Proof of Delivery Legal Requirements by Industry (2026 US Guide)

What records the law actually requires, how long you have to keep them, and what counts as defensible proof of delivery — broken down by industry.

Published April 22, 2026 · 11 min read

This is not legal advice

Everything below is a plain-English summary of public US law and regulation as of April 2026. It is meant to help you ask the right questions. Before you make a real compliance decision, talk to an attorney licensed in your state — especially for pharmacy, alcohol, and HIPAA-covered work.

The general baseline (every US delivery)

Most US deliveries fall under the Uniform Commercial Code (UCC), which is adopted in some form by every state. Article 2 (sale of goods) and Article 7 (documents of title) cover most of what proof of delivery means in commerce. The basic things you want to be able to prove for any commercial delivery:

  • What was delivered (the goods)
  • Where it was delivered (the address)
  • When it was delivered (timestamp)
  • Who received it (signature, name, photo, or attestation)
  • Who delivered it (driver identity)

Modern digital POD platforms capture all five automatically — signature, photo, GPS coordinates, timestamp, and driver ID — in a format that holds up in a chargeback dispute or small-claims case.

Are electronic signatures actually valid?

Yes — federally, since 2000. Two laws govern this:

  • ESIGN Act (15 U.S.C. § 7001 et seq.): federal law making electronic signatures and records as legally enforceable as wet ink, in interstate and foreign commerce.
  • UETA (Uniform Electronic Transactions Act): state-level analogue, adopted in 49 states (New York is the lone holdout but has its own equivalent statute).

For ESIGN/UETA to apply to your POD, you generally need:

  1. Intent to sign (a finger swipe with the recipient's name typed counts)
  2. Consent to do business electronically (implied for routine commercial deliveries)
  3. Association of the signature with the record (the signature must be tied to the specific delivery, not floating)
  4. Record retention in a format that can be retrieved later

All four of these are standard in any modern POD product worth its salt.

Pharmacy and prescription delivery

Pharmacy is the most regulated category by far. You are dealing with three overlapping legal frameworks: federal DEA rules for controlled substances, HIPAA for patient data, and state pharmacy boards for everything else.

Controlled substances (DEA)

  • Schedule II-V controlled substances require recipient signature at the point of delivery, captured by the dispensing pharmacy
  • Records must be retained for at least 2 years federally; many states require 5+
  • Records must be readily retrievable for DEA inspection — paper logs or compliant electronic systems
  • You cannot leave controlled substances at the door. Period.

HIPAA implications

  • Photo POD that shows medication labels can constitute Protected Health Information (PHI)
  • If your delivery driver is an employee or business associate of a covered entity, HIPAA rules apply to the data your POD system stores
  • You need a Business Associate Agreement (BAA) with any third-party POD platform that touches PHI

State pharmacy boards

Many states (e.g., California, Texas, Florida) have additional requirements like temperature logs for refrigerated meds, ID verification for certain Schedule III medications, and no-substitute-recipient rules. Check with your state pharmacy board.

Food and grocery delivery

For most retail food, POD requirements are light. Where things get serious is for temperature-controlled and FSMA-covered products.

  • FSMA (Food Safety Modernization Act): the FDA's "Sanitary Transportation of Human and Animal Food" rule (21 CFR Part 1, Subpart O) requires carriers and shippers to keep temperature and handling records for at least 12 months.
  • Cold chain: for refrigerated or frozen items, you generally need timestamped temperature logs at pickup, in-transit (for longer hauls), and at delivery. Your POD should attach these to the delivery record.
  • Restaurant supply / B2B food: standard UCC rules apply. Signature + timestamp + photo of received goods is usually enough.
  • Consumer grocery: photo POD has become the de facto standard. No specific federal rule mandates signature.

Alcohol delivery

Alcohol is the messiest category in the country because the federal government largely defers to states (the 21st Amendment), and states then often defer to counties. There are 50+ different rule sets.

Common requirements you will see:

  • Age verification at delivery (21+) — usually via ID scan or visual check; some states require both
  • Signature of the recipient — required in most states
  • No leaving at the door — universal across states
  • No delivery to visibly intoxicated persons — required by most state ABC commissions
  • Driver training/certification — required in states like California (RBS), Utah, and Pennsylvania
  • Records retention: commonly 2-3 years for alcohol delivery records, longer if you hold a wholesale license

Your POD system should support ID scan + recipient signature + photo, and stamp it with GPS coordinates so you can prove you delivered to a real address (not a dorm parking lot).

B2B documents and commercial delivery

For B2B delivery — auto parts to a dealership, supplies to a clinic, court filings to a law firm — UCC Article 7 governs. The standard is straightforward:

  • Signed and dated bill of lading or delivery receipt
  • Recipient name and title (if business)
  • Description of goods received
  • Notation of any damage or shortage

High-value freight may also fall under the Carmack Amendment (49 U.S.C. § 14706), which governs interstate motor carrier liability. POD becomes the primary evidence in any cargo claim.

Special cases

  • Legal documents (subpoenas, complaints): service-of-process rules vary by state — your courier needs an affidavit of service, not just a POD photo
  • Medical samples: chain-of-custody documentation, often with multiple signatures
  • Cash / negotiable instruments: often require armored-car protocols beyond POD

Ecommerce and chargebacks

For consumer ecommerce, the law itself imposes light POD requirements — but the card networks impose heavy ones. Visa and Mastercard chargeback rules (reason codes 13.1, 4855, etc. for "merchandise not received") put the burden of proof on the merchant.

To win a not-received chargeback you generally need:

  • Carrier name and tracking number
  • Delivery confirmation with timestamp
  • Address of delivery matching billing or shipping address on file
  • For high-ticket items ($750+ on Visa): signature confirmation

Photo POD with GPS coordinates is now considered industry standard for "contactless" consumer delivery and is generally sufficient evidence in chargeback disputes — but signature is still safer for items over $750.

Record retention at a glance

Industry | Federal minimum | Common state extension
Controlled substances (DEA) | 2 years | 5-10 years
HIPAA-covered records | 6 years | Up to 10 years
FSMA (food in transit) | 12 months | 2-3 years
Alcohol delivery | N/A (state-by-state) | 2-3 years typical
Commercial freight (Carmack) | 3 years | 3 years
General UCC commercial | 4 years (statute of limitations) | 4-6 years
Card chargeback evidence | Network rules vary | Visa/MC: 13-18 months

The pragmatic move: keep all POD records for at least 7 years. Storage is cheap, and you do not want to be hunting through old backups when a regulator asks.

What counts as "defensible" POD in a dispute

Whether you are responding to a regulatory inquiry, a chargeback, or a small-claims suit, the question is the same: can you produce a record that a reasonable person — judge, regulator, card-issuer — would accept as proof?

The strongest POD records have these properties:

  • Tamper-evident. Records are stored in a system where modification leaves an audit trail. A signature image saved on a driver's phone is weak. The same image stored in a system with audit logs is strong.
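  • Time-stamped server-side. A phone's clock can be wrong or changed by whoever holds the phone, so a timestamp taken from it is easy to challenge. A timestamp applied by the server when the record arrives does not depend on the device.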
  • Geo-coordinated. A signature collected at GPS coordinates that match the customer's address is far stronger than a signature collected three blocks away.
  • Linked to driver identity. Knowing who collected the POD matters if a fraud question comes up.
  • Retrievable. If you cannot produce the record in 24 hours, in many jurisdictions it does not effectively exist.
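The first three properties can be enforced when the server ingests a record. The sketch below is an added example, not code from Raute or any POD product: each record gets a server-side timestamp, a distance check against the customer's address, and a SHA-256 link to the previous record so that later edits are detectable. The field names, the 150 m tolerance, and the sample coordinates are assumptions made for illustration.

```python
import hashlib, json, math
from datetime import datetime, timezone

GENESIS = "0" * 64             # chain anchor for the first record (assumed convention)
MAX_DISTANCE_M = 150           # assumed geofence tolerance; tune per route
CUSTOMER = (40.7128, -74.0060) # constructed sample address coordinates

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two GPS points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371000 * math.asin(math.sqrt(a))

def _digest(body):
    # Canonical JSON so the same record always hashes to the same value.
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(raw).hexdigest()

def append_record(log, pod, customer_latlon, now=None):
    """Server-side ingest: stamp time, check geofence, chain to the previous record."""
    now = now or datetime.now(timezone.utc)  # server clock, never the device clock
    dist = haversine_m(pod["lat"], pod["lon"], *customer_latlon)
    body = dict(pod, server_ts=now.isoformat(), distance_m=round(dist, 1),
                geo_match=dist <= MAX_DISTANCE_M,
                prev_hash=log[-1]["hash"] if log else GENESIS)
    log.append(dict(body, hash=_digest(body)))
    return log[-1]

def verify_chain(log):
    """Return the index of the first record that fails verification, or None."""
    prev = GENESIS
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec["prev_hash"] != prev or _digest(body) != rec["hash"]:
            return i
        prev = rec["hash"]
    return None

def demo():
    """Two constructed deliveries, then an edit to the first record after the fact."""
    sig = hashlib.sha256(b"constructed-signature-image").hexdigest()
    log = []
    append_record(log, {"delivery_id": "D-1001", "driver_id": "drv-17", "lat": 40.7129,
                        "lon": -74.0061, "device_ts": "untrusted", "signature_sha256": sig}, CUSTOMER)
    append_record(log, {"delivery_id": "D-1002", "driver_id": "drv-17", "lat": 40.7160,
                        "lon": -74.0060, "device_ts": "untrusted", "signature_sha256": sig}, CUSTOMER)
    intact = verify_chain(log)
    log[0]["driver_id"] = "drv-99"  # simulated modification of a stored record
    return intact, verify_chain(log), [r["geo_match"] for r in log]
```

A hash chain only shows tampering if the latest hash is also kept somewhere the database administrator cannot rewrite, such as write-once storage or a periodic export; otherwise someone with write access can recompute the whole chain.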

State-by-state quirks worth knowing

We will not go through all 50, but a few states have rules that catch operators off guard:

  • California: CCPA/CPRA layers privacy rules on top of POD records that contain consumer data. Customer-facing tracking page must respect opt-out signals.
  • New York: uses an Electronic Signatures and Records Act (ESRA) instead of UETA. Functionally similar, occasionally different.
  • Texas: for alcohol delivery, your driver must complete TABC seller-server training. Records of training must be retained.
  • Florida: particularly strict on pharmacy delivery — controlled substance POD must include the recipient's government ID number on Schedule II in some county jurisdictions.
  • Pennsylvania: alcohol is sold through PLCB; private courier rules are tighter than most states.
  • Illinois: BIPA imposes biometric privacy rules — if your POD signature flow uses any biometric verification, you have to disclose and consent.

None of this should scare you off operating across states — it should encourage you to use a POD platform that lets you configure these per-customer or per-route, instead of forcing a one-size-fits-all workflow.

Common compliance mistakes

From conversations with operators across the country, these are the mistakes that come up over and over:

  • Storing POD only on driver phones. Phones get lost, factory-reset, replaced. Records must live on a server.
  • Allowing "signed by driver" for high-value deliveries. Some operators let drivers sign their own name when the customer is not home. This invalidates the POD if it is ever challenged.
  • No retention policy at all. "We have records" is not the same as "we have records for the legally required period."
  • Ignoring HIPAA when the customer is a covered entity. If you deliver for a hospital or pharmacy, HIPAA reaches you whether or not you think of yourself as "in healthcare."
  • Photo POD that does not capture context. A photo of a single package on the floor in front of an unmarked door is worth less than a photo of the package in front of a numbered door, with the address visible.
  • Not testing retrieval. Some operators discover during an actual audit that their archived POD is in a format their current software cannot open.

Practical checklist

  • Capture signature OR photo (or both) on every commercial delivery
  • Include GPS coordinates and a server-side timestamp on every POD record
  • Store driver ID alongside each POD (which driver completed it)
  • Retain records for at least 7 years in a retrievable format
  • For HIPAA: have a signed BAA with your POD vendor
  • For controlled substances: confirm your workflow is DEA-compliant before going live
  • For alcohol: train drivers on age verification and refusal scenarios
  • For ecommerce $750+: capture signature, not just photo
  • Test record retrieval at least once a year (mock audit)

When to call your lawyer

We will say it again: this article is not legal advice. Talk to an attorney before you start delivering controlled substances, alcohol, HIPAA-covered shipments, high-value freight, or anything regulated by your state pharmacy/ABC/health board. The cost of one consult is far less than the cost of a regulatory action — and the rules change. For broader context on POD operations, see our proof of delivery guide, the driver tracking guide, and 10 fleet management tips.
