This post was authored by William S. Fallon, Associate in Robinson+Cole’s Business Litigation group.

In Chatrie v. United States, No. 25-112 (U.S. June 29, 2026), the Supreme Court took another step in redefining digital privacy under the Fourth Amendment, building directly on its landmark decision in Carpenter v. United States, 585 U.S. 296 (2018). These cases signal that businesses holding customer data face an evolving legal landscape worth understanding.

The Fourth Amendment protects “persons, houses, papers, and effects” against unreasonable government searches, and thus generally requires a warrant based on probable cause before the government can search people, their homes, or their belongings. Under the long-standing “third-party doctrine,” however, information voluntarily shared with a third-party company, like a bank or phone company, historically lost that protection. In Carpenter, 585 U.S. at 310 n.3, 316, though, the Court carved out a “narrow” exception, holding that police need a warrant to obtain seven days of a cellphone user’s location data from a wireless carrier, even though the carrier held that location data , not the cellphone user. 

Chatrie went even further—the Court held that police need a warrant to access a user’s Google location history, even if the data covers only two hours, is held by a third-party company, and is voluntarily shared by the user. The Court again refused to apply the third-party doctrine, reasoning that such location data is “not truly ‘shared’” simply because a user enables Google to track his or her location.

Chatrie’s reasoning matters for any business that holds customer data. The Supreme Court now treats information on a company’s servers—emails, photographs, location logs, etc.—as information a user might “reasonably view[] as his own,” even when that information has been voluntarily conveyed to the company. Custodians of that data increasingly find themselves positioned between their customers and the government, fielding law enforcement demands for the customers’ data. As courts continue to recognize strong privacy interests in hosted data, those protections influence a custodian’s legal exposure, shape its obligations when responding to law enforcement and government demands, and inform customer expectations regarding the security and privacy of their data.

The third-party doctrine may continue to change—and erode. Justice Gorsuch’s separate opinions in Carpenter and Chatrie illustrate where this could lead. In both Carpenter and Chatrie, the Court sought to find an escape hatch from its third-party doctrine without expressly overruling the doctrine—an approach that detractors view as confusing—but Justice Gorsuch believes he has identified a workable route forward. Building off his separate opinion in Carpenter, where he urged an approach to Fourth Amendment protections grounded in property law and statutes, Justice Gorsuch’s Chatrie concurrence applied those theories, treating location history as Chatrie’s personal property under state digital-property statutes and finding “hints” of the same reasoning in the majority’s acknowledgement that users regard such data as their own.

In practice, this approach would look to what statutes, traditional property law, and a company’s own contracts say about who owns and controls customer data, and it would use those sources to decide whether the data stays protected once a customer hands it over. For companies that hold customer data, that makes the terms of their privacy policies, terms of service, and consent forms all the more important, because those documents may increasingly bear on how customer data is treated constitutionally. Whatever direction the doctrine takes, Chatrie is a useful signal that courts are willing to recognize privacy interests in third party data , and that businesses should account for that trend as they design their data practices.