Starting May 6, Utah becomes the first U.S. state to make websites legally responsible when visitors use VPNs to bypass age verification. Senate Bill 73 treats a VPN user as physically present in Utah regardless of their spoofed location, and it bans affected sites from even explaining how VPNs work. If you run a site with "a substantial portion of material harmful to minors," your compliance burden just mutated.
The Anti-Consensus Reality: VPN Bans Don't Work the Way Legislators Think
Most coverage frames this as a tech-versus-privacy showdown. The deeper problem: the law assumes websites can reliably detect VPN traffic, then correctly attribute a user's actual physical location without that VPN. Both assumptions fracture under scrutiny.
VPN detection is an arms race, not a solved problem. Commercial detection services flag known VPN IP ranges, but residential proxy networks, corporate VPNs, and newer obfuscation protocols slip through constantly. A site complying in good faith will still miss some VPN users. The law doesn't specify what counts as "reasonable" detection effort — it simply assigns liability for the failure.
The location attribution problem is worse. A Utah resident on a corporate VPN terminating in Delaware might show a Delaware IP address, Delaware DNS, and a Delaware timezone. The site sees Delaware signals. Proving "actual location" requires data most sites don't collect: precise GPS (which browsers gate behind permission prompts), WiFi network triangulation, or billing address verification. Each introduces friction that costs conversions. Each carries privacy risks that compound the law's core tension.
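The detection and attribution gaps described above can be measured on a site's own traffic. The following is an added example, not part of the original article or of any vendor's product: it audits two gating policies against a small labelled sample. The IP ranges (documentation addresses), the VPN feed, the geolocation table and the sessions are all constructed, and the policy names are hypothetical.

```python
import ipaddress

# All networks and sessions below are constructed (RFC 5737 documentation ranges).
KNOWN_VPN = [ipaddress.ip_network("203.0.113.0/24")]  # hypothetical commercial-VPN feed
GEO_DB = {                                            # hypothetical coarse IP-to-state table
    ipaddress.ip_network("198.51.100.0/25"): "UT",
    ipaddress.ip_network("198.51.100.128/25"): "DE",
    ipaddress.ip_network("192.0.2.0/24"): "CO",
}
STATE_TZ = {"UT": "America/Denver", "CO": "America/Denver", "DE": "America/New_York"}

def geo_state(ip):
    addr = ipaddress.ip_address(ip)
    return next((s for net, s in GEO_DB.items() if addr in net), None)

def requires_gate(ip, browser_tz, policy):
    """True if the request is routed through Utah age verification."""
    state = geo_state(ip)
    if state == "UT":
        return True
    if policy == "ip_only":
        return False
    # "ip_plus_vpn": also gate known VPN exits, unknown geo, and IP/timezone mismatch.
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in KNOWN_VPN) or state is None:
        return True
    return STATE_TZ[state] != browser_tz

# (ip, browser timezone, true physical state, label)
SAMPLE = [
    ("198.51.100.10",  "America/Denver",      "UT", "Utah user, direct"),
    ("203.0.113.7",    "America/Denver",      "UT", "Utah user, commercial VPN"),
    ("198.51.100.200", "America/New_York",    "UT", "Utah user, corporate VPN in Delaware"),
    ("192.0.2.44",     "America/Denver",      "UT", "Utah user, residential proxy"),
    ("198.51.100.201", "America/New_York",    "DE", "Delaware user, direct"),
    ("203.0.113.9",    "America/Los_Angeles", "NV", "Nevada user, commercial VPN"),
]

def audit(policy):
    """Return (Utah users not gated, non-Utah users gated) for a policy."""
    missed = [label for ip, tz, truth, label in SAMPLE
              if truth == "UT" and not requires_gate(ip, tz, policy)]
    over = [label for ip, tz, truth, label in SAMPLE
            if truth != "UT" and requires_gate(ip, tz, policy)]
    return missed, over

if __name__ == "__main__":
    for policy in ("ip_only", "ip_plus_vpn"):
        missed, over = audit(policy)
        print(f"{policy}: missed={missed} over_gated={over}")
```

Adding the VPN feed and the timezone check closes only the commercial-VPN case: the corporate VPN and residential proxy sessions still present consistent out-of-state signals, and a non-Utah VPN user is now gated as well.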
The hidden variable: compliance cost asymmetry. Large platforms with existing fraud-prevention stacks can absorb this. Small operators — independent creators, niche forums, regional publishers — face a binary choice: implement expensive geolocation infrastructure, or geoblock Utah entirely. The latter is cheaper. Expect more "503: Service Unavailable in Your Region" errors for Utah IP ranges, even for non-VPN users caught in coarse blocking filters.

What the Law Actually Requires vs. What Remains Unresolved
Confirmed obligations under SB 73:
| Requirement | Scope | Effective |
|---|---|---|
| Age verification for "substantial portion of harmful-to-minors content" | Websites, not just apps | May 6, 2026 |
| VPN users counted as Utah-located regardless of exit node | All access methods | May 6, 2026 |
| Prohibition on VPN instructions or circumvention aid | Same affected sites | May 6, 2026 |
| Private right of action for violations | Utah residents and attorney general | May 6, 2026 |
Critical unknowns:
- "Substantial portion" threshold: No percentage defined. A site with 15% adult content? 30%? Case law will settle this, slowly and expensively.
- Verification method: The law doesn't mandate specific technology. Will photo ID upload satisfy courts? Third-party age estimation via facial analysis? Credit card checks? Each carries different failure modes and privacy exposures.
- Corporate VPN carve-out: Business use of VPNs for security isn't addressed. A Utah employee working remotely through company infrastructure accesses a restricted site — who's liable?
- Enforcement sequencing: Will the AG issue guidance first, or will private plaintiffs test boundaries immediately? The private right of action creates bounty-hunter dynamics seen in Texas's SB 8 abortion law.
The trade-off matrix for site operators:
| Approach | Cost | User Friction | Legal Risk | Collateral Damage |
|---|---|---|---|---|
| Geoblock Utah entirely | Low | Extreme for Utah users | Near-zero | False positives, PR damage |
| Basic IP geolocation + age gate | Medium | Medium | Medium-High | VPN users slip through; liable |
| Advanced fingerprinting + ID verification | High | Very High | Lower | Privacy backlash, conversion collapse |
| Exit Utah market (content removal) | Variable | None for non-Utah | Zero | Censorship by geography |

The Broader Pattern: Why This Matters Beyond Utah
California's 2025 law mandates OS-level age verification at account creation. The federal "Parents Decide Act" proposes nationalizing similar requirements. Utah's VPN targeting is an escalation vector — it addresses the obvious workaround that undermines location-based rules.
The signal: age verification is shifting from site-level to infrastructure-level to workaround-punishment-level. Each layer increases compliance surface area and decreases user anonymity.
For players and general internet users, three watchpoints:
- VPN service terms: Providers may begin restricting Utah-based subscriptions or clarifying that their tools don't guarantee location spoofing for legal compliance. Some already geofence certain server locations based on local law.
- Site behavior changes: Expect more aggressive CAPTCHA walls, payment verification requirements, and regional blocking. The independent web — forums, small publishers, creator platforms — will feel this before Netflix does.
- Litigation timeline: First enforcement actions will reveal judicial interpretation of "substantial portion" and "reasonable" VPN detection. These precedents shape whether other states copy Utah's model.
The California law's 2026 effective date creates a compliance window. The federal proposal's status remains speculative. Utah's immediate implementation makes it the test case.

What You Should Do Differently
Don't assume your VPN protects you from state-level obligations you didn't know existed. If you're in Utah, SB 73 means services may demand verification despite your VPN — or deny you service entirely. If you operate any web property with user-generated or adult-leaning content, audit your geolocation precision now; "good enough" for analytics isn't necessarily "good enough" for liability. The law's real impact won't be measured in convictions but in preemptive blocking, service degradation, and the slow constriction of anonymous access.

Disclaimer
This article provides general information about pending legislation and is not legal advice. Consult qualified counsel for compliance decisions specific to your jurisdiction and business model.





