The Stored Communications Act's civil cause of action is the most commonly litigated federal privacy statute in cases involving unauthorized access to email, cloud data, and social media accounts. The Eleventh Circuit has developed a distinctive body of SCA civil law—most notably through Vista Marketing, LLC v. Burkett and Snow v. DirecTV—that diverges from sister-circuit authority in important ways. Practitioners pursuing SCA civil claims in Alabama, Florida, or Georgia federal courts must understand these circuit-specific rules before filing.
I. Doctrinal Framing
Congress enacted the Stored Communications Act in 1986 as part of the Electronic Communications Privacy Act (ECPA), Pub. L. 99-508. The statute addresses a gap that the Fourth Amendment could not fill: because third-party disclosure doctrine under Smith v. Maryland and related cases had minimized constitutional protection for communications stored with third-party providers, Congress chose to create statutory privacy protections for electronically stored data. The SCA's purpose—as the legislative history makes clear—is to protect private communications that modern technology requires users to entrust to third-party service providers, including emails, cloud-stored files, social media messages, and similar data.
The SCA has two principal civil dimensions: (1) the prohibition against unauthorized access to stored communications at 18 U.S.C. § 2701; and (2) the prohibition against voluntary disclosure of stored communications by service providers at 18 U.S.C. § 2702. The civil cause of action at 18 U.S.C. § 2707 applies to both.
II. The Statutory Framework: 18 U.S.C. §§ 2701–2712
A. Section 2701: Unauthorized Access
18 U.S.C. § 2701(a) makes it unlawful to:
- Intentionally access without authorization a facility through which an electronic communication service is provided; or
- Intentionally exceed an authorization to access that facility
and thereby obtain, alter, or prevent authorized access to a wire or electronic communication while it is in electronic storage in such system.
Several definitional terms control the reach of § 2701:
"Electronic communication service" (ECS): Any service that provides users the ability to send or receive wire or electronic communications. § 2510(15). This definition encompasses email providers (Gmail, Yahoo, Outlook), social media platforms with messaging functionality (Facebook, Instagram), and cloud services that include communication features. The Eleventh Circuit in Vista Marketing, LLC v. Burkett, 812 F.3d 954 (11th Cir. 2016), recognized that email systems operated by companies for employees also qualify as ECS providers, and that a single provider may simultaneously function as both an ECS provider and a remote computing service (RCS) provider depending on the communication at issue.
"Remote computing service" (RCS): The provision to the public of computer storage or processing services by means of an electronic communications system. § 2711(2). Cloud storage services like Amazon Web Services (when used for data storage rather than communication) are the paradigm RCS provider.
"Electronic storage": Defined at 18 U.S.C. § 2510(17) as: (A) any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof; and (B) any storage of such communication by an electronic communication service for purposes of backup protection of such communication.
The meaning of "electronic storage" for opened emails is a persistent split among the circuits. The Eleventh Circuit addressed this question in Vista Marketing, acknowledging that "the law with regard to this issue is far from settled" while applying the backup-storage theory to post-delivery emails. 812 F.3d at 976.
B. Section 2702: Voluntary Disclosure Prohibition
Section 2702 prohibits both ECS and RCS providers from voluntarily disclosing the contents of stored communications to third parties except in specified circumstances. This provision protects against service providers voluntarily sharing user data with government agencies, civil litigants, or other third parties outside the SCA's disclosure framework. Civil litigants' subpoenas served on Google, Facebook, or Apple for email contents are regulated by § 2702—courts have held that the SCA generally bars compliance with civil subpoenas for content data.
C. Section 2703: Compelled Disclosure
Section 2703 governs government access to stored communications through warrants, court orders, and subpoenas. For civil practitioners, its principal relevance is establishing the disclosure framework that civil litigants cannot circumvent through civil subpoenas served on service providers. The SCA's 180-day rule on warrant requirements has been substantially modified by the Fourth Amendment's warrant requirement as applied post-Carpenter v. United States, 585 U.S. 296 (2018), but that analysis is primarily relevant to criminal proceedings.
III. Section 2707: Civil Remedies
18 U.S.C. § 2707 provides the exclusive civil cause of action for SCA violations. Its structure is as follows:
A. Standing: Section 2707(a)
"Any provider of electronic communication service, subscriber, or other person aggrieved by any violation of this chapter in which the conduct constituting the violation is engaged in with a knowing or intentional state of mind may, in a civil action, recover from the person or entity, other than the United States, which engaged in that violation."
Three features of § 2707(a) deserve attention:
- The mental state requirement. The conduct must be knowing or intentional—negligent or inadvertent access does not give rise to civil liability. This is a meaningful threshold in cases involving misconfigured systems or good-faith reliance on employer authorization.
