What is the Federal Electronic Communications Privacy Act (ECPA)?
The Electronic Communications Privacy Act (ECPA) is a federal law that establishes standards for access to private information transmitted and stored on the Internet, such as emails, photos, or direct messages.
What does ECPA do?
ECPA sets “Privacy On” by default. The Act requires every provider of electronic communications to obtain lawful consent before releasing the contents of communications. This consent can be provided by only:
- The originator of the electronic communication;
- The addressee; or
- The intended recipient.
Failure of an online service provider to obtain lawful consent can result in private lawsuits by any person aggrieved by the disclosure.
Why should we treat letters and emails differently when it comes to fiduciary access?
Stored communications, like emails and tweets, are significantly different from letters. Unlike letters, which require an affirmative step to store, emails and messages are stored by default, require several steps to delete, and involve a third-party custodian that has responsibility by federal law to protect the privacy of the communications.
Also, due to their immediate nature, users treat electronic communications more like voice communications than like letters – and thus should receive a greater degree of privacy protection than letters. Finally, if someone stores letters under their bed or in a closet, they can expect discovery of the letters when someone cleans their room when they die. They likely do not expect the same for their confidential online communications.
Why does UFADA (Revised) only allow access to records or contents subject to a will?
ECPA distinguishes between content and transactional information, such as who is the sender or the recipient of an email. This means fiduciaries can see with whom the decedent communicated, such as banks, real estate companies, etc., and then contact those entities on behalf of the estate to gain details about the account – all without accessing the private information of the decedent or other persons contained in the emails.
ECPA allows disclosure to fiduciaries with lawful consent – i.e. a will expressly granting the disclosure. But service providers expose themselves to civil liability resulting from improper disclosure. This is why a will and indemnification are needed for disclosure of contents.
What are the problems with a disclose everything approach?
The disclose everything by default approach considers only the fiduciary’s interests. It disregards the interests of the deceased, existing federal law, and it does not protect the communications of the people who corresponded with the deceased – including highly confidential communications (e.g. with doctors, psychiatrists, addiction counselors, and clergy).
Some flaws of this approach:
- Disregards the privacy interests of third parties and decedents by essentially creating a “show me everything” rule for whoever becomes the fiduciary.
- Allows fiduciaries to obtain unfettered access to communications that the decedent understood would be kept private, and it leaves many open questions that can only be resolved through litigation.
- Can sometimes require users to twice opt-in to protecting their privacy by consenting to a fiduciary’s access in both their online account and Unless users makes these affirmative choices, everything in their online accounts is disclosed.
- Puts businesses at odds in complying with federal or state law. States cannot override federal laws, nor can a state indemnify a business from legal liability under a federal law, unless the state is willing to accept the liability. So businesses must choose whether to follow state or federal law.