An American adult dies with an average of more than 150 online accounts, and fewer than 10 percent of those accounts are covered by any estate planning document. The financial and sentimental value tied up in those accounts — email archives, family photos in cloud storage, cryptocurrency wallets, online business revenue, subscription accounts, domain names — is often substantial, and the legal framework for accessing it after death was almost nonexistent until 2015. The Revised Uniform Fiduciary Access to Digital Assets Act (RUFADAA), adopted in some form by 47 states, gives executors and trustees a legal pathway to access digital assets, but only if the deceased left the right instructions in the right places. The technical reality is even harder: a hardware cryptocurrency wallet without its seed phrase is permanently inaccessible regardless of legal authority, and a password manager without its master password is a locked vault. Digital estate planning sits at the intersection of law, technology, and human behavior, and getting it wrong can cost a family hundreds of thousands of dollars in lost cryptocurrency, years of email archives, or a thriving online business that collapses in the months after the owner's death.
What counts as a digital asset
RUFADAA defines "digital asset" broadly to mean "an electronic record in which an individual has a right or interest" — a definition that sweeps in everything from a Gmail account to a Bitcoin wallet to a $50,000-per-year online business. The practical categories most estates need to address are: (1) communication accounts, including email, voice mail, and messaging apps; (2) social media accounts, including Facebook, Instagram, LinkedIn, X, and TikTok; (3) financial accounts accessed primarily online, including online banking, brokerage accounts, PayPal, Venmo, and Cash App; (4) cryptocurrency wallets, both custodial (Coinbase, Kraken) and self-custody (Ledger, Trezor); (5) cloud storage and photo archives, including iCloud, Google Photos, Dropbox, and OneDrive; (6) online businesses, including Amazon Seller accounts, Shopify stores, Etsy shops, and subscription-content platforms; (7) digital intellectual property, including domain names, copyrighted works in digital form, and software source code; (8) subscription accounts, including Netflix, Spotify, newspaper and magazine subscriptions, and app store accounts; and (9) loyalty and rewards programs, including airline miles, hotel points, and credit card rewards.
The economic value of these assets can be substantial. A modest cryptocurrency portfolio worth $50,000 in 2018 might be worth $400,000 today; a domain name registered for $12 in 2005 might sell for $25,000; an Amazon Seller account generating $200,000 in annual revenue has enterprise value; an airline mileage balance of 500,000 miles has a redemption value of $7,500 to $15,000. The sentimental value is harder to quantify but often more important: the only copy of family photos going back twenty years may live in iCloud, and Apple's Terms of Service explicitly state that the account is non-transferable on death — meaning the legal right to access the account lapses, and the photos become inaccessible unless the family has the Apple ID password or a court order obtained through RUFADAA's procedures. The starting point of any digital estate plan is an inventory: a list of every account, the username, the platform, and the approximate value (financial or sentimental). Without that inventory, the executor is searching blind.
RUFADAA: the legal framework
The original Uniform Fiduciary Access to Digital Assets Act was promulgated in 2014 but was revised almost immediately because the original version gave executors overly broad access to email and social media accounts, raising privacy concerns. The Revised Uniform Fiduciary Access to Digital Assets Act (RUFADAA), promulgated in 2015, introduced the two-category distinction that defines the modern framework: "catalogue of electronic communications" (the sender, recipient, and date of emails and messages — accessible to fiduciaries by default) versus "content of electronic communications" (the actual text of emails and messages — accessible only if the user affirmatively authorized disclosure). RUFADAA has been enacted in 47 states plus the District of Columbia and the U.S. Virgin Islands as of 2025, with only Massachusetts, Oklahoma, and Pennsylvania yet to enact — though even in those states, the common law and the federal Stored Communications Act (18 U.S.C. § 2701) provide similar, if less clear, protections.
RUFADAA covers four types of fiduciary: the executor or personal representative of a deceased user's estate; the trustee of a trust; the agent under a power of attorney; and the guardian of a conservatorship. Each fiduciary has authority over digital assets to the extent authorized by the user, but the scope of authority differs. The executor's authority begins at death and extends to all digital assets of the estate. The trustee's authority is limited to digital assets held by the trust. The agent under a power of attorney has authority only during the principal's lifetime, and only to the extent the power of attorney explicitly grants authority over digital assets — a generic grant of "all financial authority" is insufficient under RUFADAA in most states. The guardian's authority is limited by the court's order. Custodians (Google, Apple, Facebook, and the rest) are granted statutory immunity for complying with fiduciary requests in good faith, which is the legal foundation that makes compliance practical.
