GDPR, CCPA, and Your Digital Legacy: A Compliance Guide

By Memoralise Team

Data protection is not the most exciting topic in legacy planning, but it might be the most important one to get right. If you are storing sensitive personal information — wills, financial records, medical directives, login credentials — then the platform holding that data has serious legal obligations. And as a user, you have rights that are worth understanding.

The two regulatory frameworks that matter most in this space are the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), along with its more recent amendment, the California Privacy Rights Act (CPRA). While these are jurisdictional regulations, their influence is global. Any platform that serves users in the EU or California must comply, and in practice, most reputable platforms apply these standards universally. For Australian users, the Privacy Act 1988 and the Australian Privacy Principles (APPs) provide a local baseline, but the GDPR in particular sets a higher bar that forward-thinking platforms choose to meet.

So what does this mean for your digital legacy? Under GDPR, you have the right to know exactly what data a platform holds about you, the right to have that data corrected, and the right to have it deleted entirely (the “right to be forgotten”). You also have the right to data portability — meaning you can export your information in a standard format and take it elsewhere. CCPA and CPRA provide similar protections for California residents, including the right to opt out of the sale of personal information and the right to non-discrimination for exercising your privacy rights.

For a legacy platform like Memoralise, these regulations are not obstacles; they are foundational principles. Every piece of data stored in the vault is encrypted, access-controlled, and subject to a clear retention policy. Audit logs track every access event. Data processing agreements are in place with every third-party provider. And crucially, the conditional release engine is designed so that data is only ever shared in accordance with the rules you set — not at the discretion of the platform. When you choose a digital legacy provider, ask them how they handle GDPR and CCPA compliance. If they cannot give you a clear, specific answer, that tells you everything you need to know.