Utah’s inaugural Data Privacy and Governance Summit revealed a bold state-led vision for citizen-controlled digital identity, ethical AI, and public data accountability—positioning Utah as a national leader in digital rights infrastructure.
Orem, Utah - May 30, 2025
Utah’s first-ever Data Privacy and Governance Summit, held May 29, 2025, at Utah Valley University, marked a significant milestone in the state’s ambitious journey toward modernizing digital governance. Sponsored by the Gary R. Herbert Institute for Public Policy, the Smith College of Engineering and Technology, and the Utah Office of Data Privacy, the event gathered over 650 public officials, technologists, policy leaders to confront one of the most urgent challenges of the digital age: building trust in how governments collect, store, and use personal data.
Governor Spencer Cox opened the summit with a message that framed data governance not just as a technical issue, but a matter of personal liberty and constitutional principle. “You hold a sacred trust,” Cox told attendees, referring to the duty of public servants to protect Utahns’ data. “And we’re here to talk about how we keep and build on that trust.”
He invoked the state’s legacy of valuing communication privacy, from 19th-century telegraph protections to the landmark Government Records Access and Management Act (GRAMA) of 1991. That legacy, he noted, reached a new height with the passage of the Government Data Privacy Act (GDPA) in 2024—“the most comprehensive public-sector privacy law in the country.” More than legislation, the Governor positioned data privacy as a civil rights issue: “Our agency is tied up with our data. It is a part of us.”
The summit showcased the leaders behind Utah’s legal and operational modernization. Senator Kirk Cullimore and Representative Jefferson Moss, primary sponsors of the GDPA, were joined by State Chief Privacy Officer Christopher Bramwell and Marvin Dodge, Executive Director of the Utah Department of Government Operations. “It’s not just about compliance; it’s about trust, accountability, and making sure that government lives up to those constitutional responsibilities,” said Cullimore. The GDPA mandates all government entities to implement privacy programs by December 31, 2025, with tools, templates, and training provided by the state. “Our commitment is to provide tools, training, and resources so that you can just grab it and go,” said Dodge, emphasizing support rather than bureaucracy.
Utah’s legislative innovation doesn’t stop with privacy. SB 260, entitled "Individual Digital Identity Amendments" and sponsored by Senator Cullimore, introduces a state-backed digital identity framework that puts individuals, not institutions, in control. “You as an individual have identity… It is not controlled by the government, not controlled by corporations, and cannot be taken away by them,” said Senator Cullimore. In contrast to surveillance-oriented systems in the EU or China, SB 260 ensures Utahns decide what data to disclose, when, and to whom. “It’s not good enough anymore,” said State CIO Allen Fuller, critiquing driver’s licenses as inadequate for digital life. “It doesn’t have a way to really present itself digitally, online.”
Technologists on the panel—including Samuel Smith, an open standards developer—advocated for cryptographically secure, citizen-controlled identifiers based on protocols like KERI, not blockchain. “Your parents identified you, not the state,” Smith said, arguing for identity rooted in individual agency. “We need unique identifiers that can be controlled by citizens, not sourced from state agencies or private companies.” Representative Paul Cutler reinforced this ethos by reading directly from SB 260: “The individual controls which identifiers to disclose, where they are stored, and whether to use a digital or physical identity.”
The economic implications were not lost on Representative Moss, soon to head the Governor’s Office of Economic Opportunity. “Entrepreneurs want stability, consistency, and we’ve given that,” he said, noting that Utah’s privacy-forward stance could drive growth in secure digital identity and privacy tech. Timothy Ruff a digital trust expert, pointed to Utah’s influence in prompting a nationwide ban on phone-home mechanisms in mobile IDs. “We started that ball, and now the whole country is following,” he said.
Challenges remain. Interoperability with other states and commercial exploitation of digital IDs loom large. “We’ve said interoperability is a lesser concern than security and privacy,” said Joe McCrae, CTO of the Division of Technology Services, “but we need public discussions to navigate the middle ground.” Fuller floated the creation of a dedicated Department of Identity, distinct from the driver’s license bureau, to better serve minors and non-drivers. An RFI is currently underway to evaluate technologies and policies, with a legislative report expected next session.
