This bill adds a new section to Idaho Code that constrains how state and local public entities may use digital identification. It defines "digital identification" as an electronic credential on a personal device, preserves the validity of physical IDs, forbids agencies from requiring or conditioning services on digital IDs, and prevents agencies from demanding device access or using presentation as consent to search.
The statute also narrows operational uses of electronic credentials — limiting them to immediate identity checks, prohibiting cross‑agency tracking and retention beyond the transaction, and creating enforceable remedies: injunctive and declaratory relief, attorney’s fees, statutory damages between $500 and $2,500 per violation, and a potential civil penalty up to $5,000 for knowing violations after a 30‑day cure period. The act takes effect July 1, 2026.
At a Glance
What It Does
Creates statutory definitions and bars public entities from requiring, denying, delaying, or conditioning government services on a person's use of an electronic credential stored on a personal device. It forbids surrendering, unlocking, or searching a device incident to presentation of such a credential and limits retention and cross‑agency use of identity data.
Who It Affects
All Idaho public entities (state agencies, departments, boards, commissions, political subdivisions, and their contractors) that issue, accept, or verify identity credentials; Idaho residents who interact with government services; and IT and records teams responsible for identity verification workflows.
Why It Matters
The bill forces agencies to maintain non‑digital alternatives, constrains identity verification design choices, and creates a private enforcement route that can generate statutory damages and penalties — changing risk calculations for agency compliance and vendor contracts.
More articles like this one.
A weekly email with all the latest developments on this topic.
What This Bill Actually Does
The statute opens with two definitions that matter for implementation: it ties "digital identification" to electronic credentials issued by public entities and stored or displayed on a personal device, and it adopts a broad definition of "public entity" that includes contractors acting for the state. Those definitions determine when the protections apply and who must follow them.
Operationally, the law forbids public entities from making digital credentials mandatory or using refusal or inability to present one as a basis to deny, delay, or reduce access to any government service, benefit, license, employment, or education. It expressly preserves routine paper or other physical IDs as legally sufficient — agencies must continue to accept non‑digital proofs of identity.The bill tightens device privacy: agencies cannot require people to surrender or unlock personal devices to show identity, and presenting a digital credential does not equal consent to search the device.
Observations of other content on a device cannot be used as the basis for probable cause or further searches. These lines are designed to separate limited identity verification from general device searches.Finally, the statute restricts how identity credentials may be used after presentation.
Agencies may use a digital credential only for immediate verification, and they may not retain identity data beyond the transactional need, track individuals across services, or deploy a shared credentialing system across agencies. The enforcement framework allows a person to sue for declaratory or injunctive relief, recover attorney fees, collect statutory damages per violation, and triggers possible civil penalties when an agency knowingly violates the law and fails to cure after written notice within thirty days.
The Five Things You Need to Know
The bill defines "digital identification" as an electronic credential issued by a public entity and stored or displayed on a personal electronic device.
Public entities may not require, condition, deny, delay, or reduce any government service, benefit, license, employment, education, or access because someone refuses or cannot use digital identification.
Agencies cannot demand that a person surrender or unlock a personal device, and presenting a digital credential does not constitute consent to search; incidental observations on a device cannot establish probable cause.
Digital identification may be used only for immediate identity verification; agencies may not track individuals, retain identity data beyond the transaction, or use a universal/shared credential across agencies.
The statute creates a private right of action with attorney's fees, statutory damages of $500–$2,500 per violation, and a civil penalty up to $5,000 for knowing violations that remain uncured after 30 days' written notice.
Section-by-Section Breakdown
Every bill we cover gets an analysis of its key sections.
Definitions of digital identification and public entity
This subsection sets the boundary of the law: "digital identification" is limited to electronic credentials issued by public entities and presented on a personal device; "public entity" reaches state government bodies and contractors. That scope matters because privately issued digital IDs (for example, a private employer badge not issued by the state) likely fall outside the statute, while contractors acting on behalf of the state do not.
Prohibition on requiring digital IDs and preservation of physical IDs
Subsection (2) bars public entities from making digital credentials mandatory and prohibits conditioning any governmental service or benefit on their use. It also clarifies that existing physical, non‑digital identification remains valid — an operational requirement for agencies that may have been transitioning toward digital‑first workflows and must maintain alternative acceptance practices.
