Accordingly, we solicited supplemental briefing concerning the proper interpretation of section 2702. In that briefing, all parties now concede that communications configured by the social media user to be public fall within section 2702(b)(3)'s lawful consent exception to section 2702's prohibition, and, as a result, may be disclosed by a provider. As we will explain, this concession is well taken in light of the relevant statutory language and legislative history.
The parties differ, however, concerning the scope of the statutory lawful consent exception as applied in this setting. Defendants emphasize that even those social media communications configured by the user to be restricted to certain recipients can easily be shared widely by those recipients and become public. Accordingly, they argue that when any restricted communication is sent to a "large group" of friends or followers the communication should be deemed to be public and hence disclosable by the provider under the Act's lawful consent exception. On this point we reject defendants' broad view and instead agree with providers that restricted communications sent to numerous recipients cannot be deemed to be public-and do not fall within the lawful consent exception. Yet we disagree with providers' assertion that the Act affords them "discretion" to defy an otherwise proper criminal subpoena seeking public communications.
In light of these determinations we conclude that the Court of Appeal was correct to the extent it found the subpoenas unenforceable under the Act with respect to communications addressed to specific persons, and other communications that were and have remained configured by the registered user to be restricted. But we conclude the court's determination was erroneous to the extent it held section 2702 also bars disclosure by providers of communications that were configured by the registered user to be public, and that remained so configured at the time the subpoenas were issued. As we construe section 2702(b)(3)'s lawful consent exception, a provider must disclose any such communication pursuant to a subpoena that is authorized under state law.
Ultimately, whether any given communication sought by the subpoenas in this case falls within the lawful consent exception of section 2702(b)(3), and *1251must be disclosed by a provider pursuant to a subpoena, cannot be resolved on this record. Because the parties have not until recently focused on the need to consider the configuration of communications or accounts, along with related issues concerning the reconfiguration or deletion history of the communications at issue, the record before us is incomplete in these respects. Accordingly, resolution of whether any communication sought by the defense subpoenas **729falls within the statute's lawful consent exception must await development of an adequate record on remand.
We will direct the Court of Appeal to remand the matter to the trial court to permit the parties to appropriately further develop the record so that the trial court *81may reassess the propriety of the subpoenas under the Act in light of this court's legal conclusions.
I. FACTS AND LOWER COURT PROCEEDINGS
A. Grand Jury Proceedings and Indictment2
According to testimony before the grand jury, at midday on June 24, 2013, Jaquan Rice, Jr., was killed and his girlfriend, B.K., a minor, was seriously injured in a drive-by shooting at a bus stop in the Bayview district of San Francisco. Various surveillance videos showed a vehicle and someone firing a handgun from the rear window on the driver's side. A second person was depicted leaving the vehicle from the rear passenger-side door and firing a gun with a large attached magazine.
Witnesses identified defendant Derrick Hunter's 14-year-old brother, Quincy, as one of the shooters. During questioning in the early morning hours after the events, police homicide detectives told Quincy that they had "pulled all Instagram ... [and] Facebook stuff," and were aware that he knew the shooting victim. Quincy related that the victim had "tagged" him on Instagram in a video featuring guns. The detectives responded that they had been "working all day" on the matter and had "seen those posts." Quincy admitted that he shot the victim six times-and asserted that the victim "would have done the same thing to us."3
Quincy stated that "Nina," his girlfriend's sister, had provided the car in which he, his brother, and one other male had driven. Within a few minutes *1252of the shooting, police had stopped Nina, whose real name is Renesha Lee (hereafter sometimes Renesha), while driving the vehicle shown in the videos.
Renesha was codefendant Lee Sullivan's then girlfriend. She had rented the car used in the shooting and gave varying accounts of the events. According to her testimony before the grand jury, during the course of multiple interviews on the day and night of the killings, she initially "just made up names and stuff." Eventually she told the police that defendant Derrick Hunter and his younger brother Quincy were among those who had borrowed her car. Renesha did not mention defendant Sullivan's name until a few days later, when she "told them the truth about [Sullivan]," and that he had been involved along with the Hunter brothers.
Renesha related that on the day of the shooting she had driven with Sullivan and the Hunter brothers to a parking lot where they "got out and walked to Quincy['s] house." She explained that Sullivan told her the three young men were going to a store. Renesha recalled that she replied she would remain at the house and talk to her sister. She testified that Sullivan had not been wearing gloves when he and the others initially approached her to borrow the car, but she noticed that he was wearing gloves when they came out of *82Quincy's house and when they departed. According to Renesha, Sullivan drove away with the Hunter brothers in the backseat. She testified that when the three returned the car to her shortly thereafter it contained the phones of Sullivan and Derrick Hunter. She also testified that she had never seen Sullivan or either of the Hunter brothers with a gun. **730Renesha explained that she had initially not revealed Sullivan's involvement because she had been scared and "just didn't want to have no parts of it because I'm the one that still has to live and walk these streets." She elaborated that once the police informed her that she might be arrested for murder, she "told them the truth," and yet still avoided implicating Sullivan until later in the process because she remained fearful of him. She maintained that after being threatened with prosecution she eventually told the full truth about Sullivan's role.
In presenting the case to the grand jury, the prosecution contended that defendants and Quincy were members of Big Block, a criminal street gang, and that Rice was killed for two reasons: (1) Rice was a member of West Mob, a rival gang, and (2) Rice had publicly threatened defendant Derrick Hunter's younger brother Quincy on social media. Inspector Leonard Broberg, a gang *1253expert and member of the San Francisco Police Department Gang Task Force, testified that in his opinion the alleged crimes were committed for the benefit of the Big Block gang. He explained that "gangsters are now in the 21st century, and they've taken on a new aspect of being gangbangers, and they do something they call cyber banging. [¶] They will actually be gangsters on the internet. They will issue challenges; they will show signs of disrespect, whether it's via images or whether it's via the written word. ... [¶] [They use] Facebook, ... Instagram, Socialcam, Vine ... [and] YouTube. ... They will disrespect each other in cyberspace." Inspector Broberg described a YouTube video made by victim Rice and shared by him via his Facebook account, in which he gave a tour of his West Point/ Middle Point neighborhood and identified specific places where he could be located-including the bus stop where he was shot. Broberg characterized the video as a challenge to others. In a subsequent declaration, Broberg explained that he "rel[ies] heavily on records from social media providers such as Facebook, Instagram, and Twitter to investigate and prosecute alleged gang members for gang crimes," and that in the present case, he "relied in part on" such records to secure evidence that Rice, Sullivan, and the Hunter brothers "were members of rival gangs and that the shootings were gang related." The same declaration adds: "We [the police] have not sought search warrants as to Renesha Lee."4
Defendants were indicted and are presently charged with the murder of Rice and the attempted murder of B.K. They also face various gang and firearm enhancements. ( Pen. Code, §§ 187, 664, 186.22, subd. (b)(1), 12022, subd. (a), 12022.53, subds. (d) & (e)(1).)
B. Description of the Subpoenas
Prior to trial, in late 2014, both defendants served subpoenas duces tecum ( Pen. Code, § 1326, subd. (b) ) on Twitter. Defendant Sullivan's subpoena sought "[a]ny *83and all public and private content" that had been "published by" Renesha Lee, who was identified by an attached photocopied screen shot of one of her Twitter accounts. The request specified no temporal boundary and stated that it "includes but is not limited to" (1) so-called record data, consisting of "user information [and] associated e-mail addresses," "activity logs," and "location data"; and (2) content information, such as "photographs, videos, private messages, ... posts, status updates, ..., and comments including information deleted by the account holder." It further sought the identity and contact information concerning the custodian of records who *1254could authenticate the requested materials. Defendant Hunter's subpoena, issued a few weeks later, sought all "accounts" and tweets originating from Renesha Lee's "account and in response to or linking her account" from the beginning of 2013 "to the present." Neither defendant sought from Twitter any communication concerning victim Rice.
Only defendant Sullivan served subpoenas on Facebook and Instagram. The Facebook **731subpoena requested information regarding the accounts of both Rice and Renesha Lee. The language of the subpoena tracked Sullivan's request to Twitter, broadly seeking "[a]ny and all public and private content," including deleted material, that had been "published by" either Rice or Renesha Lee, each of whom was identified by an attached photocopied screen shot of that person's Facebook account. As with Sullivan's subpoena served on Twitter, the subpoena specified no temporal boundary and sought the same record data, content, and authentication information mentioned above.
Sullivan's subpoena served on Instagram similarly sought "[a]ny and all public and private content," including deleted material, published by Rice and Renesha Lee, each of whom was again identified by photocopied screen shots showing their account information.5 In all relevant respects the demands for record, content, and authentication information tracked the demands directed to the other social media providers.
