Stored Communications Act Explained: 18 U.S.C. § 2701

The Stored Communications Act, 18 U.S.C. §§ 2701-2713 (ECPA Title II), makes it a federal offense to access stored emails, voicemail, or cloud data without authorization. Unlike the Wiretap Act, it governs communications already at rest, not communications intercepted in real time.
Information last verified on 2026-07-08. This article has not yet been reviewed by a licensed lawyer.
Jurisdiction scope: This article addresses the federal Stored Communications Act, 18 U.S.C. §§ 2701-2713 (ECPA Title II), and its interaction with Fourth Amendment case law. It does not address state computer-crime or data-breach statutes, and it does not re-derive the Wiretap Act's one-party consent rule; for that, see Federal Wiretap Act and ECPA: The Complete Guide.
What the SCA regulates: data at rest, not data in transit
The Stored Communications Act prohibits intentionally accessing, without authorization, a facility through which an electronic communication service is provided, and thereby obtaining, altering, or preventing authorized access to a wire or electronic communication while it is in electronic storage (18 U.S.C. § 2701(a)). "Electronic storage" has a specific statutory meaning, borrowed from the Wiretap Act's definitions section: temporary or intermediate storage of a communication incidental to its transmission, plus any storage by a communications service for backup protection of that communication (18 U.S.C. § 2510(17)). The practical effect is a bright dividing line from the Wiretap Act: the Wiretap Act punishes catching a communication as it moves, while the SCA punishes reaching into somewhere a communication already sits, an inbox, a voicemail box, a cloud drive, after transmission has finished. Reading a coworker's already-delivered email without permission, logging into an ex-partner's cloud photo account, or a company accessing a former employee's stored messages without authorization are all SCA questions, not Wiretap Act questions, because the communication is being accessed where it already sits, not intercepted.
The unauthorized-access prohibition and its three exceptions
Section 2701(a) is the SCA's core prohibition, and it is a criminal statute: unauthorized access is punished by up to five years' imprisonment for a first offense committed for commercial advantage, malicious destruction or damage, or in furtherance of a criminal or tortious act, up to ten years for a repeat offense in that category, or up to one year for a first offense in any other case and up to five years for a repeat offense (18 U.S.C. § 2701(b)). Three exceptions in Section 2701(c) narrow that prohibition considerably. The provider exception authorizes conduct by the person or entity providing the communications service itself, so a webmail provider accessing its own servers to operate the service is not violating Section 2701. The user exception authorizes conduct by a user of the service with respect to a communication of or intended for that user, so an account holder accessing their own stored messages is not violating Section 2701, and this exception is the practical basis for describing SCA access as "authorized" when the account holder consents. The statutory-process exception authorizes conduct carried out under Sections 2703, 2704, or 2518, the SCA's and Wiretap Act's own compelled-disclosure and warrant provisions, so a provider that complies with a valid warrant or court order is not liable under Section 2701 for doing so.
Voluntary disclosure versus required disclosure: Sections 2702 and 2703
The SCA separates two questions that are easy to conflate. Section 2702 governs when a provider may voluntarily disclose a customer's stored content or records, generally prohibiting disclosure to any non-governmental entity except to the originator or an addressee, with the customer's lawful consent, to protect the provider's own rights or property, to the National Center for Missing and Exploited Children, or in a genuine emergency involving danger of death or serious injury. Section 2703 governs when the government can compel disclosure regardless of the provider's own wishes. A provider that hands over customer content to police voluntarily, outside Section 2702's narrow exceptions and without a valid Section 2703 process behind it, faces its own SCA exposure.
