A Conversation with Utah Representative Paul Cutler and Utah’s Chief Privacy Officer Christopher Bramwell
As artificial intelligence continues to reshape how people interact online — and as the line between authentic identity and digital impersonation grows increasingly difficult to discern — the question of how individuals prove who they are in a digital world is becoming an urgent national conversation. Few states have engaged that conversation more deliberately than Utah.
Over the past several years, Utah has built a methodical, bipartisan foundation for addressing digital identity. Beginning with early framework legislation and a formal study process mandated by 2025’s Senate Bill 260, these efforts culminated in the landmark Senate Bill 275, signed into law this year. SB 275 establishes the State-Endorsed Digital Identity Program, creates a first-of-its-kind Digital Identity Bill of Rights, and passed both chambers of the Utah Legislature unanimously. The legislation reflects a foundational principle: that identity is inherent to the individual, not conferred by government — a distinction with significant implications for how digital systems are designed and who ultimately controls them.
Central to Utah’s approach has been the Utah Office of Data Privacy, led by Christopher Bramwell, whom Governor Spencer Cox appointed as the state’s inaugural Chief Privacy Officer. The office was created by the Utah Legislature to move beyond mere compliance and drive towards a comprehensive, long-term privacy strategy, a structural decision that has allowed Utah to engage stakeholders across the political spectrum, hold statewide town halls, and arrive at consensus on legislation that other states have found politically difficult to advance. The American Civil Liberties Union has cited Utah as the only state currently approaching digital identity in a manner consistent with civil liberties principles.
Utah’s efforts have drawn attention well beyond its borders. Multiple states have entered into discussions with Utah about adopting similar approaches, and a formal multistate consortium is taking shape to help others pursue similarly comprehensive frameworks. CSG West recently spoke with two of the central architects of this work — Utah Representative Paul Cutler, a key legislative sponsor of SB 275 and related predecessor legislation, and Christopher Bramwell, Director of the Utah Office of Data Privacy and the state’s Chief Privacy Officer — to understand how Utah got here, what the legislation actually does, and what other states can learn from the experience.
How would you define digital identity in the simplest terms?
Rep. Cutler: I think of digital identity in terms of: how do I prove who I am online? In this age of AI and widespread fraud, where it’s easy to impersonate someone else, how do we prove who you are online — and how do you do it in a way that prevents government surveillance of your activities? That’s how I think about it.
Are there any misconceptions you’ve encountered about what digital identity actually is?
Rep. Cutler: I think most people, when they hear “digital identity,” assume you mean an online or mobile driver’s license — a driver’s license app on your phone. But what Chris and the broader team in Utah have been working toward goes well beyond that. This is a framework to verify your identity across all sorts of credentials and attributes that the state has jurisdiction over — professional licenses, privileges, not just a driver’s license. Anything the state can endorse, we could include.
There’s also significant interest from the private sector, particularly in healthcare, where fraud is a serious concern — both with Medicaid and more broadly. Digital identity offers a way to quickly and reliably confirm who a patient is, which means fewer errors in treatment and stronger protections against fraud.
Bramwell: The definition Representative Cutler gave was spot on. To add a bit more technical context: our approach is a cryptographic, a mathematically provable way to verify identity. We want this to be verifiable, because you’re not going to trust an identity claim just because somebody says it. With deepfakes and AI making impersonation so easy, we’re going for cryptographic proof.
The misconceptions we’re seeing — and some rise to the level of conspiracy, though that doesn’t mean they’re without factual basis — largely stem from what I’d call a misapplication of existing technology. Current approaches to digital identity have been incremental, and the technology in its current state isn’t appropriate for all the use cases we now need it to cover. If you’re talking about something a person will use over their entire life to prove things about themselves, identity needs to look very different than what it looks like today.
One example: people have said that digital identity will enable mass surveillance and tracking. There’s some nuance to that concern. The ISO standard for mobile driver’s licenses did include functionality called “server retrieval,” and some states enabled it, which is technically a form of surveillance if every use is tracked. So, we’re trying to break down what is fact versus what isn’t.
Another concern is that if government creates your digital identity, it can also delete it. That’s a valid discussion. In the current mobile driver’s license infrastructure, government can revoke that credential at any time because they’re the ones issuing and controlling it. Our approach is designed so that individuals control their identity in a way that government cannot simply take it away.
Ultimately, I think most of the misconceptions out there reflect bad design. Nobody has designed identity from the ground up as a critical public good. It’s been built from a technical services perspective. That’s what we’re doing with SEDI (state-endorsed digital identity) — asking: what should this really look like if it’s going to be a foundational part of our constitutional republic.
