Round voting button logo

State-Endorsed Digital Identity Program Amendments

Passed on 3/25/26

Overview

Senate Bill 275 establishes a comprehensive state-endorsed digital identity program in Utah, creating a voluntary system that allows residents to obtain and use secure digital credentials as an alternative to traditional physical identification documents. The legislation aims to modernize identity verification processes while establishing robust privacy protections and individual rights through a Digital Identity Bill of Rights. The program seeks to balance technological innovation with civil liberties by ensuring that digital identities remain optional, secure, and under individual control. The bill creates a framework for issuing, managing, and verifying digital identities while prohibiting government coercion or surveillance beyond what is authorized by existing law. This initiative positions Utah as a leader in digital identity infrastructure while maintaining strong protections against potential misuse or overreach.

Core Provisions

The legislation creates the State-Endorsed Digital Identity Program within the Department of Government Operations, establishing a comprehensive regulatory framework for digital identity credentials. The program is managed by a program manager appointed by the executive director and approved by the governor. The bill enacts a Digital Identity Bill of Rights that guarantees individuals the right to manage and control their digital identity, choose between physical and digital forms of identification, and be free from state-compelled use of digital credentials. Individuals are protected from surveillance, profiling, tracking, or persistent monitoring of their digital identity assertions except as authorized by existing law, and they cannot be required to surrender their secure electronic devices to present digital identity. The legislation mandates that state-endorsed digital identities must be tamper-resistant, support both online and offline presentation, maintain secure logs of presentations, and enable selective disclosure of identity attributes. Governmental entities are prohibited from providing material benefits for using digital identities over physical ones or withholding services from individuals who choose physical identification. The bill establishes technical requirements for digital wallet providers, verifiers, and relying parties, requiring them to incorporate state-of-the-art safeguards for protecting individual identity and to process only the minimum identity attributes reasonably necessary for specified purposes. Health care providers must accept state-endorsed digital identities within two years from the date the first credential is issued. The legislation takes effect on May 6, 2026, with the department required to begin accepting applications as soon as feasible thereafter.

Key Points

  • Creation of State-Endorsed Digital Identity Program within Department of Government Operations [§63A-20-202]
  • Establishment of Digital Identity Bill of Rights guaranteeing individual control, choice, and freedom from compelled use [§63A-20-101]
  • Technical requirements for digital identities including tamper-resistance, offline capability, secure logging, and selective disclosure
  • Prohibition on governmental entities providing preferential treatment for digital identity use or penalizing physical identity use
  • Mandatory acceptance by health care providers within two years of first issuance
  • Identity proofing standards and processes to ensure credential reliability [§63A-20-304]
  • Application and eligibility requirements including Utah residency and successful identity proofing [§63A-20-302]
  • Effective date of May 6, 2026

Legal References

  • Utah Code Annotated §63A-20-101 (Digital Identity Bill of Rights)
  • Utah Code Annotated §63A-20-201 (Definitions)
  • Utah Code Annotated §63A-20-202 (State-Endorsed Digital Identity Program)
  • Utah Code Annotated §63A-20-301 through §63A-20-305 (Requirements for Digital Identities)
  • Utah Code Annotated §63A-20-401 (Governmental Entity Requirements)
  • Utah Code Annotated §63A-20-501 through §63A-20-601 (Digital Wallet and Verifier Requirements)
  • Title 63G, Chapter 3, Utah Administrative Rulemaking Act
  • Title 13, Chapter 44, Protection of Personal Information Act
  • Title 13, Chapter 61, Utah Consumer Privacy Act

