AI Laws in Utah (UT)
Suppliers using generative AI must disclose it up-front only in high-risk interactions (e.g., regulated professions or consequential advice) and otherwise only on a consumer's clear and unambiguous request; separately, AI mental-health chatbots must disclose they are not human and face data-sharing and advertising limits (HB 452).
What SB 149 requires
Utah has enacted SB 149 — AI Policy Act (amended 2025 by SB 226 & SB 332) and HB 452 — AI mental-health chatbot rules. Suppliers using generative AI must disclose it up-front only in high-risk interactions (e.g., regulated professions or consequential advice) and otherwise only on a consumer's clear and unambiguous request; separately, AI mental-health chatbots must disclose they are not human and face data-sharing and advertising limits (HB 452). This page explains what the law requires in plain language, who is in scope, the penalty for non-compliance, and what your business needs to do before the In effect since May 1, 2024 (2025 amendments effective May 7, 2025; sunset July 2027) deadline.
Who is in scope
The law covers businesses that use AI to interact with consumers, make consumer-facing decisions (credit, pricing, recommendations, content delivery), or generate AI content that is presented to the public, and developers who build AI systems classified as high-risk — typically systems that influence consequential decisions in credit, employment, healthcare, education, housing, or government services — and the companies that deploy them. Company size does not determine whether you are in scope — a startup with ten employees using an off-the-shelf AI hiring tool has the same disclosure obligations as an enterprise running a custom-built model. What matters is whether the AI system makes or substantially informs a decision that affects a Utah resident in a consequential way. Notably, the obligation extends to vendors: if your company deploys an AI tool built by a third party, you — as the deployer — are responsible for ensuring it meets Utah's requirements, even if you did not build it.
Key compliance requirements
Utah's consumer AI transparency requirements focus on two baseline obligations: disclosure and opt-out. Businesses must inform consumers when an AI system is involved in a consequential decision — meaning a decision that meaningfully affects a consumer's access to services, pricing, credit, or opportunities. The opt-out requirement gives consumers a mechanism to request human review or to decline AI-driven processing entirely. Meeting this standard is not just a notice-posting exercise: companies need to map every consumer-facing AI touchpoint, verify that their disclosure language is accurate and readable, and build a functioning human-review pathway that responds to opt-out requests within a defined window.
Utah's risk-assessment framework requires that developers and deployers of high-impact AI systems conduct formal impact assessments before deployment and re-evaluate them when the system changes materially. An impact assessment must document the intended purpose of the system, the data it uses, the populations it affects, known accuracy limitations, and what bias-testing was performed. Deployers must also publish a summary of the assessment that is accessible to consumers and regulators — internal documentation alone is insufficient. Critically, the assessment is not a one-time exercise: Utah's law contemplates ongoing monitoring, with a duty to update documentation when performance data or demographic outputs shift.
Penalties for non-compliance
The financial consequences of non-compliance under SB 149 are real and enforceable now. Utah sets a maximum civil penalty of Up to $2,500 per violation (administrative, Utah Div. of Consumer Protection). Penalties accumulate per violation — meaning a company that has deployed an AI tool to thousands of consumers without required disclosures faces compounding exposure, not a single capped fine. Consumer AI violations in Utah may also attract federal coordination: the FTC's Operation AI Comply sweep (September 2024) demonstrated that state and federal enforcers share intelligence on companies with widespread AI disclosure failures.
What to do now
Build your AI inventory first. You cannot comply with Utah's requirements if you do not know which systems are in scope. Map every AI or automated decision system your company uses that touches Utah residents — including third-party vendor tools integrated into your product.
Draft accurate disclosure language. Work with legal counsel to produce disclosure statements that accurately describe what your AI does, what data it uses, and what the consumer can do if they want human review. Vague or boilerplate disclosures will not satisfy Utah's requirements.
Build the opt-out pathway. Implement a functioning process for consumers to request human review or opt out of AI-assisted processing. Test it before the deadline — regulators will look for live, working mechanisms, not documented promises.
Complete impact assessments for high-risk systems. Follow the framework in SB 149 to produce a written assessment covering intended use, training data, affected populations, accuracy benchmarks, and bias mitigation. Retain the documentation for at least the period specified in the law's record-keeping provisions.
Assign a compliance owner. Designate someone — legal counsel, a privacy officer, or a dedicated AI governance lead — to track regulatory developments, own the audit documentation, and respond if an enforcement inquiry arrives. The compliance deadline is In effect since May 1, 2024 (2025 amendments effective May 7, 2025; sunset July 2027). Don't wait until the deadline to start.
Utah AI law in the broader regulatory landscape
Utah's law does not exist in isolation. The trend across the United States is toward more regulation, not less: at least 20 states enacted or proposed AI-specific legislation in 2025 alone, and federal enforcement agencies — the FTC, EEOC, CFPB, and HHS — have all issued guidance making clear that existing laws apply to AI systems even where no AI-specific statute exists. Companies doing business across state lines must track each state's requirements independently — there is no federal preemption that would allow a company to satisfy Utah's law and automatically comply with requirements in Illinois, Colorado, or New York.
Recent AI law developments in Utah
Updated July 12, 2026Recent news coverage of AI regulation and policy in Utah. Headlines are aggregated automatically; follow each link for the full story.
Coverage from Bloomberg Law News on AI legislation and regulation relevant to Utah.
Coverage from GlobeNewswire on AI legislation and regulation relevant to Utah.
AI bills moving through the Utah legislature
Updated July 11, 2026AI-related bills currently tracked in the Utah legislature, updated automatically from Open States and the state legislature's own official record. Follow each link for the official bill text, sponsors, and status history.
Applicable laws
↗ Each law links to its primary government source. Full source list below.
Landmark AI laws in Utah, bill by bill
Dedicated pages for Utah's headline AI laws — status, penalty, effective date, and the official text.
Signed into law by
Utah AI compliance by industry
AI compliance by company size
Jump to top-risk sectors for your company size
Quick resources for Utah
Industry risk levels in Utah
Do you also serve EU customers?
The EU AI Act applies to any company serving EU customers, even if you're based in Utah. Penalties reach €35M or 7% of global revenue. Deadline: August 2, 2026.
Other states with active AI laws
Related resources
Anchored to the primary government source (statute, bill text, or agency rule) and verified directly against it · Last verified Jul 2, 2026. See our methodology.
- ↗le.utah.govhttps://le.utah.gov/~2024/bills/static/SB0149.html
- ↗le.utah.govhttps://le.utah.gov/~2025/bills/static/HB0452.html
- ↗davispolk.comhttps://www.davispolk.com/insights/client-update/utah-scales-back-reach-gener…
