On May 6, 2026, Utah's Senate Bill 73 became the first law in the United States to impose legal liability on websites when users employ a VPN to circumvent age verification systems. The law was challenged in court the same day it took effect, and the state agreed to pause enforcement of its VPN-specific provisions until September while litigation proceeds. The legal precedent, however, is already written - and its implications reach well beyond Utah's state lines.
What the Law Actually Requires
Signed by Governor Spencer Cox on March 19, 2026, SB 73 targets any website hosting what it defines as a "substantial portion of material harmful to minors." Such sites must enforce age verification for users physically located in Utah. The law is explicit on one point that sets it apart from earlier age verification statutes: physical location governs, not IP address. A VPN, proxy, or Tor connection does not alter a user's legal status under the law. If that person is sitting in Utah, the website is required to treat them as a Utah resident and enforce age checks accordingly.
Fines start at $2,500 per violation for a first offense and rise to $5,000 for repeat infractions. Enforcement authority rests with Utah's Division of Consumer Protection, which is authorized to use AI-based detection tools to identify non-compliant sites. The law also prohibits covered websites from publishing instructions on how users might employ a VPN to bypass those checks - a provision the Electronic Frontier Foundation flagged on the day of enactment as a potential First Amendment violation, arguing that restricting truthful information about a legal privacy tool stands on unstable constitutional ground.
The Compliance Problem No Tool Can Solve
The law's core requirement creates a technical obligation that the industry has no clean answer for: detect every VPN user accessing your platform from Utah. That is not achievable. VPN providers have spent years building detection-evasion into their products - obfuscated protocols, traffic masking, HTTPS mimicry - because detection has always been the threat. There is no compliance tool that catches all of them.
The practical options available to websites under this framework are each costly in different ways. A site can block all known VPN IP ranges, which sweeps up ordinary privacy-conscious users alongside anyone trying to evade age requirements. It can require identity verification from every visitor, regardless of where they appear to be connecting from. Or it can decide that legal exposure in Utah is not worth the operational complexity and restrict access to the state outright. None of these outcomes is neutral. Each one imposes a burden on users who have done nothing prohibited. According to survey data from AAC, 79 percent of Americans report concern that submitting personal information for age verification exposes their data to risk - which means the compliance path and the privacy concern run directly against each other.
A Legal Challenge on Day One - and a Broader Legislative Pattern
At least one adult content provider filed suit against Utah on May 6, the law's first day in effect. The central argument, as reported by the Salt Lake Tribune, is that the VPN provision would effectively require the company to enforce age verification for users anywhere in the world, not just Utah - since there is no reliable technical method to confirm that any given VPN user is or is not physically present in the state. Utah agreed not to enforce the VPN-specific provisions until September while the case proceeds.
Utah was not operating in isolation. In early 2025, Wisconsin advanced age verification legislation that included a VPN restriction provision comparable to Utah's. After public pressure from digital rights advocates and residents, Wisconsin lawmakers removed that provision entirely in February 2026. A revised version of the bill is now awaiting the governor's signature. Michigan has filed legislation that would go further still, requiring internet service providers to monitor and block VPN connections at the network level - though that bill has not yet been scheduled for a hearing.
The pattern suggests that legislators across the country are actively testing how far these restrictions can extend, and that public and legal pushback does influence outcomes. Wisconsin's reversal is evidence of that. What the Utah litigation produces in September - and beyond - will inform the calculus in every other state capitol watching the case.
The Technology Shift Already Underway
Laws like SB 73 are accelerating a shift in how VPN technology is built and marketed. A standard VPN connection generates recognizable traffic signatures that detection systems can flag. Obfuscated protocols are designed to prevent that. By disguising encrypted traffic to resemble ordinary HTTPS web browsing, they give detection tools nothing identifiable to act on. Most major VPN providers now offer some form of obfuscation. Proton VPN's Stealth protocol is among the more technically robust implementations: it wraps WireGuard traffic inside TLS - the same encryption layer that underpins standard web browsing - making the connection effectively indistinguishable from normal internet traffic at the inspection layer.
This is not a niche feature anymore. As state-level enforcement regimes attempt to make VPN use legally consequential, the commercial incentive to build undetectable VPNs grows proportionally. Utah's law may have intended to close a loophole. In practice, it may be widening the technical arms race between detection and evasion - while placing the legal and financial burden for an unwinnable fight squarely on the websites caught in the middle.
