Utah's Three New AI Laws Reshape Enterprise Data Processing Obligations

Utah's three new AI laws, effective May 7, 2025, impose disclosure and data rules on all businesses using generative AI to serve Utah residents.

A package of three artificial intelligence laws signed by Utah Governor Spencer J. Cox took effect on May 7, 2025, imposing disclosure, data protection, and identity-use requirements on any business deploying generative AI to serve Utah residents, regardless of where that business is headquartered.

Background

Utah's legislative effort began in March 2024, when the state enacted the Utah Artificial Intelligence Policy Act (UAIP), which became the nation's first state-level consumer protection law focused exclusively on artificial intelligence. The original statute required businesses to inform consumers when they were interacting with a generative AI system rather than a human. The 2025 session built substantially on that foundation.

According to Chambers and Partners' data protection practice guide, the Utah Legislature has now enacted statutes addressing AI, cybersecurity, social media governance, and electronic data access, making privacy compliance "an ongoing regulatory responsibility" rather than a discrete legal project for organizations operating in or serving the state. Crucially, SB 332 extended the UAIP's sunset date, which had been set to expire May 7, 2025, through July 1, 2027, signaling a long-term commitment to the framework.

Businesses must now navigate an increasingly complex patchwork of state privacy laws, with comprehensive frameworks in force across California, Virginia, Colorado, Connecticut, and Utah. Utah's 2025 amendments add AI-specific layers on top of this foundation.

Details

Governor Cox signed three AI bills into law that took effect May 7, 2025, requiring businesses to provide "you're talking to a bot" disclosures and comply with privacy requirements when using AI in consumer transactions, mental health chatbots, and certain content used for advertising, fundraising, or endorsements.

The first measure, SB 226, narrows and refines the original UAIP. Under the amended law, proactive disclosures are limited to "high-risk artificial intelligence interactions": those in which professionals collect sensitive information such as health, financial, or biometric data, or provide recommendations that users may rely on for significant financial, legal, or medical decisions. For enterprises in regulated occupations requiring a state license or certification, this obligation activates at the start of the AI interaction. Previously, the reactive disclosure requirement applied broadly to all business activities in Utah, including business-to-business interactions; the amended law limits it to consumer transactions.

The second bill, HB 452, targets AI-powered mental health chatbots. It establishes protections by requiring clear disclosures, setting development standards, and granting enforcement authority to the Department of Consumer Protection. Providers must clearly and conspicuously disclose that the user is interacting with AI at several points: prior to access, if more than seven days have passed since the last use, and upon user request. Mental health chatbot providers may qualify for an affirmative defense if they create, implement, and comply with a written policy filed with the Utah Division of Consumer Protection and maintain documentation regarding training data, foundational models, user data collection and sharing practices, and ongoing efforts to ensure accuracy, reliability, fairness, and safety.

The third bill, SB 271, expands Utah's existing prohibitions on identity misuse. It broadens the definition of personal identity to include video likeness, voice, and audiovisual appearance, and the imitation of any of these through generative AI or other technological means.

Enforcement exposure is significant for non-compliant operators. Utah's Division of Consumer Protection can fine businesses up to $2,500 per violation, with penalties potentially rising to $5,000 per violation if a court or the Attorney General becomes involved. No private right of action exists under HB 452, though SB 271 maintains one under existing consumer protection statutes. A safe harbor is available: businesses avoid penalties under SB 226 if the generative AI clearly identifies itself as an AI assistant both at the outset of and throughout the interaction.

For enterprises operating across multiple jurisdictions, the compliance surface extends beyond Utah's borders. A business's location does not determine applicability: if Utah residents use an AI-powered service, the operator must follow these rules, covering online businesses, apps, websites, and any platform where AI communicates directly with users. According to Chambers and Partners, the 2025 amendments focus the AI disclosure obligations on instances where consumers make a clear and unambiguous request to know whether they are interacting with AI, and limit proactive disclosure obligations to high-risk interactions involving sensitive personal or regulated occupational data, a refinement that legal analysts say narrows the compliance burden for lower-risk enterprise deployments.

Outlook

Other U.S. states are advancing similar AI-related regulations with disclosure and usage requirements, meaning compliance with the UAIP framework may prove critical for organizations preparing for forthcoming rules in additional jurisdictions. Gartner forecasts that by 2027, over 40% of AI-related privacy violations will result from unintended cross-border data exposure via generative AI tools. With the UAIP now extended through July 1, 2027, enterprise compliance, legal, and procurement teams will need to embed AI disclosure protocols into vendor contracts, product interfaces, and data governance frameworks well before that date.