Members of the tech industry and estate lawyers are pushing Congress to tweak an email privacy law to ensure that digital accounts don’t die when their users do.
With pressure building on Congress to update the 1986 Electronic Communications Privacy Communications Act (ECPA), some are asking lawmakers to explicitly allow people to control who can access their online accounts after they die or become incapacitated.
“Yesterday’s filing cabinet is now a laptop,” said Suzanne Walsh, an estate attorney at Connecticut-based Cummings & Lockwood.
Walsh and other estate attorneys from across the country have created a model state bill that would allow the person responsible for a deceased’s estate to also access the person’s digital accounts.
States are now working to pass new laws and update old laws using the model bill from Walsh’s group.
Allowing that kind of access to the person charged with carrying out a person’s will dovetails with centuries of estate law and expectations about what happens to a person’s belongings after death, the lawyers argue.
But tech companies and trade groups are pushing back on the state laws, warning that they conflict with the ECPA, which prohibits companies from releasing private communications without the user’s “lawful consent.”
In a letter to Gov. Jack Markell of Delaware — a state that is currently considering a bill on access to accounts — tech companies and groups warned about the discrepancy between federal and state privacy law.
The Delaware proposal “disregards” the privacy protections in the ECPA “and sets the privacy standards for Delaware residents lower than most of the country — requiring online service providers to disclose communications without lawful consent,” Google, Yahoo, AOL and others wrote.
The solution, some say, could be found in Congress’s update to the privacy bill.
While most of the focus on the ECPA is centered around requiring law enforcement officials to obtain a warrant before accessing emails that have been stored for more than six months — a change that has the support of more than half of the House — tech groups and lawyers are hoping Congress will also tackle the issue of what happens to accounts after a user dies.
An update to the law that allows the person carrying out a user’s will to grant that user’s lawful consent “would be fabulous,” Walsh said.
Walsh called that kind of update a “little tweak” that reflects the intent of the original 1986 bill as adapted to 21st century communications.
The issue of valuable digital assets “just wasn’t in the scope” when Congress wrote the privacy law, she said. “It was just an omission.”
James Lamm — an estate attorney at Minnesota-based law firm Gray, Plant and Mooty and another leading voice on the issue — said he and other estate attorneys plan to take the issue to Congress in the coming months.
“If this is a stumbling block for companies, let’s try to get that clarified,” he said.
Lamm added that clarification would be a “simple” addition of “literally one or two sentences.”
But the law, he continued, tends to be a politically charged issue.
'Any tweak to that is going to be very difficult,” he said.
Carl Szabo, policy counsel at NetChoice, said tech companies would be reassured by an ECPA update clarifying that the companies wouldn’t be violating the federal law if they release a deceased user’s information to the person carrying out that user’s will.
“That would address the legal concerns we have,” he said.
Szabo’s group includes Google, Facebook, AOL and Yahoo. It was also a signatory on the Delaware letter.
He also encouraged lawmakers to give the tech industry more time to work out solutions to the questions about what happens after a user dies.
Szabo also pointed to tech companies’ efforts to give users choices regarding what happens to their accounts after they die.
“We are creating tools to give users choice,” he said, citing features offered by Facebook and Google.
Through its “Memorialize” feature, Facebook lets family and friends of a person who has verifiably passed away to request an account be frozen.
With Google, users can automatically give trusted contacts portions of their data if their account has been inactive for a specified period of time. Users can also request that all or parts of their data across Google’s services be automatically deleted.
Szabo pushed back on legislative proposals, especially at the state level, that could force a company to choose between obeying the law and going against a user’s privacy preferences.