Utah’s VPN age verification law represents the first US state effort to hold websites liable for users who mask their location with VPNs, creating a liability framework that could force major platforms to either implement global age verification or block anonymity tools entirely. Senate Bill 73, signed by Governor Spencer Cox on March 19, 2026, takes effect May 6, 2026, and targets commercial entities distributing material harmful to minors.
Key Takeaways
- Utah becomes the first US state to hold websites liable for VPN users bypassing age checks based on physical location rather than IP address.
- Senate Bill 73 effective May 6, 2026, prohibits sites from providing instructions on using VPNs to circumvent age verification.
- A 2% excise tax on adult content revenue begins October 2026, funding mental health and online safety programs.
- The Electronic Frontier Foundation warns the law creates a “massive liability trap” that may force sites to block VPN IPs globally or mandate universal age verification.
- Division of Consumer Protection gains authority to audit, investigate, and fine non-compliant websites.
How Utah’s VPN age verification law works
The VPN age verification law fundamentally shifts liability from users to websites. Rather than focusing on IP addresses—which VPNs mask—the law bases liability on physical location within Utah. Websites become responsible for age-verifying any user they know or should know is physically in Utah, regardless of whether that user employs a VPN or proxy service to hide their IP. The law also explicitly prohibits commercial entities from providing instructions or guidance on using VPNs to bypass age checks.
The Division of Consumer Protection gains sweeping authority to monitor compliance, conduct audits, investigate complaints, and impose administrative fines and civil penalties on violators. The division must also establish rulemaking standards for age verification methods, privacy protections, data security, and how to determine whether a website publishes a “substantial portion” of material harmful to minors. This creates a complex enforcement landscape where websites must balance liability exposure against user privacy concerns.
The dilemma facing websites and users
The Electronic Frontier Foundation warns that Utah’s approach creates a “massive liability trap” with no clear technical solution. Websites face three problematic options: block all known VPN IP addresses globally, implement age verification for all users worldwide regardless of location, or rely on a “don’t ask, don’t tell” enforcement model where they are liable only if they actively discover a Utah user on a VPN. None of these choices is palatable. Blocking VPNs globally punishes users in other states and countries who use them for legitimate privacy and security reasons. Universal age verification exposes every user to data collection and privacy risks, not just those in Utah. The enforcement ambiguity leaves websites guessing about their actual liability.
Digital rights experts describe the law as a “technical whack-a-mole” that attempts to regulate network behavior through legal liability rather than technical means. The problem is fundamental: the internet’s architecture does not easily distinguish between a user physically in Utah using a VPN and a user outside Utah using a VPN to access content. Websites cannot reliably determine physical location without invasive data collection or blocking entire categories of network traffic.
Broader implications for internet regulation
Utah’s approach builds on a wave of state-level age verification laws but takes a more aggressive stance than predecessors. A Wisconsin bill that explicitly banned VPN use was discarded as too extreme; Utah’s version does not ban VPNs outright but achieves similar pressure through liability. If other states adopt similar frameworks, the cumulative effect could reshape how the internet functions for privacy-conscious users and small publishers alike.
The law also includes a 2% excise tax on gross receipts from sales, distributions, and subscriptions of content harmful to minors, effective October 2026. Revenue funds a Minor Online Safety Restricted Account (or Teen Mental Health Restricted Account) in the General Fund, supporting mental health programs, enforcement, and minor online safety initiatives. This creates financial incentives for aggressive enforcement and ongoing regulatory expansion.
Does the law actually prevent age verification bypass?
The core tension in Utah’s VPN age verification law is whether it achieves its stated goal of preventing minors from accessing adult content. Enforcement depends on websites learning that a user is physically in Utah and using a VPN—a detection problem the law does not solve. The “don’t ask, don’t tell” enforcement model means websites are liable only if they discover the violation, not if they fail to detect it. This creates perverse incentives: sites may deliberately avoid implementing location detection to avoid triggering liability. A minor determined to bypass age verification still has many options beyond VPNs, including proxy servers, Tor, and other anonymity tools not explicitly mentioned in the law.
Comparison to other state approaches
Utah’s liability-based framework differs markedly from other age verification proposals. Rather than requiring users to prove age upfront (as some states have proposed), Utah holds websites accountable for physical location detection. This shifts the burden from users to platforms, but it also creates the liability trap that concerns privacy advocates. The discarded Wisconsin bill took a harder line by explicitly banning VPN use; Utah’s version achieves similar outcomes through legal liability without an outright ban.
FAQ
What happens if a website violates Utah’s VPN age verification law?
The Division of Consumer Protection can impose administrative fines and civil penalties on violators, though specific penalty amounts are not specified in the law. The division also has authority to investigate complaints and conduct audits to verify compliance.
Does Utah’s VPN age verification law apply to users outside Utah?
No. The law targets websites’ obligations to verify the age of users physically located in Utah. However, many websites may respond by implementing global age verification or blocking VPN IPs worldwide to avoid liability, which would affect users everywhere.
Will other states adopt similar VPN age verification laws?
Utah’s law builds on a wave of state-level age verification efforts, suggesting other states may follow. However, the legal and technical challenges—and privacy concerns raised by the Electronic Frontier Foundation—may deter some states from adopting equally aggressive approaches.
Utah’s VPN age verification law represents a significant escalation in state-level internet regulation, prioritizing age verification over user privacy and technical feasibility. The real test will come when websites begin responding, either by blocking anonymity tools globally or by implementing invasive location detection and age verification systems. Either path reshapes the internet for users far beyond Utah’s borders.
This article was written with AI assistance and editorially reviewed.
Source: Tom's Hardware
