Regulatory Status
Utah's Artificial Intelligence Policy Act (SB 149, signed March 13, 2024; effective May 1, 2024) was the first US state law regulating private-sector generative AI. It requires any entity using consumer-facing generative AI to disclose AI involvement when clearly and unambiguously asked by the consumer. Entities operating in "regulated occupations" (those requiring a Utah Department of Commerce license or state certification — including attorneys, insurance producers, healthcare providers, and other licensed professionals) must proactively disclose AI use at the start of each interaction, without waiting to be asked. The law establishes that using AI is not a defense to violations of existing consumer protection statutes. It also creates the Office of Artificial Intelligence Policy and an AI Learning Laboratory regulatory sandbox. Amended by SB 226 (effective May 7, 2025), which narrowed the disclosure trigger to require a "clear and unambiguous" consumer request, added a "high-risk AI interaction" category requiring proactive disclosure for regulated occupations in sensitive decision contexts, narrowed the GenAI definition to systems "designed to simulate human conversation," and established a statutory safe harbor for compliant disclosures. SB 332 extended the UAIPA's sunset date from May 2025 to July 1, 2027.
Key Requirements
On-Request Disclosure (General) Any entity using generative AI in a consumer interaction must clearly and conspicuously disclose that a person is interacting with AI (not a human) when the consumer makes a clear and unambiguous request to know whether they are interacting with AI. Oral disclosure for verbal interactions; written disclosure for text-based interactions.
Proactive Disclosure (Regulated Occupations) Entities providing services in a regulated occupation — any occupation requiring a Utah Department of Commerce license or state certification — must proactively disclose GenAI use at the beginning of an interaction during a high-risk AI interaction. A high-risk interaction involves (a) collection of sensitive personal information (health, financial, or biometric data) AND (b) providing personalized recommendations, advice, or information the consumer could reasonably rely on to make significant personal decisions, including financial, legal, medical, or mental health advice.
No AI-as-Defense It is not a defense to violation of any consumer protection statute that an AI system generated the violative content or act. Liability attaches to the deploying entity.
Safe Harbor A person is not subject to enforcement action if the generative AI clearly and conspicuously discloses it is nonhuman at the outset of and throughout the consumer interaction. Disclosure must be provided orally at the start of verbal interactions and in writing before written interactions.
Insurance Implications
Relevant policy types: E&O, Cyber, D&O
Compliance Gaps to Address
No policy on AI tool usage in client matters
No disclosure to clients about AI-assisted work product
No verification process for AI-generated legal research
Unaware of professional responsibility implications of AI use
Other Industries in This State
This Industry in Other States
Disclaimer: This content is provided for informational purposes only and does not constitute legal advice. AI regulations and insurance policy terms change frequently. Consult with a qualified attorney or insurance professional for advice specific to your situation. Gridex makes no warranties regarding the accuracy or completeness of this information.