Here’s an unusual question I was recently asked:
“Do privacy rights end when you die?”
It’s shocking to consider how consequential that question is, especially with the rise of AI.
Although we might assume our privacy rights continue, or that privacy concerns end when our lives do, in fact the data trail we leave behind can continue to grow, circulate, and be analyzed long after we’re gone.
Sadly, our families are left to discover this the hard way. A grieving child might attempt to close a parent’s social media account, only to find out that the platform’s terms of service allow the company to retain years of private messages and photos for up to six months after deletion.
Events in the health tech world underscore the stakes. When 23andMe filed for bankruptcy in March of 2025, customers were panicked that their genetic data would be effectively auctioned off to the highest bidder. Later, when the company announced it had been acquired, it became clear that customers’ data — and, by implication, the genetic information of their entire family tree — would end up in the hands of an entirely new company. If those concerns are unsettling for the living, imagine how little recourse exists once the data subject is gone.
Legislators have historically focused privacy regulations on protecting the living (privacy law stemming from inter vivos harms such as surveillance). Unfortunately, the privacy rights of the deceased remain largely unprotected. This gap only figures to widen in coming years — as AI personas, agents, and content grow — and estate planners cannot ignore it.
Protecting a client’s digital privacy after death is now table stakes in modern estate planning, not an added service reserved for the likes of the tech-savvy. Clients live their lives online and expect that digital life to be protected. Without a deliberate plan, their data becomes vulnerable — to exposure, to theft, to loss, to a mess far stickier than they ever anticipated.
Estate planners have a duty to stay ahead of these realities by bringing digital asset governance and posthumous privacy protection into every standard planning conversation with each client.
The Legal Landscape: Privacy Rights Don’t Survive Death
Across the United States, major privacy statutes limit their protections to living individuals, or are silent as to protections for deceased persons. For example, while the California Consumer Privacy Act (CCPA) is still evolving, it’s written around the premise of protecting living persons. Other state privacy frameworks take a similar approach. Once a person passes away, their statutory privacy rights presumably expire with them.
Europe offers few solutions. While the GDPR is expansive in many respects, it expressly excludes deceased individuals. EU member states are left to take a country-by-country approach to posthumous privacy rights. The result is similar to the United States: the region lacks robust protections (particularly comprehensive laws suited to AI).
The result is a vacuum. If privacy laws do not affirmatively and comprehensively protect the deceased, their digital footprint becomes far more vulnerable. Data belonging to deceased individuals may remain in circulation across systems ranging from marketing databases to cloud storage environments for years. In the absence of explicit instructions, a motivated family member, or a proxy submitting myriad death certificates and requests for deletion (if such an avenue is even available), companies can retain or repurpose data as they wish, indefinitely.
This leaves families and fiduciaries with uncertainty, and leaves service providers with confusion, at best, and wide discretion, at worst. In the absence of stronger legislation, the only reliable way to preserve posthumous privacy is through proactive planning before death.
Digital Assets at Risk After Death
Take a quick, casual survey with your inner circle and ask them what becomes of their unattended accounts when they die. Odds are, most of them will say they simply sit dormant. In fact, that’s when they’re arguably at an even greater risk of becoming exposed. Cybercriminals frequently target dormant accounts because they know what we don’t: fraud is harder to detect when the account owner is no longer monitoring activity. As a result, your encrypted email account gets hijacked and your financial profiles are used to open new lines of credit. What was once unfathomable becomes a quick afternoon of work for a half-decent hacker.
Then there’s the growing risk of impersonation through AI, entirely a beast of its own. With enough training data, an attacker could spin up convincing messages that appear to originate from the deceased. For families grieving a loss, the emotional and financial consequences of such an attack can be devastating.
Data brokers and dark web marketplaces also traffic in information tied to deceased individuals. This includes Social Security numbers, medical records, and even old passwords. Since most families do not delete these accounts quickly — or ever — this information remains in circulation.
Meanwhile, large tech companies often retain more rights than users realize. Common terms of service allow platforms to keep content, metadata, and behavioral information permanently or for extended periods. Some platforms “memorialize” accounts by default. Others — such as X — retain the ability to absorb account data into long-term training sets or internal research. Where product roadmaps are set by most requested or revenue-generating features, account deletion improvements for use cases involving deceased individuals are unlikely to be prioritized absent regulatory requirement.
Without automation, easy self-serve tooling, or instructions, the fate of a person’s digital identity is determined, at best, by corporate policy, and at worst, by prowling cybercriminals.
Key Digital Privacy Risks Estate Planners Should Know
Estate planners already deal with the distribution of property. Digital privacy introduces similar questions about control and ownership: if an asset is unaccounted for, what ultimately happens to it might be something the client never intended.
Take cloud storage, for example. Many people keep scans of passports, tax documents, or estate records in online cloud storage vaults. But if these vaults don’t have proper access controls, those sensitive files may be exposed or, especially in the case of estates, lost.
There’s also the issue of functional access. Heirs or fiduciaries may need critical information that they’re legally entitled to, but because they’re locked out of certain accounts, they may not be able to obtain it. On the flip side, they may gain access to information the decedent never wanted revealed, such as private messages or browsing history.
Health and genetic information deserves special attention. Companies storing digital health records, DNA profiles, and so on, may license or share anonymized datasets. If ownership changes, future generations may face risks related to discrimination or misuse. In a world where Amazon purchases One Medical, estate planners should ensure clients are aware of how broad those permissions may be.
Proactive Strategies to Protect Client Privacy After Death
So where does proper protection begin? Always, with a thorough inventory. Clients should list all accounts, devices, subscriptions, storage sites, and digital tools. Estate planners can help them create a heat map, determining which items contain sensitive data and which require ongoing management after death.
Next, establish access controls with clear roles. Not every fiduciary needs access to every account. Using a software service that allows segmenting permissions reduces the risk of accidental disclosures or misuse.
Encrypted digital vaults are increasingly popular. These vaults can store credentials and sensitive documents with settings that allow designated fiduciaries to gain access at a specific time or under specific conditions.
A digital property memorandum can serve as a practical companion to a will or trust. This document outlines the client’s instructions for their online presence, including deletion preferences, memorialization settings, and ownership transfers. Regular updates are essential since digital footprints shift constantly.
Estate planners can also leverage specialized platforms that support posthumous account management. These tools help clients set preferences for what should happen to their data and can automate certain tasks for loved ones.
The Estate Planner’s Role: A Privacy Advocate in Disguise
Privacy lawyering and estate planning are both, by nature, proactive professions. At their respective cores, they’re about anticipating risks, preparing for the future, and protecting the people and legacies clients care about most. By taking an interdisciplinary approach to client service today, estate planners need to dig even deeper and take a more proactive approach to privacy protection than ever before. The list of things that can potentially go awry after someone dies is a whole lot longer than it used to be.
Clients’ lives become increasingly digital with each new account they open, and the data they generate during their lifetimes will outlast them unless it’s intentionally and thoughtfully managed.
Estate planners can play a crucial role in filling this gap by treating digital privacy as a core part of legacy planning. Estate planners already guide clients through some of life’s most sensitive decisions: expanding that scope of guidance to include digital privacy is a natural and needed next step.
