Skip to main content
A room full of servers at a data center

What is the Stored Communications Act?

Written by Joseph Lyon on . Posted in Class Action, Common Client Questions, Data Breach.

Every time you send an email, store a file in the cloud, or exchange a private message on a platform, that information doesn’t simply vanish — it lives on servers, potentially accessible to third parties. The question is: what stops someone from reading it without your permission?

For millions of Americans, the answer lies in a federal law that most people have never heard of: the Stored Communications Act (SCA). Enacted in 1986 and embedded within the broader Electronic Communications Privacy Act, the SCA remains one of the most consequential digital privacy statutes on the books. As data breaches multiply and corporate surveillance expands, understanding this law has never mattered more. Contact our lawyers to discuss related cases. 

What Is the Stored Communications Act?

The Stored Communications Act governs how electronic communications held in storage can be accessed, disclosed, and used. In plain terms, it prohibits unauthorized access to emails, private messages, voicemails, and other communications that are stored with a third-party service provider — think Gmail, iCloud, Slack, or your internet service provider.

Congress crafted the SCA to address a specific gap: once your communication leaves your device and travels to a service provider, traditional Fourth Amendment protections — which guard against government intrusion in your physical home — become legally murky. The SCA was designed to fill that gap and give stored digital communications a meaningful shield against both government overreach and private misconduct.

Who Does the SCA Cover?

The statute applies primarily to two categories of service providers: Electronic Communication Services (ECS) and Remote Computing Services (RCS). An ECS provides users the ability to send or receive electronic communications — your email provider is the classic example. An RCS stores or processes data on behalf of users — cloud storage platforms like Dropbox or Google Drive fit squarely in this category.

The SCA imposes obligations on both types of providers, restricting when and how they can hand over your data. Crucially, it also creates liability for anyone who accesses that stored data without lawful authorization.

What Does the SCA Actually Prohibit?

The core prohibition is broad: the SCA makes it unlawful to intentionally access, without authorization, a facility through which an electronic communication service is provided, and thereby obtain, alter, or prevent authorized access to stored electronic communications. It also prohibits service providers from voluntarily disclosing the contents of stored communications to parties not entitled to receive them. On the civil side, victims of SCA violations may recover:

  • Actual damages suffered as a result of the violation
  • Statutory damages of no less than $1,000 per violation
  • Punitive damages where the defendant acted with a culpable mental state
  • Attorney’s fees and litigation costs

Common Real-World SCA Violations

Despite its age, the SCA regularly surfaces in cutting-edge disputes. The following scenarios represent the most common contexts in which SCA claims arise today:

  • Employer Access to Employee Communications Employers who access workers’ personal email accounts, private messages, or cloud storage without explicit authorization frequently run afoul of the SCA — even when those communications occurred on company devices. Courts have consistently held that a company’s ownership of a device does not automatically confer the right to access personal accounts accessed through it.
  • Data Broker and Third-Party Disclosures When service providers share the contents of stored communications with data brokers, advertisers, or analytics firms without proper user consent, they may be violating the SCA’s disclosure provisions. This has become increasingly relevant as platform ecosystems grow more intertwined.
  • Government Overreach Without Proper Legal Process Law enforcement agencies must follow strict procedures — typically obtaining a warrant supported by probable cause — before compelling a provider to disclose the contents of stored communications. Accessing stored data through improper subpoenas or informal pressure on providers can constitute an SCA violation.
  • Domestic and Intimate Partner Surveillance Installing spyware, accessing an ex-partner’s email account, or using shared account credentials to monitor communications without consent are actionable under the SCA. Courts have awarded significant damages in these cases.

The SCA and Corporate Data Practices

The SCA intersects in complex ways with modern data practices. Companies that aggregate communications data, build user profiles from message metadata, or share communication contents through API integrations face genuine SCA exposure — particularly when their terms of service fail to clearly authorize such uses.

Recent litigation has tested the SCA’s reach into social media platforms, messaging applications, and enterprise software. Courts have grappled with whether reading email content for advertising targeting constitutes “access” under the statute, and whether automated scanning differs legally from human review. These questions remain actively litigated, making legal counsel essential for anyone navigating an SCA dispute.

