Utah AI Policy Act (stack — SB 149 + 2025 + 2026 amendments) — Obligations, Requirements & Enforcement

Utah AI Policy Act (stack — SB 149 + 2025 + 2026 amendments)

Jurisdiction:

Utah

enforcing

Effective:

May 1, 2024

Authority:

Utah Division of Consumer Protection

Official text Verified Apr 18, 2026

Obligations Covered

Transparency & Disclosure Data Governance Record-Keeping & Documentation Risk Assessment Human Oversight

Timeline

Milestone	Date	Notes
SB 149 signed	Mar 13, 2024	Gov. Cox signed
SB 149 effective	May 1, 2024	Office + disclosure + criminal mirror
Boyd appointed	Apr 30, 2024	Director, Office of AI Policy
Office formally launched	2024-07 (month only)	Per GovTech, May 2025
SB 226, SB 271, SB 332, HB 452 effective	May 7, 2025	Four-bill single-day package
First required annual report	Nov 30, 2025	To Business & Labor Interim Committee
HB 320 effective	May 6, 2026	Learning Lab restructure
Second annual report	Nov 30, 2026	Replacement-drafting spine
Chapter 72 sunset	Jul 1, 2027	Office + Lab + agreements expire; other chapters survive

General GenAI Disclosure #

Obligation:

Transparency

enforcing

Effective:

May 7, 2025

Risk tier:

general

Scope:

suppliers in consumer transactions

Requirements

Requirement	Details
On-request disclosure	Must disclose AI use when consumer makes "clear and unambiguous request"
Safe harbor	Clear + conspicuous disclosure at outset and throughout eliminates enforcement exposure (§13-75-104)

Penalties

Violation	Fine
Admin enforcement	Up to $2,500 per violation
Court enforcement	Up to $2,500 per violation; disgorgement; attorney fees; investigative fees
Order violation	Up to $5,000 per violation

High-Risk GenAI Disclosure in Regulated Occupations #

Obligation:

Transparency

enforcing

Effective:

May 7, 2025

Risk tier:

high-risk

Scope:

regulated-occupation providers

Requirements

Requirement	Details
Proactive disclosure	Required only for "high-risk AI interactions" (§13-75-101(5)): sensitive data (health/financial/biometric) or personalized advice in finance/legal/medicine/mental health
Verbal at start	Required at start of oral exchange
Written before start	Required in electronic messaging before written exchange

Penalties

Violation	Fine
Same as general disclosure	$2,500 admin / $2,500 court / $5,000 order violation

Mental Health Chatbot Disclosure #

Obligation:

Transparency

enforcing

Effective:

May 7, 2025

Risk tier:

high-risk

Scope:

mental health chatbot suppliers

Requirements

Requirement	Details
Pre-access disclosure	Must disclose before user may access chatbot features
Post-gap disclosure	Disclosure at start of interaction when >7 days since user's last interaction
On-prompt disclosure	Disclosure any time user asks whether AI is used
Carve-out	Scripted-only output (meditations, mindfulness) and referral-to-human-therapist bots excluded (§13-72a-101(10)(b))

Penalties

Violation	Fine
Admin	Up to $2,500 per violation
Court	Up to $2,500 per violation; disgorgement; attorney fees
Order violation	Up to $5,000 per violation

Mental Health Chatbot Data Protection #

Obligation:

Data Governance

enforcing

Effective:

May 7, 2025

Risk tier:

high-risk

Scope:

mental health chatbot suppliers

Requirements

Requirement	Details
No sale/sharing	May not sell or share identifiable health information or user input with third parties
Health care exception	Permitted when user-consented or user-requested to health care provider or health plan
HIPAA-equivalent controls	Third-party sharing for functionality requires HIPAA Parts 160 + 164 Subparts A/E compliance as if supplier were a covered entity

Penalties

Violation	Fine
Same as chatbot disclosure	$2,500 admin / court / $5,000 order violation

Mental Health Chatbot Safety Policy #

Obligation:

Record Keeping

enforcing

Effective:

May 7, 2025

Risk tier:

high-risk

Scope:

mental health chatbot suppliers

Requirements

Requirement	Details
15-element policy	Written policy covering intended purposes, therapist involvement, clinical best practices, testing, risk identification, user reporting, acute-risk protocols, safety reviews, safe-use instructions, AI-awareness disclosure, engagement-over-safety prohibition, non-discrimination, HIPAA compliance
Documentation	Foundation models used, training data, HIPAA compliance, user data practices, ongoing accuracy/safety efforts
Filing	Must file with Division of Consumer Protection + annual fee
Compliance requirement	Must comply with filed policy at time of alleged violation

Penalties

Violation	Fine
Affirmative defense	Available only against §58-1-501(1) and (2) unauthorized-practice actions; not against DCP enforcement

AI-Generated Personal Identity Abuse #

Obligation:

Transparency

enforcing

Effective:

May 7, 2025

Risk tier:

high-risk

Scope:

any person using or distributing tools for personal-identity creation

Requirements

Requirement	Details
Expanded scope	Personal identity now covers name, title, picture, portrait, video likeness, voice, audiovisual appearance — including AI simulation/reproduction
Voice definition	Any computer-generated sound "readily identifiable and attributable" to an individual
Tool distribution liability	Knowingly distributing tools whose "intended primary purpose" is unauthorized personal-identity content creation for commercial purposes = abuse
Exemptions	News, public affairs, sports, art, parody, political speech; §230 interactive-computer-service safe harbor

Penalties

Violation	Fine
Civil action
Criminal

Regulatory Mitigation and Joint Interpretation Agreements #

Obligation:

Record Keeping

enforcing

Effective:

Invalid Date

Risk tier:

variable (per agreement)

Scope:

Learning Lab participants

Requirements

Requirement	Details
Participant eligibility	Five prongs per §13-72-402: technical capability, financial resources, substantial consumer benefits outweighing risks, risk-monitoring plan, appropriately-limited scope
Agreement contents	Scope limits, safeguards, mitigation granted, required consumer disclosures, reporting requirements (§13-72-401(4))
Counterparties	OAIP + relevant state agency or governmental entity (judiciary, higher-ed, political subdivisions per HB 320)
Term	Initial 12 months + up to 2 × 12-month extensions (36 months total per §13-72-403)
Mandatory audits	OAIP "shall perform regular audits" while agreement is active (§13-72-401(6), HB 320)
Agreement types	Regulatory mitigation (waives specified law) or joint interpretation (clarifies statute application to AI)
Annual report	Nov 30 to Business & Labor Interim Committee: learning agenda, findings/participation/outcomes, executed agreements, recommended legislation (§13-72-201(3)(d))

Penalties

Violation	Fine
Agreement violation

Liability for AI-Assisted Violations #

Obligation:

Record Keeping

enforcing

Effective:

Invalid Date

Risk tier:

all

Scope:

any principal using or prompting GenAI

Requirements

Requirement	Details
Civil (§13-75-102)	"Not a defense" that GenAI made the violative statement, undertook the violative act, or was used in furtherance
Criminal (§76-2-107)	Principal may be found guilty if they commit offense "with the aid of" or "intentionally prompt" GenAI to commit offense

Penalties

Violation	Fine
Civil	Per underlying consumer-protection statute
Criminal	Per underlying offense — no separate penalty