C. Providers' Responses to the Subpoenas
Counsel for Facebook and its subsidiary Instagram responded to the Sullivan subpoenas by a single letter in December 2014, asserting that as providers governed by federal statute (the SCA), they are precluded under that law from divulging the requested stored communications. The letter stated that under the SCA only the government may compel covered providers to divulge such stored content. Accordingly, the letter recommended that defense counsel instead seek the requested information directly from the account holder or from "any party to the communication"-persons who, unlike a covered provider, are "not bound by the SCA." Alternatively, the letter suggested that defense counsel might "work[ ] with the prosecutor to *1255obtain" the requested information via an *84additional search warrant issued by the government.6 A few days later, different counsel in the same law firm responded similarly on behalf of Twitter to defendant Sullivan.
Eventually all three providers moved to quash the subpoenas. They reiterated the assertions in their letters that defendants might try to obtain the requested information directly from the social media user who posted the communication, or from any recipient7 -or perhaps via an additional search warrant issued by the prosecution.8 They also **732objected that the requests as drafted were overbroad and vague. In any event, providers asserted, disclosure directly from them , as entities covered by the SCA, was barred by that federal law. In that respect providers' motions relied upon section 2702(a), which broadly states that a covered "person or entity" such as providers *1256"shall not knowingly divulge to any person or entity the contents of a communication while in electronic storage by that service ." (Italics added.) Based on this language, providers asserted that the SCA's prohibition on a provider entity's ability to disclose any content information applies broadly and does not depend on whether the registered *85user configured a given communication as private/restricted as opposed to public. Moreover, providers asserted, none of section 2702(b)'s exceptions to the bar on disclosure by a provider applies here. Nor, they observed, does the Act contemplate procedures for criminal defendants to compel production of such communications.
D. Defendants' Opposition to the Motions to Quash
Defendants opposed the motions to quash,9 but they did not contest providers' assertion that section 2702(a) prohibits providers from disclosing any of the sought communications-even those configured by the registered user to be public. Nor did defendants challenge providers' assertion that none of section 2702(b)'s exceptions apply in this case. Instead, defendants argued that their federal constitutional rights under the Fifth and Sixth Amendments to a fair trial, to present a complete defense, and to cross-examine witnesses support their subpoenas and render the SCA unconstitutional to the extent it purports to afford providers a basis to refuse to comply with their subpoenas. Defendants acknowledged that no court had ever so held, and asked the trial court to be the first in the nation to do so.
Defendants presented offers of proof concerning the information sought from the various accounts. The prosecution had secured from Facebook and Instagram some of the available social media communications attributed to Rice and, as obligated, had shared that information with defendants in the course of discovery.10 Regarding the information concerning Rice's communications, defendants asserted that review of the full range of content from those various accounts is required in order to "locate exculpatory evidence" and to confront and cross-examine Inspector Broberg, in order to challenge his assertion that the shooting was gang related. In support defendants cited Broberg's grand jury testimony and attached examples of five **733Facebook *1257screen shots reflecting videos alleged to have been posted by Rice. Counsel asserted that the subpoenaed records would show that Rice was "a violent criminal who routinely posted rap videos and other posts threatening Quincy Hunter and other individuals."
Although the prosecution had secured and shared some of Rice's Facebook communications and a portion of the Instagram posts attributed to him, the prosecution had not sought from providers the social media communications of their key witness, Renesha Lee. Nevertheless, it appears from the record that at least one of Renesha Lee's Twitter accounts was public and contained numerous tweets that were accessible to defense counsel. Counsel evidently accessed that account and identified content that, they asserted, indicated a strong likelihood that other similar, yet undiscovered-and possibly deleted-communications might exist. Defendants alleged *86that the prosecution's case turns on Renesha Lee's credibility and that "she is the only witness who implicates Sullivan in the killing."11 Moreover, defendants explained, they sought additional corroborating information, consistent with that found already in Renesha Lee's public tweets, to demonstrate that she was motivated by jealous rage over Sullivan's involvement with other women and that she had repeatedly threatened others with violence.
In support of these assertions defendants' opposition appended, as an exhibit, photocopied screen shots of what was represented as two of Renesha Lee's Twitter accounts. They quoted a September 2013 tweet showing a photograph of a hand holding a gun and making specific threats: "I got da. 30 wit dat extend clip..... BIIIITCH I WILL COME 2YA FRONT DOOR....." Various other tweets from both accounts suggested a similar theme. Defendants asserted their need for and intention to use these and any other similar tweets, posts, comments, or messages, including deleted content, made by Renesha Lee on Twitter, Facebook, or Instagram, in order to impeach her anticipated testimony at trial. Defense counsel stated that, despite diligent efforts, Renesha Lee could not be located to be served with a subpoena duces tecum.
E. The Hearing on the Motions to Quash
The first session of the bifurcated hearing on the motions to quash was held in early January 2015. The trial court began by explaining that, in light of the pleadings, it was inclined to find the sought material "critical" to the defense against the pending charges, and to conclude that "defendants have a *1258[constitutional] right to ... information that's authentic ... [and] reliable." The court questioned providers' alternative proposal that the prosecution could or should issue additional search warrants to them (the service providers) on behalf of defendants: "First, I think the District Attorney's office is going to ... say[ ], ... our job is not to perform your investigation for you. And, besides, the Penal Code ... authorizes search warrants to be obtained [only] under certain circumstances, and ... not to find evidence that might support an affirmative defense or mitigate a mental state [or impeach a witness]." The court also expressed concern about defendants' ability to obtain any tweets or posts that may have been deleted by the account holder, and regarding how those communications might be authenticated sufficiently to be allowed into evidence. In that respect, the court questioned whether Renesha Lee would be willing to "take ownership" of tweets attributed to her and quoted above, "[s]ome [of which] could be subjecting her to criminal liability."
The trial court next addressed Twitter's assertion that any "deleted contents" would "not [be] reasonably available" and hence providers would "not ... be able to produce deleted contents or authenticate deleted content." The court expressed skepticism concerning Twitter's assertion that it would be unable to produce deleted content, observing:
**734"[W]hat I ... know from my time in discovery [is] that when I delete e-mails, they are not all deleted. [¶] Now, I don't know ... to what extent they are kept on some server or archive that could be retrieved through some sort of search function, or whether some forensic *87computer person has a way of reconstructing files or not. [¶] So ... if you are going to say that you complied and ... state under penalty of perjury [supported by a] showing ... that you have done what you can do, that's a separate thing. But, I doubt very much I am going to change my position that this material is critical, it has to be produced, and you are the ones holding it." Accordingly, the court tentatively denied the motions to quash and ordered that the materials be provided to it for in camera review pursuant to Penal Code section 1326. At the same time, the trial court allowed additional briefing to be filed before it ruled finally on the matter.
In its subsequent brief Twitter reiterated its assertion that section 2702 of the SCA fails to "distinguish between 'private' and 'public' content for purposes of its restrictions on providers' disclosure" and it maintained that "service providers are prohibited from producing any content, regardless of status." Facebook and Instagram asserted in their own subsequent brief that section 2702 of the SCA bars the requested discovery and that the Act "contains no exception for criminal defense subpoenas." Consistent with their broad assertion that no exception applied under section 2702, they did not address whether any of the sought communications had been configured by the account holder to be public or private/restricted. Twitter, by contrast, directly confronted that issue in its own final supplemental responsive brief, noting *1259that one of the accounts in question is public, and that "[a]s of this filing, anyone can visit the account and review its content, including messages, photos, and videos. In fact, defendant has already done this and included some public content from the account in ... support of his Opposition [brief]."12
In response, defendants contested the assertions by Facebook and Instagram that defendants could gain access to the sought communications by other means.13 They argued that unless providers are ordered to comply with the subpoenas, they will be deprived of the information they need and also will be hampered in their effort to "persuade a jury that the records in question originated from Ms. Lee's social media accounts."
After considering the additional briefing, in late January 2015 the trial court confirmed its earlier conclusions, commenting that it would be "untenable" to deny the requested material to defendants. The court further explored with the parties the issues of deleted communications and burdens that compliance would impose *88on providers. In that regard counsel for providers asserted that deleted tweets "don't persist in backup for all eternity" and to the extent some remained in storage, "they are going to be very cumbersome and burdensome to obtain." The court responded that it had insufficient information with which to weigh the benefit of production versus burdens, and noted that it could easily impose a temporal restriction on the information sought in order to render the **735request more reasonable and less burdensome. The court then asked counsel to address recovery of deleted content concerning "your other clients"-Facebook and Instagram. But that discussion never occurred, producing an evidentiary lacuna as to those providers. Thereafter, neither the parties nor the court addressed whether any of the sought tweets had been configured as public, or whether, for any time period, the user had *1260protected the account and made tweets sent during that time accessible to followers only. Nor did the court or parties address the privacy configurations of the remaining Facebook and Instagram communications sought by defendants.
