This article is sponsored by Parsons Behle & Latimer.

Privacy today is no longer just about compliance. It’s about control, trust and readiness for artificial intelligence. As businesses adopt AI-driven tools, states are moving quickly to regulate their use, particularly where consumers are involved. Emerging AI laws focus on several themes:

  • Disclosure requirements, both proactive and prompted
  • Options for consumer opt-out or written consent in certain circumstances
  • Oversight by licensed professionals when AI influences significant or high-risk decisions
  • Protection of personal and health information in compliance with laws such as HIPAA
  • Validation of AI output and prevention of discrimination

Utah’s privacy and AI laws

Utah has taken a leading role in balancing innovation with consumer protection. Its primary privacy law, the Utah Consumer Privacy Act, took effect Dec. 31, 2023. The law establishes rights for consumers and obligations for businesses that collect or process personal data.

Building on that framework, the Utah Artificial Intelligence Policy Act became effective May 1, 2024. Incorporated into the state’s consumer protection statutes, the law introduces liability for inadequate disclosure of generative AI use and establishes the Office of Artificial Intelligence Policy to oversee compliance.

What counts as GenAI

“Generative artificial intelligence” is defined under Utah law as an AI system trained on data, designed to simulate human conversation through text, audio or visual communication, and capable of generating non-scripted outputs with limited or no human oversight (Utah Code § 13-75-101).

This definition is very broad — it covers voice chatbots and large language models such as ChatGPT.

UAIPA disclosure requirements

Utah law sets out two disclosure standards:

  1. General rule: Any person using or prompting generative AI in connection with consumer protection activities regulated by the Utah Division of Consumer Protection — such as sales, telemarketing or charitable solicitations — must disclose upon request that the consumer is interacting with AI, not a human.
  2. Regulated professions: Professionals licensed by the state (attorneys, accountants, physicians, nurses, psychologists and others) must prominently disclose AI use if it constitutes a “high-risk” AI interaction. This disclosure must be:
    1. Verbal at the start of a conversation, or
    2. Provided electronically before a written exchange (Utah Code § 13-75-103(2))

Defining “high-risk” interactions

Under Utah law, a “high-risk” AI interaction involves:

  • A collection of sensitive data such as health, financial or biometric information
  • Provision of personalized advice that could influence significant personal decisions, including financial, legal, medical or mental health advice
  • Other applications defined by UDCP rule (Utah Code § 13-75-101(5))

These definitions ensure professional judgment remains central where critical personal outcomes are at stake.

Safe harbor provisions

The law includes a safe harbor. If a generative AI system provides a clear, conspicuous disclosure of its nature at the start of a transaction and throughout the interaction, it will not face enforcement action for failing to respond correctly to a consumer’s inquiry about its status (Utah Code § 13-75-104). This provision helps businesses reduce liability while ensuring transparency.

Penalties for noncompliance

Violations can carry significant costs:

  • The Utah Division of Consumer Protection may impose fines of up to $2,500 per violation. Each deceptive act or practice counts as a separate violation, so fines may escalate quickly.
  • Courts can enjoin violations, order disgorgement of ill-gotten gains and enforce compliance.
  • The Utah attorney general may also seek fines of $5,000 per violation for breaching administrative or court orders.

Notably, the law does not provide a private right of action — enforcement remains with regulators.

What this means for businesses

Companies must evaluate whether AI tools embedded in their services, devices or operations fall within Utah’s legal requirements. If they do, businesses need to:

  • Implement clear disclosure processes
  • Train staff on when and how to provide disclosures
  • Ensure systems comply with AI-related data privacy and professional standards

Even companies not currently subject to UAIPA or similar laws should consider proactively adopting disclosure practices. Transparency builds trust and demonstrates commitment to responsible innovation — both critical in today’s market.

The bottom line

Utah’s laws make clear that AI is no longer a regulatory gray area. Businesses cannot treat AI like just another software tool. Instead, they must understand when and how disclosure, consent and oversight obligations apply. Doing so will not only avoid fines but also build consumer trust at a time when privacy and accountability are paramount.

By preparing now, Utah businesses can turn compliance into a competitive advantage — demonstrating both innovation and responsibility in the AI era.

Paul Evans is the office managing shareholder of Parsons’ Rexburg, Idaho office. He is an experienced corporate, intellectual property and data privacy attorney with significant experience in the healthcare industry. Paul focuses on helping businesses grow and protect their key assets and partnerships. His experience as general counsel and a corporate executive at multiple tech and healthcare companies provides clients with an attorney who possesses unique experience and perspective to accomplish sophisticated business and legal objectives. To contact Paul, send an email to pevans@parsonsbehle.com or call 208.607.4950.