Cell Phone Privacy Laws: Key Regulations to Know

02.05.25 - 3 min read

Our mobile phones hold vast amounts of personal information—photos, messages, locations, even biometric data. This wealth of information makes them indispensable tools for daily life but also prime targets for surveillance by businesses, government agencies, and malicious actors.

Beyond adjusting your device settings to protect your privacy, it’s essential to understand your rights under cell phone privacy laws. This post breaks down key laws and regulations, what they mean for you, and how you can better protect your data.

Your Fundamental Rights

The Fourth Amendment protects you from unreasonable search and seizure by the government, but how does this apply to cell phones? Two major Supreme Court cases have set outer boundaries for federal, state, local, and corporate actors:

  1. Riley v. California
    In this case, the Court ruled that law enforcement cannot search a cell phone without a warrant, even if they arrest the phone’s owner. This decision was significant because the Court recognized that the wealth of personal information stored on cell phones made a search far more invasive than checking a person’s wallet or bag.

    How this applies to you: Authorities cannot legally search your cell phone without a warrant; however, there are ways this protection can be bypassed. For instance, law enforcement may use hacking tools to access phone data or subpoena cloud backups stored by companies like Apple or Google.
  2. Carpenter v. United States
    This case saw law enforcement using location data stored by a suspect’s carrier to track his movement. The Court ruled that this action violated the suspect’s Fourth Amendment rights, recognizing that cell phone location data is inherently private and should be protected from unwarranted searches.

    How this might apply to you: Law enforcement must obtain a warrant to access your location data stored by carriers. However, this protection isn’t absolute. In practice, authorities often use emergency exceptions to access data without a warrant. Additionally, carriers and data brokers continue to sell de-identified location data, which can be traced back to individuals, allowing third parties and law enforcement to access this information without judicial oversight. In other words, if authorities can simply buy the location data on the commercial market, they don't need a warrant.

Federal Law and Regulations

  1. Electronic Communications Privacy Act (ECPA)
    The ECPA regulates law enforcement’s ability to intercept and access digital communications such as emails and text messages. It sought to balance the privacy expectations of citizens with the legitimate needs of law enforcement.

    How this might apply to you: Under the ECPA, authorities generally cannot access the content of your texts or calls without a warrant. However, they may access text or call metadata—such as timestamps, phone numbers, and call durations—with less stringent requirements, such as a subpoena or court order, rather than a warrant.

    Critics argue that even metadata can reveal sensitive personal patterns and associations, such as who you communicate with, how often, and when, raising significant privacy concerns. While the ECPA requires legal authorization, the lower threshold for accessing metadata has been criticized for not providing the same level of protection as the content of communications.
  2. Telecommunications Act
    This Act requires telcos to protect the confidentiality of Consumer Proprietary Network Information (CPNI) and regulates how they use it. CPNI is generally any information that appears on your phone bill, including details about your subscription plan, phone numbers you called, and the time, duration and location of your calls.

    How this applies to you and your telco:
      • Your carrier must protect your CPNI.
      • Your carrier can only use your CPNI to provide you with phone service or other services necessary for provision of this phone service.
      • Your carrier can market new services and promotions to existing customers, provided they have obtained your consent.
    While CPNI can also be used in other ways, such as with third parties for marketing and advertising, your carrier must obtain your consent before doing so. Depending on your carrier, you may need to actively opt out of such data-sharing programs. See our if you’re a customer of AT&T, Verizon, and T-Mobile.
  3. Communications Assistance for Law Enforcement Act (CALEA)
    CALEA was enacted partly to fill the gaps left by the ECPA to ensure that law enforcement can still conduct certain types of communications surveillance when needed. This law requires telcos to have the technical capabilities to facilitate lawful surveillance.

    How this applies to telcos: When presented with a warrant, telcos are legally obligated to support law enforcement with communication interception, including:
      • intercepting texts and calls as they are being sent or received,
      • sharing text and call metadata, and communications content with law enforcement.
  4. Computer Fraud and Abuse Act (CFAA)
    The CFAA criminalizes unauthorized access to protected computers and networks. The Court recognizes that “protected computers” include the mobile phones we use today, as they perform many functions traditionally associated with computers, like internet browsing, email, and data storage.

    How this might apply to you: Anyone who accesses your cell phone, private messages, photos, location, and other data without authorization, such as through hacking, phishing, or malware, is violating this law.
  5. Children’s Online Privacy Protection Act (COPPA)
    COPPA restricts the collection of data from children under 13. It applies to websites, online services, and mobile apps. Under this law, the Federal Trade Commission (FTC) requires developers to obtain verifiable parental consent before collecting data from their users.

    How this might apply to you: Before a site, service, or mobile app collects data from children under 13 years old, they must obtain parents’ verifiable consent through acceptable methods established by the FTC, among other privacy and security measures. For more information, see the FTC’s and .
  6. Foreign Intelligence Surveillance Act (FISA)
    This law allows intelligence agencies to monitor electronic communications, including phone calls and text messages, for national security purposes. The law’s primary focus is on the surveillance of foreign nationals, but it also has implications for citizens.