The three-tier priority system
RUFADAA's most important innovation is the three-tier priority system for determining what a fiduciary may access and under what authority. The system, codified at § 4 of the uniform act, prioritizes (1) the user's online tool directions, (2) the user's estate planning documents (will, trust, power of attorney), and (3) the custodian's terms of service — in that order. The online tool is the highest-priority direction: if the user activated Google's Inactive Account Manager and designated a contact to receive account data after 3 months of inactivity, that designation controls over any contrary direction in the user's will. The will is the second-priority direction: if no online tool was activated, the will's direction to the executor to access digital assets controls. The terms of service are the third-priority default: if the user activated no online tool and the will is silent, the custodian's terms of service control, and most terms of service prohibit access by anyone other than the account holder.
| Tier | Source of direction | Examples | Legal priority |
|---|---|---|---|
| 1 | Online tool | Google Inactive Account Manager, Facebook Legacy Contact, Apple Legacy Contact, Microsoft Next of Kin process | Highest — overrides will and TOS |
| 2 | Estate planning documents | Will, trust, power of attorney with explicit digital asset grant | Middle — controls if no online tool |
| 3 | Custodian terms of service | Apple iCloud TOS (non-transferable), Gmail TOS, Instagram TOS | Lowest — default if user left no direction |
The major custodians have built online tools that work reasonably well, and they should be the first step in any digital estate plan. Google's Inactive Account Manager lets the user designate up to 10 contacts to receive account data (email, photos, Drive files, YouTube videos) after a specified period of inactivity (3, 6, 12, or 18 months) — the user can also direct Google to delete the account after the data is shared. Facebook's Legacy Contact lets the user designate a friend to manage the memorialized profile (pin a post, respond to friend requests, download a copy of the shared content — but not read private messages). Apple's Legacy Contact, introduced in iOS 15.2 in December 2021, lets the user designate up to five contacts who can request access to the Apple ID data after death by providing the legacy contact's Apple ID, the access key generated at designation, and a death certificate. Microsoft's Next of Kin process provides a similar but more limited mechanism for Outlook and OneDrive. Activating all of these takes an afternoon and resolves the legal access question for the largest custodians.
Cryptocurrency: the seed-phrase problem
Cryptocurrency is the asset class most likely to be lost entirely at death, because the legal framework is irrelevant without the technical means of access. A self-custody wallet — a Ledger hardware wallet, a Trezor hardware wallet, or a software wallet like Electrum or MetaMask — is controlled by a private key, which is in turn derived from a 12-word or 24-word seed phrase (also called a recovery phrase or mnemonic). The seed phrase is the master key: anyone who has it can access and transfer the cryptocurrency, regardless of legal ownership. Anyone who lacks it cannot, regardless of legal authority — and a court order compelling a hardware wallet manufacturer to unlock a wallet would be ineffective, because the manufacturer does not have the seed phrase and could not produce it if subpoenaed.
The seed phrase cannot be stored in a will, because a will becomes a public record during probate. A seed phrase written into a will and filed with the probate court would be visible to anyone who requested the file — and any of those people could drain the wallet before the executor even knew the will had been filed. The same problem applies to trust documents recorded with the county, and to power of attorney forms filed with financial institutions. The seed phrase must be stored separately from any document that becomes a public record. The most common solution is a letter of instruction (described below) kept in a secure location — typically a safe deposit box, a fireproof home safe, or with the estate planning attorney under a separate confidentiality agreement — that directs the executor to the seed phrase's location without reproducing the phrase itself. The seed phrase itself should be written on paper or engraved on metal (companies like Cryptosteel and Billfodl sell metal backup devices), stored in two parts in two locations to prevent a single point of failure.
