One possible obstacle to the transfer of online accounts concerns privacy laws. If an account owner dies, a personal representative or successor trustee may not be able to simply call up the service provider and obtain a password to the decedent’s account. The service provider may have a privacy policy that prohibits turning over account information or content to a third party without a user’s consent. As a result, the service provider may refuse to allow the personal representative access. In that case, counsel may need to make use of one of the procedures I describe in the previous section. Although the service provider arguably has an obligation to surrender property of the decedent, the service provider may want a court order authorizing turn over of the account in order to protect itself from a claim of a privacy violation. Even if the decedent did not assert a privacy claim, government regulators might. Therefore, requiring a court order would seem to be a prudent course for a service provider.
In addition, planners should consider the effect of cybercrime laws, like the Computer Fraud and Abuse Act, California’s cybercrime and identity theft laws. They should also account for service providers’ terms of service. A service provider could take the position that a personal representative’s use of a decedent’s password to access an account after death is a violation of its terms of service. The service provider might also say that using the decedent’s account violates cybercrime laws. On the other hand, the personal representative could contend that he or she steps in the shoes of the decedent for purposes of authority to access the account. Moreover, the personal representative may have documents signed by the decedent authorizing access to online accounts.
There seems to be a gray area regarding the legality of post-death access to accounts. Nonetheless, the Nicholson article mentioned above in Section III suggests to service providers
that they should make plans for death and disability by allowing users to name a contingent authorized user who has the authority to access the account. In the absence of clear procedures for contingent authorized users to an account, where online services warn of criminal liability for unauthorized access to accounts, it may be prudent for a personal
representative to avoid simply accessing the account following the decedent’s death using the decedent’s password. In such cases, it may be best to obtain the court’s instructions permitting the access.