Digital Identity Verification and Privacy Protection Act

Prior to task force meetings, ALEC posts these legislative member-submitted draft model policies to our website. The draft model policies are then discussed, debated, and voted on by ALEC task force members. Policies that receive final approval by legislators on the ALEC Board of Directors become official ALEC model policy. Draft model policies that fail to become official ALEC model policy are removed from the website.

Policy Status

  • Type: Model Policy
  • Status: Draft
  • Date Introduced: July 24, 2026

Task Forces

  • Communications and Technology

    • Tags

  • 2026 Annual Meeting

    • Summary

    State DMVs are already required to maintain digital images and signatures of state driver license and ID holders, along with other data needed for identification.  Today, those records understandably have very limited allowable uses, often due to statutory constraints designed to protect personal identifiable information and laws being written prior to the development of today’s massive advancement in technology used for stealing and also protecting a constituent’s information.  The bill creates a new, consent-based pathway for identity verification. Under this framework, a state agency or commercial entity can verify someone’s identity by comparing a real-time photo, a selfie, against the DMV’s stored image.  The credential holder must consent.  The verification system placed within the state’s secured IT network returns only a “match” or “no match” result or a numerical score.  No personal data is exposed.  DMV data never leaves the department. The bill also sets clear boundaries for identity verification service providers.  They may only verify against DMV data while it remains in the department’s possession.  They cannot sell, share, or retain any information outside the purposes stated in law, and identity verification service providers must follow the state’s requirements for data retention. 
    Draft

    Digital Identity Verification and Privacy Protection Act

    Section 1. Legislative Findings and Purpose.  

    The Legislature finds that:  

    • (a) Identity theft, fraud, and unauthorized access to services present significant risks to individuals, businesses, and government programs.  
    • (b) Secure and reliable identity verification promotes public safety, consumer protection, and confidence in digital transactions.  
    • (c) State-issued driver licenses and identification credentials provide a trusted source of identity information.  
    • (d) Individuals should maintain control over the use of their personal information and provide informed consent before such information is used for identity verification purposes.  

    The purpose of this Act is to establish a framework that allows authorized entities to verify identity using state-issued credential information while protecting privacy, limiting data retention, and preventing misuse of personal information.  

    Section 2.  

    1. State Issued Driver Licenses – Allowable Uses  
      • (a) For the purpose of fraud prevention, identity verification, or ensuring the integrity and security of individual identities, with the licensee’s consent, for use by:  
        • i. A state agency pursuant to an interagency agreement with the [DEPARTMENT];  
        • ii. A third party that has entered into a contract with the department to perform identity verification services for persons or entities, pursuant to standards and safeguards established by [DEPARTMENT];  
    2. An identity verification service provider may use [DEPARTMENT] data in a manner consistent with this section if such data remains in the possession of [DEPARTMENT].  
    3. The [DEPARTMENT] is authorized to set and charge a fee to allow verification of [DEPARTMENT] data by an identity verification service provider. Any revenue generated as a result of an agreement authorized by this section shall be directed to the [DEPARTMENT] to recover its costs and any remaining revenue shall be deposited into the [STATE HIGHWAY TRUST FUND].  
    4. An identity verification service provider may not retain internet protocol addresses, geolocation data, or other information that describes the location, computer, computer system, or computer network from which an applicant accesses the system.  
    5. A third party may not store images, signatures, or data used pursuant to this section without the licensee’s consent.  
    6. A third party may not sell any images, signatures, or data used pursuant to this section.