F. The Trial Court's Ruling on the Motions to Quash
The trial court finalized its tentative rulings, denying all three motions to quash and ordering that providers submit all of the sought materials for its in camera review by a deadline in late February 2015.14 The court stated that it understood providers might seek writ review challenging its oral production order, and recognized that the Court of Appeal might stay its production order.
After discussing the need for a preservation order (see post , fn. 47), the court vacated the trial date, which had been set for the next day. All parties agreed to reconvene in early March, after the trial court had an opportunity to conduct in camera review of the information that the providers had been ordered to produce, or alternatively at a later date pending resolution of the writ proceeding providers intended to file contesting the court's oral production order.
G. The Writ of Mandate Proceeding
Providers jointly filed a petition for a writ of mandate in the Court of Appeal contending that the trial court abused its discretion in denying the motions to quash. They asked the appellate court to "preserve the status quo" by issuing an immediate stay of the trial court's production order and planned in camera review. That court stayed the trial court's production order and issued an order to show cause asking why the relief sought in the petition should not be granted.
After full briefing and oral argument, the Court of Appeal filed an opinion concluding that the SCA barred enforcement of defendants' pretrial subpoenas and rejecting defendants' arguments that the Act violated their rights under the Fifth and Sixth Amendments to the federal Constitution. Reviewing the relevant case law with respect to the constitutional claims, the appellate court concluded: "The consistent and clear teaching of both United States Supreme Court and California Supreme Court jurisprudence is that a criminal *1261defendant's right to pretrial discovery is limited, and lacks any solid constitutional foundation." (Italics in original.) The appellate *89court stressed, however, that its conclusion was confined to "this stage of the proceedings " and limited to the "pretrial context in which the trial court's order was made." (Italics in original.) It observed that defendants would remain free to seek "at trial the production of the materials sought here." The appellate court commented that the trial judge who would eventually conduct the trial "would be far better equipped" than the appellate court itself "to balance [defendants'] need for effective cross-examination and the policies the SCA is intended to serve," and suggested that the SCA might eventually need to be declared unconstitutional to the extent it precludes enforcement of such a trial subpoena issued by the trial court itself, or by defendants, with production to the court. With respect to the pretrial context, however, the appellate court directed the trial court to vacate its order denying providers' motions to quash the pretrial subpoenas, and to grant the motions to quash.
II. PROPER INTERPRETATION OF THE STORED COMMUNICATIONS ACT
Because the parties agreed in the trial court that the SCA precluded providers from **736complying with defendants' subpoenas and the court accepted that proposition, the trial court proceeded on the assumption that providers' refusal to comply with the subpoenas raised only constitutional questions. It then decided the matter by resolving those constitutional issues in defendants' favor. As explained above, the Court of Appeal likewise viewed the case as raising only constitutional issues, and its decision in providers' favor was grounded on the appellate court's conclusion that defendants' constitutional claims were not viable in the pretrial context.
In their initial briefing in this court, the parties again proceeded on the assumption that the litigation raised only constitutional issues, and they debated the merits of defendants' constitutional contentions. Defendants reiterated the view that their federal constitutional right to due process under the Fifth Amendment, and their confrontation, compulsory process, and effective assistance of counsel rights under the Sixth Amendment, require that the Act be declared unconstitutional to the extent it precludes the enforcement of their subpoenas in this case. They candidly recognized that case authority supporting their position is sparse. Ultimately, they suggested that we should overrule or distinguish our own decisions (especially People v. Hammon (1997) 15 Cal.4th 1117, 65 Cal.Rptr.2d 1, 938 P.2d 986 and its progeny) in order to declare the SCA unconstitutional as applied and uphold their pretrial subpoenas. Providers, by contrast, asserted that no decision of any court supplies authority supporting defendants' entitlement to pretrial enforcement of their subpoenas. They argued that, to the extent defendants might later at *1262trial be able to establish a due process right to the information they seek in order to secure a fair trial, their remedy at trial would not lie in a judicial declaration that the SCA is unconstitutional as applied to them. Instead, providers asserted, the trial court should at that time put the prosecution to a choice: (1) use its authority under the Act to acquire the sought materials on behalf of defendants and share them with defendants at trial, or (2) suffer consequences in the form of an adverse evidentiary ruling at trial, including potentially pivotal instructions to the jury, or outright dismissal of the prosecution's case.
As mentioned, our initial review of the SCA and the relevant legislative history of the pertinent provisions, as well as prior judicial decisions addressing related issues, led us to question the validity of the statutory interpretation of the SCA on which *90the case was litigated below. Specifically, we questioned whether the relevant statute, section 2702(a), which appears to bar providers from disclosing electronic communications configured by the user to be private or restricted, also bars providers from disclosing communications that had been configured by the user to be public. Accordingly, we requested supplemental briefing directed to that issue, identifying the portions of the legislative history that appeared most relevant.
As explicated post , part III.A., in the ensuing supplemental briefing all parties concede that section 2702(b)(3)'s lawful consent exception permits providers to disclose public communications. In order to understand the relevant provisions of the SCA and why we also conclude that the statute should be so construed, it is appropriate to review the Act's general history, the language of the relevant statutory provisions, the specific legislative history of those provisions, and prior relevant case law.
A. The SCA-History and General Background
Congress enacted the Electronic Communications Privacy Act in 1986. (ECPA; Pub.L. No. 99-508, 100 Stat. 1860. ) Title I of that law, amending the prior "Wiretap Act," addresses the interception of wire, oral, and electronic communications. (§§ 2510-2521.) Title II of the law, set out in chapter 121, is often referred to as the Stored Communications Act, or SCA. It addresses unauthorized access to, and voluntary and compelled disclosure of, such communications and related information. ( §§ 2701 - 2712.)
Prior to the ECPA's enactment, the respective judiciary committees of the House of Representatives and the Senate prepared detailed reports concerning the legislation.
**737Each explained that the main goal of the ECPA in general, and of the SCA in particular, was to update then existing law in light of dramatic *1263technological changes so as to create a "fair balance between the privacy expectations of citizens and the legitimate needs of law enforcement." (H.R. Rep. No. 99-647, 2d Sess., p. 19 (hereafter House Report); see also Sen. Rep. No. 99-541, 2d Sess., p. 3 (hereafter Senate Report) [speaking of protecting both "privacy interests in personal proprietary information" and "the Government's legitimate law enforcement needs"].)15 Each report also highlighted a related objective: to avoid discouraging the use and development of new technologies.16 These three themes-(1) protecting the *91privacy expectations of citizens, (2) recognizing the legitimate needs of law enforcement, and (3) encouraging the use and development of new technologies (with privacy protection being the primary focus)-were also repeatedly emphasized by the bill authors in their debate remarks.17 As this history reveals, and as a leading commentator on the SCA has explained, Congress was concerned that "the significant privacy protections that apply to homes in the physical world may not apply to 'virtual homes' in cyberspace," and hence "tried to fill this possible gap with the SCA." (Kerr, A User's Guide to *1264the Stored Communications Act, and a Legislator's Guide to Amending It (2004) 72 Geo. Wash. L.J. 1208, 1210.)18
B. Key Provisions of the SCA
1. Rules regarding unauthorized access to stored communications: Sections 2701 and 2511(2)(g)(i)
Section 2701(a) provides that, subject to specified exceptions, "whoever ... intentionally accesses without authorization a facility through which an electronic communication **738service is provided" or "intentionally exceeds an authorization to access that facility" and "thereby obtains" an "electronic communication while it is in electronic storage in such system" commits an offense punishable by a fine or imprisonment. At the same time, a separate provision contained in another part of the ECPA, section 2511(2)(g)(i), articulates a substantial limitation on section 2701's access prohibition: "It shall not be unlawful under ... chapter 121 [that is, the SCA] ... [¶] ... to ... access an electronic communication made through an electronic communication system that is configured so that such electronic communication is readily accessible to the general public."19
2. Rules prohibiting disclosure by service providers and listing exceptions under which providers are permitted to disclose "communications" or "customer records": Section 2702
Section 2702 addresses disclosure by certain covered service providers-and by *92no other person or entity. ( Wesley College v. Pitts (D.Del. 1997) 974 F.Supp. 375, 389.) Subsection (a)(1) declares that, subject to specified exceptions, "a person or entity providing an electronic communication service [20 ] to the public shall not knowingly divulge to any person or entity the contents of a communication while in electronic storage by that service ." (Italics added.) *1265Similarly, and again subject to the same exceptions, subsection (a)(2) declares that "a person or entity providing remote computing service [21 ] to the public shall not knowingly divulge to any person or entity the contents of any communication which is carried or maintained on that service ...." (Italics added.) Finally, subsection (a)(3) bars any service provider from knowingly divulging any non-content "record or other information pertaining to a subscriber or customer" to any governmental entity.
