Utah Sets Limits on Law Enforcement’s Ability to Gather Individuals’ Electronically Transmitted Data

Utah enacted a sweeping data privacy law that affects how employers and corporations respond to police demands for data. With this new law, Utah becomes the first state to protect electronic information individuals disclose to third parties.

Utah’s law requires a search warrant for a law enforcement agency conducting a criminal investigation or prosecution to obtain (i) location information, stored data, or transmitted data of an electronic device or (ii) electronic information or data transmitted by the owner of the electronic information or data to a remote computing processing center. The law further provides that any use of the information gathered must be related to the subject or objective of the warrant. 

Legally, Utah’s new law is an outgrowth of developing federal law in the area of data privacy. The “third party doctrine” provides that individuals have no reasonable expectation of privacy when they share their data with a third party. Court decisions over the last decade eroded this doctrine, however. In 2010, the Sixth Circuit held that the government may not compel a commercial ISP to turn over the contents of a subscriber’s emails without a warrant.  In 2012, the Supreme Court decided that installing a GPS tracking device on a vehicle and using the device to monitor the vehicle’s travels constituted a Fourth Amendment search. Two years later, the Supreme Court held that the police generally may not search digital information on a cellphone seized from an arrestee without a warrant. And last summer, the Supreme Court ruled that law enforcement could no longer access a person’s cell phone location data from a third-party provider without a warrant and invited legislatures to craft broader data privacy protections.

Practically, Utah’s action comes on the heels of a New York Times article detailing how Google allows law enforcement to access its Sensorvault database, which contains location records involving hundreds of millions of devices worldwide. According to the New York Times, Google opens its Sensorvault data from its users’ phones in response to warrants from law enforcement agencies around the country, without the individuals’ consent.

Businesses will need to reevaluate their procedures for responding to law enforcement data demands in the wake of the new warrant requirement in Utah. Other technologically sophisticated states, such as California or New York, may take the Utah legislature’s lead.