Utah's AI Policy Act (UAIPA) for construction contractors: what it actually requires, what it costs you, and the five mistakes we see every week

Utah's Artificial Intelligence Policy Act (UAIPA) — codified at Utah Code Title 13, Chapter 72 — has been law since May 1, 2024, and was substantially amended on May 7, 2025. It is the first state-level AI consumer protection statute in the United States, and it explicitly names construction contractors as a regulated occupation. Two years in, most Utah GCs we sit with have either never heard of it or have a vague sense it “doesn't apply to us yet.” It does.

What UAIPA actually says

The statute has two core obligations and one critical defense elimination.

The disclosure obligation. Any business that interacts with a consumer via generative AI must, when asked, disclose that the consumer is interacting with AI. The 2025 amendments tightened this for higher-risk contexts — health, financial, biometric, and any interaction involving advice on financial, legal, or healthcare matters — where proactive disclosure is required, not just disclosure-on-ask.

The accountability obligation. A business is liable for the actions and statements of any generative AI it deploys, the same as if a human employee had made the statement. There is no legal personality for the AI itself.

The defense that no longer exists.A business cannot defend itself by arguing that the AI made the violative statement. “The AI did it” is codified out of the defense toolkit. If your chatbot misstates a warranty term, you said it.

Why contractors are explicitly named

UAIPA defines a category of “regulated occupations” that face additional obligations under the statute — and that list includes architects, engineers, and construction contractors. The reasoning, per the legislative record, was that these occupations already operate under a state licensing regime and already owe elevated professional duties to clients. Adding AI to those duties was a small step, not a large one.

Practically, this means a Utah contractor faces stricter scrutiny than a generic Utah business when AI is involved in client-facing work. The Division of Occupational and Professional Licensing (DOPL) can also factor UAIPA findings into license review proceedings — which is the part that should keep a contractor up at night, not the per-violation penalty math.

The penalty math, sourced

UAIPA itself doesn't set a penalty schedule. Enforcement runs through the existing Utah Consumer Protection Act framework:

• §13-2-5 — Division of Consumer Protection administrative penalty: up to $2,500 per violation, imposed without court action.
• §13-11-17 — Attorney General civil penalty: up to $2,500 per non-knowing violation, up to $5,000 per knowing violation, imposed in addition to the administrative penalty.

The theoretical maximum can look catastrophic — every consumer interaction without proper disclosure can in principle be a separate countable violation. In practice, enforcement aggregates within a pattern. A homeowner files a complaint; the Division subpoenas chat logs and finds twelve prior non-disclosed interactions in the same quarter; that's twelve violations, $30,000–$90,000 depending on the AG's posture, plus a referral to DOPL.

The five mistakes we see every week

1. AI-drafted bids signed as professional analysis

An estimator uses ChatGPT to draft a proposal. The contractor signs it as their own professional work. The client asks “did AI write any of this?” The contractor says no. That single answer is the violation. Under the 2025 amendments, this falls in the high-risk category because it involves professional analysis being offered to a consumer — disclosure should have been proactive, not on-ask.

2. AI giving legal advice to your clients

Lien rights questions. Warranty terms. Change order language. Any time a chatbot, copilot, or AI assistant answers a question that touches legal interpretation, you're in a category the 2025 amendments call out by name. The Moffatt v. Air Canada precedent (2024) confirms the broader principle — a company is bound by what its chatbot says, even if the chatbot was wrong. UAIPA adds the disclosure and accountability layer on top.

3. Safety reports drafted by AI, submitted as human-authored

Health and safety is one of the high-risk categories under UAIPA. Stricter requirements apply, and stiffer penalties attach. OSHA exposure compounds the state-level liability — if the underlying report is later found to be inaccurate, the AI involvement becomes a compounding aggravator, not a defense.

4. Confidential data uploaded to public AI tools

Client financials. Plans. Sub bids. Employee data. Most 2026 E&O policies we've reviewed now contain specific exclusions for this scenario — meaning the data breach isn't covered, the UAIPA violation isn't covered, and the firm is fully self-insured for the consequences. Cyberhaven's 2024 study found 11% of data pasted into ChatGPT by employees is confidential corporate data; Salesforce's 2024 workplace survey found 55% of workers use unauthorized AI tools at work.

5. AI customer service without disclosure

The chatbot on your website. The auto-responder on your phones. The voice assistant your front-of-house deployed last quarter. Every consumer-facing AI interaction without a disclosure is a counted violation. This is the category most likely to generate a complaint, because consumers are now trained to notice when they're talking to a bot — and when they suspect they were, the complaint goes to the Division before it goes to your office.

What “having a policy” doesn't buy you

A policy on paper is not a defense. Under §13-72, you are liable for what your employees do regardless of whether your policy permitted it. The Division does not care that the policy existed — they care whether the policy was enforced. Real enforcement, at the standard plaintiff's attorneys will cite, requires four things:

• Technical controls. Public AI tools blocked or proxied on every company device. Policy without controls is opinion.
• Usage logging. What was sent, by whom, when, to which tool. If there is no log, there is no evidence of enforcement.
• Quarterly re-review.Tools change, employees change, exceptions accumulate. “We wrote it once in 2024” is not a defense in 2026.
• Signed annual acknowledgment. Provable training is the standard cited in adjacent industries (HIPAA, OSHA, FCRA), and it is starting to be cited in UAIPA-adjacent matters as well.

What we recommend

For most Utah contractors, the right sequence is inventory → disclosure → controls → attestation. Inventory tells you what AI is actually in your firm — including the shadow AI nobody asked for. Disclosure brings client-facing surfaces into UAIPA compliance. Controls turn the policy into a defensible posture. Attestation produces the document your insurance carrier and your attorney will both want to see if anything ever goes sideways.

That sequence is exactly the engagement structure we built our AI audit around. If you want to see what an engagement looks like, the AI audit page walks through it. If you'd rather start with a self-check, the 5-Minute UAIPA Self-Assessment will tell you in five minutes where you sit.

This article is not legal advice and does not create an attorney–client relationship. Citations to Utah Code are current as of June 2026; verify the live text at le.utah.gov before relying on it for compliance work.