AI Insight: Utah’s First-of-Its-Kind AI Law

As we near the end of 2024, artificial intelligence (AI) remains a focal point in headlines. Yet despite this constant attention, no comprehensive AI regulation exists in the United States and only five states have passed AI-related laws.

One state leading the way in AI regulation is Utah. In May 2024, Utah’s Artificial Intelligence Policy Act went into effect, making it the first AI-centered law in the United States. Notable features of the Act include the regulation of generative AI use and initiatives to encourage AI technology innovation within Utah.

Utah AI Act - Generative AI Regulation

With generative AI increasingly used in both written and verbal communications, Utah’s Artificial Intelligence Policy Act implements new regulations requiring disclosure of its use. Under the Act, entities using generative AI must disclose this under certain circumstances, dependent on if the entity using the generative AI is in a regulated or unregulated occupation.

For regulated occupations, disclosure requirements are stricter. The disclosure must be prominent and provided either verbally at the start of an oral exchange or electronically before a written exchange. Although the Act does not explicitly define “prominent” disclosure, it is advisable to clearly inform individuals at the start of any verbal interactions that generative AI will be used. For written exchanges, disclosure should be in clear, distinct lettering- not small print or buried in terms of service- to ensure the individual cannot overlook it. For unregulated occupations, disclosure of the use of generative AI is only required to be clearly and conspicuously disclosed when a user directly asks whether AI is being used or not. Again, what qualifies as “clear and conspicuous” is not set forth in the act, but it is recommended that if asked whether generative AI is used or not, to give a straightforward response, such as “Yes, this is generative AI.”  

If an entity does not comply with the disclosure requirements, they are likely to face consequences. For one, the Act cracks down on entities trying to avoid liability by blaming AI for violations. If a violation occurs, an entity cannot defend any violation by claiming the generative AI made the violative statement, undertook the violative act, or was used in furtherance of the violation. The entity is responsible for the violation, regardless of whether the AI itself is to “blame.” Further, violations of the Act can lead to penalties. To start, for each violation, the division director may impose an administrative fine of up to $2,500. While there is ambiguity around what exactly “each violation” refers to, in a worst-case scenario, each undisclosed AI-generated interaction could count as a separate offense, leading to a quick increase of the amount an entity is liable for. In addition, violators may face lawsuits where injunctions, disgorgement of money received after a violation, and other relief as deemed reasonable and necessary by the court could be claimed. Furthermore, the attorney general can get involved if administrative and court orders are violated. If so, the penalty is raised to $5,000 per violation. Thus, to avoid these potential liabilities, it is highly important that companies using generative AI ensure compliance with disclosure requirements as soon as possible.

Utah AI Act - Encouraging AI Innovation

Despite the push for heaving AI regulations, Utah is committed to promoting the innovation of AI technologies throughout the state. The Act, now provides AI developers in Utah, who may be overwhelmed by compliance requirements or hesitant to innovate due to potential penalties, with the support of the newly established Office of Artificial Intelligence Policy and “Artificial Intelligence Learning Laboratory Program.”

In addition to assessing AI technologies, risks, and policies, this program encourages ongoing AI development within the state. Any entity seeking to develop a qualified AI technology- a machine-based system that makes predictions, recommendations, or decisions impacting real or virtual environments- can apply for “regulatory mitigation.” Applicants must demonstrate their technical expertise, capability to responsibly develop the proposed AI technology, and possession of sufficient financial resources to meet testing requirements. Additionally, applicants must show that the AI technology has the potential to provide substantial consumer benefits outweighing any presented risks of the technology, outline a plan for ongoing monitoring and risk mitigation, and ensure that testing is limited based on risk assessments. The Office of Artificial Intelligence Policy also focuses on fostering the development AI technology in certain spaces where such technology is lacking. Currently, the Office is actively seeking program participants developing AI for healthcare applications. Specifically, those developing for use in relation to mental health care. Thus, entities can increase their chances of acceptance into the program if they are of the desired space.

If accepted to the program, participants must enter a written “regulatory mitigation agreement” with the Office of Artificial Intelligence Policy. Under this agreement, the participants will be given requirements such as record retention and data breach reporting requirements. Additionally, participants may also negotiate benefits for the twelve-month regulatory mitigation period, including:  

·      Assistance navigating regulatory concerns

·      Support with setting development benchmarks and regular testing

·      Limits on fines for violations

·      Cure periods before fines are assessed and imposed

·      A one-time 12-month extension if additional time is needed

·      Other accommodations as agreed to

Utah’s Artificial Intelligence Policy Act is just one example of the regulatory and promotional environment AI technology will encounter in the coming years. While it can be overwhelming navigating the red tape that comes with AI development and launching an AI-focused business, here at Rockridge®, we pride ourselves on staying at the forefront of the ever-changing AI and data privacy legal landscape. We are committed to ensuring our clients overcome regulatory challenges and bring their cutting-edge technologies to life.