Utah 2025 Regular Session

Utah Senate Bill SB0260 Compare Versions

Version 1 (Old)

Version 2 (New)

Old	New		Differences
1		-	~~Enrolled Copy~~ S.B. 260
	1	+	02-11 10:20 S.B. 260
2	2		1
3	3		Individual Digital Identity Amendments
4	4		2025 GENERAL SESSION
5	5		STATE OF UTAH
6	6		Chief Sponsor: Kirk A. Cullimore
7		-	House Sponsor: ~~Paul A. Cutler~~
	7	+	House Sponsor:
8	8		2
9	9
10	10		3
11	11		LONG TITLE
12	12		4
13	13		General Description:
14	14		5
15	15		This bill enacts provisions related to a state-endorsed digital identity.
16	16		6
17	17		Highlighted Provisions:
18	18		7
19	19		This bill:
20	20		8
21	21		▸ defines terms;
22	22		9
23	23		▸ establishes guiding principles for the implementation of a state-endorsed digital identity;
24	24		10
25	25		▸ outlines state policy regarding state-endorsed digital identity;
26	26		11
27	27		▸ creates requirements for a state-endorsed digital identity program; and
28	28		12
29	29		▸ requires the Department of Government Operations to study and make recommendations
30	30		13
31	31		regarding the implementation of a state-endorsed digital identity.
32	32		14
33	33		Money Appropriated in this Bill:
34	34		15
35	35		None
36	36		16
37	37		Other Special Clauses:
38	38		17
39	39		None
40	40		18
41	41		Utah Code Sections Affected:
42	42		19
43	43		ENACTS:
44	44		20
45	45		63A-16-1201, Utah Code Annotated 1953
46	46		21
47	47		63A-16-1202, Utah Code Annotated 1953
48	48		22
49	49		63A-16-1203, Utah Code Annotated 1953
50	50		23
51	51
52	52		24
53	53		Be it enacted by the Legislature of the state of Utah:
54	54		25
55	55		Section 1. Section 63A-16-1201 is enacted to read:
56	56		26
57	57
58	58		Part 12. State-endorsed Digital Identity
59	59		27
60		-	63A-16-1201 . Definitions. ~~S.B. 260 Enrolled Copy~~
	60	+	63A-16-1201 . Definitions.
61	61		28
62	62		As used in this part:
63	63		29
64	64		(1) "Biometric data" means the same as that term is defined in Section 13-61-101.
65	65		30
66	66		(2) "Chief privacy officer" means the chief privacy officer appointed in accordance with
	67	+	S.B. 260 S.B. 260 02-11 10:20
67	68		31
68	69		Section 63A-19-302.
69	70		32
70	71		(3) "Digital identity" means an electronic record that an individual may use to assert the
71	72		33
72	73		individual's identity.
73	74		34
74	75		(4) "Governmental entity" means the same as that term is described in Section 63G-2-103.
75	76		35
76	77		(5)(a) "Guardian" means an individual or entity authorized to act on behalf of an
77	78		36
78	79		individual.
79	80		37
80	81		(b) "Guardian" includes:
81	82		38
82	83		(i) a representative designated by an individual;
83	84		39
84	85		(ii) the parent or legal guardian of an unemancipated minor; or
85	86		40
86	87		(iii) the legal guardian of a legally incapacitated individual.
87	88		41
88	89		(6)(a) "Identity" means any attribute used to identify or distinguish a specific individual.
89	90		42
90	91		(b) "Identity" includes an individual's:
91	92		43
92	93		(i) personal data;
93	94		44
94	95		(ii) biometric data;
95	96		45
96	97		(iii) physical and non-physical characteristics;
97	98		46
98	99		(iv) image or likeness;
99	100		47
100	101		(v) signature; and
101	102		48
102	103		(vi) any other unique physical or digital identifier related to the individual.
103	104		49
104	105		(7) "Individual" means the same as that term is described in Section 63G-2-103.
105	106		50
106	107		(8)(a) "Mobile communication device" means any wireless communication device with
107	108		51
108	109		Internet capability capable of displaying or providing a state-endorsed digital identity.
109	110		52
110	111		(b) "Mobile communication device" includes a:
111	112		53
112	113		(i) cellular telephone; or
113	114		54
114	115		(ii) wireless tablet.
115	116		55
116	117		(9) "Office" means the Office of Data Privacy created in Section 63A-19-301.
117	118		56
118	119		(10) "Person" means the same as that term is defined in Section 63G-2-103.
119	120		57
120	121		(11) "Personal data" means the same as that term is defined in Section 63A-19-101.
