Utah privacy chief outlines 'State‑Endorsed Digital Identity' plan, warns against centralized IDs
January 29, 2026 | Davis County Citizen Journalism, Davis County, Utah
This article was created by AI summarizing key points discussed. AI makes mistakes, so for full details and context, please refer to the video of the full meeting. Please report any errors so we can fix them. Report an error »
Chris Bramwell, Utah’s chief privacy officer, told a Davis County community meeting that the state is pursuing a State‑Endorsed Digital Identity (SETI) program and a Digital Identity Bill of Rights designed to keep identity control in residents' hands and prevent surveillance.
"In my role as Chief Privacy Officer, my primary duty is to represent your privacy interest and rights," Bramwell said, describing work that consolidated privacy requirements into the Government Data Privacy Act and efforts to bring thousands of government entities into compliance. He said the state’s approach aims to avoid centralized surveillance models and to prevent private vendors from controlling users’ access to government services.
Bramwell listed five policy principles he said SB260 established: the individual owns their identity; there should be no general monitoring or tracking of digital identity use; parents are the guardians of children’s digital identities; people must have a choice of paper or digital identity; and any digital identity should follow data minimization principles. "There should be no surveillance, tracking, or monitoring of your usage of your identity or digital identity," he said.
He explained technical choices intended to protect users’ control: an architecture that issues cryptographic credentials stored in a digital wallet under a user’s control, public/private keys with rotation to limit impersonation risk, and pairwise keys that prevent correlation across transactions. Bramwell said these designs avoid server‑retrieval patterns in some mobile driver's‑license standards that ‘‘phone home’’ and create persistent tracking.
Bramwell also criticized third‑party sign‑on arrangements in some federal services. "If you go to log in to irs.gov, you have to sign in with a digital ID through a company called id.me," he said, and added that forcing residents through third‑party identity providers to access government services is problematic.
On governance, Bramwell said the SETI program would include a public‑comment period before implementation (he said 60 days), annual audits by the state auditor, public reporting and a private right of action for consumers against wallet providers that fail fiduciary duties. He described a recent State Endorsed Digital Identity Summit Utah hosted with other states and industry participants and said Utah plans to form a multi‑state consortium to share practices.
During a lengthy Q&A, Bramwell answered questions about coverage (he said the law encompasses every governmental entity in the state, including K–12 and higher education), biometrics (which he called a poor core proof because biometric data can be replayed or faked), and federal interaction. On non‑citizens and fraud, he described the possibility of temporary SETI credentials with expiration periods for visitors. He also emphasized transparency and that the legislature — not administrators — should set policy.
Bramwell framed the technical approach as defensive against impersonation and online fraud: "It's not about your data not being out there, it's nobody being able to impersonate you if your data is out there," he said, adding that key rotation and cryptographic design can limit harm after breaches.
The presentation concluded with an invitation for community engagement; Bramwell repeatedly encouraged attendees to participate in town halls and the forthcoming comment period.
What comes next: Bramwell said the legislature will consider bills to implement the program and a Bill of Rights this session; interested residents will have an opportunity to comment once the program's implementation plan is published.
"In my role as Chief Privacy Officer, my primary duty is to represent your privacy interest and rights," Bramwell said, describing work that consolidated privacy requirements into the Government Data Privacy Act and efforts to bring thousands of government entities into compliance. He said the state’s approach aims to avoid centralized surveillance models and to prevent private vendors from controlling users’ access to government services.
Bramwell listed five policy principles he said SB260 established: the individual owns their identity; there should be no general monitoring or tracking of digital identity use; parents are the guardians of children’s digital identities; people must have a choice of paper or digital identity; and any digital identity should follow data minimization principles. "There should be no surveillance, tracking, or monitoring of your usage of your identity or digital identity," he said.
He explained technical choices intended to protect users’ control: an architecture that issues cryptographic credentials stored in a digital wallet under a user’s control, public/private keys with rotation to limit impersonation risk, and pairwise keys that prevent correlation across transactions. Bramwell said these designs avoid server‑retrieval patterns in some mobile driver's‑license standards that ‘‘phone home’’ and create persistent tracking.
Bramwell also criticized third‑party sign‑on arrangements in some federal services. "If you go to log in to irs.gov, you have to sign in with a digital ID through a company called id.me," he said, and added that forcing residents through third‑party identity providers to access government services is problematic.
On governance, Bramwell said the SETI program would include a public‑comment period before implementation (he said 60 days), annual audits by the state auditor, public reporting and a private right of action for consumers against wallet providers that fail fiduciary duties. He described a recent State Endorsed Digital Identity Summit Utah hosted with other states and industry participants and said Utah plans to form a multi‑state consortium to share practices.
During a lengthy Q&A, Bramwell answered questions about coverage (he said the law encompasses every governmental entity in the state, including K–12 and higher education), biometrics (which he called a poor core proof because biometric data can be replayed or faked), and federal interaction. On non‑citizens and fraud, he described the possibility of temporary SETI credentials with expiration periods for visitors. He also emphasized transparency and that the legislature — not administrators — should set policy.
Bramwell framed the technical approach as defensive against impersonation and online fraud: "It's not about your data not being out there, it's nobody being able to impersonate you if your data is out there," he said, adding that key rotation and cryptographic design can limit harm after breaches.
The presentation concluded with an invitation for community engagement; Bramwell repeatedly encouraged attendees to participate in town halls and the forthcoming comment period.
What comes next: Bramwell said the legislature will consider bills to implement the program and a Bill of Rights this session; interested residents will have an opportunity to comment once the program's implementation plan is published.
View the Full Meeting & All Its Details
This article offers just a summary. Unlock complete video, transcripts, and insights as a Founder Member.
✓
Watch full, unedited meeting videos
✓
Search every word spoken in unlimited transcripts
✓
AI summaries & real-time alerts (all government levels)
✓
Permanent access to expanding government content
30-day money-back guarantee
