Wi-Fi networks. The Ninth Circuit allowed Wiretap Act claims to proceed, rejecting Google’s argument that the data was “readily accessible to the general public.”
2. Facebook v. Duguid (U.S. Supreme Court, 2021) — While centered on the TCPA, this case shaped how courts think about automated digital communications and consent, with wide-ranging implications for how companies can reach individuals using stored number lists.
3. Brickman v. Fitbit (N.D. Cal., 2022) — Users sued Fitbit under the SCA and state privacy statutes, alleging the company disclosed health and location data to third-party advertisers without adequate consent. The case settled for a significant sum and required policy changes.
4. Patel v. Facebook (9th Cir., 2019) — In a landmark BIPA ruling, the court found that Facebook’s facial recognition feature — used to suggest photo tags — violated Illinois law without concrete injury being required. The case ultimately settled for $650 million.
5. In re: TikTok, Inc. Consumer Privacy Litigation (N.D. Ill., 2022) — A consolidated class action alleged TikTok collected biometric data, browsing history, and device information without proper disclosure or consent. Claims under BIPA, ECPA, and state law proceeded past early dismissal motions.

You May Have a Case and Not Even Know It
Data privacy violations don’t always come with obvious signs. You might have a claim if:
- A company shared your private messages, location data, or health records without your consent
- An app collected your biometric data — face scans, fingerprints, voiceprints — without telling you
- Your employer intercepted your personal communications on a work device without disclosure
- A data breach exposed your sensitive personal information due to inadequate security
- A former partner, employer, or third party accessed your accounts or messages without permission
These situations may give rise to claims under ECPA, state privacy statutes, BIPA, the CFAA, or other applicable law. The key is getting a qualified legal evaluation before time runs out — because statutes of limitations on privacy claims can be short.
Why Hire The Lyon Firm for Your Data Privacy Case
The Lyon Firm focuses on representing individuals whose digital privacy has been violated. In an era where corporations and institutions hold more personal data than ever — and where the legal framework to protect that data is still catching up — having experienced counsel is essential.
We understand the technology. Privacy litigation is technical. Our attorneys know how data flows, how consent mechanisms work, and where companies typically cut corners. That knowledge shapes every case we build.
We know the statutes. From ECPA and the SCA to BIPA, CCPA, and state wiretapping laws, The Lyon Firm stays current on the legal tools available to protect your rights. We pursue every viable avenue.
We work on contingency. In most data privacy cases, you pay nothing unless we recover for you. That means cost is never a barrier to finding out whether you have a claim.
We hold companies accountable. Large corporations count on individuals not knowing their rights — or not having the resources to assert them. We exist to change that equation.
We are actively investigating data privacy violations. If you believe your communications were intercepted, your biometric data was collected without consent, your health records were exposed, or your personal data was sold without authorization, contact The Lyon Firm today for a free, confidential consultation.