Does privacy end at death? With Halloween just around the corner, today is as good a time as any to ponder postmortem privacy.

In most contexts, we think of privacy interests as situated in the individual person. It is, after all, my own data privacy that I manage. I exert control and autonomy over information about me. Unless I have a legal guardian, only I can request access, deletion, or other data subject rights. But what about when I’m gone? Do my next of kin inherit my data — and my data rights? In a world where my whole life is digitized, including my most intimate secrets, what happens to my autonomy and dignity if my rights vanish at death?

At common law in the U.S., privacy has certainly been viewed through this lens of individuality. Rights to stop the spread of information from unwanted intrusions generally cease after death. Most cases dealing with the publication of gruesome car crash photos, for example, have been decided in favor of publication, not privacy. But there may be a trend toward acknowledging family rights to keep such intimate details private. A high-profile case in California this year found in favor of Kobe Bryant’s family, who had claimed that the circulation of photos of human remains from the helicopter crash that killed Bryant violated their privacy. Though Bryant’s privacy rights ceased, some relational privacy interest in this sensitive and intimate matter remained among his family.

Similarly, the Freedom of Information Act has proven to be a nuanced tool when it comes to preserving the dignity of deceased persons. Time and time again, FOIA requests for public access to autopsy photos and other intimate details that could impact families have been denied. To understand why, it’s worth reviewing a case in which The New York Times sought the release of the final audio recordings from the Challenger spacecraft.

A widely used exemption to FOIA covers "personnel and medical files and similar files the disclosure of which would constitute a clearly unwarranted invasion of personal privacy." NASA released full transcripts of the final moments of the Challenger astronauts’ lives but fought the release of audio recordings as too intimate, and too potentially harmful to their families.

As the D.C. District Court reasoned, “how the astronauts said what they did, the very sound of the astronauts' words, does constitute a privacy interest. This is the ‘intimate detail’ that the Challenger families seek to protect from disclosure.” The court went on to describe one potential harm from this disclosure as the “disruption of their peace of mind every time a portion of the tape is played within their hearing.”

Less gruesome, but equally intimate, data is likely spread across most individuals’ digital footprints. With this in mind, major platforms have realized that, regardless of regional laws, there is always a balancing of interests at stake in navigating both the lasting privacy of the deceased and their loved ones’ interests in remembering and commemorating. In general, this has meant privileging the choices individuals make about their postmortem data — when they can be enticed to make those end-of-life plans — before allowing family to dictate the outcome. In fact, model legislation that takes a similar balancing approach, the Fiduciary Access to Digital Assets Act, has now been passed by most states.

Like so much in privacy, this flexibility seems apt. It allows us to take some secrets to our grave while empowering our family to cherish our legacy. Perhaps there is a broader lesson here too: our likeness, our intimate nature, is something that we only lay first claim to. When we are gone, some vestige of our private nature comes first to those who knew us best before it can spread to the public.

Here's what else I’m thinking about:

  • The latest FTC data security case has takeaways for privacy professionals. As I wrote in The Privacy Advisor, the U.S. Federal Trade Commission enforcement action against Drizly demonstrates how the agency plans to give teeth to its new emphasis on data minimization. The FTC reached a settlement with Drizly, an online alcohol marketplace, and its CEO, alleging the company knew about its data security shortcomings and failed to take action to protect personal data from a data breach affecting 2.5 million users. This is the first time we have seen the details of a granular data minimization program spelled out by the agency. It also signals an expanded emphasis on executive liability.
  • XR privacy at a glance. A new infographic from the Future of Privacy Forum helps to break down extended reality technologies, such as virtual and augmented reality, in a way that highlights the layers of privacy risks they can entail.
  • A global group of civil society organizations launched a Movement for a Better Internet, a “digital hub” to help ensure future internet evolution is “guided by public interest values,” including privacy.

Upcoming happenings

Please send feedback, updates and postmortem data requests to cobun@iapp.org.