Digital Identity Policy Momentum

Read the first installment in our series on The Future of Digital Identity in America here.

Technology alone doesn’t change societies; policy does. Every leap forward in digital infrastructure (whether electrification, the internet, or mobile payments) has been accelerated or slowed by policy. The same is true for verifiable digital identity. The question today isn’t whether the technology works; it does. The question is whether policy frameworks will make it accessible, trusted, and interoperable across industries and borders.

Momentum is building quickly. State legislatures, federal agencies, and international bodies are beginning to treat verifiable digital identity not as a niche experiment, but as critical public infrastructure. In this post, we’ll explore how policy is shaping digital identity, from U.S. state laws to European regulations, and why governments care now more than ever.

States Leading the Way: Laboratories of Democracy

In the U.S., states have become the proving ground for verifiable digital identity. Seventeen states, including California, New York, and Georgia, already issue mobile driver’s licenses (mDLs) that are accepted at more than 250 TSA checkpoints. By 2026, that number is expected to double, with projections of 143 million mDL holders by 2030, according to ABI Research forecasts.

Seventeen states now issue mobile driver’s licenses accepted at more than 250 TSA checkpoints - digital ID is already real, growing faster than many expected.

California’s DMV Wallet offers one of the most comprehensive examples. In less than two years, over two million Californians have provisioned mobile driver’s licenses, which can be used at TSA checkpoints, in convenience stores for age-restricted purchases, and even online to access government services—real, everyday transactions that people recognize. In addition to the digital licenses, more than thirty million vehicle titles have been digitized using blockchain, making it easier for people to transfer ownership, register cars, or prove title history without mountains of paperwork. Businesses can verify credentials directly, residents can present them online or in person, and the system is designed to work across states and industries. In other words, this program demonstrates proof that digital identity can scale to millions of people and millions of records while solving real problems.

California’s DMV Wallet has issued over two million mDLs and has digitized over 42 million vehicle titles using blockchain - demonstrating trustworthiness at scale.

Utah took a different approach by legislating principles before widespread deployment. SB 260, passed in 2025, lays down a bill of rights for digital identity. Citizens cannot be forced to unlock their phones to present a digital ID. Verifiers cannot track or build profiles from ID use. Selective disclosure must be supported, allowing people to prove an attribute, like being over 21, without revealing unnecessary details. Digital IDs remain optional, and physical IDs must continue to be accepted. Utah’s framework shows how policy can proactively protect civil liberties while enabling innovation.

Utah’s SB 260 doesn’t just pilot identity tech - it builds in privacy and choice from day one, naming those values as rights.

Together, California and Utah illustrate a spectrum of policymaking. One demonstrates what’s possible with rapid deployment at scale - how quickly millions of people can adopt new credentials when the technology is made practical and widely available. The other shows how legislation can proactively embed privacy and choice into the foundations of digital identity, creating durable protections that guard against misuse as adoption grows. Both approaches are valuable: California proves the model can work in practice, while Utah ensures it works on terms that respect civil liberties. Taken together, they show that speed and safeguards are not opposing forces, but complementary strategies that, if aligned, can accelerate trust and adoption nationwide.

Federal Engagement: Trust, Security, and Compliance

Federal agencies are also stepping in, linking digital identity to national security and resilience. The Department of Homeland Security (DHS) is piloting verifiable digital credentials for immigration—a use case where both accuracy and accessibility are essential.

Meanwhile, the National Institute of Standards and Technology (NIST), through its National Cybersecurity Center of Excellence (NCCoE), has launched a hands-on mDL initiative. In collaboration with banks, state agencies, and technology vendors (including 1Password, Capital One, Microsoft, and SpruceID, among others), the project is building a reference architecture demonstrating how mobile driver’s licenses and verifiable credentials can be applied in real-world use cases: CIP/KYC onboarding, federated credential service providers, and healthcare/e-prescribing workflows. The NCCoE has already published draft CIP/KYC use-case criteria, wireframe flows, and a sample bank mDL information page to show how a financial institution might integrate and present mDLs to customers—bringing theory into usable models for regulation and deployment. 

Why the urgency? Centralized identity systems are prime targets for adversaries. Breach one large database, and millions of people’s information is compromised. Decentralized approaches change that risk equation by sharding and encrypting user data, reducing the value of any single “crown jewel” target.

Decentralized identity reshapes the risk equation—no single crown jewel database for adversaries to breach.

Policy is also catching up to compliance challenges in financial services. In July 2025, Congress passed the Guiding and Establishing National Innovation for U.S. Stablecoins (GENIUS) Act, which, among other provisions, directs the U.S. Treasury to treat stablecoin issuers as financial institutions under the Bank Secrecy Act (BSA). Section 9 of the Act requires Treasury to solicit public comment on innovative methods to detect illicit finance in digital assets, including APIs, artificial intelligence, blockchain monitoring, and (critically) digital identity verification.

Treasury’s August 2025 Request for Comment (RFC) builds directly on this mandate. It seeks input on how portable, privacy-preserving digital identity credentials can support AML/CFT and sanctions compliance, reduce fraud, and lower compliance costs for financial institutions. Importantly, the RFC recognizes privacy as a design factor, asking specifically about risks from over-collection of personal data, the sensitivity of information reviewed, and how to implement safeguards alongside compliance.

This is a significant shift: digital identity is not only being framed as a user-rights issue or a convenience feature, but also as a national security and financial stability priority. By embedding identity into the GENIUS Act’s framework for stablecoins and BSA modernization, policymakers are effectively saying that modernized, cryptographically anchored identity is essential for the resilience of U.S. markets.

