Guides & Tutorials

Mar 4, 2026

Legal Requirements for Electronic Signatures: A Developer's Checklist

This is the reference doc. Bookmark it, come back to it, check your implementation against it.

If you're building e-signature functionality into your application, your system needs to satisfy specific legal requirements for those signatures to be enforceable. Not "nice to haves." Requirements.

Here's exactly what you need.

The 4 Core Requirements for a Legally Valid E-Signature

Under US law (ESIGN Act and UETA), every electronic signature must meet four criteria:

1. Intent to sign

  • The signer took a deliberate action to sign

  • The action was unambiguous (button click, drawn signature, typed name)

  • The UI made clear they were signing, not just acknowledging

2. Consent to electronic process

  • All parties agreed to conduct business electronically

  • For B2B: can be implied from context

  • For B2C: requires explicit disclosure of rights (paper option, withdrawal process, hardware/software requirements)

3. Association with the record

  • The signature is linked to the specific document version

  • You can prove which document was signed

  • Any changes after signing are detectable

4. Record retention

  • The signed document can be reproduced accurately

  • All parties can access their copy

  • Records remain available for the legally required period

If your implementation covers all four, you're compliant with US federal law for most business transactions.

What Your Audit Trail Needs to Capture

This is the section to screenshot. For every signature event, record:

Signer identification

  • Email address (verified before signing)

  • IP address at time of signature

  • Timestamp with timezone (ISO 8601 format)

  • User agent string

  • Device/browser fingerprint (optional but useful)

  • Authentication method used (email link, SMS code, SSO, etc.)

Document integrity

  • Document hash at signing time (SHA-256)

  • Document version identifier

  • File size and page count

  • Tamper detection mechanism

Consent capture

  • Timestamp of consent to electronic transactions

  • Record of what was disclosed (terms, rights, withdrawal process)

  • Explicit opt-in action (not pre-checked boxes)

Signature event

  • Exact timestamp of signature action

  • Type of signature (click, draw, type, upload)

  • Signature image or data (if applicable)

  • Screen coordinates or interaction data (optional)

Chain of custody

  • Document creation timestamp

  • Each view event with timestamp and viewer

  • Each signature event in order

  • Download and forwarding events

  • Completion timestamp

Store audit logs immutably. Append-only databases, cryptographic chaining, or write-once storage. If someone can edit the audit trail, it's not an audit trail.
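The audit-trail fields above and the "cryptographic chaining" option can be combined in one structure: every event record carries the SHA-256 of the record before it, so an edit to any entry, or the removal of an interior entry, breaks verification. The following is an added example written for this page, not Firma.dev code; the record layout, the in-memory store and the sample consent, view and sign events are all constructed for illustration.

```python
"""Append-only, hash-chained audit trail for e-signature events.

Added example, not Firma.dev code. Each record embeds the SHA-256 of the
previous record, so editing or removing any earlier entry breaks verification.
"""
import copy
import hashlib
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64  # prev_hash of the first record (constructed convention)


def utc_now_iso() -> str:
    """ISO 8601 timestamp in UTC with an explicit offset, e.g. 2026-03-04T15:00:00+00:00."""
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def canonical(payload: Dict) -> bytes:
    """Deterministic JSON encoding so identical content always hashes identically."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode("utf-8")


def record_hash(record: Dict) -> str:
    """SHA-256 over every field of a record except its own 'hash'."""
    body = {k: v for k, v in record.items() if k != "hash"}
    return hashlib.sha256(canonical(body)).hexdigest()


class AuditLog:
    """In-memory stand-in for an append-only store (assumed; production would use
    an append-only table or write-once storage and anchor the latest hash externally)."""

    def __init__(self) -> None:
        self._records: List[Dict] = []

    def append(self, event_type: str, signer: Dict, document: Dict,
               details: Dict, ts: Optional[str] = None) -> Dict:
        prev = self._records[-1]["hash"] if self._records else GENESIS
        record = {
            "seq": len(self._records),
            "event_type": event_type,   # consent, view, sign, download, complete
            "timestamp": ts or utc_now_iso(),
            "signer": signer,           # email, ip, user_agent, auth_method
            "document": document,       # version id, sha256 and size of the bytes shown
            "details": details,
            "prev_hash": prev,
        }
        record["hash"] = record_hash(record)
        self._records.append(copy.deepcopy(record))
        return record

    def records(self) -> List[Dict]:
        """Return a deep copy so callers cannot mutate the stored records."""
        return copy.deepcopy(self._records)


def verify_chain(records: List[Dict]) -> Tuple[bool, int]:
    """Return (ok, index of first bad record); index is -1 when the chain is intact."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec["seq"] != i or rec["prev_hash"] != prev or record_hash(rec) != rec["hash"]:
            return False, i
        prev = rec["hash"]
    return True, -1


def demo() -> Dict[str, Tuple[bool, int]]:
    """Chain three constructed events, then show that editing or dropping one is detected."""
    doc_bytes = b"%PDF-1.7 constructed sample contract v3"
    doc = {"version": "v3", "sha256": hashlib.sha256(doc_bytes).hexdigest(), "size": len(doc_bytes)}
    signer = {"email": "alice@example.com", "ip": "203.0.113.7",
              "user_agent": "Mozilla/5.0 (constructed)", "auth_method": "email_link"}
    log = AuditLog()
    log.append("consent", signer, doc,
               {"disclosed": ["paper_option", "withdrawal_process", "hw_sw_requirements"],
                "opt_in": "checkbox_checked_by_user"}, ts="2026-03-04T15:00:00+00:00")
    log.append("view", signer, doc, {}, ts="2026-03-04T15:00:20+00:00")
    log.append("sign", signer, doc, {"signature_type": "click", "button": "I agree and sign"},
               ts="2026-03-04T15:01:02+00:00")

    edited = log.records()
    edited[0]["details"]["opt_in"] = "pre_checked"   # retroactively "fixing" the consent record
    dropped = log.records()
    del dropped[1]                                    # removing the view event from the middle
    return {"intact": verify_chain(log.records()),
            "edited": verify_chain(edited),
            "dropped": verify_chain(dropped)}
```

Calling `demo()` returns an intact chain plus two failures at the tampered index. One limit worth knowing: the chain catches edits and removals inside the log, but silently truncating the newest records is only detectable if the latest hash is also anchored outside the store (written to a separate system, or included in the completion record delivered to the parties).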

Document Types That Still Require Wet Signatures

E-signatures don't work for everything. These categories are excluded from ESIGN and UETA:

Always excluded (all US states):

  • Wills, codicils, testamentary trusts

  • Court orders and official court documents

  • Adoption papers

  • Divorce decrees

Often excluded (check your state):

  • Powers of attorney

  • Real estate deeds (varies significantly by state)

  • Healthcare proxies

  • Do-not-resuscitate orders

Excluded from ESIGN specifically:

  • Utility cancellation notices

  • Insurance cancellation notices

  • Product recall notices

  • Notices of default or foreclosure

  • Documents required for transporting hazardous materials

If your application handles any of these document types, consult with legal counsel before enabling electronic signatures. State laws vary, and getting this wrong creates real liability.

Cross-Border Signatures: Which Rules Apply?

When signers are in different jurisdictions, follow the stricter standard.

US only: ESIGN/UETA requirements (the four criteria above)

EU involved: Add eIDAS requirements

  • For basic validity: Simple Electronic Signature (SES) works

  • For stronger assurance: target Advanced Electronic Signature (AdES) criteria:

      • Signature uniquely linked to signer

      • Signer identifiable from the signature

      • Signature created with data under signer's sole control

      • Document tamper-evident after signing

Practical rule: If you build to AdES standards, you automatically satisfy US requirements and most international frameworks. The extra effort is minimal and the coverage is broader.

Data residency matters: EU users may require EU data storage for GDPR compliance. Know where your documents and audit logs are hosted.

Common Mistakes That Invalidate E-Signatures

These are the bugs that get signatures thrown out in court:

Missing consent capture

The user signed, but you never recorded that they agreed to electronic transactions.

Fix: Add explicit consent step before first signature. Store the timestamp and what was disclosed.

No audit trail

You have the signed PDF but no record of who signed, when, or how.

Fix: Log everything listed in the audit trail section above. Make logs immutable.

Broken record retention

Documents were stored, but links expired or files got deleted.

Fix: Implement retention policies aligned with document type. Contracts typically need 7+ years. Never auto-delete without explicit policy.

Unclear signer identity

Anyone with the link could have signed. No verification that the named signer was the actual person.

Fix: Require email verification at minimum. Add SMS codes, SSO, or knowledge-based authentication for higher-stakes documents.

Editable documents after signing

The signed document can be modified without detection.

Fix: Hash documents at signing time. Store the hash in your audit log. Verify hash on retrieval.

Pre-checked consent boxes

Consent was "captured" but the user never actively opted in.

Fix: Require affirmative action. Unchecked boxes that the user must check, or explicit "I agree" buttons.

Missing timestamp or wrong timezone

You recorded "signed at 3:00 PM" but not which timezone.

Fix: Use ISO 8601 format with timezone offset, or store everything in UTC with the signer's timezone noted separately.
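The two fixes above ("hash documents at signing time, verify on retrieval" and "store everything in UTC with the signer's timezone noted separately") are small enough to show together. This is an added example written for this page, not Firma.dev code; the `SignatureRecord` layout, the constructed PDF bytes and the signer's UTC-5 offset are assumptions for illustration, and the offset is kept as minutes from UTC so the example needs no timezone database.

```python
"""Hash-at-signing verification and timezone-safe timestamps.

Added example, not Firma.dev code. Stores the SHA-256 of the exact bytes that
were signed and re-checks it on retrieval; stores the signing instant in UTC
with the signer's local offset recorded separately.
"""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional


@dataclass(frozen=True)
class SignatureRecord:
    document_version: str
    sha256_at_signing: str
    signed_at_utc: str                      # ISO 8601 with explicit +00:00 offset
    signer_utc_offset_minutes: int          # signer's local offset, kept apart from the instant
    signer_timezone_label: Optional[str]    # informational, e.g. a zone name reported by the client


def sign_document(document: bytes, version: str, signed_at: datetime,
                  tz_label: Optional[str] = None) -> SignatureRecord:
    """Build the record for one signature event.

    `signed_at` must be timezone-aware: a naive datetime is exactly the
    "signed at 3:00 PM, but which timezone?" bug, so it is rejected.
    """
    offset = signed_at.utcoffset()
    if offset is None:
        raise ValueError("signing timestamp must carry a timezone")
    return SignatureRecord(
        document_version=version,
        sha256_at_signing=hashlib.sha256(document).hexdigest(),
        signed_at_utc=signed_at.astimezone(timezone.utc).isoformat(timespec="seconds"),
        signer_utc_offset_minutes=int(offset.total_seconds() // 60),
        signer_timezone_label=tz_label,
    )


def verify_on_retrieval(document: bytes, record: SignatureRecord) -> bool:
    """True only if the retrieved bytes hash to exactly what was recorded at signing."""
    current = hashlib.sha256(document).hexdigest()
    return hmac.compare_digest(current, record.sha256_at_signing)


def signed_at_local(record: SignatureRecord) -> str:
    """Render the stored UTC instant in the signer's own offset for display or evidence."""
    tz = timezone(timedelta(minutes=record.signer_utc_offset_minutes))
    return datetime.fromisoformat(record.signed_at_utc).astimezone(tz).isoformat(timespec="seconds")


def demo() -> Dict[str, object]:
    """Constructed sample: a signer at UTC-5 clicks 'sign' at 3:00 PM local time."""
    original = b"%PDF-1.7 constructed sample contract, version 3"
    local = datetime(2026, 3, 4, 15, 0, 0, tzinfo=timezone(timedelta(hours=-5)))
    record = sign_document(original, "v3", local, tz_label="America/New_York")  # label is constructed
    edited = original.replace(b"version 3", b"version 3 (amended)")           # a post-signing edit
    try:
        sign_document(original, "v3", datetime(2026, 3, 4, 15, 0, 0))          # naive: no timezone
        naive_rejected = False
    except ValueError:
        naive_rejected = True
    return {
        "stored_utc": record.signed_at_utc,
        "local_view": signed_at_local(record),
        "original_verifies": verify_on_retrieval(original, record),
        "edited_verifies": verify_on_retrieval(edited, record),
        "naive_rejected": naive_rejected,
    }
```

The hash must be taken over the final bytes that the signer was shown (after any flattening or field filling), and the same bytes must be what is stored; hashing a re-rendered copy on retrieval will fail verification even though nothing malicious happened.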

How Firma.dev Handles Compliance for You

Building all of this from scratch takes time. Firma.dev handles the compliance infrastructure so you can focus on your application.

Built-in audit trails: Every signature event generates an immutable record with signer identity, timestamps, IP addresses, document hashes, and consent capture. Logs can't be modified or deleted.

Tamper-evident documents: Signed documents include cryptographic verification. Any modification after signing is detectable.

EU data residency: All data stored in EU data centers by default. Simplifies GDPR compliance for cross-border transactions.

Consent capture: Electronic consent flows built into the signing process. Records what was disclosed and when the signer agreed.

Record retention: Documents stored securely with access controls. No auto-deletion. Retrievable via API or dashboard.

Full technical details in the security documentation and API docs.

Get started with Firma.dev for free, no credit card required.

Ready to add e-signatures to your application?

Get started for free. No credit card required. Pay only €0.029 per envelope when you're ready to go live.