In an article earlier this year we noted that at a large number of states had introduced legislation to address an emerging issue that is unique to our Information Age: how will our digital assets be accessed and used (or kept private and destroyed, depending on our wishes) after we die, and by whom? Who can access your online accounts where you store photos, music, financial information, frequent flyer miles or social media material once you pass on? The answer, at least for now, is found in the Revised Uniform Fiduciary Access to Digital Assets Act (“Revised UFADAA”), which was introduced in 31 state legislatures this year and ultimately passed into law in 19 states, including Arizona and Colorado. In fact, of the seven Western states to introduce the law, Utah is the only state that failed to enact it this year.
Now that the law is in place in many states, the question becomes: What does it actually do?
The new law is an attempt to bridge the interests of two parties. First, digital content and website service providers (“Custodians”) want to ensure that assets under their control are not accessed improperly by anyone other than the authorized account holder (“User”). There are many website service agreements that limit who can access User accounts and what content may be redistributed. These precautions intend to protect the Custodian from potential violations of the Computer Fraud and Abuse Act. Before the Revised UFADAA, Custodians were understandably wary in granting third party access to a User’s digital content – such requests ranging from digitally stored personal photographs to recent online bank statements – and a typical response could be a flat-out denial of such requested access.
On the other hand, persons acting on behalf of a User (a “Fiduciary”) may need to access information held by Custodians to fulfill duties owed to or by the User. A Custodian’s denial of access would be understandably frustrating to the Fiduciary when the Fiduciary is legitimately trying to settle matters for the User.
The Custodian’s Rights and Obligations Under the New Law
With the Revised UFADAA, “Custodians and its officers, employees and agents are immune from liability for an act or omission done in good faith” and in compliance of the law. Simply put, a Custodian can honor a Fiduciary’s request for access to a User’s digital content if some due diligence is first observed.
A “Fiduciary” is defined as “an original, additional, or successor personal representative, conservator, agent, or trustee”. Accordingly, a Fiduciary may act for a User during the User’s life (as an agent under a power of attorney, a conservator, or as a trustee under a valid trust) or once the User has died (as a personal representative of the User’s estate or as a trustee under a continuing trust). The Fiduciary can make a request of a Custodian for access to the User’s digital content, such requests having to meet specific standards. These standards typically deal with the Fiduciary providing clear evidence that they are empowered to act on the User’s behalf. Upon receipt of a Fiduciary’s request, a Custodian has 60 days to respond.
A Custodian’s response to a Fiduciary’s request can depend on whether the Custodian provided an online tool with which the User could appoint and modify the appointment of an authorized individual (“Designated Recipient”) to access any of the User’s digital content. For instance, Facebook permits Users to appoint a Designated Recipient known as a “Legacy Contact”. (Facebook > Privacy Shortcuts > See More Settings > Security > Legacy Contact). This Legacy Contact has the authority to access a User’s Facebook profile once Facebook is properly notified of the User’s death. This Legacy Contact would have priority over a User’s duly appointed Fiduciary, regardless of when such Fiduciary was chosen or appointed. If, however, a User does not use an online tool, or if the Custodian simply did not offer an online tool, a Fiduciary has the right to access the digital content.
However, a big exception must be noted here. Despite a User’s express use of an online tool or the proper appointment of a Fiduciary, a Custodian has no obligation to provide access to digital content if a User has expressly notified the Custodian that the User’s content is to be erased or destroyed upon the User’s death. In other words, if a User expressly tells the Custodian that he or she wants certain digital content destroyed or deleted, then that direction by the User overrides any direction to the contrary in a will, trust, power of attorney, or other record. Again, using Facebook as an example, a User may elect to have their account permanently deleted at their death; the User merely needs to check a box. This election is located directly beneath the option to choose the Legacy Contact.
Provided that a User has not elected to have their digital content deleted and that a Custodian has an obligation to provide a Fiduciary or a Designated Recipient access to a User’s digital content, a Custodian may disclose the information by either:
- Granting the Fiduciary or Designated Recipient full access to the User’s account;
- Granting the Fiduciary or Designated Recipient partial access to the User’s account sufficient to perform the tasks with which the Fiduciary or Designated Recipient has been charged; or
- Simply provide the Fiduciary or Designated Recipient a copy of the digital content available to the User as of the date of the User’s death.
A Custodian is under no obligation to provide a Fiduciary or Designated Recipient a digital asset previously deleted by the User. Further, the Custodian may assess a reasonable administration charge for the cost of disclosing the requested digital content.
It should be noted that a Custodian, even an out-of-state Custodian, is expected to comply with a state’s Revised UFADAA statute if a User died in a state having enacted such law. Further, if the new law is considered to apply retroactively, then it may apply to any Fiduciary duly appointed before, on, or after the effective date of the statute.
The Fiduciary’s Rights and Obligations
Despite granting Fiduciaries access to a User’s digital content, the Revised UFADAA also sets forth some limitations on Fiduciaries. Generally, the new law does not grant the Fiduciary any new or expanded rights over a User’s digital content. In fact, and as noted above, a User can override a Fiduciary’s ability to access digital content by requesting that the Custodian delete such content at the User’s death. Further, a Fiduciary cannot do whatever it pleases with the User’s digital content. A Fiduciary has duties of care, loyalty, and confidentiality and may only exercise its powers to perform the tasks the Fiduciary has been appointed to do by the User. If a Fiduciary acts within this limited scope of authority then they are considered an authorized user of the User’s digital content for the purpose of applicable computer-fraud and unauthorized-computer-access laws.
In the past, Fiduciaries may have been uncertain about what to do when a Custodian denied their request for access to a User’s digital content or simply ignored the request for longer than 60 days. Under the Revised UFADAA, however, a Fiduciary now has the ability to seek a court order directing the Custodian to release the requested information. Provided that the Fiduciary has shown satisfactory evidence of their appointment, and provided that the Custodian cannot claim that the User elected to limit or deny Fiduciary access to the digital content, a court can grant an order compelling a Custodian to grant that access.
The Information Age continues to present new twists to a legal system that is often outpaced by the advancement of technology. The Revised UFADAA seeks to fill the legal void about how Fiduciaries can properly gain access to digital content while also providing Custodians with protection from liability for providing such access. How effective the law is in bridging the interests of Custodians and Fiduciaries will be determined as time goes by. As always, stay tuned for further developments.