Beyond Carpenter: Why America’s 1986 Privacy Law Is Struggling in the Age of Smartphones
Nearly every modern smartphone functions as a continuous location sensor. It records movements through cellular networks, GPS satellites, Wi-Fi signals, and Bluetooth proximity systems. The result is a persistent digital record of human activity capable of revealing where individuals live, travel, work, socialize, and worship.
Yet the primary federal statute governing government access to digital communications—the Electronic Communications Privacy Act (ECPA)—was enacted in 1986. At the time, Congress could not have anticipated an era where billions of individuals would carry location-tracking devices in their pockets.
The Supreme Court attempted to address part of this technological gap in Carpenter v. United States, a landmark 2018 decision requiring law enforcement to obtain a warrant before accessing historical cell-site location information. However, Carpenter left numerous questions unresolved, including the legality of real-time tracking, mass location searches, and government purchases of commercial location data.
A policy proposal titled “Beyond Carpenter: A Legislative Framework for Mobile Location Privacy” argues that patching ECPA to incorporate Carpenter’s holding is insufficient. Instead, the report proposes creating an entirely new statutory chapter—Chapter 120 of Title 18—to comprehensively regulate government acquisition of mobile location information.
The proposal arrives at a moment when courts, lawmakers, and technology companies are all confronting the same fundamental question: how should privacy law adapt to a world where location tracking is both ubiquitous and commercially valuable?
The Electronic Communications Privacy Act: A Law Built for the Analog Era
When Congress enacted the Electronic Communications Privacy Act in 1986, the digital ecosystem looked dramatically different. Mobile phones were rare and incapable of continuous tracking. Internet services were limited primarily to early email systems and bulletin board networks.
ECPA expanded federal privacy protections to emerging electronic communications systems. The statute created three major legal frameworks:
- The Wiretap Act – regulating interception of real-time communications
- The Stored Communications Act (SCA) – regulating access to stored communications
- The Pen Register Act – regulating collection of dialing and routing information
Each component of ECPA reflected the technological architecture of the 1980s. Communications were largely discrete events—phone calls, pager messages, or individual email transmissions.
Smartphones changed that paradigm entirely. Today’s mobile devices constantly emit signals that reveal a user’s approximate location, often with remarkable precision.
These signals can be aggregated into detailed behavioral profiles capable of reconstructing daily routines, travel patterns, and social relationships.
Carpenter v. United States: The Supreme Court Confronts Digital Tracking
In Carpenter v. United States, the Supreme Court addressed whether law enforcement could obtain historical cell-site location information (CSLI) from wireless carriers without a warrant.
Federal investigators had obtained more than four months of CSLI from multiple carriers while investigating a string of robberies. The records allowed authorities to reconstruct the defendant’s movements across multiple cities.
Under the traditional third-party doctrine, information voluntarily shared with a company could often be obtained by the government without a warrant. Prosecutors argued CSLI fell into this category because the data was stored by telecommunications providers.
The Supreme Court rejected this reasoning.
Chief Justice John Roberts wrote that cell phone location data provides an “intimate window into a person’s life,” revealing patterns of movement that traditional surveillance methods could never achieve.
Because individuals carry smartphones nearly everywhere, the Court concluded that historical location data deserves heightened constitutional protection.
The ruling established a new principle: law enforcement must generally obtain a warrant before accessing historical CSLI.
But Carpenter Did Not Resolve the Entire Surveillance Landscape
Although Carpenter represented a major step forward for digital privacy, the Court intentionally limited the scope of its decision.
The ruling did not address:
- Real-time cell phone tracking
- Geofence warrants targeting all devices in an area
- Cell tower dumps collecting identifiers from thousands of phones
- Government purchases of location data from brokers
- Short-term location tracking
- Data collected from mobile applications rather than carriers
These unanswered questions have created a fragmented legal environment where courts must interpret how Fourth Amendment protections apply to emerging surveillance technologies.
Geofence Warrants and Tower Dumps: The Rise of Mass Location Searches
Two investigative techniques have become particularly controversial in recent years: geofence warrants and cell tower dumps.
Geofence Warrants
A geofence warrant compels a technology company—often a location data provider—to identify all mobile devices present within a specified geographic area during a particular time period.
For example, investigators may draw a digital perimeter around a crime scene and request location data for every phone detected inside that boundary.
The initial dataset may contain hundreds or thousands of devices belonging to individuals who have no connection to the alleged crime.
Authorities then conduct additional filtering steps to identify potential suspects.
Cell Tower Dumps
A tower dump involves collecting identifying information for all mobile devices connected to a particular cellular tower during a specified timeframe.
Because urban towers may handle communications for thousands of phones simultaneously, tower dumps can capture large quantities of location information about innocent individuals.
Both methods raise constitutional questions about whether mass digital searches violate Fourth Amendment protections against unreasonable searches and seizures.
The Data Broker Loophole
Another emerging controversy involves government purchases of commercial location data.