121	122		58
122	123		(12) "Physical identity" means a physical record that an individual may use to prove the
123	124		59
124	125		individual's identity issued by:
125	126		60
126	127		(a) a governmental entity;
127	128		61
128	129		(b) the equivalent of a governmental entity in another state;
129		-	- 2 - Enrolled Copy S.B. 260
130	130		62
131	131		(c) the federal government; or
132	132		63
133	133		(d) another country.
134	134		64
135	135		(13) "State-endorsed digital identity" means an individual's digital identity that:
	136	+	- 2 - 02-11 10:20 S.B. 260
136	137		65
137	138		(a) is controlled by the individual; and
138	139		66
139	140		(b) has been officially recognized by the state.
140	141		67
141	142		(14) "State-endorsed digital identity program" means a state initiative which is designed to
142	143		68
143	144		develop methods, policies, and procedures to endorse an individual's digital identity.
144	145		69
145	146		(15) "System" means the technological infrastructure, processes, and procedures used to
146	147		70
147	148		create, store, manage, and validate a state-endorsed digital identity.
148	149		71
149	150		Section 2. Section 63A-16-1202 is enacted to read:
150	151		72
151	152		63A-16-1202 . State digital identity policy.
152	153		73
153	154		(1) It is the policy of Utah that:
154	155		74
155	156		(a) each individual has a unique identity;
156	157		75
157	158		(b) the state does not establish an individual's identity;
158	159		76
159	160		(c) the state may, in certain circumstances, recognize and endorse an individual's
160	161		77
161	162		identity;
162	163		78
163	164		(d) the state is obligated to respect an individual's privacy interest associated with the
164	165		79
165	166		individual's identity;
166	167		80
167	168		(e) the state is the only governmental entity that may endorse an individual's digital
168	169		81
169	170		identity for the purpose of establishing a state-endorsed digital identity;
170	171		82
171	172		(f) the state may only endorse an individual's digital identity if the state-endorsed digital
172	173		83
173	174		identity program is expressly authorized by the Legislature;
174	175		84
175	176		(g) an individual whose digital identity has been endorsed by the state is entitled to:
176	177		85
177	178		(i) choose:
178	179		86
179	180		(A) how the individual discloses the individual's state-endorsed digital identity;
180	181		87
181	182		(B) to whom the individual discloses the individual's state-endorsed digital
182	183		88
183	184		identity;
184	185		89
185	186		(C) which elements of the individual's state-endorsed digital identity to disclose;
186	187		90
187	188		(D) where the individual's state-endorsed digital identity is stored; and
188	189		91
189	190		(E) whether to use a state-endorsed digital identity or physical identity to prove
190	191		92
191	192		the individual's identity;
192	193		93
193	194		(ii) allow a governmental entity or a person to use information related to the
194	195		94
195	196		individual's use of the individual's state-endorsed digital identity for a purpose
196	197		95
197	198		other than the primary purpose for which the governmental entity or person
198		-	- 3 - S.B. 260 Enrolled Copy
199	199		96
200	200		collected the information; and
201	201		97
202	202		(iii) have a guardian obtain or use a state-endorsed digital identity on the individual's
203	203		98
204	204		behalf;
	205	+	- 3 - S.B. 260 02-11 10:20
205	206		99
206	207		(h) a governmental entity or person that accepts a state-endorsed digital identity shall:
207	208		100
208	209		(i) collect, use, and retain an individual's state-endorsed digital identity in a secure
209	210		101
210	211		manner; and
211	212		102
212	213		(ii) comply with the requirements of this part through technological means;
213	214		103
214	215		(i) a governmental entity may not:
215	216		104
216	217		(i) convey a material benefit upon an individual for using a state-endorsed digital
217	218		105
218	219		identity instead of a physical identity; or
219	220		106
220	221		(ii) withhold services or benefits from an individual if the individual uses a physical
221	222		107
222	223		identity or is otherwise unable to use a state-endorsed digital identity; and
223	224		108
224	225		(j) a governmental entity or a person may not require an individual to surrender the
225	226		109
226	227		individual's mobile communication device to verify the individual's identity.
