July 23, 2025
Momentum continues to build around the implementation and adoption of digital credentials, with Mobile Driver’s Licenses (mDLs) leading the way as a more secure and convenient method for sharing verified personal information. States are issuing them, wallet apps are storing them, and people are using them to verify who they are without handing over their entire life story.
As adoption picks up speed, privacy and security are receiving more (well-deserved) attention. That’s where a few recent updates come in, bringing more formal recommendations from technology, industry and legislative perspectives. The American Association of Motor Vehicle Administrators (AAMVA) released version 1.5 of its mDL Implementation Guidelines with highlights on security and privacy. In the last session, Utah passed Senate Bill 260 (SB 260), a digital identity law that puts privacy and user choice up front, and privacy advocacy groups like NoPhoneHome.org are helping shape the conversation around what responsible digital identity should look like. It’s all adding up to a clear signal that the time to build privacy-respecting, secure systems is now.
Let's start with the latest guidelines from AAMVA. One of the most significant shifts in the new AAMVA guidelines is the removal of Server Retrieval as a method for pulling data from an mDL. This change affects in-person use cases governed by the ISO 18013-5 spec. It means verifiers can no longer reach out to issuing authorities in real time to fetch your ID data during a transaction. Instead, everything stays local, on your device, and you decide what gets shared. This is a direct move to reduce the risk of tracking, surveillance, or unauthorized data harvesting, and it’s a big win for data minimization and individual control.
Selective disclosure also gets a boost in the new guidelines. The idea has always been baked into mDL, but now the expectation is much clearer. Verifiers are expected to request only the data they need and label those requests transparently. Wallets must then give users meaningful control over what to share, including the ability to remove optional fields. It’s a deliberate step away from all-or-nothing interactions and a reinforcement that partial responses are not only valid, they’re expected. Verifiers need to build for that reality.
Another major change is around logging. Activity logs have long been a gray area for privacy: useful for troubleshooting and transparency, but also ripe for abuse if not handled carefully. AAMVA now mandates that all logs live on the user’s device, controlled entirely by the user. That means wallet providers and verifiers can’t access them, can’t share them, and can’t use them for behavioral tracking. Users can opt in or out, export logs, or delete them altogether. It’s a model that centers user agency and prevents quiet erosion of trust through passive data capture.
While AAMVA’s work focuses on the technical side, policy is catching up too. Utah’s SB 260 is a recent example of legislation that reinforces and builds on these same privacy principles. It prohibits real-time tracking and surveillance, just like the guidelines’ move to remove Server Retrieval. It backs selective disclosure with legal force by mandating minimal data use, and it reinforces user control over transaction history. The law also calls for authenticated, secure transactions, echoing the cryptographic requirements in AAMVA’s spec.
Having both the technical standards and the legal backing is powerful, and Utah’s legislation shows how states can complement industry standards and help set a higher bar for digital identity protection. If more states adopt similar rules, or if the federal government steps in to unify the landscape, everyone from individual users to large-scale verifiers benefits. Consistency makes compliance simpler, reduces risk, and keeps the privacy expectations aligned across jurisdictions.
For verifiers who want to be ready, here are some recommendations to consider:
Prioritize Device Retrieval - this shouldn't be a challenge for any ISO 18013-5 compliant reader. One consideration for verifiers, though, is that not supporting Server Retrieval might mean reduced interoperability with some international mDLs in the future.
Design interfaces and workflows that gracefully handle partial data - selective disclosure behaviors in the wallets are inconsistent, so being ready to handle different responses will create better experiences for end users and better success rates in verification.
Enable user-controlled logs, and make sure your system respects them.
Stay informed about privacy laws in your target markets, because legislative alignment is beginning to matter.
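To make the partial-data recommendation concrete, here is an added example (not code from AAMVA, ISO, or any wallet vendor) of a verifier requesting only what a use case needs and then classifying a response from which the holder removed fields. The policy, function names and the plain-dict message model are assumptions for illustration; the real exchange is CBOR-encoded, and issuer and device signatures are assumed to have been verified before this step.

```python
MDL_NAMESPACE = "org.iso.18013.5.1"  # mDL namespace defined by ISO 18013-5

# Constructed policy for an age-restricted sale (illustrative, not from AAMVA).
AGE_CHECK_POLICY = {
    "required": {"age_over_21", "portrait"},
    "optional": {"given_name"},
}

def build_request(policy):
    """Request only the elements the policy names; value = intent to retain."""
    wanted = policy["required"] | policy["optional"]
    return {MDL_NAMESPACE: {name: False for name in sorted(wanted)}}

def evaluate_response(policy, request, disclosed):
    """Classify a response whose signatures were already verified upstream."""
    requested = set(request[MDL_NAMESPACE])
    received = disclosed.get(MDL_NAMESPACE, {})
    # Keep only what was asked for; anything else is dropped, not stored.
    accepted = {k: v for k, v in received.items() if k in requested}
    missing = sorted(policy["required"] - set(accepted))
    return {
        "outcome": "incomplete" if missing else "proceed",
        "accepted": accepted,
        "missing_required": missing,
        "withheld_optional": sorted(policy["optional"] - set(accepted)),
        "ignored_unrequested": sorted(set(received) - requested),
    }

if __name__ == "__main__":
    request = build_request(AGE_CHECK_POLICY)
    # Constructed responses: one drops the optional field, one a required field.
    partial = {MDL_NAMESPACE: {"age_over_21": True, "portrait": b"<jpeg bytes>"}}
    refused = {MDL_NAMESPACE: {"age_over_21": True, "given_name": "Ana"}}
    for label, response in (("partial", partial), ("refused", refused)):
        result = evaluate_response(AGE_CHECK_POLICY, request, response)
        print(label, result["outcome"], result["missing_required"],
              result["withheld_optional"])
```

A withheld optional field still yields `proceed`, while a withheld required field yields `incomplete` with the missing element named, so the interface can tell the user exactly what the transaction needs instead of failing generically.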
There is a lot of energy right now around building a digital identity ecosystem that puts privacy and security front and center. But that window will not stay open forever. Once mDL adoption reaches critical mass, it will be much harder to roll back poor practices or retrofit protections. What’s being decided now through specs, legislation, and implementation will define what digital identity feels like for millions of people. Verifiers have a critical role to play in that future, and the ones who align with privacy-first standards today are the ones who will be best positioned to earn trust, reduce risk, and scale securely.