The government-access framework: warrant, court order, or subpoena
Section 2703 sets a tiered structure for what process the government needs, depending on the category of data sought. Under Section 2703(a), the government must obtain a warrant, issued under the Federal Rules of Criminal Procedure or an equivalent state warrant procedure, to compel disclosure of the contents of communications held in electronic storage. Under Section 2703(b), contents held by a remote computing service can be obtained either through a warrant, without prior notice to the subscriber, or through an administrative subpoena or a Section 2703(d) court order, generally with notice to the subscriber that can be delayed under Section 2705 in appropriate cases. Under Section 2703(c), non-content subscriber and transactional records, name, address, session times, and similar account information, can be obtained through a warrant, a Section 2703(d) court order, the subscriber's own consent, or in some cases an administrative or grand jury subpoena, a materially lower bar than what content requires. A Section 2703(d) order itself requires the government to offer specific and articulable facts showing reasonable grounds to believe the records sought are relevant and material to an ongoing investigation, a standard well below Fourth Amendment probable cause.
Warshak and the practical end of the storage-age distinction
As originally written, the SCA drew a line based on how long content had been stored: content held 180 days or less required a warrant, while older content could be obtained with only a subpoena or a Section 2703(d) order. The Sixth Circuit rejected that distinction as a matter of constitutional law in United States v. Warshak, 631 F.3d 266 (6th Cir. 2010), holding that email users retain a reasonable expectation of privacy in email content held by a commercial provider, so the Fourth Amendment requires a probable-cause warrant regardless of the email's age. The underlying communications were still admitted at trial there, because the government agents had relied in good faith on the SCA's then-existing text, but the decision changed practice nationwide: DOJ and FBI policy now calls for a warrant for stored content regardless of age, and most major providers will not release content without one, even though Warshak is formally binding only within the Sixth Circuit (Kentucky, Michigan, Ohio, and Tennessee).
Carpenter v. United States and the limits of a Section 2703(d) order
Carpenter v. United States, 585 U.S. 296 (2018), addressed a different category of SCA-governed data: historical cell-site location information (CSLI). Prosecutors had used Section 2703(d) orders, not warrants, to obtain 127 days of a suspect's CSLI from his wireless carriers, cataloging his movements near several robbery locations. The Supreme Court held that compelling this category of data through a mere Section 2703(d) order violates the Fourth Amendment; before compelling a carrier to turn over historical CSLI, the government must get a warrant. The Court was explicit that its holding was narrow: it did not disturb the general third-party doctrine, and it left real-time CSLI, tower dumps, and other business records untouched. Carpenter's effect on SCA practice is significant but bounded, it forecloses the Section 2703(d) route specifically for historical cell-site records, without rewriting the rest of Section 2703's tiered framework.
Civil and criminal liability under the SCA
Beyond the criminal penalties in Section 2701(b) described above, Section 2707 gives any provider, subscriber, or other person aggrieved by a knowing or intentional SCA violation a private right of action. A prevailing plaintiff can recover the sum of actual damages and any profits made by the violator, subject to a $1,000 statutory-damages floor, punitive damages where the violation was willful or intentional, and reasonable attorney fees and litigation costs. A defendant has a complete defense for good-faith reliance on a court warrant or order, a grand jury subpoena, a legislative authorization, or a good-faith determination that the conduct was permitted under the statute. A civil action under Section 2707 must be brought within two years of the date the claimant discovered, or reasonably should have discovered, the violation.
SCA versus Wiretap Act: resolving the confusion
The two statutes are frequently conflated because both come from the same 1986 legislation and both can apply to the same underlying dispute at different moments in time. The distinction that matters is timing, not the type of technology involved.
| Fact pattern | Governing statute | Typical government-access standard |
|---|---|---|
| A phone call is being listened to while it is happening | Wiretap Act (18 U.S.C. §§ 2510-2523) | Title III super-warrant (18 U.S.C. §§ 2516-2518) |
| An email sitting in an inbox is read without authorization | Stored Communications Act (18 U.S.C. §§ 2701-2713) | Warrant under 18 U.S.C. § 2703(a), per Warshak |
| Historical cell-site location records are sought from a carrier | Stored Communications Act | Warrant, per Carpenter, not a bare § 2703(d) order |
| Basic subscriber account information is sought from a provider | Stored Communications Act | Subpoena, consent, or § 2703(d) order under § 2703(c) |
For a full walkthrough of the Wiretap Act side of that table, including its penalties, exceptions, and interaction with state consent laws, see Federal Wiretap Act and ECPA: The Complete Guide (2026). For the bigger picture of how both statutes fit alongside state laws like CIPA, see Federal recording laws: the complete hub.
