Data Protection Missed the Point; Loyalty Gets It Right
Summary

SEDI’s duty of loyalty provision shifts the basis for regulating online interaction from the data to the relationship. Where GDPR and similar frameworks treat personal data as the object to be governed, duty of loyalty treats the relationship between the individual and the organization as the thing that matters. MyTerms gives that relationship concrete, operational rails.
I’m sitting in a session at IIW hosted by Sam Smith on the duty of loyalty. Sam made the point that duty of loyalty is fundamentally about the relationship, not the data—and that caught my attention because of my past work on framing identity as being more about relationships than attributes. I have long argued that we build identity systems to manage relationships, not identities.
If that is true, then the way we regulate those systems ought to focus on the relationships too. But most privacy regulation starts with the data instead. GDPR, CCPA, and their descendants define categories of personal information, prescribe what can be collected, require consent for processing, and mandate deletion on request. The regulatory object is the data itself—not the relationship that gives the data meaning. And for all their ambition, data protection regimes have done little besides annoy everyone with cookie consent dialogues; the surveillance business models they were supposed to curtail are doing just fine.
This data-centric focus is not accidental; it reflects a deeper assumption. GDPR and its descendants treat people as data subjects—consumers of services whose information is processed by a controller. The person has rights over their data, but no standing as an independent party in the relationship. They are subjects, not participants.
If you start from first person identity instead, where people have a unique digital existence and are not merely rows in someone else’s database, then it’s natural to see them as autonomous parties who enter relationships on their own terms. The duty of loyalty follows naturally from that framing.
In their 2022 paper “Legislating Data Loyalty,” Hartzog and Richards make a similar argument. The real problem, they say, is not what happens to the data; it is what happens in the relationship between the person who trusts and the institution that holds power. They propose a duty of loyalty—borrowed from fiduciary law—that would prohibit organizations from processing data or designing systems in ways that conflict with the best interests of the people who trust them.
This shifts the focus from procedural compliance around data to substantive obligations within a relationship. The relationship provides the context for the interactions that happen within it; the duty of loyalty informs that context. As I explored in Are Transactional Relationships Enough?, our online relationships are almost all transactional, administered by platforms that make product decisions to monetize the interaction rather than serve the people in it. A duty of loyalty directly addresses that imbalance.
That is exactly what Utah’s SEDI legislation does. The duty of loyalty provision in the statute places a fiduciary obligation on institutions that use or rely on a state-endorsed digital identity: they owe loyalty to the person whose identity they hold. This is not a data-handling rule. It is a relationship rule. It says that the institution is not free to use the identity relationship for its own benefit at the expense of the identity holder. As I wrote in A Legal Identity Foundation Isn’t Optional, SEDI provides the legal base layer for first-person digital trust. The duty of loyalty is the provision that makes that base layer meaningful; it gives the identity holder standing not as a data subject but as a party in a relationship with enforceable expectations.
The shift matters because data-centric regulation has a structural weakness: it lets institutions comply with the letter of the law while still exploiting the relationship. You can minimize data collection, publish a privacy policy, and offer an opt-out button—and still design systems that manipulate, surveil, and extract value from the people who depend on them.
A duty of loyalty cuts through that. It asks whether the institution is acting in the interest of the person who trusted it, not whether it followed the right procedures with the right categories of data. Importantly, digital relationships are voluntarily entered into by both parties; the institution chooses to accept the identity credential, and the individual chooses to present it. That voluntary entry is what gives the duty of loyalty its legal and moral footing—both sides opted into the relationship, and so both sides are bound by its terms.
As I explored in MyTerms and SEDI’s Duty of Loyalty, MyTerms gives this relationship-based obligation concrete, operational rails. Today, the terms governing our online interactions are 60-page contracts of adhesion that no one reads and no one negotiates—unilateral declarations by the institution, take it or leave it. These adhesion contracts are the inevitable product of regulating data rather than relationships; when the law only asks institutions to disclose what they do with data and obtain consent, a take-it-or-leave-it document is all that is required.
A duty of loyalty expressed through MyTerms replaces that with a bilateral contract. The individual’s machine-readable terms define what loyalty looks like in a specific interaction; the institution agrees to those terms when it accepts the credential. Both parties hold a record of the agreement. The duty of loyalty gets teeth when there is a protocol for expressing and auditing what the individual expected. SEDI, operationalized through MyTerms, moves us from a world where institutions write the rules and people click “I agree” to one where both parties enter a relationship with mutual obligations and enforceable terms.
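As an added illustration (not code from the original post, and not the MyTerms / IEEE P7012 format; the field names, party names and dates below are constructed assumptions), here is the flow that paragraph describes, in Python: the individual's machine-readable terms, the institution's check that it can honor them before it accepts the credential, the agreement record both parties keep, and an audit of later data use against what was actually agreed. The record is committed to with a hash so that either party's copy can be checked for tampering; in a deployment each side would additionally sign that digest with its own key so the other side can verify it.

```python
import hashlib
import json
from datetime import date

# Constructed example data. Neither the field names nor the values come from
# MyTerms / IEEE P7012; they are assumptions made so the flow can be run.
HOLDER_TERMS = {
    "terms_id": "example-holder-terms-1",        # constructed identifier
    "purposes": ["account_login", "fraud_prevention"],
    "sharing": "none",                           # no onward disclosure of holder data
    "retention_days": 30,                        # data must be gone 30 days after acceptance
}

# What the institution itself needs from the relationship (constructed).
INSTITUTION_NEEDS = {
    "purposes": ["account_login"],
    "sharing": "none",
    "retention_days": 14,
}


def canonical(obj) -> bytes:
    """Deterministic JSON so both parties hash exactly the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def institution_can_honor(terms: dict, needs: dict) -> bool:
    """Decided before the credential is accepted: do the holder's terms cover
    everything the institution needs? If not it must decline or renegotiate,
    rather than accept and quietly do more than was agreed."""
    return (
        set(needs["purposes"]) <= set(terms["purposes"])
        and (terms["sharing"] != "none" or needs["sharing"] == "none")
        and needs["retention_days"] <= terms["retention_days"]
    )


def make_agreement(terms: dict, holder: str, institution: str, accepted_on: str) -> dict:
    """The bilateral record both parties keep. agreement_id commits to the exact
    terms, parties and date. A real deployment would have each party sign this
    digest with its own key; that is omitted here to stay standard-library only."""
    body = {"terms": terms, "holder": holder,
            "institution": institution, "accepted_on": accepted_on}
    return {**body, "agreement_id": hashlib.sha256(canonical(body)).hexdigest()}


def record_intact(record: dict) -> bool:
    """Recompute the digest from the body; an altered copy no longer matches."""
    body = {k: v for k, v in record.items() if k != "agreement_id"}
    return hashlib.sha256(canonical(body)).hexdigest() == record["agreement_id"]


def records_agree(holder_copy: dict, institution_copy: dict) -> bool:
    """An audit first confirms both copies are the same intact agreement
    before judging any behaviour against it."""
    return (record_intact(holder_copy) and record_intact(institution_copy)
            and holder_copy["agreement_id"] == institution_copy["agreement_id"])


def audit_use(record: dict, use: dict) -> list:
    """Check one observed data use (a constructed log entry) against the agreed
    terms. Returns the list of violations; an empty list means the use stayed
    within what the holder expected."""
    terms = record["terms"]
    violations = []
    if use["purpose"] not in terms["purposes"]:
        violations.append(f"purpose '{use['purpose']}' was never agreed")
    if use.get("shared_with") and terms["sharing"] == "none":
        violations.append(f"data disclosed to '{use['shared_with']}' despite no-sharing term")
    age = (date.fromisoformat(use["on"]) - date.fromisoformat(record["accepted_on"])).days
    if age > terms["retention_days"]:
        violations.append(f"data still in use {age} days after acceptance; "
                          f"retention limit is {terms['retention_days']}")
    return violations


if __name__ == "__main__":
    # Constructed walk-through: accept, keep a copy each, then audit two uses.
    assert institution_can_honor(HOLDER_TERMS, INSTITUTION_NEEDS)
    holder_copy = make_agreement(HOLDER_TERMS, "holder-1", "bank-example", "2024-03-01")
    institution_copy = dict(holder_copy)
    print("copies agree:", records_agree(holder_copy, institution_copy))
    print(audit_use(holder_copy, {"purpose": "account_login", "on": "2024-03-05"}))
    print(audit_use(holder_copy, {"purpose": "ad_targeting",
                                  "shared_with": "data-broker", "on": "2024-04-20"}))
```

The two checks that give the duty "teeth" are the ones the adhesion-contract world lacks: the institution must evaluate the holder's terms before accepting, and any later use can be compared against a record the holder also holds, so a dispute is about a specific agreed term rather than about a clause buried in a document only one side wrote.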
Photo Credit: Digital Relationships from ChatGPT (public domain)


