What you should know about Utah’s newest privacy laws

This year, the Utah Legislature passed multiple privacy laws and enacted the nation’s first major artificial intelligence (AI) law — efforts that may spark similar initiatives nationwide.

Building on previous laws, Utah lawmakers continue to examine personal data processing as well as privacy rights and expectations. From requiring disclosures when individuals communicate with generative artificial intelligence (AI) chatbots to increasing protections for minors who use social media platforms, the 2024 legislative session suggests that lawmakers have stayed current on privacy technology and aim to stop deceptive tactics that can hurt consumers.

Artificial Intelligence Amendments Act (Senate Bill 149)

Utah’s AI law establishes the Office of Artificial Intelligence Policy, an AI analysis program, and liability for improperly disclosing or failing to disclose generative AI use. Effective May 1, 2024, anyone providing services in a regulated occupation must disclose, when prompted, that they are using generative AI to interact with someone via text, audio, or visual communication, and to create nonscripted outputs with limited to no human oversight. SB149 also requires disclosures when an individual communicates with a chatbot in a health care setting.

Social Media Regulation Amendments (SB194)

Strengthening Utah’s Minor Protection in Social Media Act, the amendments aim to broaden protections for minors using social media. Effective October 1, 2024, social media platforms must add age verification systems, embedded parental controls, and default privacy settings for minors’ accounts, such as mandatory parent-scheduled social media breaks and daily usage time limits across multiple devices.

Taking a page out of a recent book that highlights how social media use harms children and teens, including features “that prolong user engagement,” the law also prohibits autoplay functions, scroll or pagination effects that load content as long as the user continues to scroll, and push notifications prompting repeated user engagement.

Motor Vehicle Consumer Data Protection Act (SB215)

The law, which went into effect on May 1, 2024, places requirements and restrictions on third-party vendors’ access to, storage of, and sharing of certain consumer data collected from “smart” vehicles, which collect large amounts of personal data, often with unanticipated consequences. Utah residents will receive consent notices from third parties that access their data, including information on why and how long they’re accessing the data. It was a smart move by the Utah Legislature, as stories emerge that car companies, such as General Motors, spied on drivers and shared data on their driving habits with auto insurers, leading to an increase in premiums.

Public Surveillance Prohibition Amendments (SB231)

Legislators updated the Utah law to account for advances in biometric surveillance technology. The law clarifies under what circumstances governmental entities can obtain and use biometric surveillance information (e.g., with a search warrant or in reaction to a public safety threat) and on “authorized properties,” including law enforcement property, correctional facilities, critical government-owned or -operated infrastructure, schools, courthouses, and airports.

Data Privacy Amendments (House Bill 491)

The most expansive privacy law of the session, which will go into full effect on January 1, 2027, establishes standardized requirements for regulated governmental entities, and creates or updates various state entities with the jurisdiction to evaluate state data privacy policy and coordinate implementation of privacy protections. Among other requirements, these entities must implement and maintain a privacy program by May 1, 2025, create ongoing privacy training for employees, identify noncompliant areas and propose a strategy to meet legal expectations.

The law creates the role of Data Privacy Ombudsperson, the first of its kind, to help consumers navigate Utah privacy remedies and even mediate between governmental entities and complainants. The law also outlines notification requirements for governmental entities when a data breach affects 500 or more people, including contacting the data subject, Utah attorney general, and Utah Cyber Center and providing certain information. Additionally, the amendments limit data collection and use; prohibit selling or sharing data unless expressly permitted by law; and give individuals the right to access and correct personal data. Notably, the law codifies Utah’s dedication to an individual’s “fundamental interest in and expectation of privacy regarding the personal data” provided to a governmental entity.

Need help?

Concerned about a University of Utah or University of Utah Health data security incident? Contact the Campus IT Help Desk at 801-581-4000, University of Utah Health ITS Service Desk at 801-587-6000, or the Information Security Office’s Security Operations Center at SOC@utah.edu for immediate assistance.

Did you receive a malicious or suspicious email? Use the Phish Alert button in UMail or forward the email as an attachment to phish@utah.edu.

Want to learn more? Reach out to the offices below.

  • Office of General Counsel: Contact Ogc-admin@lists.utah.edu if you are evaluating a service for your organization and are provided with a contract for goods or services.
  • Privacy Office: Contact baa@utah.edu if a third-party vendor will access, view, store, or use university protected health information (PHI). If the terms of service or contract suggest data collection, a business associate agreement (BAA) or other data use agreement (DUA) may be legally necessary. Contact privacy@utah.edu with general inquiries about information privacy and your rights and responsibilities.
  • IT Governance, Risk & Compliance: Contact ISO-GRC@utah.edu if you are assessing a software or hardware service for your organization. The U’s Information Security Office must evaluate the security of new software or hardware.
  • Technology Licensing Office (formerly PIVOT): Call 801-581-7792 or fill out this form if you have an idea for innovating systems using apps or software.

Is there an information privacy topic you’d like to know more about? Contact Bebe Vanek, information privacy administrator for U of U Health Compliance Services, at bebe.vanek@hsc.utah.edu.