Hardware wallets add an additional layer: the wallet itself requires a PIN to unlock, and the seed phrase is needed only to recover the wallet if the device is lost or damaged. The executor needs both the physical device (with PIN) and the seed phrase (for recovery) — having either alone is insufficient. The PIN itself should be in the letter of instruction, separate from the seed phrase, so that two people or two locations are needed to access the wallet. Custodial cryptocurrency accounts (Coinbase, Kraken, Gemini) are simpler: the executor can present the death certificate and letters testamentary to the custodian, which will liquidate or transfer the assets as directed — but the executor must know the account exists, which requires an inventory. A family that does not know about a Coinbase account cannot claim it, and Coinbase will not proactively notify next of kin. The on-chain nature of cryptocurrency means dormant accounts can sit indefinitely, and there is no statute of limitations on the executor's right to claim the asset — but only if the executor knows it exists.
Password managers and emergency access
A password manager — 1Password, Bitwarden, Dashlane, LastPass, or KeePass — is the single most effective tool for digital estate planning, because it consolidates credentials for every online account into a single encrypted vault that can be transferred to a designated emergency contact. 1Password's Emergency Kit is a printed document containing the account email, secret key, and a space for the master password; the kit is given to a designated trusted person, who can use it to access the vault only when needed. Bitwarden offers "emergency access" — a designated contact can request access to the vault, and if the account holder does not decline the request within a specified waiting period (typically 7 days), access is automatically granted. LastPass has a similar emergency access feature. KeePass, being a local-only password manager, requires the database file and the master password to be transferred manually.
The master password to the password manager is the single most important credential in any digital estate plan, and it cannot be stored in the password manager itself. The master password should be in the letter of instruction, stored separately from the password manager's database file, so that no single document or location gives access to the entire vault. The executor or trusted family member needs the master password, the location of the password manager's database (for KeePass) or the URL of the cloud-hosted password manager (for 1Password, Bitwarden, Dashlane, LastPass), and the secret key (for 1Password) or two-factor authentication recovery codes (for any password manager with 2FA enabled). Two-factor authentication is itself a major obstacle: the executor needs the 2FA device (typically a smartphone) and the SIM or Apple ID credentials to receive text-message 2FA codes, or the recovery codes printed at the time 2FA was enabled. The recovery codes should be stored with the letter of instruction, and the executor should be informed of the smartphone's location and passcode.
The letter of instruction
The letter of instruction is the central document of digital estate planning, and it is deliberately not part of the will. The will becomes a public record at probate; the letter of instruction does not. The letter should contain: (1) a complete inventory of digital assets, with usernames, platform names, and approximate values; (2) the location of the password manager database and the master password; (3) the location of cryptocurrency seed phrases and hardware wallets, with PINs; (4) two-factor authentication recovery codes; (5) the location and passcode of the primary smartphone; (6) the location of physical backups (external hard drives, USB drives); (7) the names and contact information of designated legacy contacts and online-tool designees; and (8) instructions for specific assets (e.g., "delete my browsing history," "continue my Substack for six months then archive," "transfer my Etsy shop to my daughter").
The letter should be stored in a secure but accessible location, with a clear instruction to the executor on how to find it. Common locations include a fireproof home safe (with the combination in the will or with the estate planning attorney), a safe deposit box (with the executor as co-signer or with a clear instruction in the will authorizing access), or with the estate planning attorney under a separate confidentiality agreement. The letter should be reviewed and updated at least annually, because online accounts change frequently and credentials change even more frequently. A letter last updated in 2019 is likely useless in 2025: the accounts listed may no longer exist, the passwords will have changed, and the platforms themselves may have been acquired or shut down. A subscription to a digital estate planning service (Everplans, Trust & Will's digital vault, or Password Boss's heir access) can automate the update process, but the manual letter of instruction remains the gold standard because it works regardless of whether the service is still in business.
Case studies
A 58-year-old technology executive died suddenly of a heart attack in 2023, leaving a portfolio of approximately $400,000 in Bitcoin stored on a Ledger hardware wallet. He had discussed the wallet with his wife but had never shared the seed phrase or the wallet's PIN. The wife found the Ledger device in his home office but could not unlock it without the PIN, and the seed phrase was not in any of his papers. She contacted Ledger, which confirmed that it could not recover the seed phrase — the company's architecture is such that no employee has access to any customer's seed phrase, by design. She hired a forensic data recovery firm, which was unable to crack the PIN (the Ledger wipes itself after a configurable number of failed attempts, set to 16 in this case). The Bitcoin has been sitting on the blockchain since the date of death, accessible to anyone with the seed phrase and inaccessible to everyone without it — including the executor, the widow, and the courts. Had the executive included the seed phrase location in a letter of instruction — even just "the seed phrase is engraved on a metal plate in the bottom drawer of my office desk, behind the photo albums" — the family would have inherited the $400,000 intact. Instead, the asset is effectively permanently lost.
