Key point: The Utah legislature just passed a first-of-its-kind digital identity law that gives residents new rights over what personal information they share when verifying their identity. If your business chooses to participate as a verifier in Utah’s state-endorsed digital ID program—or builds the technology behind it—new consent, purpose-limitation, and loyalty obligations apply starting May 6, 2026.

Checking an ID Collects More Data Than You Think

Think about the many ways that businesses confirm a customer’s identity:

  • A bartender checks age before a sale.
  • A bank branch confirms a customer before opening an account.
  • A healthcare provider verifies a patient before releasing records.
  • A car rental counter checks a license before handing over keys.

In each of those situations, the business collects more personal information than it needs, because that is how physical IDs work.

Utah’s SB 275 is designed to change that dynamic.

Utah’s SB 275

Utah’s legislature passed SB 275 unanimously in both chambers. Based on Governor Cox’s prior support for digital identity legislation, including signing related bills in 2025, the bill is expected to be signed into law, with an effective date of May 6, 2026. The law creates a voluntary state-endorsed digital identity program. Adult residents who opt in can store a digital credential on their mobile device and present it to businesses instead of a physical ID.

Rather than handing over a full identity record, a Utah resident using a digital ID will only share the specific attribute a transaction requires (e.g., confirming an age without revealing a home address, verifying a legal name without disclosing a birthdate, proving residency without sharing anything else on the license).

Participation is voluntary on both sides. Residents cannot be forced to use a digital ID, and the government cannot withhold services from anyone who sticks with a physical one.

What the Law Requires of Businesses That Participate

SB 275 does not apply to every business that checks IDs in Utah. The obligations attach only to businesses that actively choose to participate in the program, such as digital wallet providers, identity verification vendors that update their platforms to process Utah digital ID attributes, and businesses that opt in to accept the state-endorsed digital credential.

So, if your business uses a third-party service provider for identity verification, now is the time to ask whether that vendor intends to participate.

For those that do participate, SB 275 creates direct obligations:

  • Obtain explicit user consent before processing any identity attribute.
  • Request only the minimum identity attributes necessary for the transaction.
  • Incorporate state-of-the-art safeguards and be tamper-resistant (i.e., technical protections such as cryptographic controls that prevent digital credentials from being forged or altered).
  • Comply with a duty of loyalty to individual digital wallet users (i.e., cannot process identity data in ways that exploit users, conflict with their interests, or cause them harm).
  • Observe purpose limitations on retention, sharing, and sale of identity data collected through the system.

Oversight and Accountability

Two accountability mechanisms are built into the program:

  • Utah residents who experience problems with the system can complain to an ombudsman.
  • Beginning in 2028, the Office of the Utah Legislative Auditor General will conduct a comprehensive audit to evaluate anti-surveillance compliance (i.e., ensuring the program is not used to track Utah residents) and overall program effectiveness.

The Bottom Line

Whether or not your organization conducts business with Utah residents, SB 275 is noteworthy. Some states have introduced legislation recognizing that identity verification programs must: 1) protect privacy and require consent, 2) require participating businesses to abide by duty of loyalty obligations, and/or 3) involve independent oversight. Assuming more states follow Utah’s lead in the years ahead, organizations that build these compliance mechanisms into their identity verification products now may see a competitive advantage in the future.