Limits on device access, searches, and evidentiary use
Subsection (3) prohibits agencies from requiring surrender or unlocking of personal devices for identity verification, states that presenting a digital credential does not equal consent to search, and forbids using incidental observations on a device to establish probable cause. That places a bright line between identity checks and broader device searches, forcing agencies and frontline staff to separate verification tasks from law enforcement activities.
Use, retention, and cross‑agency tracking restrictions
Subsection (4) narrows permissible uses: digital credentials may be used only for immediate identity verification; agencies may not retain identity data beyond that transaction, track individuals across services, or implement a universal/shared credential across multiple agencies. Practically, agencies will need to reassess logging, audit trails, and any centralized credential systems to avoid de facto retention or tracking.
Enforcement, damages, and civil penalties
Subsection (5) creates a private enforcement mechanism: affected persons can seek declaratory or injunctive relief and recover attorney fees. Statutory damages range from $500 to $2,500 per violation, and courts can order immediate relief to restore access. A civil penalty up to $5,000 per violation is available when an entity 'knowingly' violates the section and fails to cure within thirty days after written notice; that notice-and-cure requirement shapes agency compliance strategies and risk assessments.
This bill is one of many.
Codify tracks hundreds of bills on Privacy across all five countries.
Explore Privacy in Codify Search →Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- Idaho residents who prefer paper IDs: The bill guarantees continued acceptance of physical, non‑digital identification for government interactions, protecting people without smartphones or who decline digital credentials.
- Privacy‑focused individuals and advocates: The device search and data‑retention limits prevent broad collection and cross‑service tracking, reducing risks of routine surveillance tied to identity workflows.
- Recipients of public services with accessibility constraints: People who cannot use or carry personal devices (due to disability, cost, or safety concerns) retain access to services without being forced into a digital system.
- Civil liberties organizations and individual plaintiffs: The private right of action with statutory damages creates standing and a financial deterrent against noncompliant agency practices.
- Local IT and records managers seeking clarity: The statute's restrictions give concrete compliance targets (no retention, no tracking, no cross‑agency credentialing) around which to design processes and contracts.
Who Bears the Cost
- State and local public entities: Agencies must maintain non‑digital alternatives, change identity‑verification procedures, train staff, and possibly rework IT systems to prevent retention and cross‑agency use, raising operational costs.
- Contractors performing identity services for the state: Vendors must adjust product designs and contracts to comply with limits on retention, tracking, and device access, potentially reducing features or increasing compliance work.
- Law enforcement and regulatory teams: The ban on device searches tied to presentation of credentials may complicate investigations and require clearer protocols and legal processes to obtain device access lawfully.
- Agency legal and risk offices: Exposure to statutory damages, attorney fees, and potential civil penalties increases litigation risk and necessitates administrative notice-and-cure workflows when violations are alleged.
- Technology procurement budgets: Replacing or modifying centralized credential systems or audit logs that currently retain identity data may demand additional procurement spending and migration projects.
Key Issues
The Core Tension
The bill pits two legitimate goals against each other: protecting individual privacy and autonomy over personal devices versus enabling efficient, secure government identity verification and fraud prevention. Tight limits reduce surveillance and preserve access for non‑digital users, but they also constrain agencies' ability to centralize identity infrastructure and to collect the logs and signals commonly used to detect fraud and secure systems.
The bill draws a firm line around governmental use of electronic credentials, but its practical implementation raises knotty questions. For example, the prohibition on retaining identity data "beyond a transaction" will force agencies to define the temporal boundary of a transaction: is an audit log that records a verification event "retention beyond the transaction"?
Agencies will need to reconcile legitimate audit, fraud‑prevention, and reporting obligations with the ban on retention and tracking, potentially requiring narrow exceptions or technical solutions such as ephemeral tokens.
Another unresolved issue is how the device‑search prohibitions interact with law enforcement authority. The statute prevents using presentation of a credential as consent to search and disallows using incidental observations as probable cause, but it does not address exigent circumstances, warrants, or separately authorized investigatory powers.
Determinations about what constitutes "incidental observation" versus actionable intelligence will fall to courts and could produce uneven outcomes. Finally, the civil enforcement design — statutory damages per violation plus a civil penalty for knowing, uncured violations — raises questions about cumulative liability for systemic practices that affect many people, and about what procedural steps constitute adequate written notice and cure.
Try it yourself.
Ask a question in plain English, or pick a topic below. Results in seconds.