The next two subsections of section 2702-(b) and (c)-list exceptions to the general prohibition on disclosure by a service provider set forth in subsection (a). Subsection (b) describes eight circumstances under which a provider "may divulge the contents of a communication." As relevant here, subparts (1)-(3) of subsection (b) permit disclosure: (1) "to an addressee or intended recipient of such communication or an agent of such addressee or intended recipient"; (2) pursuant to section 2703, which, as described below, permits a "governmental entity" to compel a covered provider to disclose stored communications by search warrant, subpoena or court order; and (3) "with the lawful consent of the originator or an addressee or intended recipient of such communication, or the subscriber in the case of [a] remote computing service" (italics added). As explained below, some of the communications sought under the subpoenas at issue here may fall within the lawful consent exception set forth in section 2702(b)(3).22
Finally, subsection (c) of section 2702 describes six circumstances under which a covered provider may divulge non-content information -that is, any "record or other information pertaining to a subscriber or to a customer of such service (not including the contents of communications...)."23 As **739relevant *1266here, the last of these exceptions permits disclosure "to any person other than a governmental entity" (§ 2702(c)(6) )-which includes defendants in this case.24 *933. Rules governing compelled disclosure by a service provider to a governmental entity: Section 2703
As alluded to above, section 2703 governs compelled disclosure by covered providers to a "governmental entity." It sets forth the rules under which law enforcement entities may compel ECS and RCS providers to disclose private as well as public communications made by users and stored by covered service providers.25
C. House and Senate Reports Concerning the Relevant Provisions
The 1986 congressional reports took special note of then-existing electronic bulletin boards-early analogues to the social media platforms at issue here. In the course of these discussions, the respective judiciary committees focused on the configuration of posts as being private or public and indicated an understanding that section 2701, governing unauthorized access to communications, was intended to cover and protect only private and not public posts. Significantly, the reports indicated the same understanding regarding section 2702's ban on provider disclosure of electronic communications, as reflected in that section's lawful consent exception to the ban.
The extensive House Report, issued first, repeatedly focused on the public/private theme. It did so initially in a passage addressing section 2511(2) of the ECPA, which as noted above states in subsection (g)(i) that it "shall not be unlawful" under either the omnibus ECPA or its SCA subset to "access an electronic communication made through an electronic communication system that is configured so that such electronic communication is readily accessible to the general public." The committee explained that under this provision, it would be "permissible to intercept electronic communications *1267made through an electronic communication system that is configured so that such electronic communication is readily accessible to the general public " and that "[t]he term 'configure' is intended to establish an objective standard of design configuration to begin determining whether a system receives privacy protection ." (House Rep., supra , at p. 41.) Later, when the report addressed the SCA's analogue to this access rule, it explained that section 2701 would not "hinder the development or use of 'electronic bulletin boards' or other comparable services. The Committee believes that where communications are readily accessible to the general public, the sender has, for purposes of Section 2701(a), extended an 'authorization' to the public to access those communications . A person may reasonably conclude that a communication is readily accessible to the general public if the ... means of access [is] widely known, and if a person does not, in the course of gaining access, encounter any warnings, encryptions, password requests, or other indicia of intended privacy. To access a communication on such a system should not be a violation of the law ." (House *94Rep., supra , at p. 62, italics added.) On the other hand, the report noted, some electronic bulletin boards may provide, in addition to a public forum, private e-mail services-and it **740observed: " Section 2701 would apply differently to the different services. Those ... electronic communications which the service provider attempts to keep confidential would be protected, while the statute would impose no liability for access to features configured to be readily accessible to the general public ." (Id ., at p. 63, italics added.) The subsequent Senate Report similarly focused on electronic bulletin boards and repeatedly echoed the same public/private distinction. (Sen. Rep., supra , at pp. 8-9, 35-36.)
The House Report next turned to the provision that we must construe here, section 2702, prohibiting disclosure by covered providers of communications contents. The committee revealed its understanding that the theme of distinguishing between public and private posts carried over from section 2701's access rule and applied as well to section 2702's bar on the divulging of communications by providers.
The report observed that although section 2702(a) articulates a general prohibition on disclosure by a provider, section 2702(b)(3), setting out one of eight exceptions to that rule, permits such a provider to divulge contents "with the lawful consent of the originator or any addressee or intended recipient" of the communication. (House Rep., supra , at p. 66.) The committee explained that, in its view, implied lawful consent by a user-and hence permissible disclosure by service providers-would readily be found with regard to communications configured by the user to be accessible to the public. It stressed that consent as contemplated by section 2702(b)(3) "need not take the form of a formal written document of consent." (Ibid .) The report viewed consent to disclosure as being implied by a user's act of posting publicly, and/or by a user's acceptance of a provider's *1268terms of service: "Consent may ... flow from a user having had a reasonable basis for knowing that disclosure or use may be made with respect to a communication, and having taken action that evidences acquiescence to such disclosure or use -e.g. , continued use of such an electronic communication system ." (Ibid ., italics added.) The report explained that "[a]nother type of implied consent might be inferred from the very nature of the electronic transaction. For example, a subscriber who places a communication on a computer 'electronic bulletin board,' with a reasonable basis for knowing that such communications are freely made available to the public, should be considered to have given consent to the disclosure or use of the communication ." (Ibid ., italics added.) Moreover, the report continued, "If conditions governing disclosure or use are spelled out in the rules of an electronic communication service, and those rules are available to users or in contracts for the provision of such services, it would be appropriate to imply consent on the part of a user to disclosures or uses consistent with those rules ." (Ibid ., italics added.) In other words, the committee indicated its understanding that with regard to electronic communications configured by the user to be accessible to the public, a covered service provider would be free to divulge those communications under section 2702(b)(3)'s lawful consent exception. Nothing in the subsequent Senate Report took issue with this analysis. (Sen. Rep., supra , at pp. 36-38.)
D. Cases Construing the SCA in Light of the House and Senate Reports
Prior decisions have found that Facebook and Twitter qualify as either an ECS
*95or RCS provider and hence are governed by section 2702 of the SCA.26 All parties assume the same with respect to all three providers before us. We see no reason to question this threshold determination.
Only a few decisions have construed the relevant provisions of the SCA, and nearly all have concerned civil litigation. Most have focused on claims that a party had obtained unauthorized access to stored communications **741under section 2701, and hence are not directly applicable here. Two decisions have addressed the question we face in this criminal matter-whether section 2702 bars covered service providers from divulging social media communications in response to a subpoena. For context-and because, as we will see, one of the key section 2702 disclosure cases subsequently relied on some of *1269the section 2701 access cases-it is useful to briefly address the access cases before discussing the disclosure decisions.
1. "Unauthorized access" cases interpreting section 2701
Konop v. Hawaiian Airlines, Inc. (9th Cir. 2002) 302 F.3d 868 ( Konop ) concerned asserted unauthorized access to communications on a restricted and password-protected electronic bulletin board. The Ninth Circuit panel, citing some of the passages set out in the two judiciary committee reports noted above, concluded that this legislative history "suggests ... Congress wanted to protect electronic communications that are configured to be private, such as email and private electronic bulletin boards" and that Congress intended the configuration of communications would " 'establish an objective standard [for] determining ... privacy protection.' " ( Id ., at pp. 875 & 879, fn. 8, quoting House Rep., supra , at p. 41.) Subsequently, Snow v. DirecTV, Inc. (11th Cir. 2006) 450 F.3d 1314, quoted and extended Konop 's observation. The Eleventh Circuit concluded that in light of section 2511(2)(g)(i) and some of the legislative history described earlier, Congress intended to confine the reach of section 2701's access bar to those stored electronic communications that were configured to be restricted and not readily accessible to the general public. ( 450 F.3d at pp. 1320-1321.)
More recently, in Ehling, supra , 961 F.Supp.2d 659, a federal district court addressed a party's asserted unauthorized access to a user's restricted Facebook posts. The court highlighted the House Report's understanding that the configuration of communications would determine whether any given post is "accessible to the public" ( id ., at p. 666 ), and it relied on section 2511(2)(g)(i) (permitting access to communications that are "readily accessible to the general public") as well as Konop and Snow in concluding that "the SCA covers: (1) electronic communications, (2) that were transmitted via an electronic communication service, (3) that are in electronic storage, and (4) that are not public. " ( Ehling, supra, at p. 667, italics added.) The court found that Facebook "posts ... configured to be private meet all four criteria." ( Ibid . ) In reaching this conclusion the court observed that decisions "interpreting the SCA confirm that information is protectable as long as the communicator actively restricts the public from accessing the information ." ( Id ., at p. 668, italics added.)