A 72-year-old widow died in 2024 with an estate of approximately $850,000 in financial assets and a house. Her will, drafted in 2015, was silent on digital assets, and she had not activated any online tools. Her executor — her adult son — knew she banked at Wells Fargo and held a brokerage account at Schwab, but he did not know that she also held approximately $90,000 in a high-yield savings account at Marcus by Goldman Sachs, $40,000 in a Vanguard IRA, or $25,000 in a Treasury Direct account. The statements for all three came by email, and the executor had no access to her Gmail account. Google's Inactive Account Manager had not been activated, and Google's terms of service prohibited disclosure to anyone other than the account holder. The executor retained counsel to seek a court order under RUFADAA, which the court granted — but only after a 90-day process and approximately $4,500 in legal fees, during which the Marcus account continued to earn interest but the Treasury Direct account missed a $7,000 bond maturity that required action within 60 days. The executor ultimately recovered the assets, but the delay and the legal fees would have been avoided entirely had the widow executed a RUFADAA-compliant authorization in her will and provided a letter of instruction with her email password.
A 45-year-old entrepreneur died in 2024, leaving a Shopify-based e-commerce business generating $480,000 in annual revenue and approximately $130,000 in annual profit. The business was operated entirely from the entrepreneur's email, Shopify, Amazon Seller, and Facebook Ads accounts, all of which were protected by two-factor authentication to his smartphone. The entrepreneur had no operating agreement, no succession plan, and no letter of instruction. His wife, named as executor, could not access any of the business accounts: Shopify's terms of service prohibited transfer without the account holder's consent, Amazon Seller required a 30-day verification process that could not be completed without the original email, and Facebook Ads suspended the campaigns after a missed payment and required identity verification that the wife could not pass. Within 90 days of the death, the business had lost its search rankings, its suppliers had revoked the credit terms, and the customer list (held only in the Shopify account) was inaccessible. By the time the executor obtained court orders under RUFADAA, six months had passed, and the business's enterprise value — estimated at $400,000 to $500,000 at the date of death — had collapsed to near zero. A simple succession plan — designating a co-administrator on the Shopify account, sharing the email password with a key employee, and executing a buy-sell agreement with a pre-named successor — would have preserved the business and the family's primary income source.
Common mistakes
- Putting seed phrases or passwords in the will — The will becomes a public record at probate. A seed phrase or password written into the will is visible to anyone who requests the probate file, and the cryptocurrency or accounts will be drained before the executor can act. Store credentials in a letter of instruction separate from the will, and reference the letter's location in the will without reproducing the credentials themselves.
- Not designating legacy contacts — Google Inactive Account Manager, Facebook Legacy Contact, and Apple Legacy Contact take 15 minutes each to set up and override the custodian's terms of service. Failing to activate them leaves the executor with the RUFADAA court-order process, which can take 60 to 90 days and cost $3,000 to $7,500 in legal fees per custodian.
- No inventory of accounts — An executor cannot claim a Coinbase account or a Treasury Direct account if the executor does not know it exists. The inventory should list every account with username and approximate value, and should be updated annually. A subscription to a credential monitoring service (Have I Been Pwned, Firefox Monitor) can help identify accounts the user has forgotten about.
- Generic power of attorney without digital asset grant — RUFADAA in most states requires that a power of attorney explicitly grant authority over digital assets; a generic grant of "all financial authority" is insufficient. The power of attorney should include a specific provision authorizing the agent to access, manage, and direct the disposition of digital assets, including email, social media, financial accounts, and cryptocurrency.
- Two-factor authentication without a recovery plan — 2FA is essential for security, but the executor must be able to receive 2FA codes or use backup codes. The smartphone used for 2FA should be located and unlocked within hours of death (before the carrier deactivates the SIM or the device's biometric login times out), and the recovery codes should be stored with the letter of instruction.