During the luncheon session, UVU professor Dr. George Rudolph presented Utah’s next frontier in data governance: an AI-assisted system designed to standardize policies and protocols across state and local agencies while reducing administrative overhead. He described a framework that integrates a centralized knowledge base with decentralized data access, enabling both consistency and flexibility in execution. “Compliance doesn’t have to mean bureaucracy,” Dr. Rudolph said. “Our goal is to make privacy compliance scalable, automated, and user-friendly.”
The system includes intuitive interfaces and AI-assisted compliance tools that translate complex legal mandates into clear, actionable tasks. UVU student Caitlin Stratton, working in collaboration with the Herbert Institute, introduced and demonstrated the Data.gov AI tool, which she helped develop. The tool walks agencies through each requirement of the Government Data Privacy Act (GDPA), starting with foundational steps like designating a Chief Administrative Officer (CAO) and registering that role with the Digital Archives.
Stratton showcased how the tool streamlines record retention by allowing agencies to adopt the state’s general retention schedules with a single click. She then demonstrated its privacy notice generator, using a grant program as a case study. The tool pre-populates compliant language and mandatory disclosures, providing visual feedback and tracking to help agencies monitor their progress and compliance maturity. “We designed it so public servants can focus on their mission, not legalese,” Stratton explained. “The AI doesn’t just answer questions—it guides you through a journey.”
The broader vision, according to Dr. Rudolph, is to use AI to treat compliance not as a binary but as a progressive spectrum—offering support for agencies at every stage of readiness while reducing the potential for human error. Plans for the next phase include automated auditing, further standardization, and more robust privacy analytics. At its core, the initiative aims to build trust in digital governance through responsible, transparent, and efficient use of AI.
The summit included a final breakout panel featuring Dr. Barclay Burns, UVU Chief AI Officer; Zach Boyd, Director of Utah’s Office of AI; Lisa Shepherd of the Utah House; Navina Forsythe, Chief Data and Privacy Officer at the Health Policy Network; and Privacy Commissioner Samuel Smith. Their focus: striking a sustainable balance between data utility and individual privacy in a world of AI and analytics.
“Synthetic data gives us a way to preserve analytical value while decoupling from identity,” said Dr. Burns, highlighting the growing use of data clones, anonymization, and differential privacy in sectors like healthcare and public health. He emphasized that traditional privacy techniques like zero-knowledge proofs often fail under AI’s correlation capabilities. “Data wants to correlate—that’s its nature,” said Zach Boyd. “The question is whether we can channel that power without letting it turn against the people it’s supposed to serve.”
The panelists explored the idea of data as agency, not just property—a right to be defended, not traded. “Our digital selves are real,” said Dr. Burns. “And if we don’t protect them, we risk losing more than privacy—we risk losing autonomy.” Several called for fiduciary models and transparency mandates to curb economic incentives for data misuse. One expert framed it plainly: “We need data governance structures that treat information as a public utility—something that’s managed for the common good, not for maximum extraction.”
Technological strategies like user-controlled linkage, secure data supply chains, and privacy-first design were presented as essential tools to prevent algorithmic abuse. But the speakers didn’t shy away from tough truths. “Synthetic data is powerful, but it’s not always trustworthy,” one said. “If it doesn’t reflect the real world accurately, it can mislead just as much as it protects.”
The panel issued this final challenge:: “Most people don’t yet realize how much they’ve given up. Until we change that, we need laws that protect people even when they don’t know they’re at risk.”
Utah’s inaugural Data Privacy and Governance Summit was a clarion call for a future in which innovation and privacy are not competing interests but complementary imperatives. As Senator Cullimore noted, “We’re in the infancy stages, but we’re light years ahead of almost every other jurisdiction, not only in the country, but in the world.”