The European Example: eIDAS 2.0

While the U.S. pursues a patchwork of state pilots and federal engagement, Europe has opted for a coordinated regulatory approach. In May 2024, eIDAS 2.0 came into force, requiring every EU Member State to issue a European Digital Identity Wallet by 2026.

The regulation mandates acceptance across public services and major private sectors like banks, telecoms, and large online platforms. Privacy is baked into the requirements: wallets must be voluntary and free for citizens, support selective disclosure, and avoid central databases. Offline QR options are also mandated, ensuring usability even without connectivity.

Europe is treating digital identity as a right: free, voluntary, private, and accepted across borders.

Why does this matter? For citizens, it means one-click onboarding across borders. For businesses, it means lower compliance costs and reduced fraud. For the EU, it’s a step toward digital sovereignty, reducing dependency on foreign platforms and asserting leadership in global standards.

Identity as Infrastructure

Look closely, and a pattern emerges: policymakers are treating identity as infrastructure. Like roads, grids, or communications networks, identity is a shared resource that underpins everything else. Without it, markets stumble, governments waste resources, and citizens lose trust. With it, economies run smoother, fraud drops, and individuals gain autonomy.

Identity is infrastructure—like roads or grids, it underpins every modern economy and democracy.

This framing (identity as infrastructure) helps explain why governments care now. Fraud losses are staggering, trust in institutions is fragile, and AI is amplifying risks at unprecedented speed. Policy is not just reacting to technology; it’s shaping the conditions for decentralized identity to succeed.

Risks of Policy Done Wrong

Of course, not all policy is good policy. Poorly designed frameworks could centralize power, entrench surveillance, or create vendor lock-in. Imagine if a single state-issued wallet were mandatory for all services, or if verifiers were allowed to log every credential presentation. The result would be digital identity as a tool of control, not freedom.

That’s why principles matter. Utah’s SB 260 is instructive: user consent, no tracking, no profiling, open standards, and continued availability of physical IDs. These are not just policy features; they are guardrails to keep digital identity aligned with democratic values.

Privacy as Policy: Guardrails Before Growth

Alongside momentum in statehouses and federal pilots, civil liberties organizations have raised a critical warning: digital identity cannot scale without strong privacy guardrails. Groups like the ACLU, EFF, and EPIC have cautioned that mobile driver’s licenses (mDLs) and other digital ID systems risk entrenching surveillance if designed poorly.

The ACLU’s Digital ID State Legislative Recommendations outline twelve essential protections: from banning “phone-home” tracking and requiring selective disclosure, to preserving the right to paper credentials and ensuring a private right of action for violations. EFF warns that without these safeguards, digital IDs could “normalize ID checks” and make identity presentation more frequent in American life .

The message is clear: technology alone isn’t enough. Policy must enshrine privacy-preserving features as requirements, not optional features. Utah’s SB 260 points in this direction by mandating selective disclosure and prohibiting tracking. But the broader U.S. landscape will need consistent frameworks if decentralized identity is to earn public trust.

We'll explore these principles in greater depth in a later post in this series, where we examine how civil liberties critiques shape the design of decentralized identity and why policy and technology must work together to prevent surveillance creep.

SpruceID’s Perspective

At SpruceID, we sit at the intersection of policy and technology. We’ve helped launch California’s DMV Wallet, partnered on Utah’s statewide verifiable digital credentialing framework, and collaborated with DHS on verifiable digital immigration credentials. We also contribute to global standards bodies, such as the W3C and the OpenID Foundation, ensuring interoperability across jurisdictions.

Our perspective is simple: decentralized identity must remain interoperable, privacy-preserving, and aligned with democratic principles. Policy can either accelerate this vision or derail it. The frameworks being shaped today will determine whether decentralized identity becomes a tool for empowerment or for surveillance.

Why Governments Care Now

The urgency comes down to four forces converging at once:

• Fraud costs are exploding. In 2024, Americans reported record losses - $16.6 billion to internet crime (FBI IC3) and $12.5 billion to consumer fraud (FTC). On the institutional side, the average U.S. data breach cost hit $10.22 million in 2025, the highest ever recorded (IBM).
• AI is raising the stakes. Synthetic identity fraud alone accounted for $35 billion in losses in 2023 (Federal Reserve). FinCEN has warned that criminals are now using generative AI to create deepfake videos, synthetic documents, and realistic audio to bypass identity checks and exploit financial systems at scale.
• Global trade requires interoperability. Cross-border commerce depends on reliable, shared frameworks for verifying identity. Without them, compliance costs balloon and innovation slows.
• Citizens expect both privacy and convenience. People want frictionless, consumer-grade experiences from digital services, but they will not tolerate surveillance or being forced into a single system.

Policymakers increasingly see decentralized identity as a way to respond to all four at once. By reducing fraud, strengthening democratic resilience, supporting global trade, and protecting privacy, decentralized identity offers governments both defensive and offensive advantages.

The Policy Frontier

We are standing at the frontier of decentralized identity. States are pioneering real deployments. Federal agencies are tying identity to national security and compliance. The EU is mandating wallets as infrastructure. Around the world, policymakers are realizing that identity is not just a product, it’s the scaffolding for digital trust.

The decisions made in statehouses, federal agencies, and international bodies over the next few years will shape how identity works for decades. Done right, verifiable digital identity can become the invisible infrastructure of freedom, convenience, and security. Done wrong, it risks becoming another layer of surveillance and control.

That’s why SpruceID is working to align policy with technology, ensuring that verifiable digital identity is built on open standards, privacy-first principles, and user control. Governments care now because the stakes have never been higher. And the time to act is now.

This article is part of SpruceID’s series on the future of digital identity in America.

Subscribe to be notified when we publish the next installment.