- The "other person aggrieved" language. Standing is not limited to the subscriber or the service provider; any aggrieved person with a stake in the privacy of the communication may sue. This includes third parties whose communications were accessed without authorization.
- Governmental immunity. Section 2707(a) expressly excludes the United States from civil liability, though governmental violations triggering § 2707 may result in administrative discipline under § 2707(d).
B. Available Relief: Section 2707(b)–(c)
Section 2707(b) authorizes "appropriate relief," including:
- Preliminary and other equitable or declaratory relief
- Damages under subsection (c)
- Reasonable attorney's fees and other litigation costs
Section 2707(c) governs damages:
- Actual damages plus violator's profits: The court may assess actual damages suffered by the plaintiff plus any profits the violator made from the violation.
- Statutory minimum of $1,000: "In no case shall a person entitled to recover receive less than the sum of $1,000."
- Punitive damages: Available for willful or intentional violations.
- Attorney's fees and costs: Available to the successful plaintiff upon court assessment.
C. The $1,000 Statutory Floor—Eleventh Circuit's Actual Damages Prerequisite
The most consequential Eleventh Circuit SCA rule is its holding in Vista Marketing, LLC v. Burkett that statutory damages of $1,000 are not available absent a finding of actual damages. In Vista Marketing, a jury found that the defendant had violated the SCA 450 times but awarded zero actual damages and zero punitive damages. The district court awarded $50,000 in statutory damages. The Eleventh Circuit vacated the statutory damages award and held that the phrase "person entitled to recover" in § 2707(c) refers back to a party that has first established "actual damages"—reading the provision in light of the Supreme Court's construction of analogous language in Doe v. Chao, 540 U.S. 614 (2004). 812 F.3d at 971.
This holding creates a circuit split. The majority of circuits and several district courts have held that proof of actual damages is not required to trigger the $1,000 statutory minimum—the statute's "may assess" language for actual damages combined with "in no case shall . . . receive less than $1,000" was intended by Congress to create a floor protecting victims whose actual harm is difficult to quantify. The Fifth Circuit has since aligned with the Eleventh Circuit's position. The Fourth Circuit and various district courts have reached the opposite conclusion.
Practical implications for Eleventh Circuit practitioners:
- SCA plaintiffs must plead and prove at least some actual damages to unlock the $1,000 statutory floor.
- Actual damages include: emotional distress, reputational harm, economic loss from disclosed information, disruption of business operations, cost of remediation.
- In the absence of provable actual damages, the SCA civil claim may be technically viable but may not result in meaningful monetary recovery in the Eleventh Circuit.
D. Two-Year Statute of Limitations: Section 2707(f)
Section 2707(f) bars SCA civil actions commenced "later than two years after the date upon which the claimant first discovered or had a reasonable opportunity to discover the violation." The Eleventh Circuit applied this limitations period in a 2024 unpublished decision, Boyle v. TracFone Wireless, No. 23-14100 (11th Cir. Aug. 7, 2024), affirming dismissal of a § 2707 claim as time-barred where the plaintiff first discovered or had a reasonable opportunity to discover the violation more than two years before filing. The "reasonable opportunity to discover" standard is an objective test; subjective ignorance does not toll the period if a reasonable person would have investigated earlier.
E. Good Faith Defense: Section 2707(e)
Section 2707(e) provides a complete defense to civil and criminal liability for conduct taken in good faith reliance on a court warrant, grand jury subpoena, or statutory authorization. The defense also covers reliance on wiretap orders under 18 U.S.C. § 2518(7) and good-faith determinations that certain SCA disclosure exceptions applied.
IV. Eleventh Circuit SCA Applications
A. Snow v. DirecTV, 450 F.3d 1314 (11th Cir. 2006)
Snow v. DirecTV, Inc. addressed the SCA's applicability to online password-protected discussion forums. The Eleventh Circuit affirmed dismissal of Snow's § 2701 civil claim, holding that for a plaintiff to state an SCA civil claim arising from access to publicly accessible internet communications, the plaintiff must affirmatively allege and demonstrate that the communications were "not readily accessible to the general public." 450 F.3d at 1321. Snow's website allowed any member of the public to register, making it insufficiently restricted to trigger SCA protection.
Snow establishes the "not readily accessible" pleading requirement for Eleventh Circuit SCA claims involving web-hosted content. Plaintiffs relying on § 2701 must plead facts affirmatively showing that access to the relevant communications was restricted, not merely that registration was required. The distinction between minimal self-registration (insufficient) and access controls that genuinely limit the population of authorized users (sufficient) is a factual question that has generated substantial litigation.
