The Stored Communications Act, which is codified at 18 USC 121, sections 2701-2712, is federal law that governs the conduct of electronic communication service providers and the voluntary and compelled disclosure of the contents of private electronic communications.

The purpose of the Stored Communications Act is to protect privacy of electronic communications that are not made to the public at large. Electronic communication service providers that service the public are prohibited from revealing the content of electronic communications that the store, with limited exceptions for permissible disclosure.

Are There Exceptions to When Disclosure is Permissible?

When a sender transmits an email, he or she is sending an electronic communication to an intended recipient through the services and infrastructure provided by an internet service provider. There are certain circumstances in which internet service providers and remote computing services providers are permitted to disclose the contents of electronic communications that they are storing on their servers. These exceptions to the Stored Communications Act include:

• Disclosure to the intended recipient or an agent of the intended recipient. For instance, it is permissible for an internet service provider to disclose the contents of the electronic communication (e.g., an email) to the addressed intended recipient of the electronic communication.
• With the lawful consent of the communications originator, addressee or intended recipient. If the author of the electronic communication, or the recipient or intended recipient consents to the disclosure of the contents of the electronic communication, then an internet service provider is permitted to disclose.
• Third parties employer or authorized to forward the communication to its destination. An electronic communication might have to pass through individuals in order to get to its intended recipient and these individuals are generally implicitly authorized to access the content of electronic communications.
• Disclosure is incident to providing service. It may be necessary for an employee of a internet service provider to access an electronic communication in order to forward the communication on as appropriate, i.e., the employee must know where the communication must be sent in order to get the communication to the intended recipient.
• Disclosure is necessary in order to protect the rights or property of the service provider. When the service provider’s property is placed into jeopardy, it may be permissible to disclose the contents of private electronic communications.
• Disclosure to law enforcement. Disclosure may be permissible to law enforcement, for instance, as part of an ongoing criminal investigation.
• Disclosure to a government entity in limited circumstances. There could be situations in which an ISP may disclose the contents of an electronic communication to a governmental entity. That may include the police, if it is believed that there is an emergency concerning danger of death or serious physical injury of someone.

Privacy in the Digital Age

The Stored Communications Act was meant to address aspects of privacy in the digital age that the Fourth Amendment of the Constitution does not address. The law applies to electronic communications handled and stored by internet service providers and remote computing service providers and prevents the knowing and voluntary disclosure of the contents of user’s electronic communications.

Government Access to Stored Communications: The Legal Framework

Beyond voluntary disclosure, the SCA also governs when the government can compel disclosure of stored electronic communications. The statute draws a critical distinction between content and non-content data. Under 18 U.S.C. § 2703, the government must obtain a warrant based on probable cause to compel disclosure of the actual contents of stored electronic communications held by a provider for 180 days or less. For communications stored more than 180 days, the original statute permitted compelled disclosure with a mere subpoena and notice to the subscriber — a rule that modern courts have increasingly found inadequate under the Fourth Amendment following Carpenter v. United States, 585 U.S. 296 (2018).

Non-content data — sometimes called metadata — receives weaker protection under the SCA. Records such as subscriber identity, billing information, IP addresses, and connection logs can be obtained by the government through a court order under 18 U.S.C. § 2703(d), which requires only a showing that the records are relevant and material to an ongoing investigation. This two-tier approach reflects Congress’s judgment in 1986 that metadata is less sensitive than content, though that assumption is hotly contested in contemporary litigation as metadata increasingly reveals detailed pictures of individuals’ private lives.

Civil Liability Under the SCA

The SCA is not merely a limitation on government conduct — it also creates a private right of action against private parties who improperly access or disclose stored electronic communications. Under 18 U.S.C. § 2707, any person aggrieved by a violation of the SCA may bring a civil action against the entity that committed the violation. Available remedies include actual damages (with a statutory floor of $1,000 per violation), punitive damages where the violation was willful or intentional, and reasonable attorney’s fees.

Employers who access employee email accounts, businesses that improperly share customer communications, and third parties who intercept stored messages without authorization have all faced SCA civil liability. Notable cases include Konop v. Hawaiian Airlines, Inc., 302 F.3d 868 (9th Cir. 2002), where the court held that an employer’s access to a password-protected employee website could constitute an SCA violation, and Pietrylo v. Hillstone Restaurant Group, 2009 WL 3128420 (D.N.J. 2009), where a restaurant chain was found liable under the SCA for accessing a private employee MySpace group using credentials obtained through coercion.

The SCA in the Workplace Context

Employers face recurring SCA questions when investigating employee misconduct, responding to litigation holds, or implementing workplace monitoring programs. Whether an employer can access an employee’s work email account stored on a third-party cloud platform, such as Gmail or Microsoft 365, without the employee’s consent implicates both the SCA’s authorization provisions and employment law principles. Courts have generally held that an employer’s written policy granting it access to company accounts satisfies the consent exception, but the scope of that consent is often disputed.

The risk of SCA liability in employment investigations makes it essential for businesses to work with experienced internet law attorneys before accessing stored communications — even communications stored on employer-owned infrastructure. A misstep can expose the employer not only to civil liability but also to exclusion of evidence in litigation or regulatory proceedings.

Interaction with ECPA and the Fourth Amendment

The SCA is one component of the broader Electronic Communications Privacy Act of 1986 (ECPA), which also includes the Wiretap Act (Title I) and the Pen Register Act (Title III). The Wiretap Act covers interception of communications in real-time transit, while the SCA covers communications at rest in storage. Understanding which statute applies to a given fact pattern is critical for both litigants and compliance counselors.

Courts have increasingly applied Fourth Amendment principles to SCA analysis in the wake of Carpenter, where the Supreme Court held that government access to seven days of cell-site location information constitutes a search requiring a warrant. Lower courts are wrestling with how broadly Carpenter‘s reasoning extends to email, social media messages, and other stored communications. Businesses and individuals that believe their stored communications have been accessed improperly by a government actor should consult with counsel familiar with the evolving intersection of the SCA and the Fourth Amendment.

Practical Implications for Businesses

For any business that transmits, stores, or handles electronic communications on behalf of customers or employees, the SCA creates significant compliance obligations and litigation risk. Service providers — a category that now encompasses a wide range of cloud-based business applications — must understand which compelled disclosure requests are legally sufficient and which require a warrant. Responding to an invalid subpoena by disclosing customer communications without requiring a valid legal process can expose the provider to SCA civil liability.

Businesses should maintain a clear, written policy governing how law enforcement requests for stored communications are handled, designate a person responsible for reviewing such requests, and retain experienced counsel for review before any disclosure is made. Equally important is a comprehensive privacy policy that accurately describes how stored communications are protected and under what circumstances they may be disclosed.

Contact a Stored Communications Act Lawyer

Whether you are a service provider evaluating a government disclosure request, an employer conducting a workplace investigation, or an individual whose private communications have been improperly accessed, the attorneys at Revision Legal can help. We advise businesses on SCA compliance, represent parties in SCA civil litigation, and counsel clients on the intersection of federal privacy statutes with emerging Fourth Amendment doctrine. Contact us using the form on this page or call us at 855-473-8474.