227	228		110
228	229		(2) The state may not endorse an individual's digital identity unless:
229	230		111
230	231		(a) the state has verified an individual's identity before endorsement;
231	232		112
232	233		(b) the state-endorsed digital identity:
233	234		113
234	235		(i) incorporates state-of-the-art safeguards for protecting the individual's identity;
235	236		114
236	237		(ii) includes methods to establish authenticity;
237	238		115
238	239		(iii) is easy for an individual to adopt and use; and
239	240		116
240	241		(iv) is compatible with a wide variety of technological systems without sacrificing
241	242		117
242	243		privacy or security;
243	244		118
244	245		(c) the state provides clear information to an individual regarding how the individual
245	246		119
246	247		may:
247	248		120
248	249		(i) maintain and control the individual's state-endorsed digital identity;
249	250		121
250	251		(ii) use the individual's state-endorsed digital identity;
251	252		122
252	253		(iii) limit access to:
253	254		123
254	255		(A) the individual's state-endorsed digital identity; and
255	256		124
256	257		(B) any elements of the individual's identity disclosed by the state-endorsed digital
257	258		125
258	259		identity; and
259	260		126
260	261		(iv) obtain a new state-endorsed digital identity if the individual's state-endorsed
261	262		127
262	263		digital identity is compromised;
263	264		128
264	265		(d) the state ensures that when an individual uses a state-endorsed digital identity:
265	266		129
266	267		(i) any record of the individual's use:
267		-	- 4 - Enrolled Copy S.B. 260
268	268		130
269	269		(A) is only used for the primary purpose for which the individual disclosed the
270	270		131
271	271		state-endorsed digital identity; and
272	272		132
273	273		(B) is not disclosed, shared, or compared by the governmental entity or person
	274	+	- 4 - 02-11 10:20 S.B. 260
274	275		133
275	276		receiving the state-endorsed digital identity; and
276	277		134
277	278		(ii) the use is free from surveillance, visibility, tracking, or monitoring by any other
278	279		135
279	280		governmental entity or person; and
280	281		136
281	282		(e) the state-endorsed digital identity enables an individual to:
282	283		137
283	284		(i) selectively disclose elements of the individual's identity; and
284	285		138
285	286		(ii) verify that the individual's age satisfies an age requirement without revealing the
286	287		139
287	288		individual's age or date of birth.
288	289		140
289	290		(3) The state may only revoke or withdraw the state's endorsement of an individual's
290	291		141
291	292		state-endorsed digital identity if:
292	293		142
293	294		(a) the state-endorsed digital identity has been compromised;
294	295		143
295	296		(b) the state's endorsement was:
296	297		144
297	298		(i) issued in error; or
298	299		145
299	300		(ii) based on fraudulent information; or
300	301		146
301	302		(c) the individual requests that the state revoke or withdraw the endorsement of the
302	303		147
303	304		individual's state-endorsed digital identity.
304	305		148
305	306		Section 3. Section 63A-16-1203 is enacted to read:
306	307		149
307	308		63A-16-1203 . Department duties.
308	309		150
309	310		(1) The department shall:
310	311		151
311	312		(a) explore ways in which the state may implement a state-endorsed digital identity
312	313		152
313	314		program consistent with the state policy expressed in Section 63A-16-1202;
314	315		153
315	316		(b) study and identify best practices regarding the use of a digital identity;
316	317		154
317	318		(c) propose policies, procedures, standards, and technology that should be incorporated
318	319		155
319	320		in the state-endorsed digital identity program;
320	321		156
321	322		(d) examine how the state-endorsed digital identity program may be implemented in the
322	323		157
323	324		most cost-effective manner possible using state resources that are already available;
324	325		158
325	326		and
326	327		159
327	328		(e) evaluate and make recommendations regarding any changes to existing statutes,
328	329		160
329	330		rules, or policies that may be necessary to facilitate the creation of a state-endorsed
330	331		161
331	332		digital identity program.
332	333		162
333	334		(2) In performing the duties described in Subsection (1), the department shall consult with:
334	335		163
335	336		(a) the chief information officer;
336		-	- 5 - S.B. 260 Enrolled Copy
337	337		164
338	338		(b) the chief privacy officer;
339	339		165
340	340		(c) the Utah League of Cities and Towns;
341	341		166
342	342		(d) the Utah Association of Counties; and
	343	+	- 5 - S.B. 260 02-11 10:20
343	344		167
344	345		(e) individuals who have relevant expertise, including representatives from:
345	346		168
346	347		(i) governmental entities;
347	348		169
348	349		(ii) other states; and
349	350		170
350	351		(iii) the private sector.
351	352		171
352	353		(3) The department shall report to the Public Utilities, Energy, and Technology Interim
353	354		172
354	355		Committee regarding the duties described in Subsection (1) and recommendations for
355	356		173
356	357		the implementation of a state-endorsed digital identity program on or before October 31
357	358		174
358	359		of each year.
359	360		175
360	361		Section 4. Effective Date.
361	362		176
362	363		This bill takes effect on May 7, 2025.
363	364		- 6 -