Implementation

The Department of Government Operations bears primary responsibility for implementing and administering the state-endorsed digital identity program, with authority to make rules under the Utah Administrative Rulemaking Act to establish technological standards and best practices. A program manager appointed by the executive director and approved by the governor oversees day-to-day operations. The Data Privacy Ombudsperson provides oversight and receives complaints regarding program implementation. The Office of the Legislative Auditor General must conduct a comprehensive audit of the program beginning January 1, 2028, with completion required by October 31, 2028. The department must submit annual reports to the Legislative Audit Subcommittee starting January 1, 2027, covering program implementation metrics, adoption rates, security incidents, and public comments. The Attorney General has enforcement authority to bring civil actions for violations of the chapter, with courts empowered to award injunctive relief, declaratory relief, equitable relief, actual damages, costs, and reasonable attorney fees. The department must establish identity proofing processes that result in credentials providing appropriate levels of confidence in individual identity, and may validate verification provided by third-party identity proofing entities. Digital wallet providers, verifiers, and relying parties must comply with security and privacy standards, incorporating state-of-the-art safeguards and processing identity attributes securely while limiting data collection to the minimum necessary for specified purposes.

Key Points

  • Department of Government Operations administers program with rulemaking authority
  • Program manager appointed by executive director and approved by governor
  • Data Privacy Ombudsperson provides oversight and complaint resolution
  • Office of Legislative Auditor General conducts audit beginning January 1, 2028, completing by October 31, 2028
  • Annual reporting to Legislative Audit Subcommittee starting January 1, 2027
  • Attorney General enforcement authority with civil remedies including injunctive relief and damages
  • Department establishes identity proofing standards and may validate third-party verification
  • Compliance requirements for digital wallet providers, verifiers, and relying parties

Legal References

  • Utah Code Annotated §63A-20-701 through §63A-20-702 (Audit and Reporting)
  • Utah Code Annotated §63A-20-801 through §63A-20-802 (Complaints and Enforcement)
  • Utah Code Annotated §63A-20-901 (Rulemaking)
  • Utah Code Annotated §63A-19-501 (Ombudsperson provisions)
  • Title 63G, Chapter 3, Utah Administrative Rulemaking Act

Impact

The primary beneficiaries of this legislation are Utah residents who gain access to a secure, convenient, and privacy-protective digital identity option for interacting with government services, health care providers, and potentially private sector entities. Individuals benefit from enhanced control over their personal information through selective disclosure capabilities and protection from surveillance and tracking. Governmental entities and health care providers gain more efficient identity verification processes while maintaining obligations to accept traditional physical identification. Digital wallet providers and technology companies operating in Utah's digital identity ecosystem receive clear regulatory standards and market opportunities. The legislation imposes administrative costs on the Department of Government Operations for program development, implementation, and ongoing management, though specific funding amounts are not specified in the bill. Health care providers face compliance costs to integrate digital identity acceptance within the two-year implementation window. The audit requirement creates accountability mechanisms to assess program effectiveness, security incidents, and adoption rates. The voluntary nature of the program limits potential negative impacts on individuals who prefer traditional identification methods, as the bill explicitly prohibits penalties or service denial for choosing physical credentials. Expected outcomes include increased efficiency in identity verification, enhanced privacy protections, reduced identity fraud, and modernization of government services, though actual adoption rates and cost-benefit ratios will depend on implementation quality and public acceptance.

Key Points

  • Utah residents gain voluntary access to secure digital identity credentials with enhanced privacy controls
  • Governmental entities benefit from efficient identity verification while maintaining physical ID acceptance obligations
  • Health care providers must integrate digital identity acceptance within two years of first issuance
  • Digital wallet providers and technology companies receive clear regulatory framework and market opportunities
  • Administrative costs for Department of Government Operations (specific amounts not specified)
  • Compliance costs for health care providers and other accepting entities
  • No penalties or service denial for individuals choosing physical identification
  • Expected outcomes include increased efficiency, enhanced privacy, reduced fraud, and service modernization

