Christmas came on Friday, June 22 this year—that is, if you’re a privacy and surveillance law nerd.

After deliberating the decision for months, the Supreme Court handed down its opinion in Carpenter v. United States, a case in which the court was asked to answer the question: is it OK for police to obtain 127 days' worth of someone’s cell-site location information (CSLI) without a warrant?

In a 5-4 decision, the court found that the answer was “no.” This is clearly a landmark step toward stronger privacy protections, and the opinion builds on two other related cases that the court unanimously decided in 2012 (Jones v. United States) and 2014 (Riley v. California).

A majority of the justices clearly articulated something that many of us intuit: that “tracking a person’s past movements... are detailed, encyclopedic, and effortlessly compiled.” In other words, long-term location data is “unique” when compared against other types of record that police have been previously able to obtain, such as bank records or short-term call logs.

After all, allowing law enforcement officers a warrantless tool of this magnitude gives them something of a superpower. Until Friday, police could easily acquire a set of data that would achieve what no team of officers previously could without expending significant human and financial resources.

With the court clearly imposing a warrant standard, police just have to do a little more legwork ahead of time, but getting a warrant is not difficult. Federal magistrate judges nationwide sign off on them literally every day: it is one of their key functions. The police’s job just got a bit tougher but certainly not anywhere close to impossible.

Now, while the Supreme Court plays a critical role in helping all of us (police and civilians alike) understand what the law is, it is equally important to remember that privacy advocates big and small cannot afford to wait.

The wheels of justice famously move slowly, and cases often take several years to reach the Supreme Court, if they ever do. (Carpenter is in the extreme minority: the court rejects the overwhelming majority of cases submitted to it.)

With Carpenter, the facts of the case took place in 2010 and 2011. As Tim Carpenter’s prosecution unfolded, he was eventually convicted at trial, lost on appeal, and finally got to the Supreme Court, which heard oral arguments in October 2017.

As conservative jurists often remind us, it is not for courts to make the law, but rather to interpret the law. Justice Samuel Alito, in his dissent in Carpenter, wrote: “If the American people now think that the [Stored Communications] Act is inadequate or needs updating, they can turn to their elected representatives to adopt more protective provisions.”

OK, then. Game on.

As I argue in my new book, Habeas Data, it is incumbent upon all people everywhere who care about such issues to agitate toward more such legislative improvements. In an increasingly partisan and divided Congress, our federal legislators do not seem particularly motivated to debate legislation that would rein in some of the government’s everyday domestic criminal-law surveillance powers.

Put another way: how much has surveillance technology (or even the smartphone in your pocket) improved since Tim Carpenter perpetrated his armed robbery several years ago? With increasingly inexpensive police drones and the advent of companies that are literally called “Persistent Surveillance Systems,” this problem will only get worse.

There are suggestions that judges should take a critical view of the advancement of this area of technology.

“A person does not surrender all Fourth Amendment protection by venturing into the public sphere,” a majority of the Supreme Court concluded in Carpenter.

But such legislative reform efforts are starting to take hold in some cities and states across our nation. Unfortunately, these actions, for now, are the exception rather than the rule. More typically, law enforcement is able to acquire surveillance technology—ranging from phone-location records to stingrays to drones and beyond—with little, if any, informed consent of its legislators.

As I reported just last month for Ars, Oakland is now one of a handful of California entities (including Berkeley, Davis, and Santa Clara County) that mandate a formal annual report that details “how the surveillance technology was used,” among other requirements. (Such legislation has been advocated by the American Civil Liberties Union of Northern California, among other groups.)

In the wake of Oakland’s 2013 efforts to approve federal grant money to construct a “Domain Awareness Center,” the city has now also created a “Privacy Advisory Commission,” or PAC. This body, composed of volunteer commissioners from each city council district, acts as a privacy check on the city when any municipal entity (typically the police department) wants to acquire a technology that may impact individual privacy.

The new law requires that the PAC be notified if the city is spending money or seeking outside grant money to be spent on any hardware or software that could potentially impact privacy. Notably, Oakland’s law specifically includes provisions that forbid non-disclosure agreements and protect whistleblowers.

I am unaware of any other city in America that has duplicated the Oakland model, but I hope this changes soon.