B. Vista Marketing, LLC v. Burkett, 812 F.3d 954 (11th Cir. 2016)
As discussed above, Vista Marketing established the actual damages prerequisite for § 2707(c) statutory damages in the Eleventh Circuit. The case also confirms that webmail accounts—email stored on a service provider's servers after delivery—are protected by the SCA, applying the theory that such storage constitutes "backup protection" of the communication within § 2510(17)(B). The opinion explicitly acknowledged the circuit split on the opened-email question and declined to fully resolve it, but applied the backup-storage protection to the facts. 812 F.3d at 976.
V. Application to Cloud, Email, and Social Media Account Access
The modern SCA landscape extends well beyond the "electronic bulletin board" cases of the early 2000s. Courts across the circuits have applied SCA civil liability to the following contexts:
Email accounts: The paradigm SCA civil case. Unauthorized access to Gmail, Outlook, or a corporate email system—whether by a spouse in divorce proceedings, an employer accessing an employee's personal account, or an outsider using stolen credentials—constitutes access to an ECS facility without authorization under § 2701. Vista Marketing confirms Eleventh Circuit coverage of such access.
Cloud storage: Services like Dropbox, Google Drive, and iCloud, when operating as RCS providers, are covered by § 2702's disclosure restrictions. Access by unauthorized users to a shared cloud folder may constitute a § 2701 violation where the folder is restricted from the accessing party.
Social media private messaging: Private messages on Facebook, Instagram, Twitter/X, and similar platforms are stored by ECS providers and are protected under the SCA. Courts have relied on Crispin v. Christian Audigier, Inc. and related cases to distinguish private messages (protected) from public posts (not protected as "electronic storage"). Practitioners should evaluate whether the communications at issue were configured as private or public before asserting SCA protection.
Employer email monitoring: Employers who access employee personal email accounts stored on third-party systems violate § 2701 unless they have proper authorization. Employer monitoring of company-issued email accounts—where employees have been notified that the company may access communications—typically falls within the "authorized access" exception.
VI. Practice Notes
Plead actual damages with particularity. Under the Eleventh Circuit's Vista Marketing rule, SCA complaints that allege only statutory violations without identifying actual harm will not entitle plaintiffs to the $1,000 statutory minimum. Complaints should specifically identify: economic losses traceable to the unauthorized access; costs of investigation and remediation; emotional distress (with supporting factual allegations); reputational harm; and any profits the defendant obtained from using the accessed communications.
Establish non-public accessibility. Under Snow, plaintiffs must affirmatively plead that the communications were not readily accessible to the general public. For email and social media accounts, this typically involves identifying access controls: password protection, account permission settings, private-messaging configurations, and the population of users authorized to access the relevant system.
Two-year limitations: act quickly. The § 2707(f) limitations period runs from when the plaintiff first discovered or had a reasonable opportunity to discover the violation—not from when actual harm materialized. Forensic indicators of unauthorized access (unusual login activity, unfamiliar device logins, unexpected forwarding rules) may trigger the discovery clock even if the full extent of harm is not yet known.
Pair with CFAA claims. SCA § 2701 and CFAA § 1030 cover similar conduct but with materially different authorization frameworks. Post-Van Buren, a defendant who used authorized credentials to access off-limits areas may be vulnerable to SCA liability even if CFAA liability is foreclosed. Counsel should plead both claims and analyze authorization issues under each statute's distinct framework.
State court litigation. SCA claims may be filed in state court; the Act creates a federal cause of action but does not vest exclusive jurisdiction in federal courts. State court filing may be advantageous where federal standing (post-TransUnion) is uncertain.
VII. Open Questions
The SCA's "electronic storage" definition and its application to post-delivery emails remains unsettled in the Eleventh Circuit. Vista Marketing addressed the issue in a non-definitive way, and the broader circuit split means that sophisticated defendants may challenge SCA coverage of opened emails even in the Eleventh Circuit. Additionally, the $1,000 statutory floor circuit split may invite future Supreme Court resolution; the current asymmetry creates incentives to file SCA cases in circuits that permit statutory damages without actual damages.
VIII. Closing
The SCA's civil cause of action remains a powerful tool for victims of email, cloud, and social media account intrusions—but Eleventh Circuit practitioners face two circuit-specific constraints not present everywhere else: the Snow "not readily accessible" pleading requirement for web-hosted content, and the Vista Marketing actual-damages prerequisite for statutory damages. Building complaints that address both constraints from the outset is the standard of care for SCA civil practice in the Eleventh Circuit.
Talk to Yates Anderson
If you are litigating a matter in this area — or weighing whether to — the working analysis above only goes so far. Request a case evaluation and a Yates Anderson attorney will respond within one business day.
Informational only. Not legal advice. No attorney-client relationship is created by reading this post. Consult a licensed attorney in your jurisdiction.