Utah's SB 73 takes effect on May 6, 2026, making Utah the first U.S. state to hold commercial websites legally liable for users who access age-restricted content through a VPN or proxy to spoof their geographic location. The law does not just regulate what content sites may show - it directly targets the use of anonymization tools as a bypass mechanism, creating liability that reaches platforms anywhere in the world.
What SB 73 Actually Says About VPNs
The law's central innovation is jurisdictional: instead of relying on IP address geolocation, which any VPN can change in seconds, SB 73 holds websites responsible for the physical presence of users in Utah. A site is liable whether or not the user's IP address resolves to Utah, as long as that user is physically in the state. This is a fundamental break from how internet jurisdiction has worked for decades.
The statute goes further. Websites are explicitly prohibited from providing instructions, links, or encouragement for using VPN services to circumvent age verification requirements. Linking to a "how to use a VPN" guide - or even referencing VPNs as a workaround in a FAQ - becomes potential legal exposure under the law. SB 73 was signed by Utah's governor on March 19, 2026. Its age verification and VPN provisions activate on May 6, with a separate 2% excise tax on adult content revenue taking effect October 1, 2026.
The EFF's Liability Trap: No Clean Exit for Platforms
The Electronic Frontier Foundation has described SB 73 as a "liability trap" - a law structured so that technical compliance is effectively impossible without imposing significant costs on users who have nothing to do with Utah. Because no technology can verify with certainty whether a user behind a high-quality VPN is physically located in the state, websites face a binary choice with no middle ground.
The first option is to block all known VPN IP address ranges globally. This would cut off legitimate VPN users worldwide - journalists, privacy advocates, remote workers, and anyone who simply prefers encrypted browsing - who have no connection to Utah and pose no regulatory concern. The second option is to require government-issued ID or biometric age verification from 100% of their visitors, regardless of where those visitors are located. Both outcomes build infrastructure that was not previously required: one creates a global VPN blocklist; the other creates a cross-site database linking real identity to browsing behavior.
Which Sites Are Affected and What Compliance Looks Like
SB 73 applies to commercial entities where a "substantial portion" of content is classified as harmful to minors - in practice, primarily adult content platforms. To satisfy the "reasonable age verification" standard, sites are expected to use government-issued IDs, biometric age estimation systems, or third-party identity verification services. All three methods require collecting sensitive personal data from every user who needs to prove their age - not just those who are minors.
The VPN-specific provisions, however, create knock-on pressure for a much broader category of websites. Any site that wants to avoid Utah liability while also avoiding the cost of universal identity verification has a single realistic option: block VPN IP ranges entirely. Security researchers and civil liberties groups note that VPN blocklists are inherently imprecise, frequently blocking legitimate users, corporate networks, and Tor exit nodes alongside the VPN traffic they are intended to target.
Utah in the National Context: 25+ States and Growing
Over 25 U.S. states have passed age verification laws since 2022. Nebraska (LB 383, effective July 1, 2026), West Virginia (HB 4412, effective June 12, 2026), Ohio (HB 96), and Florida (HB 3) are among the states with active or pending requirements. The legal landscape is moving toward a patchwork where platforms must satisfy the most restrictive state's standard to operate nationally without liability exposure.
What distinguishes SB 73 is its explicit targeting of VPN-based bypass. No other state law has directly inserted VPN use into a liability framework for age verification compliance. The law appears designed in part to counter the documented surge in VPN adoption that followed earlier age verification mandates - including in Utah itself, where VPN downloads spiked after earlier legislation. Lawmakers have effectively escalated: if users can work around the first law with a VPN, make VPN use itself a trigger for platform liability.
What SB 73 Means for VPN Users
A VPN remains essential for protecting your network traffic, encrypting data on public networks, and shielding your browsing from your ISP and third-party trackers. None of that changes under SB 73. What changes is the regulatory environment in which VPN use occurs.
SB 73 marks a qualitative shift in how legislators are treating VPN use: not as a crime for the user, but as a liability multiplier for the platform. The practical outcome for privacy-conscious users is increased blocking. As more states adopt the Utah model - basing compliance obligations on physical presence rather than IP location - platforms will face mounting pressure to treat VPN connections as unverifiable and therefore risky. The space where a VPN preserves both access and anonymity will narrow with each state that follows Utah's lead.