What circumstances elevated digital identity to a legislative and policy priority in Utah?
Rep. Cutler: It started with the question of how we prevent kids from accessing online services they shouldn’t. Utah has been well known for our efforts on social media and pornography sites. We believe age verification is very important, and we needed a solution to go along with that.
What has accelerated it since then is really two things. First, the AI revolution has made it alarmingly easy to impersonate someone — their voice, their image. We need better tools to prevent that kind of fraud. Second, if we don’t set the standard, someone else will. Tech companies would very much like to set that standard in a way that benefits them, they want to track your movements online. Google provides us many services, but it tracks us to sell us things. Other governments around the world are surveilling their citizens. Thoughtful people in the U.S. recognize that government tracking all our online actions is not good policy because even if you trust who’s in office today, tomorrow it will be someone else. If a capability is available and legal, it will be used. We wanted to establish that surveillance of citizens’ activities in the digital world is not acceptable, and to build a system that lets you prove who you are without enabling ongoing tracking.
Bramwell: I’ll second that. This is coming, no matter what. Digital identity is already a major focus in Europe, Asia, and China and most U.S. states don’t realize they’ve already begun implementing it through mobile driver’s licenses, without having taken strong policy stances on it. If it arrives without that deliberate policy framework, we’ll end up with the status quo: technology implemented to maximize extraction of value for corporations or governments, not to benefit individuals.
In my role as Utah’s Chief Privacy Officer, I see the promise of digital identity as two-sided. Done wrong, it’s surveillance, exploitation — all the dystopian outcomes people worry about, because those things are already happening elsewhere in the world. Done right, and the ACLU has said Utah is the only state doing it right, it becomes a deliberate public policy conversation grounded in constitutional values. Our foundational view is that identity belongs to the individual. It is not created by government and it cannot be taken away by government. That single principle fundamentally changes the entire system.
Historically, the United States has set global standards by doing something well and letting the rest of the world follow. With technology, we’ve somehow lost that posture. Our view is that states need to set this standard now because identity is a state function, and in doing so, establish a default U.S. model that can spread democratic principles globally rather than ceding that ground to approaches built around control.
Can you walk us through the legislation that established Utah’s State-Endorsed Digital Identity Program — and the steps that led to it?
Rep. Cutler: We approached this in two deliberate steps. A couple of years ago we passed legislation establishing the principles, the foundational values we believe a program like this should reflect. Then this year, we came back and said: here’s how we roll it out. There will be a program office to handle public interaction, a technology component, and funding for both.
I think the most important lesson here is that you start with the principles. You need to get people aligned on the vision before trying to fund it and put a program in place. And Chris really deserves credit for the methodical, statewide approach to educating people on those principles before we moved to implementation.
Bramwell: I’d highlight something for other legislators that made this possible from the start, something that came from the Utah Legislature itself, not the executive branch. Five years ago, the legislature created my role, which is not focused on compliance but on big-picture strategy: how do we transform privacy in a way that builds trust and transparency in a balanced way? That’s a meaningful distinction.
Most states don’t have a Chief Privacy Officer, let alone a fully funded office dedicated to leading this work. The structure in Utah is a two-part system: the legislature sets policy and law; the executive branch implements and drives it. My office coordinates with all the relevant stakeholders, reports back to the legislature continuously, and chips away at it incrementally, year after year, bill after bill. Representative Cutler, for instance, ran our first verifiable credential legislation even before SB 260, which laid important groundwork.
What that structure has allowed us to do is treat digital identity as a long-term strategy, not a one-time bill. We know that with AI on the horizon, you need verifiability — the ability to confirm that people are who they say they are and that government-issued records are genuine. A marriage license or a birth certificate should be cryptographically verifiable, so that even if someone presents a deep-fake image, you can say: that’s not real, it’s not digitally signed by the state.
If you do those two things well — sound data governance and verifiable identities — you are genuinely prepared for AI. If you skip those steps and jump straight into AI, you’ll face arbitrary processes, unequal data rights, and due process issues. That’s what we were trying to get ahead of.
Can you tell us about the Digital Identity Bill of Rights included in this year’s legislation?
Rep. Cutler: We had originally considered passing the Digital Bill of Rights separately but ultimately decided to include it in the bill and lead with it to say upfront that these are the principles we believe in most deeply. I think that gives people confidence even if they don’t fully understand the technical provisions of the legislation, they can read the Bill of Rights, understand it, and from that basis trust the broader framework.