Legal Framework

The legislation operates within Utah's existing constitutional and statutory framework, creating new Title 63A, Chapter 20 of the Utah Code Annotated to govern state-endorsed digital identities. The bill draws authority from the state's general police powers and its responsibility to provide identification documents to residents, similar to existing driver's license and identification card programs. The Digital Identity Bill of Rights establishes constitutional-level protections against government overreach, including freedom from compelled use and protection from surveillance beyond what is authorized by existing law, which aligns with Fourth Amendment privacy protections and due process guarantees. The legislation integrates with existing Utah privacy statutes, including the Protection of Personal Information Act and the Utah Consumer Privacy Act, creating a comprehensive privacy framework for digital identity data. The bill grants the department rulemaking authority under the Utah Administrative Rulemaking Act, ensuring that implementing regulations follow established administrative procedures including public notice and comment. The Attorney General's enforcement authority provides judicial review mechanisms through civil actions, with courts empowered to grant equitable and legal remedies. The legislation does not explicitly preempt local government authority but establishes statewide standards that effectively create uniform requirements for governmental entities. The bill's provisions regarding health care provider acceptance may interact with federal health care privacy regulations under HIPAA, though the legislation does not address potential conflicts. The voluntary nature of the program and explicit prohibitions on compelled use strengthen the legislation's constitutional footing by avoiding potential substantive due process challenges.

Legal References

  • Utah Code Annotated Title 63A, Chapter 20 (newly created)
  • Title 13, Chapter 44, Protection of Personal Information Act
  • Title 13, Chapter 61, Utah Consumer Privacy Act
  • Title 63G, Chapter 3, Utah Administrative Rulemaking Act
  • Utah Code Annotated §53-3-235 (lawful presence requirements)
  • U.S. Constitution, Fourth Amendment (privacy protections)
  • U.S. Constitution, Fourteenth Amendment (due process)
  • Health Insurance Portability and Accountability Act (HIPAA) - potential interaction

Critical Issues

Several constitutional and practical concerns arise from this legislation despite its protective framework. The collection and storage of biometric and identity data by the state creates inherent privacy risks, even with strong safeguards, as data breaches or unauthorized access could expose sensitive personal information of thousands of residents. The requirement that health care providers accept digital identities within two years may create unfunded mandates and impose significant compliance costs on smaller providers who lack technological infrastructure. While the bill prohibits state surveillance beyond what is authorized by existing law, this exception creates potential loopholes if other statutes permit broad monitoring or data collection. The selective disclosure mechanism, while privacy-protective in theory, may prove technically complex to implement and could create interoperability challenges with existing identity verification systems. The legislation does not specify funding sources or amounts, raising questions about program sustainability and whether implementation costs will strain state resources or require future appropriations. The voluntary nature of the program may limit adoption rates, potentially creating a two-tiered system where digital identity users receive de facto preferential treatment despite statutory prohibitions, as digital verification may prove faster or more convenient than physical document processing. The audit timeline beginning in 2028 may be too late to identify and correct significant implementation problems, particularly security vulnerabilities that could be exploited in the interim. The bill's interaction with federal REAL ID requirements and other federal identification standards remains unclear, potentially creating compliance complications for residents who need federally-compliant identification. Opposition arguments likely focus on government overreach concerns, data security risks, implementation costs, and the potential for mission creep where voluntary programs become effectively mandatory through social or economic pressure. The enforcement mechanism relying on Attorney General action may prove inadequate if violations are widespread or if political considerations affect enforcement priorities.

Key Points

  • Privacy risks from centralized collection and storage of biometric and identity data despite protective safeguards
  • Unfunded mandate concerns for health care providers required to accept digital identities within two years
  • Potential surveillance loopholes through 'authorized by existing law' exception
  • Technical complexity of selective disclosure implementation and interoperability challenges
  • Unspecified funding sources raising sustainability and resource allocation concerns
  • Risk of de facto two-tiered system despite prohibitions on preferential treatment
  • Delayed audit timeline (2028) may miss critical early implementation problems
  • Unclear interaction with federal REAL ID and other federal identification requirements
  • Enforcement limitations relying solely on Attorney General discretion
  • Potential for voluntary program to become effectively mandatory through social or economic pressure

Sponsors

0
2
RR
Democratic CaucusRepublican Caucus

Roll Call Votes

26 Yea

RRRRRRRRIRRDRRDDRRRRRRRDRR

0 Nay

3 Absent

DDR

Calendar

Feb 11

2:00 PM

Senate Government Operations and Political Subdivisions Hearing

Feb 27

4:00 PM

House Economic Development and Workforce Services Hearing