Source Ledger - RUFADAA and the Stored Communications Act
Two federal and uniform-state laws together govern whether a family can legally access a deceased or incapacitated person’s digital accounts. The Stored Communications Act of 1986 prohibits service providers from disclosing the contents of electronic communications without authorization. The Revised Uniform Fiduciary Access to Digital Assets Act, adopted by Arizona in 2016, provides the legal framework through which a fiduciary (executor, successor trustee, agent under POA) can obtain that authorization.
The two laws operate in tension. The Stored Communications Act sets the prohibition. RUFADAA provides the exception. Without RUFADAA-compliant documentation, the Stored Communications Act applies as a near-total bar on disclosure, and tech companies refuse access even to immediate family members holding death certificates.
This is the legal reason why a grieving family member cannot get into a deceased parent’s iCloud account by calling Apple, even with proof of death and knowledge of the password. The technology companies are not being unhelpful. They are following federal law that imposes criminal liability for unauthorized disclosure.
Where the laws came from
The Stored Communications Act was enacted as Title II of the Electronic Communications Privacy Act of 1986 (ECPA), signed into law by President Ronald Reagan on October 21, 1986. The act is codified at 18 USC 2701 through 2713.
The statute was written in response to the early commercial use of electronic mail and stored electronic records, which the existing wiretap statute (Title III of the Omnibus Crime Control Act of 1968) did not adequately address. The 1986 law was forward-looking for its time, but the time was very early. The internet as a consumer service did not exist. Email was used by academic and government users almost exclusively. The “cloud” was not a concept. The drafters of the SCA had no way to anticipate the digital footprint a typical American would accumulate by the 2020s.
The statute’s core prohibition is at 18 USC 2702: a provider of electronic communication service to the public, or remote computing service to the public, “shall not knowingly divulge to any person or entity the contents of a communication” while in storage by that service. The prohibition includes both content (the actual messages, photos, documents) and, in some cases, metadata (information about communications).
Violation of the SCA can carry both civil penalties and criminal liability for the service provider. This explains why technology companies are aggressive about denying access. They are not making a privacy choice; they are protecting themselves from federal prosecution.
The Revised Uniform Fiduciary Access to Digital Assets Act (RUFADAA) was drafted by the Uniform Law Commission and approved in July 2015. It revised an earlier draft (UFADAA, 2014) that had been rejected by most state legislatures after objections from the technology industry. The revised version, which incorporated industry concerns about user privacy and service provider liability, has been adopted by 47 states and the District of Columbia.
Arizona adopted RUFADAA effective May 11, 2016, codified at Arizona Revised Statutes Title 14, Chapter 13. The Arizona version is substantially identical to the uniform act.
How they operate together
RUFADAA establishes a three-tier priority system for determining whether a fiduciary can access a deceased or incapacitated user’s digital assets.
Tier 1: Online Tool. If the user, during their lifetime, used a service provider’s online tool to designate what should happen to the account after death or incapacity (Facebook’s Legacy Contact, Google’s Inactive Account Manager, Apple’s Legacy Contact, similar tools at other services), that designation controls. The online tool overrides anything in the user’s will or estate plan.
Tier 2: Estate Planning Documents. If the user did not use an online tool, the user’s will, trust, Power of Attorney, or other estate planning document controls (provided those documents expressly grant access to digital assets). A general statement in a will leaving “all my property” to a spouse is not sufficient; RUFADAA requires specific language addressing digital assets and the level of access granted.
Tier 3: Terms of Service. If the user did not use an online tool and did not have estate planning documents specifically addressing digital assets, the service provider’s Terms of Service Agreement controls. Most TOS agreements deny disclosure entirely, treat the account as terminated at death, and reserve the right to delete content.
This three-tier system means that without affirmative planning (either through an online tool or through specific language in estate planning documents), the family defaults to whatever the service provider’s TOS says, which is almost always restrictive.
Even with a properly drafted Digital Asset Authorization, RUFADAA distinguishes between “content” access (the actual messages, photos, files) and “non-content” access (account existence, dates of communications, metadata). Service providers are required to provide non-content access more readily; content access requires additional documentation and may still be denied for messages where the user is the sender (third parties to those communications have their own SCA protections).
