AI Laws in Utah (UT)

What SB 149 requires

Utah has enacted SB 149 — AI Policy Act. Generative AI must disclose AI nature when asked. First comprehensive state AI law in US. This page explains what the law requires in plain language, who is in scope, the penalty for non-compliance, and what your business needs to do before the May 1, 2024 deadline.

Who is in scope

The law covers businesses that use AI to interact with consumers, make consumer-facing decisions (credit, pricing, recommendations, content delivery), or generate AI content that is presented to the public. Company size does not determine whether you are in scope — a startup with ten employees using an off-the-shelf AI hiring tool has the same disclosure obligations as an enterprise running a custom-built model. What matters is whether the AI system makes or substantially informs a decision that affects a Utah resident in a consequential way. Notably, the obligation extends to vendors: if your company deploys an AI tool built by a third party, you — as the deployer — are responsible for ensuring it meets Utah's requirements, even if you did not build it.

Key compliance requirements

Utah's consumer AI transparency requirements focus on two baseline obligations: disclosure and opt-out. Businesses must inform consumers when an AI system is involved in a consequential decision — meaning a decision that meaningfully affects a consumer's access to services, pricing, credit, or opportunities. The opt-out requirement gives consumers a mechanism to request human review or to decline AI-driven processing entirely. Meeting this standard is not just a notice-posting exercise: companies need to map every consumer-facing AI touchpoint, verify that their disclosure language is accurate and readable, and build a functioning human-review pathway that responds to opt-out requests within a defined window.

Penalties for non-compliance

The financial consequences of non-compliance under SB 149 are real and enforceable now. Utah sets a maximum civil penalty of Up to $2,500 per violation. Penalties accumulate per violation — meaning a company that has deployed an AI tool to thousands of consumers without required disclosures faces compounding exposure, not a single capped fine. Consumer AI violations in Utah may also attract federal coordination: the FTC's Operation AI Comply sweep (September 2024) demonstrated that state and federal enforcers share intelligence on companies with widespread AI disclosure failures.

What to do now

Build your AI inventory first. You cannot comply with Utah's requirements if you do not know which systems are in scope. Map every AI or automated decision system your company uses that touches Utah residents — including third-party vendor tools integrated into your product.

Draft accurate disclosure language. Work with legal counsel to produce disclosure statements that accurately describe what your AI does, what data it uses, and what the consumer can do if they want human review. Vague or boilerplate disclosures will not satisfy Utah's requirements.

Build the opt-out pathway. Implement a functioning process for consumers to request human review or opt out of AI-assisted processing. Test it before the deadline — regulators will look for live, working mechanisms, not documented promises.

Assign a compliance owner. Designate someone — legal counsel, a privacy officer, or a dedicated AI governance lead — to track regulatory developments, own the audit documentation, and respond if an enforcement inquiry arrives. The compliance deadline is May 1, 2024. Don't wait until the deadline to start.

Utah AI law in the broader regulatory landscape

Utah's law does not exist in isolation. The trend across the United States is toward more regulation, not less: at least 20 states enacted or proposed AI-specific legislation in 2025 alone, and federal enforcement agencies — the FTC, EEOC, CFPB, and HHS — have all issued guidance making clear that existing laws apply to AI systems even where no AI-specific statute exists. Companies doing business across state lines must track each state's requirements independently — there is no federal preemption that would allow a company to satisfy Utah's law and automatically comply with requirements in Illinois, Colorado, or New York.

The EU AI Act applies to any company serving EU customers, even if you're based in Utah. Penalties reach €35M or 7% of global revenue. Deadline: August 2, 2026.