Utah Passes Nation’s Strongest Digital Identity Bill
The Utah state legislature recently passed new enabling legislation for the state’s “State Endorsed Digital Identity” (SEDI), which, while lacking in some respects, includes many important privacy protections and represents the best effort we have yet seen in a state to square privacy protections with the looming dangers to civil liberties that flow from digital identities.
This past November I wrote about Utah’s laudable drive to build the state’s digital identity program with privacy protections. In 2021 we issued a report on digital identity, and in 2024 we issued guidance explaining a series of legislative protections that should be mandated before a state adopts any digital ID.
Utah’s new law has some very positive provisions that match many of our recommendations — but it also has some meaningful limitations.
A “duty of loyalty.”
In perhaps its most striking feature, the law includes a potentially powerful provision creating a “duty of loyalty” to individuals by the government ID issuer, wallet providers, and verifiers/relying parties. They are required to “refrain from practices or activities” related to digital ID that “conflict with the best interests of an individual” or “take advantage of,” “exploit,” “cause harm,” are to their “detriment,” or that “result in a disproportionate risk” to them.
Such a duty appears to stem directly from a proposal by Neil Richards and Woodrow Hartzog, in a 2021 law review article proposing “A Duty of Loyalty for Privacy Law,” as well as from related concepts advanced by a number of legal scholars including Jack Balkin, author of “Information Fiduciaries and the First Amendment” (2016).
Richards and Hartzog wrote that “a duty of loyalty framed in terms of the best interests of digital consumers is coherent and desirable and should become a basic element of US data privacy law.” They noted that adoption of a duty of loyalty would be “a revolution in data privacy law.”
Utah appears to have enacted just such a duty, albeit focused on digital identity rather than privacy writ large. Assuming it is actually enforced, Utah’s duty of loyalty should offer broad and thorough privacy protection for those using the state’s SEDI digital IDs, with the possible exception of the problem of excessive ID demands (see below).
Other provisions
The SEDI legislation also contained a number of other good provisions that are mostly lacking in other states that have adopted digital driver’s licenses. The law:
- Bans “phone home” architectures. An ID created under the law “may not include a mechanism that allows [the government issuer] to monitor, surveil, or track the presentation” of an ID. As we have long discussed, this is a basic but crucial privacy requirement of any digital ID system, and was the subject of a sign-on campaign by the ACLU and allies within the digital identity community.
- Requires selective disclosure. It requires that the system allow people to reveal only some of their attributes, such as whether they are over 21, without disclosing other unnecessary or needlessly revealing data.
- Provides for an open wallet ecosystem. Importantly, the law contains provisions to ensure the system allows people to use the digital wallet of their choice. This creates space to prevent a handful of companies (like Apple, Google, and Samsung) from maintaining oligopolistic control over the wallet ecosystem. Even if most people use those companies’ wallets, these provisions provide an escape valve for anyone who doesn’t like those wallets, wants different functionality, or wants more privacy-protective wallets if the privacy protections we call for are not enacted or are eroded.
- Provides for purpose specification, minimization, and consent. The law requires that verifiers provide “conspicuous notice” of “the purpose for which the identity attributes are processed [read],” and that verifiers “process only the minimum identity attributes reasonably necessary to achieve” that “specified purpose.” It also bans verifiers from reading someone’s ID attributes without consent. These are necessary but not sufficient for strong privacy protection as they fall prey to some of the widely recognized problems with “notice and choice” privacy regimes (see below).
- Repeals the state’s ISO-based mDL program. Even as it builds SEDI, Utah already has a parallel digital driver’s license program under the flawed ISO standard being adopted by many other states. That raised the question of whether SEDI would just be a side-project while the state’s mDL program became the real deal that everybody actually used, rendering the SEDI relatively meaningless. Apparently that won’t be the case, however, as the law includes a provision terminating the state’s mDL program.
- Includes statutory protections against “un-personing.” One of our concerns with digital ID systems is that even as digital IDs increasingly become a de facto requirement to do anything online, they may also be abusively canceled for some people for political purposes, without adequate process, or in error, with much graver consequences than before. As we have discussed, there have already been indications of that happening. Any digital ID system needs technical designs that make digital IDs no easier to take away from people than their physical IDs. Utah does not adopt such a design, though the law does statutorily ban IDs from being revoked except in a narrow set of circumstances (such as fraudulent issuance).
- Limits phone access. The law says that “a verifier may not require a holder to surrender the holder’s secure electronic device in the course of a presentation.” This is an important line to draw, though it fails to ban police from requesting “voluntary” access to people’s phones, as we have called for. Such access has been a problem, with many officers using such “permission” to clone people’s phones.
The bill also creates an ombudsman to handle complaints, and creates a “digital identity bill of rights” that, like the duty of loyalty, contains broad language — for example, an individual right to “management and control” of their ID — that, if it is applied properly, could protect people from many of the negative effects of a digital ID.
Despite these strengths, the measure also has shortcomings.
Insufficient protections against omnipresent ID demands from the private sector
Digital IDs present serious threats to civil liberties from government, but most of the novel data collection that these IDs will likely facilitate in the absence of protections would be from the private sector. The primary exception is the potential for centralized “phone home” monitoring of ID use by DMVs or other government issuers — and of course the government currently has many avenues by which to access private-sector data.
There are times when the law requires people to prove their identity to private-sector companies (such as in banking) or to prove an attribute (such as that they are over 21 to purchase age-restricted goods). But in our age of surveillance capitalism, for-profit entities have enormous incentives to collect as much information about customers and prospective customers as they can. And they have incentives to definitively identify people so their information and transactions can be connected to other data that is out there about them, such as the unethical dossiers assembled by data brokers.
