(1) A relying party shall:
- (a) incorporate state-of-the-art safeguards for protecting an individual's identity in the verification process;
- (b) comply with the requirements of this part through technological means where possible;
- (c) process an individual's identity attributes in a secure manner;
- (d) process only the minimum identity attributes reasonably necessary to achieve a specified purpose; and
- (e) accept a presentation of a state-endorsed digital identity by a digital guardian.
(2) A relying party may only process an individual's identity attributes from a state digital identity if:
- (a) authorized by the holder;
- (b) the processing is necessary for a specified purpose;
(c) the holder has received conspicuous notice of:
- (i) what identity attributes are collected;
- (ii) how the identity attributes are used;
- (iii) the purpose for which the identity attributes are processed; and
- (iv) how long the identity attributes are retained; and
- (d) the holder consents to the processing of the identity attributes.
- (3) A relying party may not require a holder to surrender the holder's secure electronic device in the course of a presentation.
- (4) A relying party may accept a state-endorsed digital identity as proof of an individual's identity or identity attributes unless a different method of proof is required by law.
- (5) Nothing in this section relieves a relying party from complying with the requirements of Title 13, Chapter 44, Protection of Personal Information Act, or Title 13, Chapter 61, Utah Consumer Privacy Act.
Enacted by Chapter 436, 2026 General Session