Utah Becomes First State to Curtail Warrantless Searches of Personal Data Transmitted to Third Parties
Utah recently enacted the nation’s first privacy law that protects its citizens from unbounded government invasion into personal electronic information shared with third parties. The new law requires the government to get a warrant to obtain personal electronic information transmitted to a third party.1 Specifically, the Electronic Information or Data Privacy Act (“EIDP”) provides that “a law enforcement agency may not obtain, without a search warrant issued by a court upon probable cause: (i) the location information, stored data, or transmitted data of an electronic device; or (ii) electronic information or data transmitted by the owner of the electronic information or data to a remote computing service provider.”
Information obtained in violation of the EIDP is subject to exclusion from criminal proceedings “as if the records were obtained in violation of the Fourth Amendment[.]” However, the law does permit warrantless searches of electronic information or data in certain circumstances, including “in accordance with a judicially recognized exception to warrant requirements.” One such exception, for exigent circumstances, allows for warrantless searches when law enforcement reasonably believes that evidence will be destroyed before officers can get a search warrant.
The EIDP also includes a notice provision that requires that law enforcement notify the owner of the electronic information within 14 days after the information is obtained (1) that a warrant was obtained, (2) the kind of warrant issued, (3) the period of time for which the collection was authorized, (4) the offense specified in the warrant, and (5) the identity of the law enforcement agency that sought the warrant. The notice period can be extended for an additional 90 days where there is “reasonable cause to believe” that certain exigent circumstances exist to delay notification.
The Utah law follows the Supreme Court’s recent conclusion in Carpenter v. United States that the Third Party Doctrine does not apply to cell-site location information (“CSLI”) which is created each time a person’s cell phone connects to a cell site.2 The Third Party Doctrine provides a warrant generally is not required for law enforcement to obtain information transmitted to a third party on the basis that “a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties.”3
Under Carpenter, law enforcement must obtain a search warrant to obtain an individual’s CSLI from a cellular provider. The Court cautioned, however, that its decision was “narrow” and did not extend to other types of electronic information transmitted to third parties.4 Indeed, Justice Alito, writing in dissent, argued that “[l]egislation is much preferable to the development of an entirely new body of Fourth Amendment caselaw for many reasons, including the enormous complexity of the subject, the need to respond to rapidly changing technology, and the Fourth Amendment’s limited scope.”5
Perhaps Utah’s privacy law will push Congress to consider broader data privacy legislation that protects citizens’ personal electronic information from misuse by the government. In the meantime, companies must contend with an expanding set of patchwork regulations governing electronic information, including when responding to a government request for data obtained from a Utah citizen.
2 Carpenter v. United States, 138 S. Ct. 2206 (2018).
3 Id. at 2016.
4 Id. at 2220.
5 Id. at 2261 (Alito, J., dissenting).
This information is provided by Vinson & Elkins LLP for educational and informational purposes only and is not intended, nor should it be construed, as legal advice.