One of the biggest threats from digital ID systems is that they will open the floodgates to incessant identification demands from all directions. If not stopped, these systems could make it so easy for web sites and other companies to ask their customers to share their IDs that everyone will soon be faced with demands to do so at every turn.
Some of the broad language in the Utah law could be read to protect individuals against this threat (such as the bill of rights provision that people are entitled to “control” and “limit access to” their IDs, and the ban on verifiers reading IDs without consent). But overall, the law doesn’t explicitly protect people against unnecessary ID requests. For example, the law requires that verifiers specify a purpose for requesting IDs, but doesn’t impose any limitations on such purposes. Without that, everybody’s going to be getting notifications like:
We process your identity attributes for the purpose of allowing our services to operate, maintain, improve, personalize, secure, market, monetize, and otherwise support our business and offerings, including for research, analytics, product development, advertising, communications, and compliance.
And presto, other protections, such as a requirement that data only be collected that is “necessary for a specified purpose” become an empty gesture. The consent requirement likewise fails to protect people against the real-world power that many companies currently hold over our lives. People will be told, essentially, “Click here to consent (and if you don't consent we won't provide you with any services).” Given the market power that sometimes monopolistic big tech and other companies hold, “notice and choice” requirements likewise threaten to become an empty gesture.
Weak private sector physical license protections
Similarly, the law contains protections for people who want to stick with their physical license and not use a digital one — but when it comes to the private sector, it lacks any protection against companies who violate that principle by offering degraded or intolerable services to those who refuse to present the digital versions of their IDs.
Lack of specifics to fill out the “Duty of Loyalty”
Some of these problems could be solvable through the law’s potentially strong Duty of Loyalty provisions, which apply to both private and public sector actors. But the duty only applies to activities “related to the processing of an individual’s identity attributes” — it’s not clear whether it actually constrains when such processing may occur in the first place (i.e., curbing incessant demands for digital proof of identity). And the provision relies on terms that are abstract and sometimes difficult to prove (“harm,” for example, has long been notoriously difficult to prove to the satisfaction of many courts in privacy cases). So it’s not clear how enforceable the terms are and how much interpretive wiggle room they would give bad actors.
As Richards and Hartzog argue, broadly worded protections can be adaptable and long-lasting, such as the Constitution’s ban on “unreasonable searches and seizures” and the law authorizing the Federal Trade Commission to act against “deceptive and unfair trade practices.” And broad laws are less susceptible than detailed dictates to being gamed or hacked and more adaptable to technology change. But broad laws can also depend on deep social buy-in among judges — and behind them, society — on the values and vision those laws are intended to uphold. Broad laws can also create due process and other constitutional problems.
Ideally Utah’s Duty of Loyalty would be accompanied by more specific provisions, such as explicit and strong limits on when verifiers may ask for ID and how data obtained from an ID presentation is stored and shared (“processed” in the language of the statute). Such provisions are contained in many state laws constraining the reading of bar codes on people’s physical licenses and the handling of data when such swiping is permitted to take place. New Hampshire law, for example, says that “no person shall scan, record, retain, or store, in any electronic form or format, personal information obtained from any license” unless authorized by the state. New Jersey’s law limits scanning and data dissemination to an enumerated list of permitted uses and regulates data sharing — and has explicitly expanded those protections to digital driver’s licenses.
Private right of action missing
The Duty of Loyalty and other provisions would be much more powerful with a private right of action (a right of individuals to sue over violations they have experienced), which would give teeth to the provisions that apply to the private sector. Without such a right, consistent and strong enforcement of civil laws is left up to state attorneys general, who are often under-staffed, under-prepared, or politically unmotivated to vigorously enforce people’s rights — especially when they’re as broad and novel as those in the Duty of Loyalty.
Sale of data
To sell or share personal data they capture under this law, digital wallet providers need only express authorization — a standard that can be met with a quick consent flow that doesn’t require that the person truly understand what they’re agreeing to. Included in the data for sale could be information that reveals your location with 100% certainty. Given that location data can start from DMVs and online ads, and end up purchased by foreign governments and those looking to stalk and harm people, this is a risky loophole to leave open.
A log that holds your entire history by default
The bill requires digital wallets to include a “secure log” that collects where IDs have been and what information was provided to a verifier. While this is not a bad idea in theory, in practice such a log gives anyone who accesses your phone (or the log on the cloud, if that’s where it’s stored) an undeniable history of everywhere you’ve been scanned since you got the ID; whether that’s the doctor’s office, a divorce attorney’s office, or your church. While the right exists to delete this log, thirty years of personal technology has shown us that most users stick with default settings. We are now recommending a limited default retention setting of a few days or weeks that is ideally customizable by only the wallet holder; this would create more protection from abusive partners, law enforcement, and bad actors.
Further improvements may be in Utah’s pipeline
Without protections against private exploitation of a digital driver’s license system, any digital ID system will just be creating the rails for sweeping invasions of individual privacy by companies. It would be as if the government is creating a powerful new privacy-invading tool — an x-ray vision device that can clearly see and hear through the walls of people’s homes, perhaps — and then offering to make it available only to companies, free of charge. Americans of all political ideologies shouldn’t want the government’s role to be creating infrastructures that give the private sector a smooth path to track people.
Word in Utah is that the new law — which actually fleshes out an initial SEDI statute passed in 2025 — will be followed up by further measures as Utah’s digital ID vision continues to be implemented. Any subsequent measures may further strengthen the law. If so, that could make SEDI the first digital ID system we have seen that might actually be acceptable from a privacy and civil liberties perspective.
Technical and policy support for this piece provided by ACLU Technologist & Fellow Varun Gadh.