The most important concept — and Chris could speak on this at length — is that an individual’s identity is theirs. It’s intrinsic to their existence, not something conferred by the state. The state can endorse your identity and affirm that you are who you say you are, but the state cannot take your identity away. And an individual can choose whether to participate in the digital economy with a digital version of their credentials, or to keep everything on physical documents they personally control. That right to opt out is fundamental.
There are also provisions tied to open standards, the idea that the technical standards underlying the system should be publicly accessible. Anyone should be able to read and understand them. That’s not something the federal government has traditionally been comfortable with and it’s an area where states can genuinely lead. It mirrors the philosophy of the open-source software movement, which has proven to be a remarkably effective way to build secure, sustainable systems. We’re trying to apply that same principle here.
Bramwell: Part of the strategy behind the Bill of Rights was building trust through the legislative process itself. We held many town halls across the state, collected stakeholder concerns, and spent more time on this section than probably any other part of the bill. Every item in the Bill of Rights maps back to a real risk visible somewhere in the world.
Some provisions are essentially a restatement of existing constitutional rights — how do we apply the Fourth Amendment, for instance, in a digital context? The answer is the same: government should not be surveilling you, tracking you, or building profiles of your activity. Others address newer challenges specific to the digital age.
The very first provision that identity is innate to the individual and not created by government is probably the most important. You’re seeing around the world, particularly in authoritarian regimes, a fundamentally different view: that the collective good takes precedence and that government confers identity upon people rather than the other way around. We wanted to make an unambiguous statement that in America, all governmental power derives from the people. You exist before government exists. Everything else is built upon that.
States and countries that proceed without these principles as their foundation are going to run into constitutional problems. But if you align with them, you strengthen the constitutional republic. That’s what we’re trying to demonstrate.
Tell us about the Utah Office of Data Privacy — how it was established, and how it connects to the state’s digital identity work.
Bramwell: The office itself is relatively new, though the Chief Privacy Officer role is older. I’ve been in this role, or its predecessor, for just over four and a half years, from the very beginning.
My role is strategy-focused, not compliance-focused. That distinction is part of how we got on the digital identity path. Most states are working from antiquated records management laws that were never updated when technology changed. Over the last 25 years, most states adopted new technologies without translating their records management frameworks into corresponding technology requirements. The results are widespread: government entities that never dispose of personal data according to retention schedules, that never give notice of purpose and use, and aren’t constrained in what they actually do with data. Some states don’t even have laws prohibiting government entities from selling personal data.
In Utah, we have a comprehensive government data privacy law that applies to all public entities — state agencies, cities, counties, towns, K-12, higher education. Getting that governance foundation in place was the first step. Digital identity then became a natural extension of that strategy.
The connection is this: good data governance tells people what you’re doing with their data and constrains government appropriately. Verifiable identity ensures that the people and entities you’re interacting with are who they say they are. And any service interaction with government usually involves providing data for a decision — an approval, a denial. You want that data to be verifiable. Put those two things together, and you are genuinely prepared for AI. You can do automation and machine learning in a way that is constrained, transparent, and trustworthy.
What lessons from Utah’s experience would you share with other states considering or pursuing their own digital identity policies?
Bramwell: The first thing I’d say is: don’t go at it alone. We’ve already publicly announced that we’re coordinating a consortium of other states. Please reach out. We can learn from each other, and there needs to be reciprocity between states for any of this to work at scale.
Second, be very critical. The consequences and risks here are real. As a state, you need to decide what your principles are and how to protect and empower your citizens in their interactions with government, with the private sector, and in the free market without leaving them vulnerable to exploitation.
Third, focus on earning genuine public support. This is a policy discussion that should be led by elected officials. It should not be delegated to government associations or international standards bodies that say “do it this way.” We can see the harm the current state of technology has caused, and you really do get one chance to do digital identity right.
Many states are already moving down this path, passing narrow bills without comprehensive protections without fully realizing it. Mobile driver’s licenses are digital identity. ID.me is a form of digital identity. You can’t log into IRS.gov without an ID.me account and their terms of service allow them to terminate your account at any time. That’s the kind of infrastructure that rolls out when elected officials aren’t leading the conversation.
Can you tell us about Governor Cox’s efforts to expand this work across states, and what the state-endorsed digital identity consortium looks like?
