Utah Becomes First State to Target VPNs in Online Age Checks
Next Wednesday, Utah will become the first state in the nation to explicitly target the use of Virtual Private Networks (VPNs) as part of age verification legislation, a move that digital rights advocates warn could fundamentally undermine online privacy while failing to achieve its stated goals.
The "Online Age Verification Amendments," formally known as Senate Bill 73, takes effect on May 6, 2026, after being signed by Governor Spencer Cox on March 19. While the majority of the bill focuses on a 2% tax on revenues from online adult content scheduled for October, the provisions regulating VPN access are set to go live this week.
The legislation amends existing Utah statutes in two significant ways. First, it establishes that an individual is legally considered to be accessing a website from Utah if they are physically located there, regardless of whether they use a VPN, proxy server, or any other means to disguise their geographic location.
Second, commercial entities that host "a substantial portion of material harmful to minors" are prohibited from facilitating or encouraging the use of a VPN to bypass age checks. This includes providing instructions on how to use a VPN or providing the means to circumvent geofencing.
Unlike previous drafts considered in other states, SB 73 doesn't explicitly ban VPN use. Instead, it creates what the Electronic Frontier Foundation (EFF) describes as a "don't ask, don't tell" enforcement model. Websites will likely only have an obligation to verify age if they actually learn a user is physically in Utah and using a VPN.
NordVPN has called the law an "unresolvable compliance paradox" and a "liability trap," arguing that it holds websites responsible for identifying users whose tools are specifically designed to be unidentifiable.
"If a website cannot reliably detect a VPN user's true location and the law requires it to do so for all users in a particular state, then the legal risk could push the site to either ban all known VPN IPs, or to mandate age verification for every visitor globally," the EFF warned in an analysis of the bill. "This would subject millions of users to invasive identity checks or blocks to their VPN use, regardless of where they actually live."
The law faces a more fundamental obstacle: the technology to reliably detect VPN use at the website level largely doesn't exist. IP reputation databases like MaxMind and IP2Proxy can flag traffic from known datacenter IP ranges, but commercial VPN providers constantly rotate addresses. Residential VPN endpoints are virtually indistinguishable from standard home connections.
For more articles like this, check out our Tech News page!