Many mobile apps integrate advertising or analytics software development kits (SDKs) that collect precise GPS coordinates. These datasets are often aggregated and sold by data brokers to marketers, hedge funds, and other commercial clients.
Some government agencies have purchased these datasets for investigative purposes.
Critics argue that this practice allows authorities to circumvent the warrant requirement established in Carpenter by purchasing location information rather than compelling disclosure from telecommunications carriers.
Supporters contend that the data originates in the commercial marketplace and therefore falls outside traditional Fourth Amendment restrictions.
The lack of clear statutory guidance has turned the issue into one of the most contentious debates in modern surveillance law.
The Proposed Legislative Solution: Chapter 120
The “Beyond Carpenter” proposal attempts to address these gaps by creating a comprehensive statutory framework regulating government acquisition of mobile location information.
Rather than modifying existing provisions of ECPA, the proposal recommends establishing a new chapter within the federal criminal code dedicated specifically to location surveillance.
Key Features of the Proposed Framework
- Uniform warrant requirement for all government acquisition of location data
- Judicial approval process for geofence and tower dump searches
- Emergency exceptions for imminent threats to safety
- Minimization requirements limiting unnecessary data collection
- Notice provisions informing affected individuals
- A statutory suppression rule allowing courts to exclude improperly obtained evidence
The proposal draws heavily from the structure of the Wiretap Act, which requires detailed judicial oversight for interception of communications.
Comparison: ECPA vs Proposed Chapter 120
| Feature | Current ECPA Framework | Proposed Chapter 120 |
|---|---|---|
| Coverage of Location Data | Indirect and fragmented | Explicit statutory regulation |
| Warrant Requirement | Depends on interpretation of Carpenter | Uniform warrant requirement |
| Geofence Warrants | No clear statutory framework | Two-stage judicial authorization |
| Tower Dumps | Limited statutory guidance | Structured judicial oversight |
| Government Purchase of Data | Legal gray area | Covered under warrant requirement |
| Suppression Remedy | Limited statutory remedies | Explicit suppression rule |
Timeline of U.S. Digital Surveillance Law
| Year | Milestone |
|---|---|
| 1968 | Omnibus Crime Control Act establishes federal wiretap framework |
| 1986 | Electronic Communications Privacy Act enacted |
| 2001 | USA PATRIOT Act expands surveillance authorities |
| 2013 | Snowden revelations expose global surveillance programs |
| 2018 | Carpenter v. United States establishes warrant requirement for CSLI |
| 2020s | Rapid growth of geofence warrants and commercial location datasets |
The Private Sector Location Data Economy
Location data has become one of the most valuable assets in the digital advertising ecosystem. Mobile applications routinely collect precise geographic coordinates for analytics, personalization, fraud detection, and marketing attribution.
Advertising technology platforms aggregate billions of location signals into datasets capable of mapping consumer behavior at massive scale.
These datasets power services ranging from targeted advertising to retail analytics and urban planning.
However, the same datasets can also expose sensitive patterns of movement, raising concerns about how the information may be accessed or shared.
Compliance Challenges for Mobile Apps and Technology Companies
Companies that collect location data face increasing scrutiny from regulators, courts, and consumers. Location information is widely considered among the most sensitive categories of personal data.
Organizations must navigate a complex regulatory environment that includes:
- Consumer consent requirements
- Data minimization obligations
- Transparency disclosures
- Government access requests
- Cross-border transfer restrictions
As privacy regulations evolve globally, companies must maintain detailed visibility into how location data flows across their systems.
The Role of Privacy Compliance Platforms
Managing these obligations increasingly requires specialized privacy governance tools. Modern compliance platforms help organizations identify where sensitive data exists, how it is processed, and which third parties receive access.
Solutions that we’ve developed here at Captain Compliance provide capabilities including:
- Automated data discovery and mapping
- Cookie and mobile SDK scanning
- Privacy notice generation
- Consent management
- Data subject access request automation
- Vendor risk assessments
These capabilities allow organizations to monitor how location data is collected across websites, mobile applications, and third-party services.
As regulators increasingly focus on tracking technologies and behavioral data collection, implementing robust compliance frameworks has become essential for organizations operating in digital markets.
The Future of Location Privacy Regulation
Smartphones have fundamentally transformed the relationship between individuals and surveillance technology. Devices carried voluntarily by billions of people now generate detailed records of human movement on a global scale.
The challenge facing policymakers is determining how existing legal frameworks should adapt to these realities.
The proposal to create a new statutory chapter governing location surveillance represents one possible approach. By establishing clear rules for government acquisition of mobile location data, lawmakers could reduce uncertainty for courts, investigators, and technology companies alike.
Whether Congress ultimately adopts such reforms remains uncertain. However, the ongoing expansion of digital tracking technologies ensures that the debate over location privacy will remain at the forefront of technology policy discussions.
The next evolution of American privacy law may depend on whether lawmakers can modernize a statute written in the 20th century for a world defined by 21st-century mobile technology.
