Utah Consumer Privacy Act, Profiling Provisions (SB 227)
Effective date
Penalty
Up to $7,500 per violation. AG enforcement only.
Cure period
30 days
Obligations mapped
Tracked
Overview
Utah's comprehensive privacy law. It is the least restrictive state privacy law regarding profiling and ADM among comparable statutes: it includes opt-out for targeted advertising and sale of personal data, but does not include a general profiling opt-out or ADM impact assessment requirement. No universal opt-out mechanism requirement. Trackers sometimes incorrectly list Utah as having ADM provisions similar to other states.
This is a privacy law with automated decision-making provisions.
See if this regulation applies to your company with the free exposure scan.
Who this applies to
This regulation applies to the following roles:
- Developers of covered AI systems
- Deployers and users of covered AI systems
- Organizations operating in Utah
This regulation applies to both companies that build AI products and companies that use AI tools from other vendors.
SB 227
AI categories covered
- Consumer-facing AI
- Automated decision-making
- Algorithmic profiling
Specific AI use cases:
- Customer profiling and segmentation
What this requires you to do
Detailed obligation packs are not yet mapped for this entry in XIRA. Obligation areas from the catalog are listed below.
What this requires you to do
Transparency notice required
Provide transparency notices. Inform affected individuals that AI is being used and how it influences decisions.
Consumer opt-out required
Provide an opt-out mechanism. Consumers must be able to opt out of automated decision-making.
Regulation summaries are simplified for readability and may not capture every nuance of the underlying statute. Verify important details against primary sources linked on this page.
Enforcement and penalties
Up to $7,500 per violation. AG enforcement only.
Cure period: 30 days.
Penalty amounts are based on statutory text and may be subject to adjustment, judicial interpretation, or enforcement discretion.
Legislative history
effective
Takes effect
Related regulations
- In EffectAI-Specific
Utah Artificial Intelligence Policy Act (SB 149)
SB 332 extended the act's sunset from May 7, 2025 to July 1, 2027. SB 226 NARROWED disclosure requirements (not added). General consumer transactions now require disclosure only upon clear and unambiguous request. Regulated occupations require proactive disclosure for high-risk artificial intelligence interactions involving sensitive data or significant decisions. Safe harbor: if the AI system itself clearly and conspicuously discloses at the outset and throughout the interaction that it is nonhuman or AI, the entity is not subject to enforcement action. See Utah AI Policy Act Amendments (SB 226) for the 2025 amendments.
Effective
- In EffectAI-Specific
Utah AI Mental Health Chatbot Regulation (HB 452)
Regulates AI-powered mental health chatbots. Requires clear disclosure that the service is not a human clinician, limits certain advertising during therapeutic-style conversations, and restricts sharing identifiable health information. Specific disclosure timing: before user can access the chatbot, after 7 days without use, and whenever asked by the user. Health data restrictions: businesses cannot share or sell individually identifiable health information or user input with third parties, except as necessary for chatbot function or to health providers with user consent under HIPAA. Advertising restrictions: ads delivered through chatbot must be disclosed, and no user input can be used to decide whether to advertise or to customize ads. Affirmative defense requires actual policy filing with the Division of Consumer Protection, not only having a policy on file internally.
Effective
- In EffectAI-Specific
Utah AI Policy Act Amendments (SB 226 / SB 332)
SB 226 narrowed UAIPA disclosure: general consumer contexts require disclosure only on a clear and unambiguous request; regulated occupations still require proactive disclosure for high-risk artificial intelligence interactions (sensitive data and significant decisions). SB 332 extended the act's sunset from May 7, 2025 to July 1, 2027. Safe harbor unchanged: no enforcement if generative AI clearly and conspicuously discloses it is nonhuman at the outset and throughout the interaction. Applies together with the Utah Artificial Intelligence Policy Act (SB 149).
Effective
- In EffectAI-Specific
Utah Unauthorized AI Impersonation (SB 271)
Expands Utah's abuse of personal identity law to cover AI-generated deepfakes and digital replicas used for commercial purposes without consent. Prohibits distributing software primarily designed for unauthorized commercial impersonation. Covers AI-generated simulations of voice, video likeness, and audiovisual appearance. Not limited to deepfakes: it covers commercial misuse of personal identity including non-AI methods. First Amendment exemptions for newsworthiness, artistic expression, and parody. The software distribution prohibition targets nudification apps and similar tools.
Effective
Utah AI regulation guide lists every tracked rule for this jurisdiction with timelines and obligation tallies.
Regulation summaries are simplified for readability and may not capture every nuance of the underlying statute. Verify important details against primary sources linked on this page.