Frequently asked questions
Disclaimer
This article provides general legal information about the Stored Communications Act, 18 U.S.C. §§ 2701-2713, as verified on 2026-07-08. It does not constitute legal advice and does not create an attorney-client relationship. The application of this law depends on specific facts, including the type of data at issue, how it was accessed, and the jurisdiction involved. Readers should consult a lawyer licensed in their jurisdiction before accessing another person's stored communications or responding to a government request for stored data.
Related articles
- Federal recording laws: the complete hub
- Federal Wiretap Act and ECPA: The Complete Guide (2026)
- What Is the ECPA?
- CIPA: California Invasion of Privacy Act Explained
Last updated: 2026-07-08. Statutes cited reflect their in-force version as of 2026-07-08.
Frequently Asked Questions
Is reading someone's stored text messages a Wiretap Act violation or an SCA violation?
It is a Stored Communications Act question, 18 U.S.C. 2701, because the messages already came to rest in storage on a device or with a carrier. The Wiretap Act, 18 U.S.C. 2510-2523, applies only to communications intercepted while they are being transmitted.
Does the SCA require a warrant for old emails?
The statute's text originally allowed a subpoena or court order for content stored more than 180 days, but United States v. Warshak, 631 F.3d 266 (6th Cir. 2010), held the Fourth Amendment requires a warrant for email content regardless of age, and DOJ and FBI policy now follow that practice nationwide.
Can my employer access my work email under the SCA?
Often yes, under the provider exception in 18 U.S.C. 2701(c)(1), because employers typically operate or contract for the email service itself. This is a general description, not an assessment of any specific employer's policy or a specific employee's situation.
What is the SCA's provider exception?
Section 2701(c)(1) exempts conduct authorized by the person or entity providing the wire or electronic communications service. It allows a communications provider to access its own systems to operate the service, but it does not authorize selling or disclosing communication content beyond that scope.
Does Carpenter v. United States mean the government always needs a warrant for stored data?
No. Carpenter, 585 U.S. 296 (2018), held that a warrant is required specifically for historical cell-site location records obtained under 18 U.S.C. 2703(d). The Court expressly limited its holding and did not disturb the SCA's lower standards for other categories of data, such as basic subscriber records.
What are the penalties for violating the SCA?
Criminal penalties under 18 U.S.C. 2701(b) range from up to one year for a first offense with no aggravating purpose to up to ten years for a repeat offense committed for commercial advantage or a tortious purpose. Civil plaintiffs can recover actual damages, a $1,000 statutory floor, punitive damages, and attorney fees under 18 U.S.C. 2707.
How long do I have to sue under the SCA?
18 U.S.C. 2707 sets a two-year limitations period, running from the date the claimant discovered the violation or reasonably should have discovered it.
Sources and References
- 18 U.S.C. § 2701 via Cornell LII: unauthorized access to stored communications, penalties, and exceptions(law.cornell.edu)
- 18 U.S.C. § 2702 via Cornell LII: voluntary disclosure of customer communications or records(law.cornell.edu)
- 18 U.S.C. § 2703 via Cornell LII: required disclosure of customer communications or records(law.cornell.edu)
- 18 U.S.C. § 2707 via Cornell LII: SCA civil action, $1,000 statutory damages floor, two-year limitations period(law.cornell.edu)
- 18 U.S.C. § 2711 via Cornell LII: definitions for the Stored Communications Act chapter(law.cornell.edu)
- 18 U.S.C. § 2510(17): statutory definition of 'electronic storage'(uscode.house.gov).gov
- United States v. Warshak, 631 F.3d 266 (6th Cir. 2010): warrant required for stored email content regardless of age(courtlistener.com)
- Carpenter v. United States, 585 U.S. 296 (2018): official slip opinion, warrant required for historical CSLI obtained via § 2703(d) order(supremecourt.gov).gov
- Electronic Communications Privacy Act of 1986, Pub. L. 99-508, source of the Stored Communications Act (Title II)(congress.gov).gov