*96The Ehling court elaborated: "The touchstone of the Electronic Communications Privacy Act is that it protects private information. The language of the statute makes clear that the statute's purpose is to protect information that the communicator took steps to keep private." ( Ehling, supra, 961 F.Supp.2d at p. 668.) It reasoned: "Facebook allows users to select privacy settings .... Access can be limited to the user's Facebook friends, to *1270particular groups or individuals, or to just the user. The Court finds that, when users make their Facebook ... posts inaccessible to the general public, [those ] posts are 'configured to be private' for purposes of the SCA.... [W]hen it comes to privacy protection, the critical inquiry is whether Facebook users took steps to limit access to the information [in their posts]. Privacy protection provided by the SCA does not depend on the number of Facebook friends that a user has." ( Ibid ., italics added.)27
2. "Prohibited disclosure" cases interpreting section 2702
In addition to the civil decisions construing section 2701's access rules and recognizing a **742public/private distinction in that setting, a few civil cases have concerned section 2702's prohibition on disclosure, as applied to third party subpoenas designed to compel providers to divulge electronic communications by the providers' users.
a. O'Grady and related cases regarding subpoenas to providers seeking e-mail communications
The first group of decisions addresses requests for disclosure by e-mail providers of their users' e-mail communications. A leading example is O'Grady, supra , 139 Cal.App.4th 1423, 44 Cal.Rptr.3d 72, in which a California appellate court held section 2702 prevented an email service provider from complying with a subpoena issued on behalf of Apple Computer (Apple). Apple sought the e-mail communications of an online news magazine to discover the identities of those who leaked confidential information about an impending Apple product. In concluding that section 2702 prohibited disclosure by the provider of such private e-mails ( O'Grady, at pp. 1440-1451, 44 Cal.Rptr.3d 72 ), the court distinguished between public posts that were made available "to the world," and the "contents of private [e- mail] messages" at issue in that case. ( Id., at p. 1449, 44 Cal.Rptr.3d 72, italics omitted.) The court noted that it would reach a different conclusion, and presumably find disclosure permissible, "if the discovery [could] be brought within one of the statutory exceptions-most obviously, a disclosure with the consent of a party to the communication" under the lawful consent exception of section 2702(b)(3). ( O'Grady, at p. 1446, 44 Cal.Rptr.3d 72 ; see also id. , at p. 1447, 44 Cal.Rptr.3d 72.) Likewise, other courts have concluded that section 2702 bars e-mail service providers from divulging private e-mail communications in response *1271to third party civil subpoenas when, as in O'Grady , no exception to the Act's prohibitions on disclosure is applicable. (See, e.g., In re Subpoena Duces Tecum to AOL, LLC (E.D.Va. 2008) 550 F.Supp.2d 606, 611 ["[a]greeing with the reasoning in *97O'Grady " and declining to enforce a subpoena seeking production of private e-mail communications absent an applicable exception to the prohibition on disclosure].)
b. Viacom and Crispin-regarding subpoenas served on providers seeking social media communications
Two additional section 2702 disclosure cases are more pertinent to our present inquiry because they concerned disclosure by service providers, not of private e-mail, but of social media communications . As explained below, these decisions reflect an understanding that Congress intended section 2702 to prohibit disclosure by providers of only private or restricted, but not public, social media communications.
The first opinion, Viacom Int'l Inc. v. YouTube Inc. (S.D.N.Y. 2008) 253 F.R.D. 256, addressed efforts by copyright owners to compel a social media provider, YouTube, to divulge stored information regarding videos that users had configured as private or restricted. ( Id ., at p. 264.) The federal district court quoted the House Report's observation, noted ante , part II.C., that one who posts a communication with a reasonable basis for knowing that it will be available to the public should be considered to have implicitly consented to such disclosure under section 2702(b)(3). ( 253 F.R.D. at p. 265.) The court held, however, that YouTube was barred under section 2702(a) from disclosing "videos that [users] have designated as private and chosen to share only with specified recipients"-and that on the facts presented, section 2702(b)(3)'s lawful consent exception was inapplicable. ( Viacom , at pp. 264-265.)
The second decision, Crispin, supra, 717 F.Supp.2d 965, also concerned disclosure by a social media service provider under section 2702 in response to a civil discovery subpoena. The plaintiff in Crispin , an artist, sued the defendants, clothing manufacturers, asserting they violated a license to use his art. The defendants in turn issued subpoenas to various service providers, including Facebook and social media provider MySpace. The subpoenas broadly sought all manner of communications, ranging from public to private, between the plaintiff and others. The plaintiff moved to quash the subpoenas on various grounds, including that the providers were barred by section 2702 from making the disclosures. A magistrate concluded that the section did not apply, and declined to quash the subpoenas with respect to any of the communications.
**743*1272On review, the district court, relying on the legislative history of the SCA and the decision in Konop , supra , 302 F.3d 868, discussed above, determined first that so-called "private messaging" communications, like the e-mails in Konop , were configured to be private and hence protected from disclosure by service providers under section 2702(a). ( Crispin, supra, 717 F.Supp.2d at p. 987.) Turning to the other communications, Facebook posts and MySpace comments, the court analogized those communications to the technology that existed in 1986-postings on a " 'computer bulletin board' " system. ( Id ., at p. 980.) The court concluded that "a completely public [bulletin board system] does not merit protection under the SCA"-and that " '[o ]nly electronic bulletin boards which are not readily accessible to the public are protected under the Act .' " ( Id ., at p. 981, italics added.) In other words, the court determined that Facebook posts and MySpace comments configured by registered users to be public are not protected from disclosure under section 2702(a) of the Act. But, the court reasoned, those communications would not be subject to disclosure by a provider if the user, like users of older restricted-access electronic *98bulletin boards, had configured the post or comment to be accessible only by a restricted group. ( Crispin , at p. 981.)
Accordingly, the court in Crispin determined that the dispositive question was whether the posts had been configured by the user as being "sufficiently restricted that they are not readily available to the general public." ( Crispin, supra , 717 F.Supp.2d at p. 991.) Further, the court found that any restrictive privacy configuration employed by the user should be honored, and would bar disclosure by a service provider under section 2702 of the SCA, even if the restricted group is comprised of all of a user's Facebook friends. ( Crispin , at p. 990.)28
Applying these principles to the motion to quash the civil subpoenas before it, the Crispin court observed that the parties had provided an incomplete record regarding the nature of the various private message services and other posts and comments services offered by those social media entities. Accordingly, the court remanded the matter "so that [the magistrate] can direct the parties to develop a fuller evidentiary record regarding plaintiff's privacy settings and the extent of access allowed to his Facebook [posts] and MySpace comments." ( Crispin, supra , 717 F.Supp.2d at p. 991.)
*1273The gist of Crispin 's discussion and treatment was that communications configured by the user to be restricted in some manner fall within section 2702's prohibition on disclosure by providers and are not subject to a civil subpoena directed to those providers. On the other hand, the subpoenas would be enforceable to the extent they sought Facebook posts and MySpace comments that had been configured by the registered user to be publicly accessible.
In reaching these conclusions Crispin relied heavily on the SCA's access provisions and related case law-and it focused generally on section 2702's disclosure bar without also considering specifically the lawful consent exception set out in section 2702(b)(3). Accordingly, the decision can be read as concluding that if Congress intended to withhold liability under section 2701 concerning those who access public communications, Congress must also have intended not to protect those same public communications from disclosure by covered providers under section 2702. Under this view, which appears to have been endorsed by some commentators,29 the Act *99simply would not cover or protect communications that have been configured to be public. We do not endorse this reading of the Act, however. Instead, we conclude that, by virtue of section 2702(a), the Act generally **744and initially prohibits the disclosure of all (even public) communications-but that section 2702(b)(3)'s subsequent lawful consent exception allows providers to disclose communications configured by the user to be public. Thus, although we agree with the result in Crispin , we conclude that the decision in that case should have been grounded on the lawful consent exception to the general prohibition.
As observed ante , part II.C., the House Judiciary Committee discussed the public/private distinction articulated under section 2511(2)(g)(i) of the ECPA, and revealed that it viewed that same distinction as carrying over and applying under the related access provision of the SCA, section 2701. The House Report then proceeded to describe the disclosure provision, section 2702, in a manner showing that it considered the same public/private distinction to apply in that context as well via the lawful consent exception *1274contained in section 2702(b)(3). We conclude that the Crispin decision properly focused on the user's configuration of communications, and it also reached the correct result-even though it did not explicitly rely, as it should have, on the lawful consent exception and legislative history illuminating that exception.30
E. Conclusion Regarding Section 2702(b)(3)'s Lawful Consent Exception
In light of the foregoing analysis, we conclude that communications configured by a social media user to be public fall within section 2702(b)(3)'s lawful consent exception, presumptively permitting disclosure by a provider.
