On May 6, 2026, Utah became the first American state to effectively target virtual private networks through age verification legislation, marking a quiet but consequential shift in how governments approach online content restrictions. The state's Senate Bill 73, signed by Republican Governor Spencer Cox in March, does not ban VPNs outright - but it creates a legal framework that may render them functionally useless for anyone seeking to access adult content without submitting to identity checks. The implications extend well beyond Utah's borders.
What SB73 Actually Does - and Why It Matters
The law's central mechanism is liability transfer. Rather than requiring individual users to prove their age, SB73 places the legal burden squarely on websites that host material harmful to minors. Any such platform must now verify that users physically located in Utah are of legal age - regardless of whether those users are masking their location through a VPN.
That single clause is where the friction begins. VPNs work by routing a user's internet traffic through servers in other locations, replacing their real IP address with one belonging to the VPN provider. Websites cannot reliably determine whether a given user is actually sitting in Salt Lake City or Berlin. Faced with that uncertainty, platforms have limited options: block all traffic originating from known VPN IP addresses, apply age verification universally across their entire user base, or risk legal exposure in Utah courts.
NordVPN has described the situation as a "liability trap." Because the mandate is structurally unenforceable, the company argues, it effectively pressures websites into subjecting millions of users - the vast majority of whom have no connection to Utah - to invasive identity checks they are under no legal obligation to complete.
SB73 adds a second provision that compounds the concern: platforms carrying a "substantial portion of material harmful to minors" are prohibited from sharing information about VPNs with their users. This stops short of criminalizing VPN use, but it restricts the flow of information about privacy tools in a way that has no precedent in American law.
The Verification Problem Nobody Has Solved
Age verification sounds administratively straightforward. In practice, it requires websites to collect and process sensitive personal data - government-issued identification, biometric scans, or behavioral signals derived from browsing history. Each method carries distinct risks.
Government ID checks link a person's offline legal identity directly to their online activity, creating a permanent record of what they accessed and when. Biometric data is immutable: unlike a password, a fingerprint or facial scan cannot be changed if it is compromised. Behavioral profiling, which some platforms including large technology companies have begun feeding into AI-driven age estimation systems, raises separate concerns about the scope of data collection and the opacity of algorithmic decision-making.
The Electronic Frontier Foundation, which has tracked age verification legislation closely, argues that none of these approaches can be made safe at scale. High-profile breaches of age verification providers in recent years have demonstrated that centralized stores of identity data are attractive targets. When those databases are compromised, the damage is not limited to financial fraud - it exposes the precise details of what users were doing online and why they needed to verify their age in the first place.
The EFF has characterized SB73's approach as a "don't ask, don't tell" policy: websites are likely only obligated to demand proof of age if they affirmatively determine that a user is both physically in Utah and using a VPN. That framing offers some relief, but the organization warns it introduces legal uncertainty that companies will inevitably resolve by erring toward maximum restriction - meaning broader verification requirements, not narrower ones.
A Precedent With Global Echoes
Utah did not develop this approach in isolation. The United Kingdom and Australia have both moved aggressively toward age verification mandates in recent years, requiring platforms to implement robust identity checks before granting access to adult content or certain social media features. The mechanics differ by jurisdiction, but the political logic is consistent: governments responding to genuine public concern about children's online exposure have found age verification to be a politically legible solution, regardless of its technical shortcomings.
Hard VPN restrictions, by contrast, have historically been associated with authoritarian governance. North Korea, Belarus, China, and Russia all maintain VPN bans or severe restrictions as instruments of state censorship. Wisconsin proposed a ban before abandoning it. Michigan pursued similar legislation. Utah found a third path - not a ban, but a structural disincentive that may produce comparable effects without requiring the state to defend an outright prohibition in court.
That distinction matters for how future laws are written. By treating VPN usage as a compliance problem rather than a prohibited act, SB73 expands the range of policy options available to legislators who want to restrict online access without appearing to attack privacy technology directly. Digital rights advocates warn this is precisely what makes the law dangerous: it normalizes the framing of privacy tools as obstacles to enforcement rather than legitimate security instruments, and it does so within a liberal democratic legal tradition that other states - and potentially Congress - may find easier to adopt than an outright ban.
The Broader Stakes for Digital Privacy
The political appeal of protecting children from harmful content is not in dispute. The question is whether age verification laws, particularly those that treat VPNs as a loophole to be closed, achieve that goal in proportion to their costs.
VPNs serve functions far beyond circumventing content restrictions. Journalists, domestic abuse survivors, political dissidents, and ordinary users concerned about corporate data collection all rely on them for legitimate security purposes. Regulations that degrade their utility - even indirectly, even through liability engineering rather than outright prohibition - impose real costs on those populations while offering uncertain benefits to the children they are ostensibly designed to protect. A determined minor with modest technical literacy can find ways around age gates; the populations most affected by eroded VPN infrastructure tend to be those with the fewest alternatives.
Utah's SB73 is a narrow law with a limited geographic reach. But as the first American statute to directly address VPN usage in the context of age verification, it establishes a template. How courts interpret it, how platforms respond to it, and whether other states replicate it will determine whether this is a cautious experiment in content regulation or the opening of a significantly more restrictive chapter in American internet law.