Bramwell: Governor Cox is well known for his position on the impact of big tech on kids, teenagers, and families. We view digital identity as a direct tool for empowering individuals in that space — giving parents the means to be the genuine guardians of their children’s digital identities and to be the ones authorizing what their kids can access online.
With that framing, the governor’s office has been actively engaging with other governors, inviting them to formally participate in the State-Endorsed Digital Identity Consortium, which was built around the values in SB 275 and the digital identity bill of rights: no tracking, no surveillance, and a commitment to strengthening rather than weakening our democratic institutions.
We’re not yet announcing the consortium’s full membership, but at the upcoming SEDI Summit you’ll see strong representation from multiple states. Idaho, for example, passed a digital identity bill this past session and explicitly referenced Utah in their process. There’s a particular focus on Mountain West states, though others will be attending as well.
Our hope is that through the consortium, states will be able to build the legislative and policy foundation to pursue their own comprehensive approaches with some pre-built tools, templates, and resources to help them get started quickly.
Can you tell us about the this year’s SEDI Summit?
Bramwell: This will be our second SEDI Summit. The first, held last October, brought together 12 states along with private sector attendees, civil liberties organizations, and members of the public. That summit was primarily educational, helping everyone understand what’s happening in this space and served as a capstone for the town halls we conducted throughout the spring and summer, and as a precursor to the legislative session.
Now that the legislation has passed and been signed into law, our plan is to convene a summit every six months. The SEDI Consortium will serve as an ongoing gathering place for states, private companies, and other stakeholders to come together and move this work forward incrementally.
At this summit, we have a strong lineup: national associations including the U.S. Chamber of Commerce, the National Association of Convenience Stores, and the Digital Chamber; representatives from major tech and digital wallet identity groups; the ACLU; and a broad private sector presence. We’re also bringing in the CARIN Alliance to speak to what’s happening in healthcare — digital identity has enormous implications for reducing fraud in that sector — as well as voices from finance and payments, and from the retail side, including Maverik and Walmart.
Legislators attending will receive 101-level education on Utah’s approach, the underlying principles, and the key concepts. Over the two days, we’ll hear from stakeholders across the ecosystem and discuss how to move forward together.
Our plan is for this to become the regular forum, every six months, where public sector and private sector align and states take back comprehensive, principled legislation. I know it can be done because Utah just did it. Now it’s about education, providing the right tools, and offering support to states that need it. If we do this right, I think you could see, within the next two to three years, a rapid and uniform national approach that is genuinely good for individuals, for the free market, and for American democracy.
This legislation seems to have garnered notably broad, bipartisan support. What do you think brought such a diverse coalition together around this issue?
Bramwell: I think it starts with our approach. We assume good intentions from every elected official, every government employee, and every citizen who showed up to a town hall with concerns. Whether someone came in thinking digital identity was dangerous or promising, we assumed they were trying to protect something they cared about, and we engaged from there.
And then we just sat down and had long, honest, difficult conversations with anyone who reached out. Individual citizens, advocacy groups, the ACLU at the national level, Apple and other big tech companies. We did dozens of town halls across the state with legislators, university partners, executive branch representatives, and we invited everyone: all citizens, all perspectives.
The result was that either people came on board or their concerns shaped the final product. Right up through the committee hearing, people on both sides said they hadn’t known if they could support this. I was doing a two-hour town hall with Eagle Forum the night before committee so their members could engage directly. In that hearing, their leader stood up and said she’d gotten what she needed and was ready to support it. The Agriculture Association lobbyist texted in support during the hearing. Groups that might have been expected to oppose this were messaging in favor.
That was a stark contrast to five years ago, when a digital identity bill drew hundreds of protesters.
Our goal was simple: unless we worked through every legitimate concern nobody was going to trust this — and trust is the whole point. So, for an entire year we did nothing but talk to everyone. I think every state could replicate that approach.
Any final thoughts before we wrap up?
Bramwell: I’d just say this clearly, for any legislators reading: this is, first and foremost, a legislative issue. The public policy needs to be defined, deliberated, and argued in your state legislature. The executive branch follows that lead — that’s our job. But the conversation has to start with elected officials.
That’s what was unique about Utah. That’s why the ACLU said we’re the only state doing it right. Legislators need to be having this discussion and they need to understand it. If you need help, the consortium is there. The summit is there. Utah is staffed and has resources to assist.
But don’t make this a national issue — it’s a state issue. When a child is born in America, their first official identity endorsement comes from the state: a birth certificate, a name given by parents and endorsed by government. That function should be replicated faithfully in the digital age and state legislators are the ones who need to make it happen.