ESIGN Act Compliance Checklist for Businesses in 2026

The ESIGN Act has been federal law since 2000. Twenty-six years later, a surprising number of businesses still aren't sure whether their e-signature process actually meets its requirements, or they assume that using any e-signature tool automatically makes them compliant.

It doesn't work that way. The law sets out specific conditions that your process needs to satisfy, and whether those conditions are met depends on how your platform is configured and what it captures during the signing event.

Here's what the ESIGN Act and UETA actually require, in plain terms, with a checklist you can use to audit your current setup.

The Core Requirements

Consumer Consent

Before anyone signs electronically, they have to affirmatively agree to conduct the transaction using electronic records and signatures. That means showing them an ESIGN disclosure and requiring a positive action, clicking "I agree" counts, passively scrolling past a notice does not.

The disclosure also needs to explain two specific things: that they have the right to request paper copies, and how they can withdraw consent if they change their mind.

Check these off:

• ESIGN disclosure presented before the first signing action
• Signer takes an affirmative action to consent (not just implied)
• Right to paper copies disclosed
• Process for withdrawing consent is documented somewhere

Intent to Sign

The signing action itself needs to make clear that the signer understands they're executing a legal signature. Drawing a signature, typing a name, or clicking a clearly labeled "Sign" button all satisfy this requirement, but only if the interface makes it obvious that's what they're doing.

If a signer can click through a signing flow without realizing they've legally signed something, that's a problem.

Check these off:

• Signing step is clearly labeled as a signature action
• Signer sees the document before completing the signature
• Confirmation shown after signing is complete

Association with the Record

The signature has to be tied to the specific document being signed. A generic "I agree" button that isn't linked to a particular document doesn't work. The signed PDF should either embed the signature data directly or be cryptographically linked to it so there's no question which version of the document was agreed to.

Check these off:

• Signature embedded in or cryptographically linked to the signed document
• A SHA-256 hash or equivalent fingerprint recorded at time of signing
• Signed document is distinguishable from the pre-signing version

Record Retention

You need to be able to reproduce the signed document accurately, in full, at any future point. "Stored on our file server" doesn't cut it if that server isn't redundant and backed up. Cloud storage with versioning does.

Check these off:

• Signed documents stored in durable, redundant storage
• Documents retrievable by authorized parties at any time
• Signed PDF downloadable by both sender and all signers after completion

Audit Trail

The ESIGN Act doesn't explicitly require an audit trail, but in any dispute about whether a signature is valid, the audit trail is your evidence. Without it, you're relying on people's word. With it, you have timestamped records of every event in the signing flow.

At minimum, your audit trail should capture:

• Who signed (email address and name)
• When they signed (timestamp with timezone)
• Where they signed from (IP address)
• What device and browser they used
• That consent was given, with its own timestamp

Check these off:

• All signing events timestamped
• IP address and user agent captured per signer
• Consent recorded as a discrete event in the log
• Audit log cannot be modified or deleted after signing

What ESIGN Covers, and What It Doesn't

The law covers most business transactions. But there's a short list of document types that are explicitly excluded and still require wet signatures:

Not covered (wet signature still required):

• Wills and testamentary trusts
• Adoption and divorce proceedings
• Court orders and official court documents
• Notices related to utility disconnection
• Product recall notices involving health or safety hazards
• Certain documents governed by specific UCC sections

Covered (electronic signatures are legally valid):

• Business contracts and service agreements
• NDAs and confidentiality agreements
• Employment offer letters and agreements
• Residential and commercial leases
• Insurance policies and financial agreements
• Purchase orders and vendor contracts

If your documents fall in the covered category, which they almost certainly do for day-to-day business use, electronic signatures are fully enforceable.

Pre-Send Checklist

Before you send any document for signature, run through this:

• Document type isn't on the ESIGN exclusion list
• ESIGN disclosure will be shown to signers before they interact with the document
• All fields are placed and assigned to the right signer
• Signer email addresses are correct (a typo means the wrong person signs)
• Audit trail will be captured automatically
• Signed document will be stored and accessible after completion

How SigPen Handles This Automatically

Every signing session created through SigPen includes:

• ESIGN consent disclosure presented before the signer touches the document
• Full audit trail captured automatically, timestamp, IP, user agent, consent event
• Signatures embedded directly in the PDF with a SHA-256 document hash
• Certificate of completion available for download after signing
• Documents stored on AWS S3 with redundancy

You don't configure any of this separately. It's the default behavior for every document sent through the platform.

---

Further reading: What Makes an Electronic Signature Legally Binding? and How to Send a Document for Signature.

This post is general information about ESIGN Act requirements, not legal advice. For guidance specific to your industry or jurisdiction, consult an attorney.