(1) A state-endorsed digital identity shall:
- (a) incorporate state-of-the-art safeguards for protecting an individual's identity, including compromise detection, recovery mechanisms, and cross-context correlation protections;
- (b) include methods to establish authenticity and integrity;
- (c) be compatible with a wide variety of technological systems while maintaining strong privacy and security;
- (d) support online and offline presentation;
(e) enable a holder to:
- (i) selectively disclose an individual's identity attributes; or
- (ii) demonstrate that the individual meets a specified minimum age without disclosing the individual's age or birth date;
- (f) allow a holder to choose a digital wallet that conforms with the requirements established by the department; and
- (g) be easy for a holder to adopt and use.
(2) The department shall:
- (a) validate verification of an individual's identity provided by an identity proofing entity;
- (b) comply with the requirements of this chapter through technological means where possible;
- (c) ensure any technical infrastructure used to control the issuance or revocation of a state-endorsed digital identity is maintained within a state-controlled data center located within the state;
- (d) ensure that a state-controlled data center located within the state shall use best practices in collection, processing, storage, and disclosure of all individual identity and identity attributes;
(e) select open technological standards for the creation, issuance, use, and acceptance of a state-endorsed digital identity that are:
- (i) publicly available; and
(ii) free from:
- (A) licensing fees; and
- (B) patent restrictions;
(f) verify and endorse a specific set of identity attributes including an individual's:
- (i) name;
- (ii) birth date;
- (iii) image; and
- (iv) Utah residence address; and
(g) create a process for:
(i) a holder to:
- (A) obtain, maintain, and control an individual's state-endorsed digital identity;
- (B) use an individual's state-endorsed digital identity;
- (C) limit access to an individual's state-endorsed digital identity and identity attributes;
- (D) obtain a new state-endorsed digital identity if the individual's state-endorsed digital identity is compromised; and
- (E) migrate a state-endorsed digital identity to another digital wallet compliant with this chapter;
- (ii) a holder to request that an individual's identity attributes be amended or corrected; and
- (iii) appointment of a digital guardian to obtain or use a state-endorsed digital identity on an individual's behalf.
- (3) A state-endorsed digital identity may not include a mechanism that allows the department to monitor, surveil, or track the presentation of a state-endorsed digital identity to another entity.
(4) Information provided by an individual to the state to obtain a state-endorsed digital identity may only be:
- (a) used for the purpose of issuing and managing a state-endorsed digital identity;
- (b) used as authorized by the individual;
- (c) retained as long as necessary to issue and manage a state-endorsed digital identity;
- (d) maintained within a state-controlled data center located within the state; or
(e) disclosed to:
- (i) the subject of the record or the subject's digital guardian; or
- (ii) a person with a warrant or court order.
(5) The department may only revoke an individual's state-endorsed digital identity if:
- (a) the state-endorsed digital identity has been compromised;
(b) the department's endorsement was:
- (i) issued in error; or
- (ii) based on fraudulent information; or
- (c) the holder requests that the department revoke the individual's state-endorsed digital identity.
- (6) The department shall report a data breach regarding individual identity or identity attributes in accordance with Section 63A-19-405.
Enacted by Chapter 436, 2026 General Session