A law attempting to regulate a technology that is intended to be invisible from the first line of code has an almost poetic quality. Senate Bill 73 in Utah, which goes into effect on May 6, does more than just venture into the uncharted territory of online age verification. With its eyes closed, it plunges headfirst and hopes for the best. Governor Spencer Cox signed the bill in March, making Utah the first state in the union to specifically hold websites responsible for users who use VPNs. It is audacious. It’s also either technically impossible or visionary, depending on who you ask.
In theory, the law’s mechanics are simple, but in reality, they are complex. A person is deemed a Utah user if they are physically present in Utah. Whether their traffic is routed via Singapore or Reykjavik is irrelevant. Regardless, websites with a lot of adult content need to confirm the user’s age. They’re also forbidden from publishing instructions about how to use a VPN to bypass these checks, a kind of digital “don’t ask, don’t tell” provision that has First Amendment lawyers sharpening their pencils.
| Information | Details |
|---|---|
| Law Name | Online Age Verification Amendments (Senate Bill 73) |
| State | Utah, United States |
| Signed By | Governor Spencer Cox |
| Date Signed | March 19, 2026 |
| Effective Date | May 6, 2026 |
| Primary Target | Websites hosting material harmful to minors |
| Key Provision | Holds websites liable for VPN-masked users physically located in Utah |
| Secondary Tax Provision | 2% tax on online adult content revenue (effective October) |
| Notable Critics | NordVPN, Electronic Frontier Foundation, digital rights groups |
| First-of-its-Kind | First U.S. state to legally target VPN use in age verification |
It’s hard not to notice the gap between what lawmakers seem to think websites can do and what they actually can. Detecting VPN traffic with precision is genuinely difficult. IP addresses are continuously rotated by commercial VPN services. Residential VPN endpoints look identical to ordinary home internet connections. A personal WireGuard server on a cloud provider can be set up by anyone in twenty minutes and with a credit card, and that traffic blends in with all legitimate websites hosted on the same infrastructure. Deep packet inspection is effective, but it necessitates sitting between the user and the server, which is typically only available to ISPs and authoritarian regimes.
The term “unresolvable compliance paradox,” as used by NordVPN, seems to be accurate. The Electronic Frontier Foundation cautions that the legal risk may force platforms to choose between two unappealing options: either outright ban all known VPN IP addresses or subject all visitors to intrusive identity verification. The open internet doesn’t seem to benefit from either.
Beneath all of this is a more subdued tale. The teens the law purports to protect are unlikely to be the ones most impacted. In the afternoon, tech-savvy kids will construct their own tunnels. Journalists working in dangerous environments, survivors of abuse attempting to remain anonymous, dissidents living overseas, and regular people who simply don’t want their browsing linked to their real names are typically the real casualties. Even though it isn’t mentioned in the bill’s fiscal note, there is a true cost involved.
Utah is not traveling alone. Earlier this year, the UK’s House of Lords decided to outlaw VPN services for minors. VPNs have been publicly identified by France’s minister of digital affairs as the next item on her list. After receiving negative feedback, Wisconsin withdrew its similar attempt. As this develops, it seems that legislators worldwide have determined that technology must submit to the law rather than the other way around. It remains to be seen if the technology concurs.
