On May 6, 2026, Utah became the first U.S. state to make websites legally liable for users who bypass age-verification gates using a VPN. Senate Bill 73, formally the Online Age Verification Amendments, treats anyone physically located in Utah as a Utah user, regardless of what their IP address says. The law also bars covered sites from explaining how VPNs work.
Governor Spencer Cox signed the bill on March 19 after it passed with minimal opposition. The vote was 22-2 in the Senate and 66-1 in the House. The VPN-liability provisions barely surfaced in floor debates. The bill was marketed as child safety and voted on as child safety.
What the Law Actually Does
SB 73 imposes two core requirements on websites hosting content deemed harmful to minors. First, if more than 33 percent of a site's content qualifies as material harmful to children, the site must verify that every physically present Utah user is at least 18. This applies even if the user masks their location with a VPN or proxy.
Second, covered sites cannot provide instructions on how to use a VPN to circumvent age checks. They cannot encourage VPN use. They cannot facilitate geofencing workarounds.
The Electronic Frontier Foundation calls this a First Amendment problem, warning that the law "prevents platforms from providing basic, truthful information about a lawful privacy tool to their users." VPN services remain legal. Using them is legal. Explaining how they work is, in most contexts, legal. Utah carved out a category of website where it isn't.
A Liability Trap
NordVPN described SB 73 as an "unresolvable compliance paradox" and called it a "liability trap." The complaint is straightforward: websites cannot reliably detect VPN users. The tools are specifically designed to be undetectable. Commercial VPN providers rotate millions of IP addresses across thousands of exit nodes. Residential proxy networks route traffic through real household broadband connections that are indistinguishable from legitimate users.
The EFF echoed this concern, calling VPN detection a "technical whack-a-mole that likely no company can win." No comprehensive blocklist exists. Providers add new IP addresses constantly. Setting up a personal WireGuard instance on any major cloud provider takes minutes.
Websites have received no guidance from Utah on how to comply. No safe harbor has been established. No compliance timeline beyond "now" has been communicated.
The Two Bad Options
Website operators facing SB 73 have limited choices. They can attempt to block all known VPN IP addresses, which experts say is technically impossible to do comprehensively. Or they can mandate age verification for every visitor globally, regardless of location.
Either path creates problems. Blocking VPN IPs affects legitimate privacy users worldwide. Global age verification forces millions of people to hand sensitive data to third-party verification services. As one analysis noted, the law creates a "guilty until proven innocent" environment for platforms. If a site allows a Utah minor through because they used a VPN, that site is now on the hook for a lawsuit.
The people most likely to be affected are not determined circumventers. Anyone with technical knowledge can run a private tunnel. The law will disproportionately impact journalists, security-conscious users, abuse survivors, and others who rely on commercial VPN services for legitimate privacy protection.
The Pattern Is Familiar
Utah's approach follows a predictable cycle. When the UK's Online Safety Act mandated age verification for adult content in July 2025, VPN sign-ups surged more than 1,400 percent on the first day of enforcement. Proton VPN reported it overtook ChatGPT to become the most downloaded free app on Apple's UK App Store. NordVPN saw a 1,000 percent spike in UK subscriptions.
The response to age-verification mandates has been consistent across jurisdictions. Users who care about privacy route around restrictions. The remaining population submits sensitive data to verification systems that present their own security risks. Biometric databases are concentrated targets. Verification services process government IDs and facial recognition selfies. Unlike passwords, stolen biometric data cannot be changed.
What Comes Next
Legal challenges are expected. The Free Speech Coalition has sued every state that has passed an age-verification law. Utah likely won't be different. The speech-restriction provision, the one that bans websites from explaining how a VPN works, is the most legally vulnerable part of the bill.
Meanwhile, SB 73 is now a live template. Michigan's pending bill goes further than Utah. Wisconsin tried something similar earlier this year and stripped the VPN-targeting language only after backlash. In the UK, the House of Lords voted 207-159 in January to ban VPN services for users under 18, with those amendments now heading to the House of Commons. France's digital affairs minister has said VPNs are "next on my list."
For the 26 other U.S. states with age-verification laws, Utah is the experiment. If SB 73 survives legal challenge, those states have a template for adding VPN-targeting provisions. If it is struck down, it establishes precedent that VPN-targeting is unconstitutional regardless of the policy goal.
The bill's sponsor, Republican Senator Cal Musselman, told ABC4 that SB 73 "is about accountability, not censorship" and requires companies profiting from harmful material to "take reasonable steps to keep it out of children's hands." Critics argue the reasonable steps required are technically impossible to take.
Utah's law doesn't make VPN use illegal for individuals. It pushes liability onto websites. The state has decided that the architecture of internet anonymity is someone else's problem to solve. That someone is every website operator doing business with users who might be physically standing in Utah.
