
Every text you send, every email you write, and every call you make travels through invisible pipelines, and somewhere along the way, someone may be collecting this data. The Electronic Communications Privacy Act (ECPA) was designed to stop that. Passed in 1986, it was revolutionary for its time. But the internet it was written to govern looks nothing like the internet we interact with today.
Understanding ECPA is critical if you've ever wondered whether your communications are truly private, whether a company can share your data without your permission, or whether you have legal recourse when someone intercepts your messages without consent.
Congress enacted the Electronic Communications Privacy Act to extend government restrictions on wiretapping to include digital communications. At its core, ECPA prohibits unauthorized interception of wire, oral, and electronic communications, and it covers both government actors and private individuals.
The law is divided into three major parts, often referred to as titles:
Together, these three titles create a framework that touches nearly every form of electronic communication. But the details matter enormously, and so do the exceptions.
When ECPA functions as intended, it creates meaningful barriers to surveillance. Here's what that looks like in real terms:
If law enforcement wants to read your emails, they must comply with the SCA. For emails stored fewer than 180 days, they generally need a warrant backed by probable cause.
If your employer, a competitor, or a third-party vendor intercepts your business communications without consent, you may have a federal civil claim. ECPA allows victims to sue for actual damages, statutory damages of at least $10,000, punitive damages in egregious cases, and attorney's fees.
If a data broker or analytics company accesses your stored messages without authorization, the Stored Communications Act may give you standing to pursue a lawsuit even without proving concrete financial harm.
Despite its scope, ECPA has significant blind spots that leave millions of Americans exposed.
Because ECPA has limits, privacy attorneys increasingly rely on a patchwork of complementary laws to protect clients:
The California Consumer Privacy Act (CCPA) and CPRA give California residents the right to know what data is collected, the right to delete it, and the right to opt out of its sale. Companies that violate these laws face fines and consumer lawsuits.
The Computer Fraud and Abuse Act (CFAA) can apply when someone accesses a system or account without authorization — including former partners who access your email account, employers who exceed authorized access, or hackers who breach databases holding your information.
State wiretapping laws in states like Illinois, Maryland, and Pennsylvania require all parties to consent before a communication can be recorded. These laws often provide broader protection than ECPA.
HIPAA protects health information held by covered entities and business associates. When a healthcare company suffers a breach or improperly discloses your records, HIPAA enforcement follows.
The Illinois Biometric Information Privacy Act (BIPA) has become one of the most powerful privacy statutes in the country, allowing individuals to sue companies that collect fingerprints, facial scans, or other biometric data without proper consent.
1. In re: Google LLC Street View Electronic Communications Litigation (9th Cir., 2023) — Plaintiffs alleged that Google's Street View vehicles intercepted payload data from unencrypted Wi-Fi networks. The Ninth Circuit allowed Wiretap Act claims to proceed, rejecting Google's argument that the data was "readily accessible to the general public."
2. Facebook v. Duguid (U.S. Supreme Court, 2021) — While centered on the TCPA, this case shaped how courts think about automated digital communications and consent, with wide-ranging implications for how companies can reach individuals using stored number lists.
3. Brickman v. Fitbit (N.D. Cal., 2022) — Users sued Fitbit under the SCA and state privacy statutes, alleging the company disclosed health and location data to third-party advertisers without adequate consent. The case settled for a significant sum and required policy changes.
4. Patel v. Facebook (9th Cir., 2019) — In a landmark BIPA ruling, the court found that Facebook's facial recognition feature violated Illinois law without concrete injury being required. The case ultimately settled for $650 million.
5. In re: TikTok, Inc. Consumer Privacy Litigation (N.D. Ill., 2022) — A consolidated class action alleged TikTok collected biometric data, browsing history, and device information without proper disclosure or consent. Claims under BIPA, ECPA, and state law proceeded past early dismissal motions.

Data privacy violations don't always come with obvious signs. You might have a claim if:
These situations may give rise to claims under ECPA, state privacy statutes, BIPA, the CFAA, or other applicable law. The key is getting a qualified legal evaluation before time runs out, because statutes of limitations on privacy claims can be short.
The Lyon Firm focuses on representing individuals whose digital privacy has been violated. In an era where corporations and institutions hold more personal data than ever, having experienced counsel is essential.
We understand the technology. Privacy litigation is technical. Our attorneys know how data flows, how consent mechanisms work, and where companies typically cut corners. That knowledge shapes every case we build.
We know the statutes. From ECPA and the SCA to BIPA, CCPA, and state wiretapping laws, The Lyon Firm stays current on the legal tools available to protect your rights. We pursue every viable avenue.
We work on contingency. In most data privacy cases, you pay nothing unless we recover for you. That means cost is never a barrier to finding out whether you have a claim.
We hold companies accountable. Large corporations count on individuals not knowing their rights — or not having the resources to assert them. We exist to change that equation.
We are actively investigating data privacy violations. If you believe your communications were intercepted, your biometric data was collected without consent, your health records were exposed, or your personal data was sold without authorization, contact The Lyon Firm today for a free, confidential consultation.
Taking the first step doesn’t have to be complicated. In just a few minutes, you can share the basics of your case, and our team will guide you from there: