What Is the ECPA? Electronic Communications Privacy Act

The ECPA is the Electronic Communications Privacy Act of 1986, Pub. L. 99-508, the federal law that sets baseline rules for intercepting phone calls, emails, and other electronic communications in the United States. It has three titles: the Wiretap Act, the Stored Communications Act, and the pen register statute.
Information last verified on 2026-07-08. This article has not yet been reviewed by a licensed lawyer.
What does ECPA stand for?
ECPA stands for the Electronic Communications Privacy Act of 1986, Pub. L. 99-508. Congress passed it to extend the older 1968 Wiretap Act, which had covered wire and oral communications like phone calls, to the newer world of email, pagers, and computer-to-computer data transmission. It did that by amending the existing Wiretap Act and adding two entirely new sets of rules, the Stored Communications Act and the pen register statute, so that "ECPA" today refers to a package of three related but distinct laws codified at 18 U.S.C. §§ 2510-2523, 2701-2713, and 3121-3127.
What does the ECPA actually do?
ECPA is not a single rule. It has three titles, and knowing which one applies to a given fact pattern is the key to using it correctly.
- Title I, the Wiretap Act (18 U.S.C. §§ 2510-2523). Prohibits intentionally intercepting a wire, oral, or electronic communication while it is being transmitted, in real time. This is the part of ECPA people usually mean when they ask "is it legal to record this conversation."
- Title II, the Stored Communications Act (18 U.S.C. §§ 2701-2713). Prohibits intentionally accessing a stored communication, such as an email sitting in an inbox or a voicemail, without authorization. It also sets the process the government must follow to compel a provider to disclose stored content. See our Stored Communications Act Explained for the full depth on this title.
- Title III, pen register and trap-and-trace (18 U.S.C. §§ 3121-3127). Regulates devices or processes that capture dialing, routing, addressing, or signaling metadata about a communication, not its content. Installing one without a court order is a federal crime under 18 U.S.C. § 3121.
Who has to follow the ECPA?
ECPA binds everyone: private individuals, businesses, communications providers, and the government, though each faces different rules under it. A private individual recording their own conversation is governed by the one-party consent rule in 18 U.S.C. § 2511(2)(d). A communications provider, an email host or a phone carrier, gets a narrower exception under 18 U.S.C. § 2511(2)(a)(i) to monitor its own network for abuse, fraud, or service delivery, but cannot sell communication content to third parties under that exception. Government investigators face the strictest rules of all: intercepting a live communication requires a Title III super-warrant under 18 U.S.C. §§ 2516-2518, while compelling a provider to hand over stored data follows the tiered warrant, court-order, and subpoena framework set out in 18 U.S.C. § 2703.
The ECPA's most important rule: one-party consent
For most everyday recording questions, the rule that matters is 18 U.S.C. § 2511(2)(d): a participant in a phone call, in-person conversation, or video call may record it without telling the other participants, unless the recording is made for the purpose of committing a crime or a tort. That is a federal floor, not a ceiling, so it applies everywhere in the United States unless a stricter state law displaces it for in-state recordings. Roughly 12 states, including California under its Invasion of Privacy Act, require the consent of every party instead. The full penalty structure, the tortious-purpose exception, and how the federal floor interacts with those stricter state laws are covered in depth in Federal Wiretap Act and ECPA: The Complete Guide (2026).
Is the ECPA the same as HIPAA or GDPR?
No. ECPA is a US federal statute about intercepting and accessing communications; it predates HIPAA (health-information privacy, 1996) and the EU's GDPR (data protection, 2018) and addresses a narrower problem. HIPAA governs how covered health entities handle protected health information. GDPR is a European data-protection regulation with no direct US analogue. ECPA does not regulate general data collection; it targets interception of communications in transit and unauthorized access to communications already in storage.
Frequently asked questions
Disclaimer
This article provides general legal information about the Electronic Communications Privacy Act of 1986, Pub. L. 99-508, as verified on 2026-07-08. It does not constitute legal advice and does not create an attorney-client relationship. Readers should consult a lawyer licensed in their jurisdiction before recording a conversation or accessing stored communications.
Related articles
- Federal recording laws: the complete hub
- Federal Wiretap Act and ECPA: The Complete Guide (2026)
- Stored Communications Act Explained
- One-party consent states: full list and rules
Last updated: 2026-07-08. Statutes cited reflect their in-force version as of 2026-07-08.
Frequently Asked Questions
What does ECPA stand for?
ECPA stands for the Electronic Communications Privacy Act of 1986, Pub. L. 99-508. It is the federal law that governs intercepting live communications, accessing stored communications, and installing pen register or trap-and-trace devices in the United States.
When was the ECPA passed?
Congress enacted the Electronic Communications Privacy Act on October 21, 1986, as Pub. L. 99-508. It amended the 1968 Wiretap Act and added the Stored Communications Act and the pen register statute as new titles.
Does the ECPA apply to text messages?
Yes, in two different ways depending on timing. A text message intercepted while it is being transmitted falls under the Wiretap Act, 18 U.S.C. 2510-2523. A text message already delivered and sitting on a phone or with a carrier falls under the Stored Communications Act, 18 U.S.C. 2701-2713, if someone accesses it without authorization.
What is the difference between the ECPA and the Wiretap Act?
The Wiretap Act is one part of the ECPA, specifically Title I, codified at 18 U.S.C. 2510-2523. The ECPA as a whole also includes Title II, the Stored Communications Act, and Title III, the pen register and trap-and-trace statute. People often use 'ECPA' and 'Wiretap Act' interchangeably, but the Wiretap Act is narrower.
Does the ECPA apply outside the United States?
The ECPA is a US federal statute and its core prohibitions apply to conduct and communications connected to the United States. Cross-border data requests to US providers are also addressed by the CLOUD Act, enacted in 2018, which amended the Stored Communications Act at 18 U.S.C. 2713 to address preservation and disclosure of data regardless of where it is stored.
What happens if someone violates the ECPA?
It depends on which title. A Wiretap Act violation is a federal felony punishable by up to five years under 18 U.S.C. 2511, plus civil damages with a $10,000 per-violation floor under 18 U.S.C. 2520. A Stored Communications Act violation carries criminal penalties under 18 U.S.C. 2701(b) and a separate civil remedy with a $1,000 floor under 18 U.S.C. 2707.
Sources and References
- Electronic Communications Privacy Act of 1986, Pub. L. 99-508(congress.gov).gov
- 18 U.S.C. § 2510: ECPA Title I definitions(uscode.house.gov).gov
- 18 U.S.C. § 2511: Wiretap Act prohibition and one-party consent exception(uscode.house.gov).gov
- 18 U.S.C. § 2701: Stored Communications Act, ECPA Title II(uscode.house.gov).gov
- 18 U.S.C. § 3121: pen register and trap-and-trace prohibition, ECPA Title III(uscode.house.gov).gov