- Assuming the custodian will notify next of kin — No major online custodian (Google, Apple, Facebook, Amazon, Coinbase, Schwab) proactively notifies next of kin of an account holder's death. The executor must affirmatively notify each custodian, present the death certificate and letters testamentary, and request access — and the executor cannot do this for accounts the executor does not know about.
- Forgetting digital intellectual property — Domain names, copyrighted works in digital form, software source code, and trademarks registered online are all digital assets with real value. A domain name registered for $12 may be worth $25,000; a software codebase may be the primary asset of a consulting business. The estate plan should explicitly address these assets, and the executor should be given authority to renew, sell, or transfer them.
When to consult a professional
A modest estate with a few online accounts, no cryptocurrency, and no online business can be planned with a self-help letter of instruction and activation of the major custodians' online tools, all of which are free. But several situations warrant professional help. Cryptocurrency holdings above $50,000 should prompt a consultation with an estate planning attorney who has experience with digital assets, because the storage and access plan must be carefully designed to balance security against accessibility. Online businesses — Shopify stores, Amazon Seller accounts, SaaS businesses, content platforms — require a succession plan that designates a successor operator, grants access to critical accounts, and addresses the legal transfer of the business entity. Estate plans involving trusts should be reviewed to ensure that the trust explicitly grants the trustee authority over digital assets, and that the trust's funding includes any digital assets intended to be trust property.
The cost of a digital estate planning consultation ranges from $500 to $2,500 depending on complexity, against which the cost of getting it wrong can be substantial. The loss of a single cryptocurrency wallet can run into six or seven figures. The collapse of an online business after the owner's death can cost hundreds of thousands in enterprise value. The legal fees to obtain a RUFADAA court order for an email account can exceed $5,000, and the process can take 60 to 90 days during which time-sensitive financial transactions may be missed. For a broader review of the estate plan in which digital assets sit, see our estate planning checklist by age and our guide to revocable vs irrevocable trusts, and for the inventory step that should accompany any digital estate plan, see our avoiding probate strategies.
Frequently asked questions
No. A will becomes a public record at probate, and anyone can request a copy from the probate court. Passwords, seed phrases, and PINs written into the will would be visible to anyone who requested the file — including people who could use the credentials to drain your accounts before the executor even knew the will had been filed. The will should reference a separate letter of instruction that contains the credentials, and the letter of instruction should be stored in a secure but accessible location. The will can give the executor authority over digital assets under RUFADAA, but the actual credentials belong in the letter.
If you have not activated Google's Inactive Account Manager and your will does not specifically grant your executor authority over digital assets, your Gmail account will eventually be deleted after approximately 24 months of inactivity (Google's current policy). The emails themselves are not transferable under Google's terms of service, and your executor would need a court order under RUFADAA to obtain access. If you activate Inactive Account Manager, you can designate up to 10 contacts to receive account data (email, photos, Drive files, YouTube videos) after a specified period of inactivity, and you can direct Google to delete the account after the data is shared. Activation takes about 15 minutes and is free.
Only if they have the seed phrase (for a self-custody wallet) or can prove to the custodian that they are your lawful heirs (for a custodial account like Coinbase). For a self-custody wallet, the seed phrase is the master key — without it, the Bitcoin is permanently inaccessible, regardless of legal authority. A court cannot order the wallet manufacturer to unlock the device, because the manufacturer does not have the seed phrase. Store the seed phrase in a secure but accessible location (not in the will), and tell your executor where to find it. For a custodial account, the executor presents the death certificate and letters testamentary to the custodian, which will liquidate or transfer the assets as directed — but only if the executor knows the account exists.
Not necessarily separate, but the power of attorney must explicitly grant authority over digital assets. RUFADAA in most states requires an explicit grant — a generic grant of "all financial authority" is insufficient. The power of attorney should include a specific provision authorizing the agent to access, manage, and direct the disposition of digital assets, including email, social media, financial accounts, and cryptocurrency. Many modern power of attorney forms include this language by default, but older forms (pre-2015 in most states) typically do not, and an update is warranted if the form is more than ten years old.
For more, see our estate planning checklist by age and our guide to revocable vs irrevocable trusts, or our avoiding probate strategies for the broader estate plan in which digital assets sit.
Last reviewed June 22, 2026. This article is informational and does not constitute legal, tax, or financial advice. Consult a qualified professional for guidance specific to your situation.