*100III. APPLICATION TO THIS CASE
A. Overview: The Parties' General Agreement in Their Supplemental Briefs That Public Communications May Be Disclosed Under the Lawful Consent Exception; Limitation of Our Analysis to That Statutory Issue; and the Need for Remand to the Trial Court
As alluded to earlier, in supplemental briefs concerning section 2702 filed in response **745to questions posed by this court, both parties now agree that a social media communication configured by a registered user to be public falls *1275within section 2702(b)(3)'s lawful consent exception.31 In reaching this conclusion, providers retreat from their assertions that no exception to the prohibition applies with respect to any of the sought communications. Providers concede that, based on the legislative history described earlier, "[w]hen a user chooses to make a communication freely accessible to the public, he or she has necessarily consented to its disclosure." Accordingly, providers acknowledge that "as applied to communications that are available to the public, [ section 2702(b)(3)'s] lawful consent exception allows a provider to disclose communications to any member of the public."
Nevertheless, both parties urge us to address not only the scope of the lawful consent exception, but also the constitutional issues originally framed and briefed. As alluded to in footnote 31, and as explained below, we find it proper at this point to address only the statutory issues, and not the constitutional claims.
As observed earlier, in the lower court proceedings the parties did not focus on the public/private configuration distinction. The trial court made no determination whether any communication sought by defendants was configured to be public (that is, with regard to the communications before us, one as to which the social media user placed no restriction on who might access it) or, if initially configured as public, was subsequently reconfigured as restricted or deleted. Nor is it clear that the trial court made a sufficient effort to require the parties to explore and create a full record concerning defendants' need for disclosure from providers -rather than from others who may have access to the communications. Consequently, at this point it is not apparent that the court had sufficient information by which to assess defendants' need for disclosure from providers when it denied the motions to quash and allowed discovery on a novel constitutional theory. In any event, because *1276the *101record is undeveloped, we do not know whether any sought communication falls into either the public or restricted category-or if any initially public post was thereafter reconfigured as restricted or deleted.
In light of our interpretation of the Act, it is possible that the trial court on remand might find that providers are obligated to comply with the subpoenas at least in part. Accordingly, although we cannot know how significant any sought communication might be in relation to the defense, it is possible that any resulting disclosure may be sufficient to satisfy defendants' interest in obtaining adequate pretrial access to additional electronic communications that are needed for their defense. For these reasons, we will not reach or resolve defendants' constitutional claims at this juncture. Instead, we conclude that a remand to the trial court is appropriate.
In order to provide guidance to the trial court on remand, we discuss two issues regarding the statutory question that have been raised by the parties in their supplemental briefs.
**746B. Defendants' Contention That Implied Consent to Disclosure by a Provider Is Established When a Communication Is Configured by the User to Be Accessible to a "Large Group" of Friends or Followers
The parties now generally agree that communications configured by a social media user to be public fall within section 2702(b)(3)'s lawful consent exception and presumptively may be disclosed by a provider. Beyond this point of agreement, the parties disagree starkly concerning the proper scope and interpretation of the implied consent exception.
Defendants advance an expansive interpretation of the exception. They argue that a user's implied consent to disclosure by providers under section 2702(b)(3) should be triggered not only by communications configured by the user to be public, but also by those configured by the user to be restricted , but nonetheless accessible to a "large group" of friends or followers. Defendants contend that, in practice, social media users "lose[ ] control over dissemination once the information is posted," and can have no reasonable expectation of privacy even with regard to such restricted communications in light of the fact that any authorized recipient can easily copy any communication and share it with others. (Cf. Moreno v. Hanford Sentinel, Inc . (2009) 172 Cal.App.4th 1125, 1129-1130, 91 Cal.Rptr.3d 858 [social media user had no reasonable expectation that a communication configured as restricted would not be shared with others and hence could not maintain a tort action for public disclosure of private facts].) Defendants observe that the internet, attendant technology, and social media itself did not exist when Congress *1277considered and enacted the SCA. (See ante , fn. 18.) Therefore, they assert, section 2702 of the Act, generally prohibiting providers from disclosing stored communications, "should be deemed inapplicable" on the ground that "social media posts to large groups are essentially public posts in which the user has no reasonable expectation of privacy."
In support, defendants rely primarily on distinguishable decisions finding social media communications discoverable in civil litigation from a social media user, not, as here, from a social media provider. (E.g., Fawcett v. Altieri (N.Y.Sup.Ct. 2013) 38 Misc.3d 1022, 960 N.Y.S.2d 592, 597 [private social media posts may be compelled from a user in civil discovery "just as material from a personal diary may be discoverable"].) They also rely on cases such as U. S. v. Meregildo (S.D.N.Y. 2012) 883 F.Supp.2d 523, 526 ( Meregildo ) ( [rejecting *102Fourth Amendment claim and holding that a criminal defendant who restricted Facebook communications to "friends" had no legitimate expectation that a friend would not share that information with the government].) But none of these cases involving the propriety of compelling disclosure by social media users concerned or construed section 2702's prohibition on disclosure by providers .
Defendants criticize decisions such as Crispin, supra , 717 F.Supp.2d 965, and Ehling , supra , 961 F.Supp.2d 659, for analogizing social media communications to what they characterize as "nearly obsolete" electronic bulletin boards. They insist that focusing on such allegedly outdated sites prevented those courts from understanding that sharing is the essence of modern social media. Indeed, defendants and amici curiae on their behalf argue that, in the context of social media communications, there generally is no such thing as true privacy. Accordingly, they assert, even those social media communications configured by a user to be available to only specific friends or followers and that exhibit a "veneer of privacy" should nevertheless be treated as public. Defendants argue that such communications should not be protected by section 2702(a) -or that, alternatively, they should be deemed to fall within the lawful consent exception of section 2702(b)(3).
Providers and amicus curiae Google, LLC (Google), by contrast, assert that a registered user who configures a communication to be viewed by any number of friends or followers-but not by the public generally-evinces an intent not to consent to disclosure by a provider under 2702(b)(3), but instead to preserve some degree of privacy. They too **747rely on Meregildo, supra, 883 F.Supp.2d 523, 525, which observed that Facebook "postings using more secure privacy settings reflect the user's intent to preserve information as private." They also rely on Ehling, supra , 961 F.Supp.2d at page 668, which, as noted earlier, focused on whether a Facebook user "actively restrict[ed] the public from accessing information" and found that when a user configures a communication to be available on only a limited basis and "inaccessible to *1278the general public," such a post is " 'configured to be private' for purposes of the SCA." Under this authority, providers assert, a service provider remains prohibited from disclosing such communications. For reasons that follow, we agree with providers and Google on this point.
To begin with, we reject defendants' unsupported and rather startling assertion that social media communications and related technology fall categorically outside section 2702(a)'s general prohibition against disclosure by providers to "any person or entity."32 Nor can we accept defendants' interpretation of section 2702(b)(3)'s lawful consent exception, *103which would sweep far more broadly than was envisioned by Congress. The legislative history suggests that Congress intended to exclude from the scope of the lawful consent exception communications configured by the user to be accessible to only specified recipients. There is no indication in the legislative history of any intent to do otherwise in the case of communications sent by a user to a large number of recipients who, even in 1986 when the Act was adopted, could have shared such communications with others who were not intended by the original poster to be recipients.
In this respect, providers argue, defendants' view "would effectively eliminate expectations of privacy in all communications" and hence "would undermine the privacy rights of all users, including those of criminal suspects and defendants. If the SCA excluded electronic communications that are *1279made to ['large'] groups of people, then it would necessarily place no restriction on private party or law enforcement access to such communications. And if people had no reasonable expectation of privacy in communications sent through and maintained by the intermediary, simply because those communications could be later shared by their recipients, that would remove all Fourth Amendment protections for communications as well." (Italics in original.) Providers assert there is no indication that Congress contemplated such a result.33 **748As observed ante , part II.C., the House Judiciary Committee suggested, in its discussion of access rules, an understanding that a user's configuration would "establish an objective standard" to determine privacy protection. When subsequently addressing the disclosure rules-and the lawful consent exception to those rules-the House committee stressed that a user's consent to disclosure could be implied in view of, among other things, providers' available published policies. (House Rep., supra , at p. 66.) Providers' posted policies and answers to frequently asked questions (FAQs), described below, are readily available, and they appear to shed light on the issues presented in this litigation. Although we will highlight and quote some of these available policies and FAQs, we emphasize that in doing so we do not preclude any party from advancing any additional point or argument-including the legal significance that should or should not be accorded such policies and FAQs.
