On March 13, 2026, Utah lawmakers unanimously approved SB 275, creating a new State Endorsed Digital Identity (SEDI) program.
The law allows Utah to support a voluntary digital ID option that people can choose to use to prove things like their age or identity, without sharing more personal information than necessary.
SEDI is a voluntary digital identity that Utah endorses, but it does not replace or “create” someone’s identity.
Instead, it allows people to share only the specific information needed for a transaction — for example, confirming they are “21 or older” without revealing their full date of birth.
The program is designed to prevent tracking or profiling of digital ID use and is built around user consent, limited data use, strong security, and a legal duty for participating organizations to act in the user’s best interest.
This update applies to Utah businesses of any size that voluntarily opt into the SEDI program, including wallet providers, identity verification vendors, and employers that choose to accept SEDI credentials, and takes effect on May 6, 2026.
What Employers Need to Do
- Decide Whether to Participate: SB 275 is voluntary for businesses; duties attach only if you build/operate SEDI tech or accept SEDI credentials.
- Design for Consent and Minimization: Capture explicit, affirmative consent and request only the minimum attribute required (e.g., “21+” without date of birth – DOB). Avoid secondary uses without new consent.
- Implement “State-of-the-Art” Security: Engineer tamper resistance, cryptographic verification, compromise detection, recovery, and anti-correlation controls; keep presentation activity from being tracked.
- Honor the Duty of Loyalty: Do not process identity attributes in ways that exploit users, conflict with their interests, or cause harm. Train product, legal, and frontline teams on this standard.
- Update Contracts and Notices: Add SEDI-specific purpose limitation, retention, and no sale/sharing clauses with vendors; revise privacy notices to reflect selective disclosure and consent flows.
- Stand up a Complaint Path: Be prepared to receive, triage, and document SEDI complaints that may be routed to the data privacy ombudsperson; track remediation.
- Vendor Diligence: Ask ID verification partners if/when they will support Utah SEDI and how they implement consent capture, attribute minimization, anti-correlation, and recovery; bake requirements into contracts.
Overview
- Program and Scope: Creates the State Endorsed Digital Identity (SEDI) program within the Utah government and sets rules for organizations that choose to participate, including wallet providers, verifiers, and businesses that accept SEDI credentials. Certain government and health care entities are expected to accept SEDI when technically feasible.
- Proof of Age Now Explicit: Utah law expressly recognizes SEDI as valid “proof of age” for alcohol and tobacco purchases, allowing age verification without disclosing a full date of birth (26B‑7‑501(18)(a)(vi); 32B‑1‑102(98)(a)(vi)).
- Cross-Agency Coordination: New §63A-20-204 requires coordination with Alcoholic Beverage Services, Driver License Division, Health & Human Services, State Board of Education, and state/local law enforcement to develop mechanisms and named use cases (alcohol age checks, student enrollment, ID in lawful encounters, and financial institution Know Your Customer – KYC), with findings in the annual report.
- Eligibility Clarified: Emancipated minors (as well as 18+) may apply directly for SEDI.
- Government Acceptance Timing: For new systems that accept digital identity on or after May 6, 2026, a governmental entity must accept SEDI within three months of first issuance, subject to a tech feasibility plan.
- Legacy Sunset: §53-3-235 (electronic license certificate/ID card) is repealed Jan 1, 2027, avoiding parallel digital ID constructs and channeling adoption to SEDI.
- Core Participant Duties: Explicit consent; data minimization/selective disclosure; purpose limitation (no unrelated profiling); state-of-the-art security; duty of loyalty; and adherence to accepted identity proofing standards.
- Processing Restriction: Any record of a SEDI presentation may be processed only for the presentation’s primary purpose (or as required by law). Downstream use/retention/sharing/sale requires conspicuous notice and the holder’s express authorization (or a legal requirement).
Why This Matters
- Acceptable Proof of Age, Day One: SEDI is now expressly recognized as “proof of age,” enabling alcohol/tobacco retailers to verify age with privacy-preserving attribute checks (e.g., “21+” without DOB) as soon as the ecosystem is live.
- Coordinated Adoption Across Sectors: A new cross-agency mandate drives practical use cases (alcohol, student enrollment, law enforcement identity checks, financial services) and requires the state to report progress—accelerating real-world integration.
- Lower Data Exposure at the Point of ID: Attribute-only sharing plus duty of loyalty and purpose limitation rules reduce over-collection, profiling, and breach surface in common ID checks (hospitality, retail, fintech, healthcare).
- One Coherent Framework: Sunsetting the prior “electronic license certificate/ID” avoids parallel systems and channels investment into SEDI—with state-of-the-art security, anti-surveillance guardrails, and clear complaint/audit oversight.
Key Risks for Employers
- Opt-in Without Readiness: Accepting SEDI credentials without consent capture, minimization logic, or anti-correlation controls can create enforcement and reputational exposure.
- Purpose Creep: Reusing SEDI-provided attributes for marketing, profiling, or unrelated analytics without fresh consent violates purpose limitation/loyalty requirements.
- Tracking or Device Surrender: Building telemetry that tracks presentations or requiring users to surrender devices contradicts the bill’s anti-surveillance and device control rules.
- Vendor Gaps: Using third-party ID vendors that cannot support Utah’s selective disclosure requirements or state-of-the-art security standards can put your business out of compliance. Review vendor contracts and test ID verification workflows before accepting SEDI credentials.
Additional Information
- Ombudsperson and Attorney General (AG) Pathway: Individuals can file complaints with the data privacy ombudsperson; the ombud may refer matters to the Attorney General, who may investigate and seek injunctive or declaratory relief, restitution/disgorgement, actual damages, costs, and attorneys’ fees under the statute’s enforcement framework.
- Severability and Repeals: SB 275 includes severability and repeals the prior 2025 digital identity policy sections (63A‑16‑1201 to 1203) as it moves the framework into the new program chapter.
- Optional, Privacy-first Program: SB 275 follows a year of study and stakeholder input and implements a Digital Identity Bill of Rights in operational form—no one can be compelled to obtain or use a digital ID.