Limitations and Exceptions You Should Know

No privacy law is absolute, and the SCA is no exception. The statute carves out several notable exceptions:

  • Provider access for service provision: Providers may access stored communications to the extent necessary to provide the service itself.
  • User consent: Access is lawful when the user whose communication is at issue has authorized it — making clear, unambiguous consent a central battleground in many cases.
  • Law enforcement with proper process: Government agencies may compel disclosure pursuant to valid legal process, though the type of process required varies by the age and nature of the communication.
  • Emergency exceptions: Providers may disclose contents to law enforcement in circumstances involving an imminent danger of death or serious injury.

Understanding whether an exception applies often requires a fact-intensive legal analysis. The line between authorized access and a clear SCA violation is not always obvious, which is precisely why having experienced data privacy counsel matters.

Why Choose The Lyon Firm for Your SCA Case?

Data privacy law is the foundation of many of our cases. The Lyon Firm has built its reputation by aggressively protecting individuals and businesses whose digital privacy rights have been violated, and the Stored Communications Act is a cornerstone of that work.

When you retain The Lyon Firm, you gain a legal team that combines deep statutory knowledge with litigation experience in both federal and state courts. We know how SCA cases are won and lost — from the technical evidence required to establish unauthorized access, to the damages theories most likely to move a jury or secure a favorable settlement.

  • Focused, full-service data privacy practice — not a generalist firm dabbling in tech law
  • Proven track record pursuing SCA claims against corporations, employers, and individuals
  • Experience handling civil litigation alongside regulatory frameworks including ECPA and CCPA
  • Transparent, client-centered communication from intake through resolution
  • We evaluate your case with no obligation — and we don’t accept cases we don’t believe in

Whether you believe your stored communications were accessed by an employer, a platform, a former partner, or a government agency without proper authorization, The Lyon Firm has the knowledge and determination to pursue accountability on your behalf.

Frequently Asked Questions About the Stored Communications Act

Does the SCA protect my text messages? Generally, yes. Text messages stored by your carrier or on a cloud backup service can fall under SCA protection. However, messages still being transmitted in real-time are governed by a separate provision of the Electronic Communications Privacy Act known as the Wiretap Act. Courts continue to refine where the line between “in transit” and “in storage” falls for modern messaging platforms, making case-specific analysis critical.

Can I sue my employer under the SCA for reading my personal emails? Potentially, yes. If your employer accessed your personal email account without your authorization, that access may constitute an SCA violation. The key legal questions are whether the account qualifies as an electronic communication service and whether your employer had actual authorization. Company policies granting broad access rights to company-owned devices don’t automatically extend to personal accounts hosted by third-party providers.

What is the statute of limitations for an SCA claim? The SCA provides a two-year statute of limitations, running from the date on which the claimant first discovered the violation. Acting promptly once you suspect a violation is strongly advisable, as evidence can degrade or become unavailable over time.

Does the SCA apply to social media messages? Courts have increasingly held that private messages sent through social media platforms — Instagram DMs, Facebook Messenger, X direct messages — can fall within the SCA’s scope, since those platforms qualify as electronic communication service providers. Unauthorized access to another person’s social media account to read their private messages is a textbook example of potential SCA liability, and has been the basis for civil lawsuits and criminal referrals alike.

What’s the difference between the SCA and CCPA? The SCA is a federal criminal and civil statute specifically targeting unauthorized access to stored communications. The CCPA (California) is a broader consumer data protection framework governing how businesses collect, process, and share personal data. Many of The Lyon Firm’s cases involve overlapping claims under multiple statutes, which is why comprehensive legal analysis matters from the outset.

What evidence do I need to bring an SCA case? Successful SCA claims typically require evidence establishing: (1) that the defendant intentionally accessed a facility providing an electronic communication service; (2) that the access was unauthorized or exceeded authorization; and (3) that stored communications were obtained, altered, or blocked as a result. The Lyon Firm works with technical experts to build the evidentiary record necessary to support your claim.

CONTACT THE LYON FIRM TODAY

Please complete the form below for a FREE consultation.

  • This field is for validation purposes and should be left unchanged.