
Utah's SB 275 Turns Digital Identity Principles Into Law

Utah's State-Endorsed Digital Identity Program moves from policy to practice, establishing the strongest privacy framework for government-issued digital credentials in the United States.


One year ago, Utah did something no other state had done: it declared in statute that identity belongs to the individual, not the state. SB 260 established the principles. Now, SB 275 builds the program.

Passed unanimously by both chambers of the Utah legislature and signed into law by Governor Cox with an effective date of May 6, 2026, SB 275 creates the State-Endorsed Digital Identity (SEDI) Program within the Department of Government Operations. It codifies a digital identity bill of rights, sets binding technical and privacy requirements for every participant in the ecosystem, from the state itself to digital wallet providers, verifiers, and relying parties, and establishes real enforcement mechanisms backed by the attorney general.

At SpruceID, our mission is to let users control their identity and data across all their digital interactions, so we've been proud to support Utah's leadership in building privacy-preserving, user-controlled digital identity. SB 275 continues that trajectory on constitutionally-based principles.

From Framework to Enforcement

SB 260, which we wrote about last year, directed the Department of Government Operations to study how a state-endorsed digital identity could be implemented in a manner consistent with strict privacy and user-control principles. SB 275 is the result of that work. It takes the guiding principles of SB 260 (individual sovereignty of identity, anti-surveillance protections, selective disclosure, and the right to choose physical credentials) and translates them into an operational legal framework with teeth.

Whereas SB 260 focused on definitions, SB 275 establishes enforcement through processes involving Utah's data privacy ombudsperson, and authorizes the attorney general to bring civil actions for violations, including injunctive relief, damages, and restitution. This can strengthen the requirements for identity proofing, wallet security, data minimization, and processing restrictions that apply to every entity that touches a resident's digital identity.

A Digital Identity Bill of Rights

At the heart of SB 275 is a set of rights for every Utahn, whether or not they choose to use the digital version:

The right to a physical ID: No one can be compelled to use a form of digital identity, and no government entity can withhold services or confer material benefits based on whether someone uses a digital or physical credential.

The right to selective disclosure: Holders can share only the attributes a transaction requires, and can prove they meet an age threshold without revealing their birth date or exact age.

The right to be free from surveillance: The law prohibits the state from building monitoring, tracking, or profiling mechanisms into the digital identity system. It also ensures that usage is not inappropriately linked across different verifiers.

The right to transparency: The standards and technical specifications underlying the system must be publicly accessible and unencumbered from licensing fees or patent restrictions.

The right to control: Holders choose their secure digital wallet, control what attributes are disclosed, and can migrate their credential to a different compliant wallet at any time.

Don't Be Evil → Can't Be Evil

SB 275 codifies technical controls into law, reflecting an uncommonly deep collaboration between policymakers and technologists. The best programs need policy and technology to work together. The result is a law that doesn't just prohibit bad behavior; it requires architecture that makes bad behavior technically difficult.

The law requires "state-of-the-art safeguards," including:

  • Compromise detection to identify when something has gone wrong
  • Recovery mechanisms to address what happens after it does, a critical gap in many digital identity programs
  • Cross-context correlation protections targeting the ability of bad actors or overzealous data collectors to link a person's identity presentations across different contexts
  • Open standards that are publicly available and free from licensing and patent restrictions

Identity proofing must reflect verification at a point in time, without continuous monitoring or tracking after issuance. This is an important architectural choice: a state-endorsed digital identity is an endorsed artifact, not an active signal. The state confirms your identity once, and the credential stands on its own without requiring ongoing check-ins that could become vectors for surveillance.

The law goes further. It explicitly prohibits any mechanism that allows the department to monitor, surveil, or track presentations of a state-endorsed digital identity to another entity. Implementations where a verifier contacts a central server in a way that reveals which credential is being checked would face challenges under this provision, because the mechanism itself creates a surveillance vector regardless of intent. 

Importantly, the law's focus is on the capability for surveillance, not on credential status checking as such. Revocation and validity mechanisms designed so the issuer never learns who is presenting or when should be able to coexist with the law's requirements, though whether any particular implementation satisfies the statute's standard will need to be tested in practice. Getting this right matters: live revocation is essential for security, and the ecosystem will need to demonstrate that privacy-preserving approaches can meet both the technical need and the legal bar. This is a meaningful line in the sand: the architecture must make surveillance technically difficult, not just policy-prohibited.
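The distinction drawn above, between a status check that names the credential to the issuer and one that does not, can be seen by comparing what the issuer is able to log under each design. The following is an added example, not code from SpruceID or from Utah's program; the class names, the list size, and the published-bitstring approach are assumptions chosen for illustration, and the statute does not prescribe any particular mechanism.

```python
import base64
import gzip

LIST_SIZE = 131072  # constructed value: credentials covered by one published list


class Issuer:
    """Toy issuer offering both designs; `seen` is everything it could log."""

    def __init__(self):
        self.bits = bytearray(LIST_SIZE // 8)
        self.seen = []  # (caller, what the request revealed)

    def revoke(self, index):
        self.bits[index // 8] |= 0x80 >> (index % 8)

    # Design A: per-credential lookup. The request itself names the credential.
    def status_by_id(self, caller, index):
        self.seen.append((caller, f"credential #{index}"))
        return bool(self.bits[index // 8] & (0x80 >> (index % 8)))

    # Design B: one compressed bitstring covering every credential in the list.
    def fetch_list(self, caller):
        self.seen.append((caller, "whole list"))
        return base64.urlsafe_b64encode(gzip.compress(bytes(self.bits)))


class Verifier:
    def __init__(self, name, issuer):
        self.name, self.issuer, self.cached = name, issuer, None

    def check_online(self, index):
        return self.issuer.status_by_id(self.name, index)

    def refresh(self):
        blob = self.issuer.fetch_list(self.name)
        self.cached = gzip.decompress(base64.urlsafe_b64decode(blob))

    def check_local(self, index):
        # No network call here: the issuer never learns which index was tested.
        if self.cached is None:
            self.refresh()
        return bool(self.cached[index // 8] & (0x80 >> (index % 8)))


def issuer_view(issuer):
    """What the issuer could reconstruct about individual presentations."""
    return [what for _, what in issuer.seen]
```

In the list design the issuer still sees that a verifier fetched the list and when, so how often verifiers refresh and how many credentials share a list determine how much that fetch reveals. Refreshing less often also delays when a revocation takes effect, which is the tension with live revocation described above.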

Identity proofing requirements align well with frameworks like NIST 800-63A, requiring proofing to establish that the applicant is a real individual, is who they claim to be, and meets eligibility requirements. These are standard assurance-level objectives that map naturally to existing federal guidance.

Accountability Across the Ecosystem

Technical architecture sets the floor. SB 275 layers enforceable obligations on top of it.

The law introduces a duty of loyalty that applies to every participant in the ecosystem: the department, digital wallet providers, verifiers, relying parties, and digital guardians. All must refrain from processing identity attributes in ways that:

  • Conflict with the best interests of an individual
  • Take advantage of or otherwise exploit an individual
  • Result in a disproportionate risk to an individual
  • Are to an individual's detriment
  • Cause harm to an individual

Wallet providers face specific transparency requirements:

  • Must maintain secure logs recording what identity attributes were shared and with whom
  • Logs are accessible, exportable, and deletable only by the holder
  • Processing is restricted to the primary purpose of the presentation
  • Any other use requires express holder authorization

Enforcement has real mechanisms:

  • Violations can be brought to Utah's data privacy ombudsperson
  • The attorney general is authorized to bring civil actions, with remedies including injunctive relief, declaratory relief, equitable relief (including restitution and disgorgement), actual damages, costs, and reasonable attorney fees
  • A one-time audit by the Office of the Legislative Auditor General begins January 1, 2028, with the audit report due by October 31, 2028, evaluating compliance, anti-surveillance effectiveness, and the program's long-term placement within state government
  • The department must report annually to the Economic Development and Workforce Services Interim Committee on adoption metrics, security incidents, vendor ecosystem status, public comments, and recommended statutory changes

This is the kind of built-in accountability that separates serious programs from aspirational ones. The 2028 audit, in particular, will be an important checkpoint for the entire digital identity community.

A few open questions are worth flagging:

  • Breadth of the duty of loyalty: The duty of loyalty is broadly written, and its boundaries will evolve as the ecosystem matures. Does a social media platform that accepts digital IDs expose itself to liability if its service is argued to cause harm to users? These tensions will likely be tested through enforcement actions and, potentially, through the courts.
  • Scope across identity verification methods: The duty of loyalty and processing restrictions apply to participants in the SEDI ecosystem: the department, digital wallet providers, verifiers, and relying parties. But identity verification does not happen exclusively through state-endorsed credentials. Anti-fraud tools that aggregate device signals, network behavior, and proprietary databases to assess identity may or may not fall within the law's definitions. If the duty of loyalty ends up applying only to SEDI credential acceptance and not to these alternative identity signals, it could create a perverse incentive: a relying party might avoid accepting SEDI credentials to sidestep the obligations, and instead rely on a proprietary signal broker or picture-based identity verification that carries no corresponding duty of loyalty, even if that approach is worse for security, anti-fraud, and user privacy. The strength of the framework depends in part on whether the legal obligations create a level playing field or inadvertently penalize the more privacy-respecting option.
  • Wallet log protections: Wallet logs are a meaningful transparency tool, but they also represent a concentrated record of a person's identity transactions. Without clear guardrails, there is a risk that third parties, including advertisers, could seek access. The ecosystem should remain vigilant about how these protections hold up in practice.

SB 275 Driving Adoption

SB 275 does not leave adoption to chance:

  • Government entities that implement new systems accepting digital identity after the effective date must accept a state-endorsed digital identity within three months of the first credential being issued
  • Health care providers receiving at least $10 million annually in public funding have two years to accept the credential if they already have systems that accept digital identity

Setting state-level requirements for verifiers is important. Without these mandates, even the best-designed system risks becoming a credential that no one accepts. Utah's approach creates a clear adoption path while allowing reasonable accommodations for entities that face genuine technical feasibility challenges.

The department is also directed to coordinate with specific agencies to develop use cases and implementation standards, including:

  • Department of Alcoholic Beverage Services
  • Driver License Division
  • Department of Health and Human Services
  • State Board of Education
  • State and local law enforcement

Priority areas include age verification for alcohol purchases, student enrollment, law enforcement encounters, and financial institution identity verification.

What SB 275 Means for the National Landscape

Utah's approach has drawn notable support from across the political spectrum. The ACLU, which has been broadly critical of digital identity programs nationwide, published a piece titled "There's Only One State That is Asking the Right Questions About Digital Identity," noting that Utah's program "outlines strong privacy protections for digital ID of the kind that we have been advocating for."

That kind of cross-ideological endorsement is rare, and it reflects something important about Utah's model: when you center the individual and enforce privacy through technology and law together, the result is a framework that people across political lines can support.

SB 275 also carries implications for other states. As verifiable digital credentials expand through mobile driver's license programs and beyond, the question of how to protect residents from surveillance, data misuse, and forced adoption becomes more urgent. Utah has provided a legislative template that takes these concerns seriously and backs them with enforceable rights.

For SpruceID, this legislation affirms the direction we have been building toward: privacy-preserving digital identity infrastructure grounded in open standards, user control, and interoperability. We are proud to support Utah's vision and look forward to helping bring this program to life.

About SpruceID: SpruceID builds digital trust infrastructure for government. We help states and cities modernize identity, security, and service delivery — from digital wallets and SSO to fraud prevention and workflow optimization. Our standards-based technology and public-sector expertise ensure every project advances a more secure, interoperable, and citizen-centric digital future.