The policies and FAQs warn registered users that a communication configured as public will generally become, in the words of the House Report, supra , at page 62, "readily accessible to the general public,"
*104and available to any person via the internet, whether that person is registered with the social media provider, or not.34 This widespread availability of public posts on the *1280internet is the result of providers' business model, which allows and facilitates crawling and indexing by search engines (and in some instances, use of a so-called firehose stream) that generate search results lists displaying a link to the user's current social media page, a title and a snippet of text.35 In other words, when, for example, a Facebook user configures a post as public, that communication becomes both (a) available to all two billion registered Facebook users, and (b) again in the words of the House Report, "readily accessible to the general public" via crawling by search engines. The result is that, as counsel for providers conceded at oral argument, a public communication is available to "everyone in the world"-even to those who are not registered Facebook users, but who have open access to the internet.
Providers' FAQs warn that even communications configured as restricted still might be shared by an authorized recipient with anyone else.36 At the *1281same time, nothing of **749which we are aware in any of providers' policies or answers to FAQs suggests that users would have any reason to expect that, having configured a communication to be available not to the public but *105instead to a restricted group of friends or followers, the user nevertheless has made a public communication-and hence has impliedly consented to disclosure by a service provider, just as if the configuration had been public.
For all of these reasons we reject defendants' proposed broad interpretation of the lawful consent exception. We hold that implied consent to disclosure by a provider is not established merely because a communication was configured by the user to be accessible to a "large group" of friends or followers.37
*1282C. Providers' Argument That Section 2702 Affords a Provider Discretion to Decline to Comply with a Valid State Subpoena
Providers contend that to the extent section 2702(b)(3)'s lawful consent exception *106applies to any of the communications at issue here, that provision simply authorizes them to comply with the subpoenas, but does not by itself compel them to comply with the subpoenas. They further assert that section 2702(b) affords providers who are authorized to disclose, the "discretion" to refuse to do **750so-even in the face of an otherwise proper subpoena lawfully issued under state law. We agree with the first proposition, but not with the second.
As observed earlier, section 2702(a) sets out a general prohibition against disclosure of communications by a service provider; and section 2702(b) lists exceptions under which a provider "may" disclose such communications-including, in subsection (3), communications regarding which a user has lawfully consented to disclosure. As the parties have conceded, such consent is applicable when a user posts a communication configured to be public. Plainly, section 2702(b) merely permits a provider to disclose, and it does not by itself impose a duty or obligation to disclose. Yet providers maintain that by use of the word "may," the section also operates to "ensure that providers would retain the discretion to choose whether to disclose content based on a user's consent"-even in the face of a lawful subpoena. In support, they rely on language in an order by a federal magistrate judge, In re Facebook, Inc. (N.D. Cal. 2012) 923 F.Supp.2d 1204, 1206, stating that although "consent may permit production by a provider, it may not require such a production." (Italics in original, boldface omitted.) Providers also rely on that order's footnote 7, which cited United States v. Rodgers (1983) 461 U.S. 677, 706, 103 S.Ct. 2132, 76 L.Ed.2d 236 for the general proposition that "[t]he word 'may,' when used in a statute, usually implies some degree of discretion."
As explained below, a California Court of Appeal decision, Negro v. Superior Court (2014) 230 Cal.App.4th 879, 179 Cal.Rptr.3d 215 ( Negro ), has thoroughly considered and rejected providers' argument. In that litigation, the plaintiff sued multiple defendants concerning business transactions. Prior to trial, the plaintiff subpoenaed defendant Negro's e-mail service provider, Google, seeking e-mail communications between him, his codefendants, and others. Defendant Negro eventually expressly consented to disclosure by Google of e-mails between himself and specific persons and entities covering a defined range of dates. But despite its user's express consent, Google refused to comply with the civil subpoena. On review, the Court of Appeal considered and applied section 2702(b)(3)'s lawful consent exception, ultimately finding that the defendant had given his express and enforceable *1283written consent to service provider Google's disclosure of his e-mails. ( Negro, at pp. 893-899, 179 Cal.Rptr.3d 215.) Having found the lawful consent exception satisfied, the appellate court further concluded that the subpoena was itself enforceable and that Google was required to comply with it. In the process, the court carefully considered and rejected the contention that providers raise now-that the statute empowers providers to defy subpoenas seeking communications that are exempted from section 2702's prohibition on disclosure under the section's lawful consent exception. ( Id ., at pp. 899-904, 179 Cal.Rptr.3d 215.) Because we find the Negro court's reasoning persuasive, we quote that decision's analysis at some length.
As an initial matter, the court in Negro, supra, 230 Cal.App.4th 879, 179 Cal.Rptr.3d 215, rejected the claim that the SCA confers "a blanket exemption or immunity *107on service providers against compulsory civil discovery process." ( Id ., at p. 899, 179 Cal.Rptr.3d 215.) The court acknowledged that the SCA does not, on its face, contain any exception for or mention of civil (or for that matter criminal) discovery subpoenas. But the court explained that the Act's failure to expressly include such subpoenas does not "suggest that it rendered" the normal state law "discovery process impotent in all circumstances." ( Ibid . )38 **751Turning to the same argument reprised by providers here, the court in Negro addressed Google's assertion "that the language of the Act makes the consent exception 'permissive' and the provider's disclosure under it 'voluntary' ... so that 'Google may not be compelled by an order issued in a civil proceeding to disclose content, even with the user's consent.' " ( Negro, supra, 230 Cal.App.4th at p. 900, 179 Cal.Rptr.3d 215.) The appellate court observed that Google relied on section 2702(b)'s "use of the word 'may' to frame the exception for disclosure based on a user's consent," and on the passage quoted above from the federal magistrate's order in In re Facebook, Inc., supra, 923 F.Supp.2d at page 1206. ( Negro, at p. 900, 179 Cal.Rptr.3d 215.) The court determined that the magistrate's reasoning "places much more weight on a very small word than it is designed to bear. It is certainly true that 'may' generally conveys permission, and that when used in contradistinction to 'shall' it implies a discretionary power or privilege, as distinguished from a mandatory duty. [Citations.]" ( Id ., at p. 901, 179 Cal.Rptr.3d 215.) But, the court reasoned, "The subdivision where 'may' appears is framed not as a grant of discretionary power or as the imposition of a *1284mandatory duty but as a special exception to a general prohibition. In such a context all 'may' means is that the actor is excused from the duty, liability, or disability otherwise imposed by the prohibition. Stating that the actor 'may' engage in the otherwise proscribed conduct is a natural way-indeed the most natural way-to express such an exception." ( Id., at p. 902, 179 Cal.Rptr.3d 215, italics in original.)
The appellate court in Negro continued: "Another federal magistrate judge has observed that 'there should be a clear expression of congressional intent before relevant information essential to the fair resolution of a lawsuit will be deemed absolutely and categorically exempt from discovery and not subject to the powers of the court under [rules governing disclosure]." [Citation.] Congress's use of the word 'may' to frame an exception to the Act's general prohibition on disclosure is not such a 'clear expression of ... intent' as will justify a reading of the Act that categorically immunizes service providers against compulsory civil process where the disclosure sought is excepted on other grounds from the protections afforded by the Act." ( Negro, supra, 230 Cal.App.4th at p. 902, 179 Cal.Rptr.3d 215.)
*108Finally, the appellate court concluded: "In sum, we find no sound basis for the proposition that the Act empowers service providers to defy civil subpoenas seeking discovery of materials that are excepted from the Act's prohibitions on disclosure. Insofar as the Act permits a given disclosure, it permits a court to compel that disclosure under state law." ( Negro, supra, 230 Cal.App.4th at p. 904, 179 Cal.Rptr.3d 215.) Accordingly, the court held that in light of the fact that the user/defendant had consented to disclosure by the service provider, "the Act does not prevent enforcement of a subpoena seeking materials in conformity with the consent given." ( Ibid . )
Providers do not directly address the logic or substance of the Negro court's analysis quoted above. Instead, they assert, first, that the appellate court's decision is distinguishable because the underlying lawful consent in that case was express, whereas the present case concerns implied consent. This attempt to avoid Negro 's analysis ignores the legislative history described ante , part II.C., disclosing that Congress specifically contemplated that implied lawful consent would satisfy the lawful consent exception. It also is in tension with providers' own concession that implied lawful consent is effective with regard to communications configured by a registered user to be public. (See ante , pt. III.A.)
Alternatively, providers suggest that the SCA should be interpreted to bar the enforcement of any state subpoena that directs service providers to divulge public communications that the Act permits but does not require them to disclose. They assert that Negro 's contrary analysis and conclusion must be *1285wrong because "it would permit a state subpoena to compel disclosure of content where the SCA itself does not. Such an expansion would weaken the protections of the SCA and impermissibly broaden federal law. It would thereby conflict with the SCA's comprehensive scheme of regulating the circumstances **752under which the disclosure of content is permissible or required."
