Utah Enacts New Restrictions on Law Enforcement Access to Users’ Data
Utah has become the first state to legislatively dictate that law enforcement must obtain a warrant based on probable cause before forcing internet service providers to turn over users’ content, location information, and other records stored by them. The law, passed unanimously by the Utah Legislature and signed by Governor Gary Herbert last week, adds to an already robust series of data protection laws on the books in the Beehive State.
The new law amends the 2014 Location Privacy for Electronic Devices law to make explicit that Utah state and local law enforcement may not obtain “electronic information or data transmitted by the owner of the electronic information or data to a remote computer service provider” without obtaining a search warrant (although there were already very good arguments that such information and data were already protected), absent very limited exceptions, such as consent of the user and in emergency situations relating to death, serious injury, sexual abuse, and kidnapping, among others. The term “electronic information or data” is very broadly defined to include, in essence, all data on an electronic device. These protections buttress those put in place in Utah in 2012, where the legislature required that a warrant was needed to obtain the contents of electronic communications held by providers.
The new Utah law appears to go beyond the protections in federal law by requiring that law enforcement agencies get a warrant to obtain – again subject to exceptions – even the provider’s own transactional records relating to the customers (other than certain basic subscriber records). New Utah code 77-23c-104(3) includes the broad restriction that law enforcement may not obtain “any record or information, other than a subscriber record, of a provider of an [ECS or RCS] related to a subscriber or customer without a warrant.” (emphases added). This requirement goes far further than most ECPA-style laws, though it appears to conflict with Utah’s own pre-existing statute 77-23b-4(3). How those two provisions are reconciled remains to be seen. Further bolstering the rights and remedies of affected users, law enforcement must, subject to delays specifically granted by court order, notify customers when they receive information pursuant to the warrants, and evidence obtained in contravention of this law will be excluded from criminal trials. As in federal law, the new Utah law gives providers immunity from liability if they rely in good faith on the warrants in producing responsive information.
The new bill also appears to potentially dilute users’ privacy surrounding location information. The 2014 Location Privacy for Electronic Devices law required that governmental entities obtain a warrant for “location information,” defined as “information concerning the location of an electronic device that, in whole or in part is generated or derived from or obtained by the operation of an electronic device.” The law was hailed as a model by pro-privacy groups. The new law limits the definition of “location information” to “information, obtained by means of a tracking device, concerning the location of an electronic device …” seemingly restricting the warrant requirement to situations in which the government seeks to use a Triggerfish, Stingray or similar cell site simulator. Perhaps, though, protections for other location information data maintained by providers can be revived by resorting to the warrant requirement for “transmitted data,” although GPS data does not seem to fit squarely within the definition, or from the new warrant requirement in 104(3) discussed above. Stay tuned.
Utah’s new law is one of many privacy laws passed by states in recent years (CalECPA, Texas’ law relating to search warrants for stored communications, and warrant requirements for location information in Maine, Montana, New Hampshire, California, and many others). Providers will need to keep on top of the growing number of states constraining the power of the government to access users’ electronic information and consider necessary changes to their legal process compliance efforts.