Service providers may also require:
A copy of the death certificate
A copy of the relevant court order (Letters Testamentary, Letters of Administration, or court order finding incapacity)
A copy of the relevant estate planning documents
Confirmation of the user’s identity through account information
Compliance timelines vary by provider. Some platforms respond within 30 days; others take months. Some have no consistent process at all.
Why the structure creates difficulty
The legal architecture is designed to balance privacy against family access, but the practical result favors privacy aggressively. Several specific factors compound the difficulty.
The first is that most people have not used the available online tools. Facebook’s Legacy Contact, Google’s Inactive Account Manager, and Apple’s Legacy Contact are all opt-in features that most users never configure. The Tier 1 mechanism that would resolve the question cleanly is unused for the vast majority of accounts.
The second is that most estate planning documents predate RUFADAA or were drafted without specific digital asset language. A will or trust from before 2016 almost certainly lacks the language RUFADAA requires for Tier 2 to apply. Updating these documents is straightforward but requires action that most families do not take until after a death has occurred.
The third is the irreversible nature of certain digital losses. Cryptocurrency held in a wallet whose private keys die with the user is gone permanently; no court order can recover it. Photos stored only in a deceased person’s account may be retained by the service provider during the legal dispute, but they may also be deleted under account inactivity policies before access is granted. Email correspondence and personal writing held in a single online account may be similarly lost.
The fourth is that even successful RUFADAA invocations rarely deliver full content access. Service providers often comply by closing the account or providing limited metadata rather than turning over the actual contents. The family ends up with confirmation that an account existed but no access to what was in it.
Formal definition
The Stored Communications Act (18 USC 2701-2713) is a federal statute, enacted as Title II of the Electronic Communications Privacy Act of 1986, that prohibits service providers of electronic communication and remote computing services from disclosing the contents of stored communications without authorization. The Revised Uniform Fiduciary Access to Digital Assets Act, adopted by Arizona at ARS Title 14, Chapter 13, effective May 11, 2016, provides a three-tier framework (online tool, estate planning documents, terms of service) by which a fiduciary may obtain authorization to access a user’s digital assets after death or during incapacity.
COMMON MISUSE OR MISCONCEPTION
Treated as a privacy issue between the family and the tech company. The legal restriction comes from federal statute, not from corporate privacy policy. Service providers face criminal liability for unauthorized disclosure under the SCA. Their refusal to disclose is compliance with federal law, not a customer service decision.
Assumed to be defeated by knowing the password. Knowing a password does not authorize use. Logging into a deceased or incapacitated person’s account without RUFADAA-compliant authorization is technically a violation of both the SCA and the service provider’s Terms of Service, regardless of whether the action would have been welcomed by the account holder when alive.
Confused with general estate inheritance. RUFADAA does not give the family ownership of the deceased’s digital assets. It gives a designated fiduciary the legal authority to access them. The distinction matters: a will leaving “all property” to a spouse is sufficient to inherit physical property and financial accounts, but is generally not sufficient under RUFADAA to grant access to digital accounts. Specific language is required.
Assumed to apply only after death. RUFADAA applies to both death and incapacity. A Power of Attorney with proper digital asset language can grant a living agent the right to access accounts during the principal’s incapacity, not only after death.
Treated as eliminating the need for password records. RUFADAA grants legal authority; it does not provide technical access. A fiduciary with full RUFADAA authorization still needs the passwords, two-factor authentication codes, or recovery information to actually log in. The legal pathway and the technical pathway are separate; both are needed.
Where this comes up in the series
Understanding Your Digital Asset Authorization, addresses both laws directly and explains how a RUFADAA-compliant Digital Asset Authorization document grants legal access. The post is the primary linkage point for this Source Ledger entry.
Understanding Your Financial Power of Attorney, addresses the parallel structure for digital access during incapacity, since a Financial POA with proper digital asset language is one of the documents through which RUFADAA Tier 2 authorization can be granted.