In this respect providers implicitly rely on the fact that section 2703 lists circumstances in which a provider is compelled to disclose to governmental entities-and yet, as the Negro court observed, the Act, although preempting state discovery laws that would compel a provider to violate the federal statute, "does not mention" civil (or criminal) subpoenas issued by nongovernmental entities in that section or indeed at all. ( Negro, supra, 230 Cal.App.4th at p. 900, 179 Cal.Rptr.3d 215 ; see ante , fn. 38.) Consistently with Negro 's analysis, we believe that if Congress intended to preclude a state from enforcing a nongovernmental entity's civil or criminal subpoena that is lawful under state law (and as to which the federal statute does not preclude disclosure), such a prohibition would have been made clear in the Act. We find no intent by Congress to preempt state law in this setting.39
D. Additional Issues Raised in the Supplemental Briefs, Some of Which Should Be Explored and Resolved on Remand to the Trial Court
Having addressed the legal issues that can be decided on the present record, we turn to other matters raised in providers' briefs that cannot be resolved at this stage-and some of which must await exploration on remand.
*1091. Providers' assertion that most of the communications at issue are private and hence the lawful consent exception will not assist defendants
As observed earlier, the subpoenas in this case broadly seek "any and all public and private content." Providers in their supplemental briefs assert variously that "much" or "most" (or all except a "small subset") of the communications sought by the subpoenas were configured by the users to be private or restricted, not public, and hence the lawful consent exception generally will not assist defendants in this case. Because the parties did not acknowledge the relevance and applicability of the lawful consent exception in the trial court, no reliable record was made concerning either registered *1286user's configuration of the social media communications at issue here.40 Moreover, as noted earlier, it is not apparent that the trial court had sufficient information to fully assess defendants' need for discovery when it denied providers' motions to quash and allowed defendants discovery on a novel constitutional theory. **7532. Providers' assertion that lawful consent to disclosure is revoked by a user's reconfiguration of a communication from public to restricted or by a user's deletion of a public communication
As noted, providers concede that they may, pursuant to the lawful consent exception set forth in 2702(b)(3), disclose a post configured by the user to be public. They maintain, however, that the fact a user may have initially configured a post for public distribution should not necessarily resolve the question of the applicability of the lawful consent exception. Specifically, providers observe that a communication originally configured to be public subsequently can be reconfigured by the user to *110be restricted, can be deleted by the user, or the user can close the account.41 They argue that when such a *1287change occurs before a provider is served with a subpoena, the reconfiguration or deletion should be understood as a revocation of lawful consent for purposes of section 2702(b)(3) -with the result that the provider would be prohibited by section 2702(a) from complying with a subpoena regarding any such communication.42
Defendants, by contrast, insist that once a registered social media user configures a communication as public and posts it, triggering section 2702(b)(3)'s lawful consent exception and presumptively allowing disclosure by a provider, the user cannot subsequently revoke that implied consent to disclosure, even if the user promptly reconfigures any post as restricted or deletes the post or closes the account. In support, defendants assert that "any reasonable user knows once you make information publicly available on social media it will be '... broadly and instantly disseminate[d]' ... 'to a wide range of users, customers, and services, including search engines, developers, and publishers ...' just as Twitter advises in its terms of service."43 Defendants assert that after a public communication has been made so widely available, "[r]evoking consent is as possible as un-ringing a bell."
*1288The parties have cited no decision explicitly addressing whether reconfiguration, deletion or account closure operates to revoke consent for purposes of section 2702(b)(3), nor have we found any such *111case. It appears that providers' revocation claim poses a question of first impression. **754Providers may be understood to invoke Congress's intent to protect users' privacy (as described ante , pt. II.A.), and to suggest that their proposed interpretation-under which a provider would be required to honor a user's reconfiguration or deletion so long as it was undertaken by the time a subpoena is issued-would afford greater protection to that privacy interest.44 Defendants, on the other hand, question whether a social media user's reconfiguration or deletion of a public post can in reality effectuate a revocation of consent to disclosure45 -and whether Congress intended to *1289ensure revocability of consent in this context. Because the record does not indicate whether, in fact, any public communication sought by defendants was subsequently reconfigured or deleted before the relevant underlying subpoena was issued, we express no opinion on the revocation of consent issue-and leave it to be explored, if necessary, by the trial court on remand. *1123. Technical difficulties that providers may face in determining the applicable privacy configuration and retrieving deleted communications -and protecting providers from excessive burdens
Providers assert that in light of a registered user's ability to reconfigure communications, "providers may not easily be able to determine the intended audience of a communication at any given point in time" and "it may be difficult for a provider to accurately identify" whether a given communication when posted was public or restricted. Likewise, speaking on providers' behalf, amicus curiae Google avers: "Providers do not routinely maintain records of past privacy settings for each post or message. Lacking such records, it would be impossible to determine the privacy configuration that applied when a communication was posted or sent." (Italics added.) Providers also assert that "if a user changes the privacy setting for a communication, a service may not be able to accurately **755determine prior privacy settings." In addition, providers assert it would be difficult for them to retrieve deleted communications. As noted by the trial court, however, a subpoena recipient has a general obligation to undertake reasonable efforts to locate responsive materials. Again, any technical difficulties a given provider may face in determining the relevant history of a particular communication, or retrieving any deleted communication, are matters to be explored at the anticipated hearing on remand.
Providers similarly urge that they should be protected from excessive burdens. As observed ante , part II.A., Congress articulated its main purposes in enacting the SCA: affording privacy protections to users while accommodating the legitimate needs of law enforcement. It also articulated a tertiary goal: to avoid discouraging the use and development of new technologies. Providers' briefs characterize this additional purpose as one of "enhanc[ing] the use of communications services and protect[ing] providers from being embroiled as a nonparty in litigation." Amicus curiae on providers' behalf, Google, characterizes this additional purpose even more specifically as "protecting providers from an otherwise limitless burden of responding to requests to disclose their users' communications." Providers rely on dictum in *1290O'Grady, supra , 139 Cal.App.4th 1423, 44 Cal.Rptr.3d 72, in which the court voiced concern about the prospect of such subpoenas to providers in routine civil cases. ( Id. , at pp. 1445-1447, 44 Cal.Rptr.3d 72.)46
In light of the statutory scheme, it appears that Congress sought to limit burdens placed on service providers by various means-most obviously, by establishing broad prohibitions and specific exceptions regarding access and disclosure under sections 2701 and 2702, along with rules and procedures pursuant to which the government may compel disclosure under section 2703. With regard to burdens related to disclosure in particular, Congress significantly limited the potential onus on providers by establishing a scheme under which a provider is effectively prohibited from complying with a subpoena issued by a nongovernmental *113entity-except in specified circumstances. But when any one of the exceptions does apply, there is no indication that Congress intended that providers would be categorically relieved from the burden of compliance with an otherwise lawful civil or criminal subpoena. Hence, as the court held in Negro , supra , 230 Cal.App.4th 879, 179 Cal.Rptr.3d 215, a provider may properly be subject to the burden of compliance with a subpoena, even with respect to communications configured by the registered user to be private , when a user expressly consents to disclosure by his or her service provider. Likewise, a provider may properly be subject to the burden of compliance with a subpoena when a user implicitly consents to disclosure by configuring a social media communication as public .
Of course, any third party or entity-including a social media provider-may defend against a criminal subpoena by establishing that, for example, the proponents can obtain the same information by other means, or that the burden on the third party is not justified under the circumstances. ( City of Alhambra v. Superior Court (1988) 205 Cal.App.3d 1118, 1134, 252 Cal.Rptr. 789 ; cf. Kling v. Superior Court (2010) 50 Cal.4th 1068, 1074-1075, 1078, 116 Cal.Rptr.3d 217, 239 P.3d 670.) Indeed, the Act itself specifically contemplates that providers may raise such issues in the context of compelled disclosure to a governmental entity under section 2703(d) (a court "may quash or modify such order, if the information or records requested are unusually voluminous in nature or compliance with such order otherwise would cause an undue burden on such provider"), and the same principles would apply in the present setting.
As noted, providers advanced similar arguments regarding the burden of compliance with the subpoenas in the earlier trial court proceeding. (Ante , *1291part I.E.) In response, the **756trial court ruled that absent additional factual information demonstrating impossibility or the extent of burdens, it could not engage in any such balancing of production versus burden. Providers' current claim of undue burden can properly be addressed by the trial court on remand.47 *114IV. CONCLUSION AND DISPOSITION
We vacate the Court of Appeal's decision and direct that court to remand the matter to the trial court for proceedings consistent with this opinion.
WE CONCUR:
CHIN, J.
CORRIGAN, J.
LIU, J.
CUÉLLAR, J.
KRUGER, J.
YEGAN, J.*