    How this might apply to you: Law enforcement can:
      • intercept communications (content and metadata) of foreign nationals with judicial approval from the Foreign Intelligence Surveillance Court,
      • access stored communication data of foreign nationals.
    If you communicate with any non-U.S. citizens overseas, you may be incidentally caught in surveillance. In fact, privacy advocates and organizations have published of Americans’ private phone calls, emails, and text messages.
  7. E911 and Advanced Mobile Location (AML)
    Telcos are required to make available location-based technologies like AML that enhance location accuracy when users call emergency services.

    How this applies to telcos: Telcos must have the technical capability to help emergency services accurately identify a caller’s location when s/he dials emergency numbers. AML will send the caller’s precise location to help responders locate the caller more effectively.
  8. FTC Regulations
    The FTC’s role is to enforce against unfair or deceptive business practices, including companies’ data privacy and security practices. Through enforcement actions, the FTC has penalized companies for failing to safeguard consumer data or misrepresenting their privacy practices, indirectly helping to protect mobile users’ privacy.

  9. Other Federal Cybersecurity Mandates
    To protect against cyber threats that could impact public safety, entities like the FTC, Federal Communications Commission, and Department of Homeland Security have introduced cybersecurity mandates that apply to telcos. These mandates include rules around safeguarding customer data, implementing regular security audits, and how carriers can use and share CPNI.

    How this applies to telcos: Telcos must secure their networks against vulnerabilities to prevent breaches that could have public safety implications and take sufficient safeguards to protect user data.

    Despite these mandates, major telcos continue to suffer from frequent data breaches. See our for the latest updates.

    If you believe your telco’s data privacy and security practices are unfair or deceptive, or if you have reason to believe that your telco is violating your cell phone and data privacy rights, you can report this to both agencies at these respective sites: and .

State-Level Privacy Protections for Cell Phone Users

Some states have enacted strong privacy laws that apply to mobile users and that go beyond federal protections:

  1. California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
    Under these laws, California residents have extensive rights over their personal data, including the right to know what data is collected, to request deletion, and to opt out of data sales.

    The CPRA, which builds on the CCPA, goes even further, mandating stricter protections and establishing a state agency to enforce these rights. See the for more information on these laws.
  2. Illinois Biometric Information Privacy Act (BIPA)
    BIPA regulates how companies obtain, use, store, and dispose of biometric data like fingerprints or facial scans.

    How this might apply to you: If you are an Illinois resident, your telco must:
      • obtain your written consent before collecting your biometric data,
      • develop and publicly disclose a biometric data retention and destruction policy, including length of time the data will be stored and the process for securely destroying the data after it is no longer needed.
    To understand why major telcos collect biometric data and how they use, store, and dispose of it, see and ’s privacy notices on biometric information.

To find out what the current data privacy laws are in your state, check out .

Future of Cell Phone Privacy Laws

As we move into 2025, here’s a look at how cell phone privacy laws might change under a new administration:

    • Continued rollback of privacy protections: The previous Trump administration , allowing telcos and internet service providers to track and sell customers’ online information with greater ease. This shift prioritized a business-friendly approach that reduces restrictions on data collection and use. This approach of favoring industry interests over stricter consumer privacy protections may continue.
    • Expanded government surveillance powers: The Trump and Biden administrations both defended Section 702 of the Foreign Intelligence Surveillance Act, allowing warrantless surveillance of foreign nationals’ electronic communications. The prioritization of national security interests may lead to expanded data collection and sharing practices that have implications for the privacy of American citizens.
    • Push for weakened encryption: Trump’s previous Justice Department advocated for weakening end-to-end encryption to allow government access. This stance, which has significant repercussions for mobile users’ privacy and security, could be revived.

Understanding cell phone privacy laws is crucial as our devices continue to play an integral role in our lives. These laws aim to balance individual privacy, national security, and business interests, but gaps remain. From location data and metadata access to surveillance and breaches, the risks are real and evolving.

Staying informed about your rights is the first step toward protecting your privacy. Whether it’s limiting the data you share, adjusting your device settings, or opting out of invasive data practices, small actions can go a long way.

For those seeking a higher level of privacy and protection, Cape offers a solution designed with your security in mind. At Cape, we prioritize privacy with:

    • Minimal Data Collection and Retention: We only collect what’s absolutely necessary to operate our services, reducing exposure to breaches or unauthorized access. What little information we do collect is retained for the shortest duration possible to minimize the amount of data available for exploitation or access. For example, call data records (CDRs) are only retained for 60 days.
    • Stringent Law Enforcement Request Policy: We challenge overbroad requests for user data and notify users of any legal process, giving you the chance to defend your rights.

Read more here in our . By choosing Cape, you can trust that your privacy is our priority. Regulations may evolve, but we’re committed to staying ahead of the curve to help you safeguard your personal information. Together, we can navigate the challenges of modern privacy and build a safer digital future.
