Privacy policy practitioners in the digital age have their hands full as society becomes more aware of personal privacy rights and what information can and cannot be shared.
Until now, most of the public had not thought about the intersection of technology, privacy and death, despite technology continually pushing legislative and regulatory boundaries. The control of user data has been principally dictated by a content provider's terms of use or terms of service agreement. However, the challenge of postmortem privacy faces chief privacy officers and policy practitioners across every industry and sector. Consumer awareness and marketplace demands have already begun to break through the media surface, seen most recently in Apple's announcement of their Digital Legacy Program available in their fall iOS 15 release.
Planning for the death of an account holder is difficult as there isn't an identifiable date to fixate. Yet, the issues of data ownership and privacy after death is real. Those involved with policy creation face a custodial dilemma when dealing with their clients' accounts upon incapacity and death. Who is responsible for protecting a user's data privacy and the dissemination of asset data after death? What rights does a user have over their digital assets when they can no longer act or when they are no longer with us?
Over the last several decades, we have seen an expanded definition of privacy as expectations change with each generation asking, what is privacy and why is it important? We can assume that "privacy is essential to who we are as human beings," but the differences are relative to the individual and institution. Although definitions evolve and almost every organization invests in policies for the living, very little attention is paid to policies surrounding an account holder's death.
The IAPP outlines that "privacy is now a necessity of doing business," and every organization that interacts with clients online will need to deal with digital assets upon incapacity and death if they haven't been doing so already. The number of deceased persons on Facebook is part of the public narrative and social media alerted us that one's wishes upon death matter to not only the deceased but also to the grieving family and beneficiaries.
Organizational policies are determined by lawyers, security, privacy and compliance officers as well as operations and finance executives. Whether privacy policies are born from marketplace demand, the need for competitive necessity, or regulatory or legislative compliance, they are the underpinnings defining data use, disclosure and security. Organizations with an online presence or those that handle an individual's data or digital assets must have privacy policies for handling the data of incapacitated or deceased account holders. What actions do content providers and data holders need to take?
When did estate planning of digital assets become an issue for chief policy officers?
Digital asset estate planning has been a frequently overlooked topic, but now everyone needs to pay attention to planning for this asset class, especially with the pandemic accelerating this requirement through the rise of global internet use by forcing more personal and business communications to a digital or virtual setting. The deathcare and estate industries have only just begun to address the category of digital property by enhancing existing business processes and client management platforms. This environment gets further complicated with jurisdictionally different laws and regulations. These issues emerged long before the pandemic but have accelerated as countries navigate public health rules and the continued digitization and commoditization of our data.
Privacy practitioners should take note of an individual's digital assets as an emerging asset class. A general definition of digital assets boils down to identifying them "as an electronic record that individuals have a right or interest." It usually does not include an underlying asset or liability, unless that asset or liability is itself an electronic record. Common examples of digital assets include social media accounts, digital photos and videos, domains, websites, and electronic communications, such as email and instant messages; although, the category is much broader, including cryptocurrencies, digital collectibles and nonfungible tokens.
Global postmortem privacy — How pervasive is the issue?
Although the estate industry has yet to see an overwhelming number of cases regarding postmortem access to digital assets, the actual cases tried in the court of law and in the court of public opinion reveal alarming outcomes. The amount of money, time and effort required by families and beneficiaries when struggling with service providers to gain access to a deceased person's accounts or digital assets is troubling.
Very few global tech companies have pre-planning options for their users, but Facebook and Google do. If used, they allow for access, retention or transfer of specified data and information. As many of the global tech giants are based in the United States, many of these organizations point to U.S. privacy laws or the U.S. model legislation for states called the Revised Uniform Fiduciary Access to Digital Assets Act. Likely unbeknownst to many consumers and still new to estate planners is that the default rule under RUFADAA requires the user to provide an explicit directive in estate planning documents, in instruments like a power of attorney, will or trust, or in an online tool through a service provider, which incorporates options for the disclosure or non-disclosure and deletion of the digital asset at the time of a user's death or incapacity. If no such directive is provided, absent a court order — which can be an expensive and time-consuming process to obtain — the service provider's TOSA controls the outcome. It should be noted that digital assets of an employer used by an employee in the regular course of the employer's business are not typically accessible by a fiduciary under RUFADAA.
Global postmortem privacy landscape
In many countries, there are multiple jurisdictional-specific laws that apply to accessing, storing and managing digital assets. Often these laws are silent or inconsistent as to what happens upon the incapacity or death of the account holder. In addition to inconsistent laws and TOSA provisions, one of the major challenges in planning for digital assets is maintaining the information's privacy, which is not guaranteed. Privacy matters considerably more for digital assets, especially electronic communications, than other traditional property interests given the virtual and data-driven nature of this asset class and their nature to exist into perpetuity.
There isn't an easy method to navigate this complex environment. Every digital asset has unique characteristics that must be considered during estate planning, coupled with the fact that every individual has different wishes and preferences about how they want their digital assets to be handled and what they consider secure. From a legal perspective, these issues make unpacking digital assets in estate planning complicated and the results varied, on top of the technical implications and other traditional estate planning considerations, such as valuation and tax matters.
Where do executives and chief privacy officers begin?
Privacy and compliance officers should learn about their client's individually held digital assets (and those owned by small businesses), their estate and business planning policies, and how succession planning will affect organizational policies.
- Review your organization's TOSA to determine if it addresses incapacity or death of the account holder.
- Review policies on sharing passwords, account holder impersonation and security protocols.
- Create an internal process for approval/denial requests for responding to incapacity or death of the account holder questions and information requests. Make the policies publicly available.
- Review your jurisdiction's privacy and fiduciary access to digital content laws to determine if incapacity or death of the account holder is addressed.
- Develop and implement a plan for customer service, security and operations teams, increasing their awareness of digital assets, probate and estate laws, and newly enacted legislation.
Postmortem privacy is an emerging area for privacy and compliance officers as tech constantly evolves. Regulations governing consumer rights, privacy and estate planning for digital assets also must evolve with industry standards determined by concerned stakeholders ensuring proposed protocols are balanced in addressing remaining gaps.
Photo by Dayne Topkin on Unsplash